// Source: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/database/enable_ssl_enforcement.go

package database

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckEnableSslEnforcement registers rule AVD-AZU-0020 (medium severity),
// which inspects the MariaDB, MySQL and PostgreSQL servers found in the
// Azure database state and reports every managed server whose
// EnableSSLEnforcement value is explicitly false.
//
// Scope of the check, as written:
//   - Servers whose metadata is unmanaged are skipped and yield neither a
//     failure nor a pass.
//   - Any server for which IsFalse() does not hold is recorded as passed.
//     NOTE(review): how an unresolved or unknown value behaves under
//     IsFalse() is not visible here; confirm it cannot produce a pass for a
//     server that does not enforce SSL.
//   - Only the enforcement flag is read. The negotiated protocol version is
//     not evaluated by this rule, so a pass here says nothing about the
//     minimum TLS version the server accepts.
//
// NOTE(review): "were available" in Explanation looks like a typo for
// "where available", and the failure message reads awkwardly; both strings
// are left untouched here because they are emitted in scan output.
var CheckEnableSslEnforcement = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0020",
		Provider:    providers.AzureProvider,
		Service:     "database",
		ShortCode:   "enable-ssl-enforcement",
		Summary:     "SSL should be enforced on database connections where applicable",
		Impact:      "Insecure connections could lead to data loss and other vulnerabilities",
		Resolution:  "Enable SSL enforcement",
		Explanation: `SSL connections should be enforced were available to ensure secure transfer and reduce the risk of compromising data in flight.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableSslEnforcementGoodExamples,
			BadExamples:         terraformEnableSslEnforcementBadExamples,
			Links:               terraformEnableSslEnforcementLinks,
			RemediationMarkdown: terraformEnableSslEnforcementRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		// One failure message is shared by all three server kinds.
		const notEnforced = "Database server does not have enforce SSL."

		// MariaDB servers.
		for _, srv := range s.Azure.Database.MariaDBServers {
			if srv.Metadata.IsUnmanaged() {
				continue
			}
			if !srv.EnableSSLEnforcement.IsFalse() {
				results.AddPassed(&srv)
				continue
			}
			// The failure is attached to the attribute itself so the
			// report points at the offending setting.
			results.Add(notEnforced, srv.EnableSSLEnforcement)
		}

		// MySQL servers.
		for _, srv := range s.Azure.Database.MySQLServers {
			if srv.Metadata.IsUnmanaged() {
				continue
			}
			if !srv.EnableSSLEnforcement.IsFalse() {
				results.AddPassed(&srv)
				continue
			}
			results.Add(notEnforced, srv.EnableSSLEnforcement)
		}

		// PostgreSQL servers.
		for _, srv := range s.Azure.Database.PostgreSQLServers {
			if srv.Metadata.IsUnmanaged() {
				continue
			}
			if !srv.EnableSSLEnforcement.IsFalse() {
				results.AddPassed(&srv)
				continue
			}
			results.Add(notEnforced, srv.EnableSSLEnforcement)
		}

		return results
	},
)