package storage

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/storage"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicAccess (AVD-AZU-0007, severity High) flags every Azure blob
// storage container whose public access level is anything other than
// storage.PublicAccessOff.
//
// Scope: only the per-container setting is inspected. Nothing at the storage
// account level (account-wide public-access toggle, network rules) is part of
// this rule's input, so a finding means "the container ACL is permissive",
// not proof that a blob is reachable anonymously from the internet.
// NOTE(review): whether an account-level restriction overrides the container
// setting is not visible from this file — confirm against the Azure adapter
// before treating this as a reachability check.
var CheckNoPublicAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AZU-0007",
		Provider:    providers.AzureProvider,
		Service:     "storage",
		ShortCode:   "no-public-access",
		Summary:     "Storage containers in blob storage mode should not have public access",
		Impact:      "Data in the storage container could be exposed publicly",
		Resolution:  "Disable public access to storage containers",
		Explanation: `Storage container public access should be off. It can be configured for blobs only, containers and blobs or off entirely. The default is off, with no public access.

Explicitly overriding publicAccess to anything other than off should be avoided.`,
		Links: []string{
			"https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#set-the-public-access-level-for-a-container",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicAccessGoodExamples,
			BadExamples:         terraformNoPublicAccessBadExamples,
			Links:               terraformNoPublicAccessLinks,
			RemediationMarkdown: terraformNoPublicAccessRemediationMarkdown,
		},
		Severity: severity.High,
	},
	checkContainersPublicAccess,
)

// checkContainersPublicAccess walks every container of every storage account
// in the Azure state and records exactly one result per container: a failure
// attributed to the container's PublicAccess value when it is not "off", a
// pass attributed to the container otherwise.
//
// NOTE(review): NotEqualTo is provided by defsec's types package; how it
// treats unresolvable values (e.g. an access level fed from a variable the
// scanner cannot evaluate) is not visible here. If it answers false for
// those, such containers are recorded as passed rather than flagged — confirm
// before relying on this rule for variable-driven configurations.
func checkContainersPublicAccess(s *state.State) scan.Results {
	var results scan.Results
	for _, account := range s.Azure.Storage.Accounts {
		for i := range account.Containers {
			container := &account.Containers[i]
			if container.PublicAccess.NotEqualTo(storage.PublicAccessOff) {
				// Attribute the finding to the PublicAccess attribute itself so
				// the reported location points at the offending setting.
				results.Add("Container allows public access.", container.PublicAccess)
				continue
			}
			results.AddPassed(container)
		}
	}
	return results
}