Certificate validation disabled with Ansible get_url module
Description
This policy detects whether the Ansible get_url tasks enforce SSL certificate validation. Disabling certificate validation in get_url tasks may allow accepting potentially compromised certificates, leading to security vulnerabilities, such as man-in-the-middle attacks.
Code Example
yaml
---
- name: Example
hosts: all
gather_facts: False
tasks:
- name: Ensure certificate validation is not disabled
ansible.builtin.get_url:
url: "https://example.com/file.tar.gz"
dest: "/tmp/file.tar.gz"
- validate_certs: false
+ validate_certs: trueRemediation
Ansible
- Module: ansible.builtin.get_url or get_url
- Attribute: validate_certs
To address this issue, make sure the `validate_certs` attribute within your `get_url` tasks is not set to false. Setting `validate_certs` to true is crucial for validating the SSL certificates and securing your HTTPS connections.
Secure Code Example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0043 |
| Severity | MEDIUM |
| IaC Type | Ansible |
| Frameworks | Ansible |
| Checkov ID | CKV_ANSIBLE_2 |