github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/dns/enable_dnssec.go

github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/dns/enable_dnssec.go (about)

     1  package dns
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
    11  var CheckEnableDnssec = rules.Register(
    12  	scan.Rule{
    13  		AVDID:       "AVD-GCP-0013",
    14  		Provider:    providers.GoogleProvider,
    15  		Service:     "dns",
    16  		ShortCode:   "enable-dnssec",
    17  		Summary:     "Cloud DNS should use DNSSEC",
    18  		Impact:      "Unverified DNS responses could lead to man-in-the-middle attacks",
    19  		Resolution:  "Enable DNSSEC",
    20  		Explanation: `DNSSEC authenticates DNS responses, preventing MITM attacks and impersonation.`,
    21  		Links:       []string{},
    22  		Terraform: &scan.EngineMetadata{
    23  			GoodExamples:        terraformEnableDnssecGoodExamples,
    24  			BadExamples:         terraformEnableDnssecBadExamples,
    25  			Links:               terraformEnableDnssecLinks,
    26  			RemediationMarkdown: terraformEnableDnssecRemediationMarkdown,
    27  		},
    28  		Severity: severity.Medium,
    29  	},
    30  	func(s *state.State) (results scan.Results) {
    31  		for _, zone := range s.Google.DNS.ManagedZones {
    32  			if zone.Metadata.IsUnmanaged() || zone.IsPrivate() {
    33  				continue
    34  			}
    35  			if zone.DNSSec.Enabled.IsFalse() {
    36  				results.Add(
    37  					"Managed zone does not have DNSSEC enabled.",
    38  					zone.DNSSec.Enabled,
    39  				)
    40  			} else {
    41  				results.AddPassed(&zone)
    42  			}
    43  		}
    44  		return
    45  	},
    46  )