github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/keyvault/no_purge.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/keyvault/no_purge.go (about)

     1  package keyvault
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckNoPurge = rules.Register(
    12  	scan.Rule{
    13  		AVDID:      "AVD-AZU-0016",
    14  		Provider:   providers.AzureProvider,
    15  		Service:    "keyvault",
    16  		ShortCode:  "no-purge",
    17  		Summary:    "Key vault should have purge protection enabled",
    18  		Impact:     "Keys could be purged from the vault without protection",
    19  		Resolution: "Enable purge protection for key vaults",
    20  		Explanation: `Purge protection is an optional Key Vault behavior and is not enabled by default.
    21  
    22  Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell.`,
    23  		Links: []string{
    24  			"https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection",
    25  		},
    26  		Terraform: &scan.EngineMetadata{
    27  			GoodExamples:        terraformNoPurgeGoodExamples,
    28  			BadExamples:         terraformNoPurgeBadExamples,
    29  			Links:               terraformNoPurgeLinks,
    30  			RemediationMarkdown: terraformNoPurgeRemediationMarkdown,
    31  		},
    32  		Severity: severity.Medium,
    33  	},
    34  	func(s *state.State) (results scan.Results) {
    35  		for _, vault := range s.Azure.KeyVault.Vaults {
    36  			if vault.Metadata.IsUnmanaged() {
    37  				continue
    38  			}
    39  			if vault.EnablePurgeProtection.IsFalse() {
    40  				results.Add(
    41  					"Vault does not have purge protection enabled.",
    42  					vault.EnablePurgeProtection,
    43  				)
    44  			} else if vault.EnablePurgeProtection.IsTrue() && (vault.SoftDeleteRetentionDays.LessThan(7) || vault.SoftDeleteRetentionDays.GreaterThan(90)) {
    45  				results.Add(
    46  					"Resource should have soft_delete_retention_days set between 7 and 90 days in order to enable purge protection.",
    47  					vault.SoftDeleteRetentionDays,
    48  				)
    49  			} else {
    50  				results.AddPassed(&vault)
    51  			}
    52  		}
    53  		return
    54  	},
    55  )