package network

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicEgress reports Azure network security group rules that allow
// outbound traffic to a public destination address. A security group passes
// only when none of its rules produced a finding.
var CheckNoPublicEgress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0051",
		Provider:    providers.AzureProvider,
		Service:     "network",
		ShortCode:   "no-public-egress",
		Summary:     "An outbound network security rule allows traffic to /0.",
		Impact:      "The port is exposed for egress to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressGoodExamples,
			BadExamples:         terraformNoPublicEgressBadExamples,
			Links:               terraformNoPublicEgressLinks,
			RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.Azure.Network.SecurityGroups {
			publicEgress := false
			for _, sgRule := range group.Rules {
				// A rule is skipped only when it is explicitly inbound or an
				// explicit deny; a rule whose direction or action is not
				// resolved to false is still evaluated.
				if sgRule.Outbound.IsFalse() || sgRule.Allow.IsFalse() {
					continue
				}
				for _, dest := range sgRule.DestinationAddresses {
					// NOTE(review): the destination value is handed to
					// cidr.IsPublic as-is; confirm how non-CIDR destinations
					// such as Azure service tags are classified there.
					if !cidr.IsPublic(dest.Value()) {
						continue
					}
					publicEgress = true
					results.Add(
						"Security group rule allows egress to public internet.",
						dest,
					)
				}
			}
			if publicEgress {
				continue
			}
			results.AddPassed(&group)
		}
		return results
	},
)