Skip to content

Add additional-cloud IaC misconfiguration rule pack (DigitalOcean, Oracle, Alibaba)#218

Open
seonghobae wants to merge 1 commit into
developfrom
cloud-extra-rules
Open

Add additional-cloud IaC misconfiguration rule pack (DigitalOcean, Oracle, Alibaba)#218
seonghobae wants to merge 1 commit into
developfrom
cloud-extra-rules

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

Adds scanner/rules/cloud-extra.yml — a high-precision Terraform IaC misconfiguration rule pack covering three clouds not previously handled: DigitalOcean, Oracle Cloud (OCI), and Alibaba Cloud.

Every pattern is anchored on a provider-specific resource or attribute name (digitalocean_spaces_bucket, source_addresses, ingress_security_rules, oci_objectstorage_bucket, alicloud_security_group_rule, alicloud_oss_bucket), so it never fires on generic files or on AWS/Azure/GCP Terraform.

Rules (6)

Rule Severity
digitalocean-firewall-sensitive-port-world-open HIGH
digitalocean-spaces-bucket-public-acl HIGH
oracle-security-list-ingress-world-open HIGH
oracle-object-storage-bucket-public HIGH
alibaba-security-group-rule-world-open HIGH
alibaba-oss-bucket-public-write CRITICAL

Testing

  • tests/test_cloud_extra_rules.py: per-rule positives + negatives + severities, plus an end-to-end _scan_file scan on a .tf file (confirms rules fire through the real scanner and stay silent on safe config, including a non-matching aws_s3_bucket public ACL).
  • Full suite: 229 passed.

Docs

  • CHANGELOG [Unreleased] entry (Korean).
  • README "Detects" list + rule-tree.

🤖 Generated with Claude Code

Add scanner/rules/cloud-extra.yml with 6 high-precision Terraform rules
for DigitalOcean, Oracle Cloud (OCI), and Alibaba Cloud. Every pattern is
anchored on a provider-specific resource or attribute name so it never
fires on generic files or on AWS/Azure/GCP Terraform.

- digitalocean-firewall-sensitive-port-world-open (HIGH)
- digitalocean-spaces-bucket-public-acl (HIGH)
- oracle-security-list-ingress-world-open (HIGH)
- oracle-object-storage-bucket-public (HIGH)
- alibaba-security-group-rule-world-open (HIGH)
- alibaba-oss-bucket-public-write (CRITICAL)

Includes tests/test_cloud_extra_rules.py (per-rule positives/negatives,
severities, and an end-to-end .tf scan) plus CHANGELOG and README updates.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3
@seonghobae seonghobae enabled auto-merge (squash) July 6, 2026 02:13
the pack fires through the real file scanner and stays quiet on safe config.
"""

from pathlib import Path
@opencode-agent opencode-agent Bot disabled auto-merge July 6, 2026 09:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant