SonarCloud detects security problems in Terraform for Azure files

Hello,

SonarCloud already provides the possibility to detect security issues in your AWS infrastructure-as-code files (Terraform and CloudFormation).

Today, we are happy to announce that we do the same for Microsoft Azure and provide support for Terraform for Azure in the following domains:

  • Encryption at Rest
  • Encryption in Transit
  • Public Access
  • Permission and Access Control

Here are the rules dedicated to Terraform for Azure:

  • S4423: Weak SSL/TLS protocols should not be used
  • S5332: Using clear-text protocols is security-sensitive
  • S6388: Using unencrypted cloud storages is security-sensitive
  • S6321: Administration services access should be restricted to specific IP addresses
  • S6329: Allowing public network access to cloud resources is security-sensitive
  • S6375: Assigning high privileges Azure Active Directory built-in roles is security-sensitive
  • S6381: Assigning high privileges Azure Resource Manager built-in roles is security-sensitive
  • S6385: Azure custom roles should not grant subscription Owner capabilities
  • S6387: Azure role assignments that grant access to all resources of a subscription are security-sensitive
  • S6378: Disabling Managed Identities for Azure resources is security-sensitive
  • S6380: Authorizing anonymous access to Azure resources is security-sensitive
  • S6379: Enabling Azure resource-specific admin accounts is security-sensitive
  • S6383: Disabling Role-Based Access Control on Azure resources is security-sensitive
  • S6382: Disabling certificate-based authentication is security-sensitive

What about SonarQube? This is available starting from SonarQube CE 9.3.

Next step? We will cover the same domains for Terraform for Google Cloud.

Alex

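As an added example that is not part of the announcement above: one Terraform-for-Azure storage account written twice, first with the kind of settings the listed rules are about, then corrected. It assumes the azurerm provider 3.x (in 4.x `enable_https_traffic_only` is named `https_traffic_only_enabled`); resource names, locations and the mapping of each setting to a rule ID in the comments are my own.

```hcl
# Constructed example, not from the announcement. Assumes azurerm 3.x;
# names and locations are placeholders.

# --- Configuration the Terraform-for-Azure rules would flag ---
resource "azurerm_storage_account" "weak" {
  name                     = "examplestorageweak"
  resource_group_name      = "example-rg"
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  min_tls_version                 = "TLS1_0" # S4423: weak TLS protocol
  enable_https_traffic_only       = false    # S5332: clear-text HTTP accepted
  public_network_access_enabled   = true     # S6329: reachable from the internet
  allow_nested_items_to_be_public = true     # S6380: containers may be anonymous
}

resource "azurerm_storage_container" "weak" {
  name                  = "data"
  storage_account_name  = azurerm_storage_account.weak.name
  container_access_type = "blob"             # S6380: anonymous read of blobs
}

# --- Corrected configuration ---
resource "azurerm_storage_account" "hardened" {
  name                     = "examplestoragehard"
  resource_group_name      = "example-rg"
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  min_tls_version                 = "TLS1_2" # only TLS 1.2 and newer
  enable_https_traffic_only       = true     # HTTPS only
  public_network_access_enabled   = false    # reach it via private endpoint
  allow_nested_items_to_be_public = false    # no anonymous containers at all

  network_rules {
    default_action = "Deny"                  # deny by default on the firewall
    bypass         = ["AzureServices"]
  }
}

resource "azurerm_storage_container" "hardened" {
  name                  = "data"
  storage_account_name  = azurerm_storage_account.hardened.name
  container_access_type = "private"          # authenticated access only
}
```

Running the scanner on the first pair and then the second is a quick way to check which of the listed rules your setup actually enforces.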

Hello, can someone revisit the rule S6380 "Authorizing anonymous access to Azure resources is security-sensitive"? It seems to trigger for Azure APIM API resources even when a Subscription Key is required or when an OAuth2 block is used. OpenID is not the only authentication mechanism.