fix: check only managed load balancers (#369)

nikpivkin · web-flow · commit 83ac3dddea29 · 2025-04-08T07:19:33.000Z
* fix: check only managed load balancers

Signed-off-by: Nikita Pivkin &lt;nikita.pivkin@smartforce.io&gt;

* rest: add test cases

Signed-off-by: Nikita Pivkin &lt;nikita.pivkin@smartforce.io&gt;

---------

Signed-off-by: Nikita Pivkin &lt;nikita.pivkin@smartforce.io&gt;
diff --git a/checks/cloud/aws/elb/http_not_used.rego b/checks/cloud/aws/elb/http_not_used.rego
@@ -29,6 +29,7 @@ import rego.v1
 
 deny contains res if {
 	some lb in input.aws.elb.loadbalancers
+	isManaged(lb)
 	lb.type.value == "application"
 
 	some listener in lb.listeners
diff --git a/checks/cloud/aws/elb/http_not_used_test.rego b/checks/cloud/aws/elb/http_not_used_test.rego
@@ -50,6 +50,19 @@ test_allow_http_but_not_application if {
 	test.assert_empty(check.deny) with input as inp
 }
 
+test_allow_not_managed if {
+	inp := {"aws": {"elb": {"loadbalancers": [{
+		"__defsec_metadata": {"managed": false},
+		"type": {"value": "application"},
+		"listeners": [{
+			"protocol": {"value": "HTTP"},
+			"defaultactions": [{"type": {"value": "forward"}}],
+		}],
+	}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
+
 test_deny_http_without_redirect if {
 	inp := {"aws": {"elb": {"loadbalancers": [{
 		"type": {"value": "application"},
diff --git a/checks/cloud/aws/elb/use_secure_tls_policy.rego b/checks/cloud/aws/elb/use_secure_tls_policy.rego
@@ -39,6 +39,7 @@ outdated_ssl_policies := {
 
 deny contains res if {
 	some lb in input.aws.elb.loadbalancers
+	isManaged(lb)
 	some listener in lb.listeners
 	has_outdated_policy(listener)
 	res := result.new("Listener uses an outdated TLS policy.", listener.tlspolicy)
diff --git a/checks/cloud/aws/elb/use_secure_tls_policy_test.rego b/checks/cloud/aws/elb/use_secure_tls_policy_test.rego
@@ -11,6 +11,15 @@ test_deny_with_outdated_tls_policy if {
 	test.assert_equal_message("Load balancer listener using TLS v1.0", check.deny) with input as inp
 }
 
+test_allow_not_managed if {
+	inp := {"aws": {"elb": {"loadbalancers": [{
+		"__defsec_metadata": {"managed": false},
+		"listeners": [{"tlspolicy": {"value": "ELBSecurityPolicy-TLS-1-0-2015-04"}}],
+	}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
+
 test_allow_with_actual_tls_policy if {
 	inp := {"aws": {"elb": {"loadbalancers": [{"listeners": [{"tlspolicy": {"value": "ELBSecurityPolicy-TLS-1-2-2017-01"}}]}]}}}
 
