package compute

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/owenrumney/squealer/pkg/squealer"
)

// scanner is the package-level squealer string scanner shared by
// CheckNoSensitiveInfo; it reports TransgressionFound when the scanned
// text matches one of squealer's secret patterns.
var scanner = squealer.NewStringScanner()

// CheckNoSensitiveInfo is the CloudStack compute rule AVD-CLDSTK-0001: it
// flags instances whose user_data contains secret-like content.
//
// Every managed instance produces exactly one result — a finding when
// squealer matches the user data, a pass otherwise. Unmanaged instances
// are skipped entirely and produce no result.
//
// NOTE(review): squealer's detection is pattern-based, so a pass is
// best-effort — encoded or templated secrets in user_data may not be
// caught. Confirm coverage against squealer's rule set if this check is
// relied on as a control.
var CheckNoSensitiveInfo = rules.Register(
	scan.Rule{
		AVDID:       "AVD-CLDSTK-0001",
		Provider:    providers.CloudStackProvider,
		Service:     "compute",
		ShortCode:   "no-sensitive-info",
		Summary:     "No sensitive data stored in user_data",
		Impact:      "Sensitive credentials in the user data can be leaked",
		Resolution:  "Don't use sensitive data in the user data section",
		Explanation: `When creating instances, user data can be used during the initial configuration. User data must not contain sensitive information`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoSensitiveInfoGoodExamples,
			BadExamples:         terraformNoSensitiveInfoBadExamples,
			Links:               terraformNoSensitiveInfoLinks,
			RemediationMarkdown: terraformNoSensitiveInfoRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, inst := range s.CloudStack.Compute.Instances {
			// Resources reported as unmanaged are outside the scan: no
			// finding and no pass is recorded for them.
			if inst.Metadata.IsUnmanaged() {
				continue
			}

			userData := inst.UserData
			if !scanner.Scan(userData.Value()).TransgressionFound {
				results.AddPassed(&inst)
				continue
			}

			// The message is a fixed string: the matched value is not
			// copied into the finding, so reports do not re-expose the
			// secret. The user_data attribute is attached as the source so
			// the finding points at the offending field.
			results.Add(
				"Instance user data contains secret(s).",
				userData,
			)
		}
		return
	},
)