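package compute

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicEgress flags DigitalOcean firewall outbound rules whose
// destination CIDR is public and spans more than one address. A single
// public host (a range covering exactly one address) is tolerated; only
// broader public ranges produce a failure, one result per offending
// destination address. A firewall with no failing outbound rules
// (including one with no outbound rules at all) is recorded as passed.
//
// The Impact text describes egress: this is an outbound check, and the
// rule should not be read as an ingress finding.
var CheckNoPublicEgress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-DIG-0003",
		Provider:    providers.DigitalOceanProvider,
		Service:     "compute",
		ShortCode:   "no-public-egress",
		Summary:     "The firewall has an outbound rule with open access",
		Impact:      "The firewall allows outbound traffic to a wide public address range",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressGoodExamples,
			BadExamples:         terraformNoPublicEgressBadExamples,
			Links:               terraformNoPublicEgressLinks,
			RemediationMarkdown: terraformNoPublicEgressRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, firewall := range s.DigitalOcean.Compute.Firewalls {
			var failed bool
			for _, rule := range firewall.OutboundRules {
				for _, address := range rule.DestinationAddresses {
					// Only public ranges wider than a single host are
					// reported; a lone public /32-style destination passes.
					if cidr.IsPublic(address.Value()) && cidr.CountAddresses(address.Value()) > 1 {
						failed = true
						results.Add(
							"Egress rule allows access to multiple public addresses.",
							address,
						)
					}
				}
			}
			if !failed {
				results.AddPassed(&firewall)
			}
		}
		return
	},
)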