Demo Comments #45
Conversation
| @@ -0,0 +1,6 @@ | |||
| from ruamel.yaml import YAML | |||
|
|
|||
| foo = YAML(typ='unsafe') | |||
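Review bot: `foo = YAML(typ='unsafe')` on the last line of this hunk selects ruamel.yaml's full Python constructor, which will instantiate arbitrary Python objects and call arbitrary callables named by `!!python/...` tags in whatever document is later passed to `foo.load()`. Unless this loader only ever sees files the repository itself authors, switch to `YAML(typ='safe')` (plain YAML types only) or the default round-trip loader `YAML()` if comments and formatting must survive; both reject Python-object tags at construction time.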
🔴 Code Vulnerability
| foo = YAML(typ='unsafe') | |
| foo = YAML(typ='safe') |
unsafe YAML deserialization (...read more)
Unsafe YAML deserialization. Make sure to use safe deserialization methods to avoid execution of arbitrary code.
| resource "google_sql_database_instance" "bad_example" { | ||
| name = "bad-instance" | ||
| database_version = "MYSQL_8" | ||
| region = "us-central1" | ||
|
|
||
| settings { | ||
| tier = "db-custom-2-13312" | ||
| database_flags { | ||
| name = "cross db ownership chaining" | ||
| value = "on" | ||
| } | ||
| } | ||
| } |
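Review bot: the `database_flags` block in this hunk sets `cross db ownership chaining` to `"on"`, which lets a login that owns objects in one database reach objects in another through an ownership chain without being granted permissions there; it should be `"off"`, and on Cloud SQL this flag only exists for SQL Server in the first place. The same resource declares `database_version = "MYSQL_8"`, so either the instance is meant to be SQL Server (in which case fix the version string) or the flag does not belong here at all; note also that "MYSQL_8" is not the form Cloud SQL uses for MySQL 8 (that is `MYSQL_8_0`), so the apply is likely to fail before the flag is even evaluated.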
Infrastructure as Code Finding
⚫ Critical Severity
| value = "on" | |
| value = "off" |
'settings.database_flags.cross db ownership chaining' is on (...read more)
Cross-database ownership chaining allows users to access objects across databases without requiring separate permissions for each database, creating a potential privilege escalation vulnerability. When enabled, an attacker with access to one database might exploit ownership chains to gain unauthorized access to data in other linked databases, bypassing normal permission boundaries. To secure your SQL Server instance, configure the 'cross db ownership chaining' database flag to 'off' as shown:
settings {
database_flags {
name = "cross db ownership chaining"
value = "off"
}
}
Rule ID: [b2d5f3c9-1e68-47a1-89b4-92f3a6d7e123]
| resource "aws_ebs_volume" "iac_volume" { | ||
| availability_zone = data.aws_availability_zones.available_iac.names[0] | ||
| size = 1 | ||
|
|
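Review bot: `aws_ebs_volume.iac_volume` in this hunk has no `encrypted` argument, so unless the account has EBS encryption-by-default turned on in this region the volume and every snapshot taken from it will be stored in clear. Add `encrypted = true` beside `size = 1`, and if the data needs a customer-managed key rather than the AWS-managed one, set `kms_key_id` as well; making it explicit in code also keeps the result from depending on a per-account setting that a reviewer cannot see in this diff.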
Infrastructure as Code Finding
⚫ Critical Severity
One of 'aws_ebs_volume.encrypted' is undefined (...read more)
This check verifies that Amazon Elastic Block Store (EBS) volumes have encryption enabled. EBS volumes store data in an unencrypted format by default, which could expose sensitive information if the volume is compromised. When encryption is enabled, all data stored at rest on the volume, disk I/O, and snapshots created from the volume are encrypted, providing an additional layer of data protection. To enable encryption, set the 'encrypted' parameter to 'true' in your EBS volume configuration. For example:
resource "aws_ebs_volume" "secure_example" {
  availability_zone = "us-west-2a"
  size              = 40
  encrypted         = true
}
Leaving encryption disabled can lead to data exposure risks and may violate compliance requirements for sensitive data protection.
Rule ID: [cc997676-481b-4e93-aa81-d19f8c5e9b12]
No description provided.