package network

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicIngress flags Azure network security group rules that allow
// inbound traffic from a public address range wider than a single host.
//
// For every security group in the state, each rule that is not outbound and
// not an explicit deny has its source addresses inspected one by one; every
// source that is a public range of more than one address yields a separate
// finding, so a single rule can produce several results. A group with no
// offending rule (including a group with no rules at all) is recorded as passed.
//
// Scope caveats a reader should keep in mind:
//   - The Summary text says "/0", but the implementation reports any public
//     range of more than one address (for example a public /24), not only
//     0.0.0.0/0.
//   - Only Outbound, Allow and SourceAddresses are read. Rule priority and
//     destination ports are not considered, so an allow rule shadowed by a
//     higher-priority deny is still reported.
var CheckNoPublicIngress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0047",
		Provider:    providers.AzureProvider,
		Service:     "network",
		ShortCode:   "no-public-ingress",
		Summary:     "An inbound network security rule allows traffic from /0.",
		Impact:      "The port is exposed for ingress from the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Network security rules should not use very broad subnets.

Where possible, segments should be broken into smaller subnets.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressGoodExamples,
			BadExamples:         terraformNoPublicIngressBadExamples,
			Links:               terraformNoPublicIngressLinks,
			RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, group := range s.Azure.Network.SecurityGroups {
			groupClean := true
			for _, rule := range group.Rules {
				// Only inbound allow rules can expose a port. An outbound rule is
				// skipped; so is a rule whose action is known to be deny. A rule
				// whose direction or action is unresolvable is still inspected,
				// which errs on the side of reporting.
				if rule.Outbound.IsTrue() {
					continue
				}
				if rule.Allow.IsFalse() {
					continue
				}
				for _, source := range rule.SourceAddresses {
					if !isBroadPublicRange(source.Value()) {
						continue
					}
					groupClean = false
					results.Add(
						"Security group rule allows ingress from public internet.",
						source,
					)
				}
			}
			if groupClean {
				results.AddPassed(&group)
			}
		}
		return
	},
)

// isBroadPublicRange reports whether a source address string is a public
// range covering more than one address. A single public host is tolerated so
// that well-known upstream IPs can be allow-listed without triggering the rule.
//
// NOTE(review): whether wildcard sources such as "*" or Azure service tags are
// treated as public here depends entirely on cidr.IsPublic and
// cidr.CountAddresses — confirm against the cidr package and the Azure adapter.
func isBroadPublicRange(address string) bool {
	if !cidr.IsPublic(address) {
		return false
	}
	return cidr.CountAddresses(address) > 1
}