github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/nifcloud/computing/no_public_ingress_sgr.go (about) 1 package computing 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/cidr" 5 "github.com/khulnasoft-lab/defsec/internal/rules" 6 "github.com/khulnasoft-lab/defsec/pkg/providers" 7 "github.com/khulnasoft-lab/defsec/pkg/scan" 8 "github.com/khulnasoft-lab/defsec/pkg/severity" 9 "github.com/khulnasoft-lab/defsec/pkg/state" 10 ) 11 12 var CheckNoPublicIngressSgr = rules.Register( 13 scan.Rule{ 14 AVDID: "AVD-NIF-0001", 15 Aliases: []string{"nifcloud-computing-no-public-ingress-sgr"}, 16 Provider: providers.NifcloudProvider, 17 Service: "computing", 18 ShortCode: "no-public-ingress-sgr", 19 Summary: "An ingress security group rule allows traffic from /0.", 20 Impact: "Your port exposed to the internet", 21 Resolution: "Set a more restrictive cidr range", 22 Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. 23 When publishing web applications, use a load balancer instead of publishing directly to instances. 24 `, 25 Links: []string{ 26 "https://pfs.nifcloud.com/help/fw/rule_new.htm", 27 }, 28 Terraform: &scan.EngineMetadata{ 29 GoodExamples: terraformNoPublicIngressSgrGoodExamples, 30 BadExamples: terraformNoPublicIngressSgrBadExamples, 31 Links: terraformNoPublicIngressSgrLinks, 32 RemediationMarkdown: terraformNoPublicIngressSgrRemediationMarkdown, 33 }, 34 Severity: severity.Critical, 35 }, 36 func(s *state.State) (results scan.Results) { 37 for _, group := range s.Nifcloud.Computing.SecurityGroups { 38 for _, rule := range group.IngressRules { 39 if cidr.IsPublic(rule.CIDR.Value()) && cidr.CountAddresses(rule.CIDR.Value()) > 1 { 40 results.Add( 41 "Security group rule allows ingress from public internet.", 42 rule.CIDR, 43 ) 44 } else { 45 results.AddPassed(&rule) 46 } 47 } 48 } 49 return 50 }, 51 )