Ensure configuration validation logic accurately reflects security intentions and best practices. When writing validation checks:

  1. Use precise operators that directly verify the intended state.
  2. Account for dependencies between configuration settings.

Example:

# GOOD: Directly validates the intended state
- cond_type: attribute
  attribute: "enable_feature"
  operator: "not_equals_ignore_case"
  value: "true"

# BAD: Unnecessarily complex and error-prone
- cond_type: attribute
  attribute: "enable_feature"
  operator: "exists"
- cond_type: attribute
  attribute: "enable_feature"
  operator: "equals_ignore_case"
  value: "false"

# GOOD: Handles configuration dependencies
- or:
  - cond_type: attribute
    attribute: "shared_access_key_enabled"
    operator: "equals_ignore_case"
    value: "false"
  - and:
    - cond_type: attribute
      attribute: "shared_access_key_enabled"
      operator: "equals_ignore_case"
      value: "true"
    - cond_type: attribute
      attribute: "sas_policy.expiration_period"
      operator: "exists"
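
One way to regression-test checks like the ones above before relying on them, as an added example that is not part of the original guideline: a minimal Python evaluator run over constructed resources, including the unset-attribute case. The operator semantics, the reading of a bare condition list as AND, the helper names, and the sample values are all assumptions.

```python
# Added example. Operator semantics are assumptions, not a specific tool's.
def lookup(resource, path):
    """Resolve a dotted attribute path; None when any part is unset."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def evaluate(cond, resource):
    """Evaluate one condition or a nested and/or group against a resource."""
    if "and" in cond:
        return all(evaluate(c, resource) for c in cond["and"])
    if "or" in cond:
        return any(evaluate(c, resource) for c in cond["or"])
    actual = lookup(resource, cond["attribute"])
    if cond["operator"] == "exists":
        return actual is not None
    same = actual is not None and str(actual).lower() == str(cond["value"]).lower()
    if cond["operator"] == "equals_ignore_case":
        return same
    if cond["operator"] == "not_equals_ignore_case":
        return not same  # assumption: an unset attribute counts as "not equal"
    raise ValueError(f"unsupported operator: {cond['operator']}")

def attr(name, operator, value=None):
    return {"cond_type": "attribute", "attribute": name, "operator": operator, "value": value}
# The three checks from the page, as data. A bare list of conditions is assumed to mean AND.
DIRECT = attr("enable_feature", "not_equals_ignore_case", "true")
TWO_STEP = {"and": [attr("enable_feature", "exists"),
                    attr("enable_feature", "equals_ignore_case", "false")]}
SAS = {"or": [attr("shared_access_key_enabled", "equals_ignore_case", "false"),
              {"and": [attr("shared_access_key_enabled", "equals_ignore_case", "true"),
                       attr("sas_policy.expiration_period", "exists")]}]}
# Constructed sample resources (values are illustrative only).
SAMPLES = {
    "keys_off": {"shared_access_key_enabled": False},
    "keys_on_expiry": {"shared_access_key_enabled": "True",
                       "sas_policy": {"expiration_period": "90.00:00:00"}},
    "keys_on_no_expiry": {"shared_access_key_enabled": True},
    "keys_unset": {},  # fails both branches: neither "false" nor "true"
}
def results(policy, samples):
    return {name: evaluate(policy, res) for name, res in samples.items()}

if __name__ == "__main__":
    for name, ok in results(SAS, SAMPLES).items():
        print(f"{name:18} {'PASS' if ok else 'FAIL'}")
```

Under these assumptions the first two checks disagree only when `enable_feature` is unset, so that is the case to decide deliberately when choosing an operator.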