← all rules
iac/terraform/tf-security-group-world-ingress
Security group allows ingress from 0.0.0.0/0
highTerraformiac-terraform
What it detects
An `ingress` rule with `cidr_blocks = ["0.0.0.0/0"]` (or `["::/0"]`) exposes the port to the entire internet. On management ports (SSH 22, RDP 3389, database ports) this is a direct attack surface; even on app ports it removes the network boundary.
Remediation
Restrict `cidr_blocks` to known office/VPN ranges or reference another security group. Egress to 0.0.0.0/0 is usually fine; ingress rarely is.
How it runs
Detection layer not documented.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.