github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/azure/storage/default_action_deny.go (about) 1 package storage 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckDefaultActionDeny = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AZU-0012", 14 Provider: providers.AzureProvider, 15 Service: "storage", 16 ShortCode: "default-action-deny", 17 Summary: "The default action on Storage account network rules should be set to deny", 18 Impact: "Network rules that allow could cause data to be exposed publicly", 19 Resolution: "Set network rules to deny", 20 Explanation: `The default_action for network rules should come into effect when no other rules are matched. 21 22 The default action should be set to Deny.`, 23 Links: []string{ 24 "https://docs.microsoft.com/en-us/azure/firewall/rule-processing", 25 }, 26 Terraform: &scan.EngineMetadata{ 27 GoodExamples: terraformDefaultActionDenyGoodExamples, 28 BadExamples: terraformDefaultActionDenyBadExamples, 29 Links: terraformDefaultActionDenyLinks, 30 RemediationMarkdown: terraformDefaultActionDenyRemediationMarkdown, 31 }, 32 Severity: severity.Critical, 33 }, 34 func(s *state.State) (results scan.Results) { 35 for _, account := range s.Azure.Storage.Accounts { 36 for _, rule := range account.NetworkRules { 37 if rule.AllowByDefault.IsTrue() { 38 results.Add( 39 "Network rules allow access by default.", 40 rule.AllowByDefault, 41 ) 42 } else { 43 results.AddPassed(&rule) 44 } 45 } 46 } 47 return 48 }, 49 )