github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/sql/no_contained_db_auth.go (about) 1 package sql 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/providers/google/sql" 7 "github.com/khulnasoft-lab/defsec/pkg/scan" 8 "github.com/khulnasoft-lab/defsec/pkg/severity" 9 "github.com/khulnasoft-lab/defsec/pkg/state" 10 ) 11 12 var CheckNoContainedDbAuth = rules.Register( 13 scan.Rule{ 14 AVDID: "AVD-GCP-0023", 15 Provider: providers.GoogleProvider, 16 Service: "sql", 17 ShortCode: "no-contained-db-auth", 18 Summary: "Contained database authentication should be disabled", 19 Impact: "Access can be granted without knowledge of the database administrator", 20 Resolution: "Disable contained database authentication", 21 Explanation: `Users with ALTER permissions on users can grant access to a contained database without the knowledge of an administrator`, 22 Links: []string{ 23 "https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15", 24 }, 25 Terraform: &scan.EngineMetadata{ 26 GoodExamples: terraformNoContainedDbAuthGoodExamples, 27 BadExamples: terraformNoContainedDbAuthBadExamples, 28 Links: terraformNoContainedDbAuthLinks, 29 RemediationMarkdown: terraformNoContainedDbAuthRemediationMarkdown, 30 }, 31 Severity: severity.Medium, 32 }, 33 func(s *state.State) (results scan.Results) { 34 for _, instance := range s.Google.SQL.Instances { 35 if instance.Metadata.IsUnmanaged() { 36 continue 37 } 38 if instance.DatabaseFamily() != sql.DatabaseFamilySQLServer { 39 continue 40 } 41 if instance.Settings.Flags.ContainedDatabaseAuthentication.IsTrue() { 42 results.Add( 43 "Database instance has contained database authentication enabled.", 44 instance.Settings.Flags.ContainedDatabaseAuthentication, 45 ) 46 } else { 47 results.AddPassed(&instance) 48 } 49 50 } 51 return 52 }, 53 )