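package compute

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicIngress (AVD-DIG-0001) flags DigitalOcean firewall inbound
// rules whose source address is a public CIDR covering more than one host.
//
// The check walks every firewall in s.DigitalOcean.Compute.Firewalls and
// every SourceAddresses entry of each InboundRule. An address fails when
// cidr.IsPublic reports it as public AND cidr.CountAddresses is greater
// than 1, so a single public host (e.g. a /32) is deliberately tolerated
// while ranges such as 0.0.0.0/0 are reported. One result is added per
// offending address; a firewall with no offending address is recorded as
// passed.
//
// Fixes in this revision: the user-facing Resolution text read "CIRDR"
// instead of "CIDR", and the Explanation described connecting *out* to the
// internet, which is egress wording on an ingress rule.
var CheckNoPublicIngress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-DIG-0001",
		Provider:    providers.DigitalOceanProvider,
		Service:     "compute",
		ShortCode:   "no-public-ingress",
		Summary:     "The firewall has an inbound rule with open access",
		Impact:      "Your port is exposed to the internet",
		Resolution:  "Set a more restrictive CIDR range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.`,
		Links: []string{
			"https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressGoodExamples,
			BadExamples:         terraformNoPublicIngressBadExamples,
			Links:               terraformNoPublicIngressLinks,
			RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, firewall := range s.DigitalOcean.Compute.Firewalls {
			// failed is per firewall: a single bad address anywhere in its
			// inbound rules suppresses the AddPassed below.
			var failed bool
			for _, rule := range firewall.InboundRules {
				for _, address := range rule.SourceAddresses {
					// Only public ranges wider than one host are reported;
					// a lone public /32 never trips this condition.
					// NOTE(review): whether IPv6 sources such as ::/0 are
					// recognised depends on cidr.IsPublic/CountAddresses,
					// which are not visible here — confirm they handle v6.
					if cidr.IsPublic(address.Value()) && cidr.CountAddresses(address.Value()) > 1 {
						failed = true
						results.Add(
							"Ingress rule allows access from multiple public addresses.",
							address,
						)
					}
				}
			}
			if !failed {
				results.AddPassed(&firewall)
			}
		}
		return
	},
)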