Metadata

Id: d7dc9350-74bc-485b-8c85-fed22d276c43

Cloud Provider: Ansible Config

Platform: Ansible

Severity: Medium

Category: Insecure Configurations

Description

Galaxy server URLs must use HTTPS to protect the confidentiality and integrity of downloaded roles and any credentials exchanged. Using plain HTTP exposes downloads and authentication data to interception or tampering.

In Ansible configuration documents, this is the groups.galaxy.server property (the server key in the [galaxy] section), which must begin with https:// instead of http://. Resources with a missing server property or a value that starts with http:// are flagged. Ensure the HTTPS endpoint presents a valid TLS certificate, and do not disable certificate verification.

Secure configuration example:

groups:
  galaxy:
    server: "https://galaxy.example.com"

Compliant Code Examples

[galaxy]
cache_dir=~/.ansible/galaxy_cache
ignore_certs=False
role_skeleton_ignore=^.git$, ^.*/.git_keep$
server=https://galaxy.ansible.com

Non-Compliant Code Examples

[galaxy]
cache_dir=~/.ansible/galaxy_cache
ignore_certs=False
role_skeleton_ignore=^.git$, ^.*/.git_keep$
server=http://galaxy.ansible.com
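
The check described above can be reproduced locally before a configuration is committed. The following is an added example, not the rule's own implementation: the function name audit_galaxy, the finding messages and the set of truthy spellings are assumptions, and it goes slightly beyond the rule by also reporting ignore_certs when it is enabled.

```python
import configparser

# Constructed samples: the page's compliant file, and the same file over HTTP.
COMPLIANT = """\
[galaxy]
cache_dir=~/.ansible/galaxy_cache
ignore_certs=False
role_skeleton_ignore=^.git$, ^.*/.git_keep$
server=https://galaxy.ansible.com
"""
NON_COMPLIANT = COMPLIANT.replace("server=https://", "server=http://")

TRUTHY = {"1", "true", "yes", "on"}  # assumption: spellings treated as "enabled"


def audit_galaxy(cfg_text):
    """Return findings for the [galaxy] section of an Ansible config document."""
    # interpolation=None so a literal '%' in a value is not treated as a reference
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("galaxy"):
        return []  # assumption: without a [galaxy] section there is nothing to check
    galaxy = parser["galaxy"]
    findings = []

    # Flag a missing server property, or one that does not begin with https://
    server = galaxy.get("server", "").strip().strip("\"'")
    if not server:
        findings.append("server is not set")
    elif not server.lower().startswith("https://"):
        findings.append("server does not use HTTPS: " + server)

    # HTTPS gives no integrity guarantee if certificate verification is disabled
    if galaxy.get("ignore_certs", "false").strip().lower() in TRUTHY:
        findings.append("ignore_certs disables TLS certificate verification")
    return findings


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, audit_galaxy(text) or "OK")
```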