Metadata

Id: d7dc9350-74bc-485b-8c85-fed22d276c43

Cloud Provider: Ansible Config

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Description

Galaxy server URLs must use HTTPS to protect the confidentiality and integrity of downloaded roles and any credentials exchanged. Using plain HTTP exposes downloads and authentication data to interception or tampering.

In Ansible configuration documents, this is the groups.galaxy.server property, which must begin with https:// instead of http://. Resources with a missing server property or a value that starts with http:// are flagged. Ensure the HTTPS endpoint presents a valid TLS certificate and do not disable certificate verification.

Secure configuration example:

groups:
  galaxy:
    server: "https://galaxy.example.com"

Compliant Code Examples

[galaxy]
cache_dir=~/.ansible/galaxy_cache
ignore_certs=False
role_skeleton_ignore=^.git$, ^.*/.git_keep$
server=https://galaxy.ansible.com

Non-Compliant Code Examples

[galaxy]
cache_dir=~/.ansible/galaxy_cache
ignore_certs=False
role_skeleton_ignore=^.git$, ^.*/.git_keep$
server=http://galaxy.ansible.com
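
The check described above can be reproduced locally before a scan runs. The following is an added example, not the rule's own implementation: `audit_galaxy` and the sample strings are hypothetical names constructed from the two examples on this page, and returning no findings when the file has no `[galaxy]` section at all is an assumption.

```python
import configparser

# Constructed sample inputs, modelled on the page's two ansible.cfg examples.
COMPLIANT = """\
[galaxy]
cache_dir=~/.ansible/galaxy_cache
ignore_certs=False
role_skeleton_ignore=^.git$, ^.*/.git_keep$
server=https://galaxy.ansible.com
"""
NON_COMPLIANT = COMPLIANT.replace("server=https://", "server=http://")
NO_VERIFY = COMPLIANT.replace("ignore_certs=False", "ignore_certs=True")


def audit_galaxy(cfg_text):
    """Return a list of findings for the [galaxy] section of an ansible.cfg."""
    # interpolation=None keeps regex-like values (e.g. role_skeleton_ignore) literal
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("galaxy"):
        return []  # assumption: no [galaxy] section means nothing to evaluate
    galaxy = parser["galaxy"]
    findings = []

    # A missing/empty server, or one that is not https://, is flagged.
    server = galaxy.get("server", "").strip().strip("\"'")
    if not server:
        findings.append("server is not set")
    elif not server.lower().startswith("https://"):
        findings.append("server does not use https://: " + server)

    # HTTPS only helps if the certificate is actually verified.
    try:
        if galaxy.getboolean("ignore_certs", fallback=False):
            findings.append("ignore_certs disables certificate verification")
    except ValueError:
        findings.append("ignore_certs has a non-boolean value")
    return findings


if __name__ == "__main__":
    for name, text in [("compliant", COMPLIANT), ("http", NON_COMPLIANT),
                       ("no-verify", NO_VERIFY)]:
        print(name, audit_galaxy(text) or "OK")
```
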