← all rules

iac/terraform/tf-security-group-world-ingress

Security group allows ingress from 0.0.0.0/0

highTerraformiac-terraform

What it detects

An `ingress` rule with `cidr_blocks = ["0.0.0.0/0"]` (or `["::/0"]`) exposes the port to the entire internet. On management ports (SSH 22, RDP 3389, database ports) this is a direct attack surface; even on app ports it removes the network boundary.

Remediation

Restrict `cidr_blocks` to known office/VPN ranges or reference another security group. Egress to 0.0.0.0/0 is usually fine; ingress rarely is.

How it runs

Detection layer not documented.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.