package rdb

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicIngressDBSgr flags NIFCLOUD RDB DB security group ingress
// entries whose CIDR is a public range covering more than one address.
//
// The check is stricter than the Summary wording ("allows traffic from /0")
// suggests: any public CIDR wider than a single host fails (e.g. a public
// /24), not only 0.0.0.0/0, while a single public host (/32) passes.
// NOTE(review): consider aligning the Summary text with that behaviour.
// Whether cidr.IsPublic also treats IPv6 ranges such as ::/0 as public is
// not visible from this file — confirm before relying on it for IPv6 rules.
var CheckNoPublicIngressDBSgr = rules.Register(
	scan.Rule{
		AVDID:       "AVD-NIF-0011",
		Aliases:     []string{"nifcloud-rdb-no-public-ingress-db-sgr"},
		Provider:    providers.NifcloudProvider,
		Service:     "rdb",
		ShortCode:   "no-public-ingress-db-sgr",
		Summary:     "An ingress db security group rule allows traffic from /0.",
		Impact:      "Your port exposed to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://pfs.nifcloud.com/api/rdb/AuthorizeDBSecurityGroupIngress.htm",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressDBSgrGoodExamples,
			BadExamples:         terraformNoPublicIngressDBSgrBadExamples,
			Links:               terraformNoPublicIngressDBSgrLinks,
			RemediationMarkdown: terraformNoPublicIngressDBSgrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluates every CIDR entry of every RDB DB security group in the state
	// and records one failed or one passed result per entry. A group with no
	// CIDR entries produces no result at all.
	func(s *state.State) (results scan.Results) {
		// isBroadPublicRange reports whether block is a public CIDR that
		// spans more than a single address. The address count is only
		// consulted for public ranges, matching the original short-circuit.
		isBroadPublicRange := func(block string) bool {
			if !cidr.IsPublic(block) {
				return false
			}
			return cidr.CountAddresses(block) > 1
		}

		for _, group := range s.Nifcloud.RDB.DBSecurityGroups {
			for _, entry := range group.CIDRs {
				block := entry.Value()
				if isBroadPublicRange(block) {
					// The finding is attached to the CIDR entry itself so the
					// report points at the offending value.
					results.Add(
						"DB Security group rule allows ingress from public internet.",
						entry,
					)
					continue
				}
				// Passes are attached to the enclosing group. NOTE(review): this
				// takes the address of the range variable; on Go < 1.22 that is
				// the same variable every iteration, which is only safe if
				// AddPassed copies the metadata eagerly rather than retaining the
				// pointer — confirm against scan.Results.AddPassed.
				results.AddPassed(&group)
			}
		}
		return results
	},
)