github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/keyvault/ensure_key_expiry.go (about) 1 package keyvault 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckEnsureKeyExpiry = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AZU-0014", 14 Provider: providers.AzureProvider, 15 Service: "keyvault", 16 ShortCode: "ensure-key-expiry", 17 Summary: "Ensure that the expiration date is set on all keys", 18 Impact: "Long life keys increase the attack surface when compromised", 19 Resolution: "Set an expiration date on the vault key", 20 Explanation: `Expiration Date is an optional Key Vault Key behavior and is not set by default. 21 22 Set when the resource will be become inactive.`, 23 Links: []string{ 24 "https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags", 25 }, 26 Terraform: &scan.EngineMetadata{ 27 GoodExamples: terraformEnsureKeyExpiryGoodExamples, 28 BadExamples: terraformEnsureKeyExpiryBadExamples, 29 Links: terraformEnsureKeyExpiryLinks, 30 RemediationMarkdown: terraformEnsureKeyExpiryRemediationMarkdown, 31 }, 32 Severity: severity.Medium, 33 }, 34 func(s *state.State) (results scan.Results) { 35 for _, vault := range s.Azure.KeyVault.Vaults { 36 for _, key := range vault.Keys { 37 if key.ExpiryDate.IsNever() { 38 results.Add( 39 "Key should have an expiry date specified.", 40 key.ExpiryDate, 41 ) 42 } else { 43 results.AddPassed(&key) 44 } 45 } 46 } 47 return 48 }, 49 )