aquasecurity · simar7 · Aug 27, 2024 · Aug 21, 2024 · Aug 27, 2024
@@ -1,8 +1,9 @@
 
 When creating instances, user data can be used during the initial configuration. User data must not contain sensitive information
 
+
 ### Impact
-Sensitive credentials in the user data can be leaked
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -28,7 +28,8 @@ var CheckNoSensitiveInfo = rules.Register(
 			Links:               terraformNoSensitiveInfoLinks,
 			RemediationMarkdown: terraformNoSensitiveInfoRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, instance := range s.CloudStack.Compute.Instances {

@@ -0,0 +1,37 @@
+# METADATA
+# title: No sensitive data stored in user_data
+# description: |
+#   When creating instances, user data can be used during the initial configuration. User data must not contain sensitive information
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# custom:
+#   id: AVD-CLDSTK-0001
+#   avd_id: AVD-CLDSTK-0001
+#   provider: cloudstack
+#   service: compute
+#   severity: HIGH
+#   short_code: no-sensitive-info
+#   recommended_action: Don't use sensitive data in the user data section
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: compute
+#             provider: cloudstack
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/cloudstack/latest/docs/resources/instance#
+#     good_examples: checks/cloud/cloudstack/compute/no_sensitive_info.tf.go
+#     bad_examples: checks/cloud/cloudstack/compute/no_sensitive_info.tf.go
+package builtin.cloudstack.compute.cloudstack0001
+
+import rego.v1
+
+deny contains res if {
+	some instance in input.cloudstack.compute.instances
+	isManaged(instance)
+	scan_result := squealer.scan_string(instance.userdata.value)
+	scan_result.transgressionFound
+	res := result.new("Instance user data contains secret(s).", instance.userdata)
+}
@@ -0,0 +1,20 @@
+package builtin.cloudstack.compute.cloudstack0001_test
+
+import rego.v1
+
+import data.builtin.cloudstack.compute.cloudstack0001 as check
+import data.lib.test
+
+test_deny_compute_instance_with_sensitive_data if {
+	inp := {"cloudstack": {"compute": {"instances": [{"userdata": {"value": " export DATABASE_PASSWORD=\"SomeSortOfPassword\""}}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
+test_allow_compute_instance_without_sensitive_data if {
+	inp := {"cloudstack": {"compute": {"instances": [{"userdata": {"value": ` export GREETING="Hello there"`}}]}}}
+
+	res := check.deny with input as inp
+	res == set()
+}
@@ -0,0 +1,41 @@
+package test
+
+import (
+	"github.com/aquasecurity/trivy/pkg/iac/providers/cloudstack"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/cloudstack/compute"
+	"github.com/aquasecurity/trivy/pkg/iac/state"
+	trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func init() {
+	addTests(cloudStackTestCases)
+}
+
+var cloudStackTestCases = testCases{
+	"AVD-CLDSTK-0001": {
+		{
+			name: "Compute instance with sensitive information in user data",
+			input: state.State{CloudStack: cloudstack.CloudStack{Compute: compute.Compute{
+				Instances: []compute.Instance{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						UserData: trivyTypes.String(` export DATABASE_PASSWORD=\"SomeSortOfPassword\"`, trivyTypes.NewTestMetadata()),
+					},
+				},
+			}}},
+			expected: true,
+		},
+		{
+			name: "Compute instance with no sensitive information in user data",
+			input: state.State{CloudStack: cloudstack.CloudStack{Compute: compute.Compute{
+				Instances: []compute.Instance{
+					{
+						Metadata: trivyTypes.NewTestMetadata(),
+						UserData: trivyTypes.String(` export GREETING="Hello there"`, trivyTypes.NewTestMetadata()),
+					},
+				},
+			}}},
+			expected: false,
+		},
+	},
+}