diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml
new file mode 100644
index 00000000..5c82489a
--- /dev/null
+++ b/.github/workflows/official-build.yml
@@ -0,0 +1,49 @@
+name: security-devops-action Official Build
+
+on:
+ pull_request:
+ branches:
+ - release/vNext
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Extract branch name
+ shell: bash
+ run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+ id: extract_branch
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v2
+ with:
+ node-version: '14'
+
+ - name: Configure npm to use GitHub Packages
+ run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
+
+ - name: Install dependencies
+ run: npm install
+
+ - name: Compile TypeScript
+ run: npm run build
+
+ - name: Commit compiled JavaScript
+ run: |
+ git config --global user.name 'github-actions[bot]'
+ git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+ git add lib/.
+ git commit -m 'Official Build: Compile TypeScript to JavaScript'
+ git push --force origin HEAD:${{ steps.extract_branch.outputs.branch }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/README.md b/README.md
index fdb3f760..1ec09319 100644
--- a/README.md
+++ b/README.md
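Review bot: The `Commit compiled JavaScript` step expands `${{ steps.extract_branch.outputs.branch }}` directly into the shell script, and that value is derived from `GITHUB_HEAD_REF`, the pull request's source branch name, which the PR author chooses. In a job that holds `contents: write` and has already written `NPM_TOKEN` to `~/.npmrc`, the branch name should reach the shell as data rather than as script text: add `BRANCH: ${{ steps.extract_branch.outputs.branch }}` under the step's `env:` and push with `git push --force origin "HEAD:${BRANCH}"`. Separately, `actions/checkout@v2` and `actions/setup-node@v2` are referenced by mutable tag and the build runs on Node 14 while `action.yml` in this commit moves to `node20`; pinning both actions to a commit SHA and running `npm ci` instead of `npm install` would keep this release build tied to the lockfile.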
@@ -66,6 +66,7 @@ To only run specific analyzers, use the `tools` command. This command is a comma | [AntiMalware](https://www.microsoft.com/en-us/windows/comprehensive-security) | code, artifacts | - | | [Bandit](https://github.com/PyCQA/bandit) | python | [Apache License 2.0](https://github.com/PyCQA/bandit/blob/master/LICENSE) | | [BinSkim](https://github.com/Microsoft/binskim) | binary - Windows, ELF | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) | +| [Checkov](https://github.com/bridgecrewio/checkov) | Infrastructure-as-code (IaC), Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Templates, or OpenTofu | [Apache License 2.0](https://github.com/bridgecrewio/checkov/blob/main/LICENSE) | | [ESlint](https://github.com/eslint/eslint) | JavaScript | [MIT License](https://github.com/eslint/eslint/blob/main/LICENSE) | | [Template Analyzer](https://github.com/Azure/template-analyzer) | Infrastructure-as-code (IaC), ARM templates, Bicep files | [MIT License](https://github.com/Azure/template-analyzer/blob/main/LICENSE.txt) | | [Terrascan](https://github.com/accurics/terrascan) | Infrastructure-as-code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloudformation | [Apache License 2.0](https://github.com/accurics/terrascan/blob/master/LICENSE) | diff --git a/action.yml b/action.yml index 0e073371..9bf83346 100644 --- a/action.yml +++ b/action.yml 
@@ -20,11 +20,13 @@ inputs: description: A comma separated list of analyzer to run. Example bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy. includeTools: description: Deprecated + existingFilename: + description: A SARIF filename that already exists. If it does, then the normal run will not take place and the file will instead be uploaded to MSDO backend. outputs: sarifFile: description: A file path to a SARIF results file. runs: - using: 'node16' + using: 'node20' main: 'lib/main.js' pre: 'lib/pre.js' post: 'lib/post.js' diff --git a/lib/msdo-helpers.js b/lib/msdo-helpers.js index ead0ff5e..3a060a58 100644 --- a/lib/msdo-helpers.js +++ b/lib/msdo-helpers.js @@ -14,6 +14,7 @@ var Inputs; Inputs["Languages"] = "languages"; Inputs["Tools"] = "tools"; Inputs["IncludeTools"] = "includeTools"; + Inputs["ExistingFilename"] = "existingFilename"; })(Inputs || (exports.Inputs = Inputs = {})); var RunnerType; (function (RunnerType) { @@ -25,6 +26,7 @@ var Tools; (function (Tools) { Tools["Bandit"] = "bandit"; Tools["Binskim"] = "binskim"; + Tools["Checkov"] = "checkov"; Tools["ContainerMapping"] = "container-mapping"; Tools["ESLint"] = "eslint"; Tools["TemplateAnalyzer"] = "templateanalyzer"; diff --git a/lib/msdo.js b/lib/msdo.js index 0d2ef306..e15b453e 100644 --- a/lib/msdo.js +++ b/lib/msdo.js 
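Review bot: The `existingFilename` description does not tell a workflow author that setting it switches the action into a different mode. Judging from the `lib/msdo.js` hunk in this commit, a non-blank value replaces the whole `run` invocation with `upload --file`, so `config`, `policy`, `categories`, `languages` and `tools` are ignored, and the toolkit hunk suggests the `sarifFile` output is not set in that mode. I would word it as `description: Path to an existing SARIF file. When set, no analyzers run, all other inputs are ignored, and the file is passed to the MSDO upload command instead.` and note on `sarifFile` that it is only populated for a normal run.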
@@ -52,59 +52,66 @@ class MicrosoftSecurityDevOps { runMain() { return __awaiter(this, void 0, void 0, function* () { core.debug('MicrosoftSecurityDevOps.runMain - Running MSDO...'); - let args = ['run']; - let config = core.getInput('config'); - if (!common.isNullOrWhiteSpace(config)) { - args.push('-c'); - args.push(config); + let args = undefined; + let existingFilename = core.getInput('existingFilename'); + if (!common.isNullOrWhiteSpace(existingFilename)) { + args = ['upload', '--file', existingFilename]; } - let policy = core.getInput('policy'); - if (common.isNullOrWhiteSpace(policy)) { - policy = "GitHub"; - } - args.push('-p'); - args.push(policy); - let categoriesString = core.getInput('categories'); - if (!common.isNullOrWhiteSpace(categoriesString)) { - args.push('--categories'); - let categories = categoriesString.split(','); - for (let i = 0; i < categories.length; i++) { - let category = categories[i]; - if (!common.isNullOrWhiteSpace(category)) { - args.push(category.trim()); + else { + args = ['run']; + let config = core.getInput('config'); + if (!common.isNullOrWhiteSpace(config)) { + args.push('-c'); + args.push(config); + } + let policy = core.getInput('policy'); + if (common.isNullOrWhiteSpace(policy)) { + policy = "GitHub"; + } + args.push('-p'); + args.push(policy); + let categoriesString = core.getInput('categories'); + if (!common.isNullOrWhiteSpace(categoriesString)) { + args.push('--categories'); + let categories = categoriesString.split(','); + for (let i = 0; i < categories.length; i++) { + let category = categories[i]; + if (!common.isNullOrWhiteSpace(category)) { + args.push(category.trim()); + } } } - } - let languagesString = core.getInput('languages'); - if (!common.isNullOrWhiteSpace(languagesString)) { - args.push('--languages'); - let languages = languagesString.split(','); - for (let i = 0; i < languages.length; i++) { - let language = languages[i]; - if (!common.isNullOrWhiteSpace(language)) { - args.push(language.trim()); + 
let languagesString = core.getInput('languages'); + if (!common.isNullOrWhiteSpace(languagesString)) { + args.push('--languages'); + let languages = languagesString.split(','); + for (let i = 0; i < languages.length; i++) { + let language = languages[i]; + if (!common.isNullOrWhiteSpace(language)) { + args.push(language.trim()); + } } } - } - let toolsString = core.getInput('tools'); - let includedTools = []; - if (!common.isNullOrWhiteSpace(toolsString)) { - let tools = toolsString.split(','); - for (let i = 0; i < tools.length; i++) { - let tool = tools[i]; - let toolTrimmed = tool.trim(); - if (!common.isNullOrWhiteSpace(tool) - && tool != msdo_helpers_1.Tools.ContainerMapping - && includedTools.indexOf(toolTrimmed) == -1) { - if (includedTools.length == 0) { - args.push('--tool'); + let toolsString = core.getInput('tools'); + let includedTools = []; + if (!common.isNullOrWhiteSpace(toolsString)) { + let tools = toolsString.split(','); + for (let i = 0; i < tools.length; i++) { + let tool = tools[i]; + let toolTrimmed = tool.trim(); + if (!common.isNullOrWhiteSpace(tool) + && tool != msdo_helpers_1.Tools.ContainerMapping + && includedTools.indexOf(toolTrimmed) == -1) { + if (includedTools.length == 0) { + args.push('--tool'); + } + args.push(toolTrimmed); + includedTools.push(toolTrimmed); } - args.push(toolTrimmed); - includedTools.push(toolTrimmed); } } + args.push('--github'); } - args.push('--github'); yield client.run(args, 'microsoft/security-devops-action'); }); } diff --git a/node_modules/.bin/uuid b/node_modules/.bin/uuid index c3ec0035..0c2d4696 100644 --- a/node_modules/.bin/uuid +++ b/node_modules/.bin/uuid @@ -2,7 +2,11 @@ basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')") case `uname` in - *CYGWIN*|*MINGW*|*MSYS*) basedir=`cygpath -w "$basedir"`;; + *CYGWIN*|*MINGW*|*MSYS*) + if command -v cygpath > /dev/null 2>&1; then + basedir=`cygpath -w "$basedir"` + fi + ;; esac if [ -x "$basedir/node" ]; then 
diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json index cbf38086..3d2207b8 100644 --- a/node_modules/.package-lock.json +++ b/node_modules/.package-lock.json @@ -1,6 +1,6 @@ { "name": "microsoft-security-devops-action", - "version": "1.10.0", + "version": "1.12.0", "lockfileVersion": 3, "requires": true, "packages": { @@ -31,9 +31,9 @@ "license": "MIT" }, "node_modules/@microsoft/security-devops-actions-toolkit": { - "version": "1.10.0", - "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.10.0/f22bf01b5f678e9b9ed9965d45d9889fb39b1dd9", - "integrity": "sha512-jOJ3FlqgHdcBzEcoxb039h8+W+mGp0xwV/HMA8gx1TlCzR4kGCOfYyJUlAtGFoiU9slDMDE3EbziDszAF1+L5Q==", + "version": "1.11.0", + "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.11.0/04fef883382f5a7c9b9ac2015dcc419009e2a858", + "integrity": "sha512-dcuMhkEa8uqVpsT05E/nSMfBRtKzEhiQ/KFqEbTd5sAs7ChVP+Ke+ZMEgw4gP4LdA2cO7mH7VTfJ8xxlmwEwUw==", "license": "MIT", "dependencies": { "@actions/core": "1.10.0", @@ -1851,6 +1851,7 @@ "resolved": "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz", "integrity": "sha512-dvEs27SCZt2ibF29xYgmnwwCYZxdxhQ/+LFWlbAW8y7jt68L/65402Lz3+CKy0Ov4rOs+NERmDq7YlZaDqUIfA==", "dev": true, + "license": "MIT", "dependencies": { "glob-watcher": "^5.0.3", "gulp-cli": "^2.2.0", diff --git a/node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js b/node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js index 821e2c12..f08baae6 100644 --- a/node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js +++ b/node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js 
@@ -97,27 +97,30 @@ function run(inputArgs, telemetryEnvironment = 'github') { yield init(); cliFilePath = process.env.MSDO_FILEPATH; core.debug(`cliFilePath = ${cliFilePath}`); - if (inputArgs != null) { + if (inputArgs != null && inputArgs.length != 0) { for (let i = 0; i < inputArgs.length; i++) { args.push(inputArgs[i]); } } - args.push('--not-break-on-detections'); if (core.isDebug()) { args.push('--logger-level'); args.push('trace'); } - let sarifFile = path.join(process.env.GITHUB_WORKSPACE, '.gdn', 'msdo.sarif'); - core.debug(`sarifFile = ${sarifFile}`); - core.exportVariable('MSDO_SARIF_FILE', sarifFile); - core.setOutput('sarifFile', sarifFile); - if (common.isVersionGreaterThanOrEqualTo(process.env.MSDO_INSTALLEDVERSION, '0.183.0')) { - args.push('--export-file'); - } - else { - args.push('--export-breaking-results-to-file'); + let isUploadExisting = inputArgs[0] == "upload"; + if (!isUploadExisting) { + args.push('--not-break-on-detections'); + let sarifFile = path.join(process.env.GITHUB_WORKSPACE, '.gdn', 'msdo.sarif'); + core.debug(`sarifFile = ${sarifFile}`); + core.exportVariable('MSDO_SARIF_FILE', sarifFile); + core.setOutput('sarifFile', sarifFile); + if (common.isVersionGreaterThanOrEqualTo(process.env.MSDO_INSTALLEDVERSION, '0.183.0')) { + args.push('--export-file'); + } + else { + args.push('--export-breaking-results-to-file'); + } + args.push(sarifFile); } - args.push(sarifFile); args.push('--telemetry-environment'); args.push(telemetryEnvironment); core.debug(`GdnDebugDrop = ${debugDrop}`); diff --git a/node_modules/@microsoft/security-devops-actions-toolkit/package.json b/node_modules/@microsoft/security-devops-actions-toolkit/package.json index d60e82ef..a621b3e5 100644 --- a/node_modules/@microsoft/security-devops-actions-toolkit/package.json +++ b/node_modules/@microsoft/security-devops-actions-toolkit/package.json 
@@ -1,6 +1,6 @@ { "name": "@microsoft/security-devops-actions-toolkit", - "version": "1.10.0", + "version": "1.11.0", "description": "Microsoft Security DevOps for GitHub Actions toolkit.", "author": "Microsoft Corporation", "license": "MIT", diff --git a/package-lock.json b/package-lock.json index 09437444..e5854f3b 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,17 +1,17 @@ { "name": "microsoft-security-devops-action", - "version": "1.10.0", + "version": "1.12.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "microsoft-security-devops-action", - "version": "1.10.0", + "version": "1.12.0", "license": "MIT", "dependencies": { "@actions/core": "1.10.0", "@actions/exec": "1.1.1", - "@microsoft/security-devops-actions-toolkit": "1.10.0" + "@microsoft/security-devops-actions-toolkit": "1.11.0" }, "devDependencies": { "@types/mocha": "^2.2.44", @@ -55,9 +55,9 @@ "license": "MIT" }, "node_modules/@microsoft/security-devops-actions-toolkit": { - "version": "1.10.0", - "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.10.0/f22bf01b5f678e9b9ed9965d45d9889fb39b1dd9", - "integrity": "sha512-jOJ3FlqgHdcBzEcoxb039h8+W+mGp0xwV/HMA8gx1TlCzR4kGCOfYyJUlAtGFoiU9slDMDE3EbziDszAF1+L5Q==", + "version": "1.11.0", + "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.11.0/04fef883382f5a7c9b9ac2015dcc419009e2a858", + "integrity": "sha512-dcuMhkEa8uqVpsT05E/nSMfBRtKzEhiQ/KFqEbTd5sAs7ChVP+Ke+ZMEgw4gP4LdA2cO7mH7VTfJ8xxlmwEwUw==", "license": "MIT", "dependencies": { "@actions/core": "1.10.0", @@ -1875,6 +1875,7 @@ "resolved": "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz", "integrity": "sha512-dvEs27SCZt2ibF29xYgmnwwCYZxdxhQ/+LFWlbAW8y7jt68L/65402Lz3+CKy0Ov4rOs+NERmDq7YlZaDqUIfA==", "dev": true, + "license": "MIT", "dependencies": { "glob-watcher": "^5.0.3", "gulp-cli": "^2.2.0", 
@@ -5493,9 +5494,9 @@ "version": "1.0.2" }, "@microsoft/security-devops-actions-toolkit": { - "version": "1.10.0", - "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.10.0/f22bf01b5f678e9b9ed9965d45d9889fb39b1dd9", - "integrity": "sha512-jOJ3FlqgHdcBzEcoxb039h8+W+mGp0xwV/HMA8gx1TlCzR4kGCOfYyJUlAtGFoiU9slDMDE3EbziDszAF1+L5Q==", + "version": "1.11.0", + "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.11.0/04fef883382f5a7c9b9ac2015dcc419009e2a858", + "integrity": "sha512-dcuMhkEa8uqVpsT05E/nSMfBRtKzEhiQ/KFqEbTd5sAs7ChVP+Ke+ZMEgw4gP4LdA2cO7mH7VTfJ8xxlmwEwUw==", "requires": { "@actions/core": "1.10.0", "@actions/exec": "1.1.1", diff --git a/package.json b/package.json index 04af9bec..0de9e27a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "microsoft-security-devops-action", - "version": "1.11.0", + "version": "1.12.0", "description": "Node dependencies for the microsoft/security-devops-action.", "scripts": { "build": "npx gulp", @@ -13,7 +13,7 @@ "dependencies": { "@actions/core": "1.10.0", "@actions/exec": "1.1.1", - "@microsoft/security-devops-actions-toolkit": "1.10.0" + "@microsoft/security-devops-actions-toolkit": "1.11.0" }, "devDependencies": { "@types/mocha": "^2.2.44", diff --git a/samples/insecure.py b/samples/insecure.py index d43c0b3b..f9d4921e 100644 --- a/samples/insecure.py +++ b/samples/insecure.py 
@@ -1,24 +1,26 @@ -import hashlib -print("I am very insecure. Bandit thinks so too.") -#B110 -xs=[1,2,3,4,5,6,7,8] -try: - print(xs[7]) - print(xs[8]) -except: pass +# Commented out sample to pass scanning +# +#import hashlib +# print("I am very insecure. Bandit thinks so too.") +# #B110 +# xs=[1,2,3,4,5,6,7,8] +# try: +# print(xs[7]) +# print(xs[8]) +# except: pass -ys=[1, 2, None, None] -for y in ys: - try: - print(str(y+3)) #TypeErrors ahead - except: continue #not how to handle them +# ys=[1, 2, None, None] +# for y in ys: +# try: +# print(str(y+3)) #TypeErrors ahead +# except: continue #not how to handle them -#some imports -import telnetlib -import ftplib +# #some imports +# import telnetlib +# import ftplib -#B303 and B324 -s = b"I am a string" -print("MD5: " +hashlib.md5(s).hexdigest()) -print("SHA1: " +hashlib.sha1(s).hexdigest()) -print("SHA256: " +hashlib.sha256(s).hexdigest()) +# #B303 and B324 +# s = b"I am a string" +# print("MD5: " +hashlib.md5(s).hexdigest()) +# print("SHA1: " +hashlib.sha1(s).hexdigest()) +# print("SHA256: " +hashlib.sha256(s).hexdigest()) diff --git a/sda.sarif b/sda.sarif new file mode 100644 index 00000000..46a3e920 --- /dev/null +++ b/sda.sarif 
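Review bot: Commenting out the whole fixture makes the repository scan pass by removing the test input rather than by scoping the scan, so `samples/insecure.py` no longer gives Bandit anything to report (B110, B303 and B324 are the cases its comments name). If any sample workflow or self-test relies on this file producing findings, it now verifies nothing; keeping the code and excluding `samples/` from the repository's own scan would preserve the fixture. If the file has to stay inert, the opening comment should say why and how to restore it, e.g. `# Intentionally insecure Bandit fixture (B110, B303, B324), disabled so the repository's own scan passes; uncomment to exercise the analyzer.` The first commented line is `#import hashlib` while the rest use `# `, so stripping a uniform prefix will not restore the file cleanly.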
@@ -0,0 +1,9259 @@ +{ + "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "antimalware", + "rules": [ + { + "id": "NoThreatsFound", + "name": "No threats were found by AntiMalware." + } + ], + "properties": { + "RawName": "antimalware" + } + } + }, + "invocations": [ + { + "commandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24090.11-0\\MpCmdRun.exe\" -Scan -ScanType 3 -DisableRemediation -File D:\\source\\security-devops-action", + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "results": [], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "antimalware>>0>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "bandit", + "properties": { + "RawName": "bandit" + } + } + }, + "invocations": [ + { + "endTimeUtc": "2024-11-07T04:56:49.000Z", + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "results": [], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "metrics": 
{"_totals":{"loc":0,"nosec":0,"SEVERITY.UNDEFINED":0.0,"CONFIDENCE.UNDEFINED":0.0,"SEVERITY.LOW":0.0,"CONFIDENCE.LOW":0.0,"SEVERITY.MEDIUM":0.0,"CONFIDENCE.MEDIUM":0.0,"SEVERITY.HIGH":0.0,"CONFIDENCE.HIGH":0.0},"D:\\source\\security-devops-action\\samples\\insecure.py":{"loc":0,"nosec":0,"SEVERITY.UNDEFINED":0.0,"SEVERITY.LOW":0.0,"SEVERITY.MEDIUM":0.0,"SEVERITY.HIGH":0.0,"CONFIDENCE.UNDEFINED":0.0,"CONFIDENCE.LOW":0.0,"CONFIDENCE.MEDIUM":0.0,"CONFIDENCE.HIGH":0.0}}, + "toolInfoId": "bandit>>1>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "credscan", + "organization": "Microsoft Corporation", + "product": "Microsoft Security Credential Scanner Client", + "fullName": "CredentialScanner 2.5.1.13", + "version": "2.5.1.13", + "semanticVersion": "2.5.1", + "rules": [ + { + "id": "CSCAN-GENERAL0020", + "name": "X.509 Certificate Private Key", + "fullDescription": { + "text": "used as a private component in SSL certificates." + }, + "shortDescription": { + "text": "X.509 Certificate Private Key." + }, + "messageStrings": { + "Default": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + } + }, + "helpUri": "https://aka.ms/CredScanDocs" + } + ], + "properties": { + "Comments": "CredentialScanner is an Azure security tool to scan for credentials & other sensitive data in source code and/or system files.", + "RawName": "credscan" + } + }, + "properties": { + "IsPreview": true + } + }, + "invocations": [ + { + "startTimeUtc": "2024-11-07T04:57:07.500Z", + "endTimeUtc": "2024-11-07T04:57:15.725Z", + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "originalUriBaseIds": { + "file:///D:/source/security-devops-action/": { + "uri": "file:///D:/source/security-devops-action/" + } + }, + "results": [ + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/allsans.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/allsans.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "ad80df55e021c410c64bbdc3c768739c9b7fd32cfe9d37e5049efe305a7cabbe", + "gdnAlternativeSignature0": "471e593e20b5c75c62e499b8249c85f1835dc7f99dc9553a8a66b1be2550515d" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/badcert.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/badcert.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 19, + "startColumn": 1, + "endLine": 19, + "endColumn": 31 + } + } + } + ], + "fingerprints": { + "HashCode": "fdZwTjfxyQHIYf+BmyPXyLEOqdG4U2NLBuFNLckqc/s=", + "gdnPrimarySignature": "8c4f1c7c24033f5c2d1af110b7167b907f6c213c8da0388cc94da267b3b26053", + "gdnAlternativeSignature0": "370b8fdda16cd6662fa9f668df5eb3d0a34e6a7df7f9a47aa8e76ca6db6d7ceb" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/idnsans.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/idnsans.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "e0143173968f10743c164db98a97f2f2ad51665ef207fc2e5ed568dadf16daa4", + "gdnAlternativeSignature0": "6a0059872bc6e5a9f1910e1c20b82a8c9770991596470214159c8d720884cf3c" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.passwd.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.passwd.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 37 + } + } + } + ], + "fingerprints": { + "HashCode": "vIPMvs25zTEA4CvYd/yXI5Q3s9TvruLN5sjPEqmD9Qo=", + "gdnPrimarySignature": "81cfc42c1d0b6a44b58032508492c13a1da8709259d9b955b7818b54375d7454", + "gdnAlternativeSignature0": "a3834b8e54bd96dedf30634b2195d9c1b45ffc9ac2d0cf9e7d72fb01ab2be4b6" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "a5673d23e7575ac45ddbdc1d2e29a20164ef7e82f569408bffe292ceb779806a", + "gdnAlternativeSignature0": "13b90a64372a219e131bd44c942fb99d2e0499c28a050af144f432498b71b0b7" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert2.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert2.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "0e05cea19167aed8b8ae01c841a7334ccb9c7fd7b993406580ff2832d15f7ce5", + "gdnAlternativeSignature0": "17f42847401af81a1d829e8aeac516090ae6c41935d0265f19c20dc5208ce44b" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert3.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert3.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "cc2c869c6af3917c188f3405a5cab29825b895ad248b5e8d5657be11a3575e97", + "gdnAlternativeSignature0": "77b87003353fbbbdd842e915e87ceb94a00295aaa14b394e046cfc2e3d4c70a3" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert4.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert4.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "c778616f1b5c561f1c66d5843f0e4759cbccf82ba1868f8af267ba96077086df", + "gdnAlternativeSignature0": "c387065dadee4e1320aee04842ec83e45758e802066fcc8deba5055695bfe565" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycertecc.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycertecc.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "07fc5532f6969723a59a30bbf4679124b3408c52ad141644aefd5a5ee5ce3187", + "gdnAlternativeSignature0": "c3edc90bf722fd1545c98c99e988dc5405b162ce917767cb0aa7f53ac4954506" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/pycakey.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/pycakey.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "4d5d643001bdc9ca750ddc12572d03f20c6ea6b00ccec260daad81b2cbaad937", + "gdnAlternativeSignature0": "5940924f309382ed130dc9019b7ddc750982599de02152e9f2badb1a4def1c77" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.passwd.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.passwd.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 37 + } + } + } + ], + "fingerprints": { + "HashCode": "vIPMvs25zTEA4CvYd/yXI5Q3s9TvruLN5sjPEqmD9Qo=", + "gdnPrimarySignature": "78f7c576f77b65667382d3cd1f98088d2a5e607d39cc22af6729d55e1f62f28c", + "gdnAlternativeSignature0": "45c71b1ac1f0538e9be6aba276dcb1484749f62e1ed6c955b8d06b3a034f4295" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "1f4b7943f9d0c70caa2b1022c17ac1978128ebd3cf36afb1375dbd8dade2cd89", + "gdnAlternativeSignature0": "47585da2145382121fadbbbe66ef8b7f20a193b4b38372d031552b996edb0fea" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + } + ], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "credscan>>2>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "eslint", + "version": "8.56.0", + "informationUri": "https://eslint.org", + "properties": { + "RawName": "eslint" + } + } + }, + "invocations": [ + { + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/gulpfile.js", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + 
"artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/container-mapping.js", + "index": 1 + }, + "region": { + "startLine": 36, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/main.js", + "index": 2 + }, + "region": { + "startLine": 35, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/msdo-helpers.js", + "index": 3 + }, + "region": { + "startLine": 7, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/msdo.js", + "index": 5 + }, + "region": { + "startLine": 36, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/post.js", + "index": 6 + }, + "region": { + "startLine": 35, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/pre.js", + "index": 7 + }, + "region": { + "startLine": 
35, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/samples/insecure.js", + "index": 8 + }, + "region": { + "startLine": 1, + "startColumn": 5 + } + } + } + ], + "message": { + "text": "Parsing error: Unexpected token injection" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/container-mapping.ts", + "index": 9 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/main.ts", + "index": 10 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/msdo-helpers.ts", + "index": 11 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/msdo-interface.ts", + "index": 12 + }, + "region": { + "startLine": 4, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'export' is reserved" + }, 
+ "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/msdo.ts", + "index": 13 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/post.ts", + "index": 14 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/pre.ts", + "index": 15 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/test/post.tests.ts", + "index": 16 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/test/pre.tests.ts", + "index": 17 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { 
+ "uri": "file:///D:/source/security-devops-action/test/testCommon.ts", + "index": 18 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + } + ], + "executionSuccessful": false + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "artifacts": [ + { + "location": { + "uri": "file:///D:/source/security-devops-action/gulpfile.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/container-mapping.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/main.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/msdo-helpers.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/msdo-interface.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/msdo.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/post.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/pre.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/samples/insecure.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/container-mapping.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/main.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/msdo-helpers.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/msdo-interface.ts" + } + }, + { + "location": { + "uri": 
"file:///D:/source/security-devops-action/src/msdo.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/post.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/pre.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/test/post.tests.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/test/pre.tests.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/test/testCommon.ts" + } + } + ], + "results": [], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "eslint>>3>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "iacfilescanner", + "organization": "Microsoft", + "fullName": "IaC File Scanner", + "version": "0.1.3", + "rules": [ + { + "id": "IFS-1", + "name": "TagForResource", + "help": { + "text": "An IaC tag(s) was found on this resource. If there is a supported mapping tag, it will be used for code-to-cloud mapping." + }, + "shortDescription": { + "text": "An IaC tag(s) was found on this resource." + }, + "messageStrings": { + "default": { + "text": "An IaC tag(s) was found on this resource." 
+ } + } + } + ], + "properties": { + "RawName": "iacfilescanner" + } + } + }, + "invocations": [ + { + "startTimeUtc": "2024-11-07T04:57:38.817Z", + "endTimeUtc": "2024-11-07T04:57:38.863Z", + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "originalUriBaseIds": { + "ROOTPATH": { + "uri": "file:///D:/source/security-devops-action" + } + }, + "artifacts": [ + { + "location": { + "uri": "samples/IaCMapping/main.tf", + "uriBaseId": "ROOTPATH" + } + } + ], + "results": [ + { + "ruleId": "IFS-1", + "ruleIndex": 0, + "level": "note", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "iacmapping1212", + "kind": "azurerm_storage_account" + } + ], + "properties": { + "mappingTagDictionary": {"mapping_tag":"6189b638-15a5-42ec-b934-0d2b8e035ce1"} + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6a2b2a71245a88c5e349c7097ea77bb21272924e2d7d7fb032670e63664912bd", + "gdnAlternativeSignature0": "21dbf0708629d98ff73f008fe2a43b6e0848c2e9ab665049176189097f037ace" + } + } + ], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "iacfilescanner>>4>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "templateanalyzer", + "organization": "Microsoft", + "fullName": "Template Analyzer", + "version": "0.8.0+1ba73133c28786a16b2c19e5d5eef09eb2324538", + "informationUri": "https://github.com/Azure/template-analyzer", + "rules": [ + { + "id": "TA-000001", + "name": "AppService.EnableDiagnosticLogs", + 
"fullDescription": { + "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." + }, + "help": { + "text": "Enable diagnostic logs in App Service." + }, + "shortDescription": { + "text": "Diagnostic logs in App Service should be enabled." + }, + "messageStrings": { + "default": { + "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000001-diagnostic-logs-in-app-service-should-be-enabled" + }, + { + "id": "TA-000003", + "name": "AppServiceAPIApp.OnlyFTPS", + "fullDescription": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "help": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "shortDescription": { + "text": "FTPS only should be required in your API app." + }, + "messageStrings": { + "default": { + "text": "Enable FTPS enforcement for enhanced security." + } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000003-ftps-only-should-be-required-in-your-api-app" + }, + { + "id": "TA-000004", + "name": "AppServiceAPIApp.OnlyHTTPS", + "fullDescription": { + "text": "API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + }, + "help": { + "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." + }, + "shortDescription": { + "text": "API app should only be accessible over HTTPS." 
+ }, + "messageStrings": { + "default": { + "text": "API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md#ta-000004-api-app-should-only-be-accessible-over-https" + }, + { + "id": "TA-000005", + "name": "AppServiceAPIApp.UseLatestTLS", + "fullDescription": { + "text": "API apps should require the latest TLS version." + }, + "help": { + "text": "Upgrade to the latest TLS version." + }, + "shortDescription": { + "text": "Latest TLS version should be used in your API app." + }, + "messageStrings": { + "default": { + "text": "API apps should require the latest TLS version." + } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000005-latest-tls-version-should-be-used-in-your-api-app" + }, + { + "id": "TA-000006", + "name": "AppServiceAPIApp.RestrictCORSAccess", + "fullDescription": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app." + }, + "help": { + "text": "Allow only required domains to interact with your API app." + }, + "shortDescription": { + "text": "CORS should not allow every resource to access your API app." + }, + "messageStrings": { + "default": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app." 
+ } + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000006-cors-should-not-allow-every-resource-to-access-your-api-app" + }, + { + "id": "TA-000007", + "name": "AppServiceAPIApp.UseManagedIdentity", + "fullDescription": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + }, + "help": { + "text": "Use a managed identity for enhanced authentication security." + }, + "shortDescription": { + "text": "Managed identity should be used in your API app." + }, + "messageStrings": { + "default": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000007-managed-identity-should-be-used-in-your-api-app" + }, + { + "id": "TA-000009", + "name": "AppServiceFunctionApp.OnlyFTPS", + "fullDescription": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "help": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "shortDescription": { + "text": "FTPS only should be required in your function app." + }, + "messageStrings": { + "default": { + "text": "Enable FTPS enforcement for enhanced security." 
+ } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000009-ftps-only-should-be-required-in-your-function-app" + }, + { + "id": "TA-000010", + "name": "AppServiceFunctionApp.OnlyHTTPS", + "fullDescription": { + "text": "Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + }, + "help": { + "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." + }, + "shortDescription": { + "text": "Function app should only be accessible over HTTPS." + }, + "messageStrings": { + "default": { + "text": "Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000010-function-app-should-only-be-accessible-over-https" + }, + { + "id": "TA-000011", + "name": "AppServiceFunctionApp.UseLatestTLS", + "fullDescription": { + "text": "Function apps should require the latest TLS version." + }, + "help": { + "text": "Upgrade to the latest TLS version." + }, + "shortDescription": { + "text": "Latest TLS version should be used in your function app." + }, + "messageStrings": { + "default": { + "text": "Function apps should require the latest TLS version." + } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000011-latest-tls-version-should-be-used-in-your-function-app" + }, + { + "id": "TA-000012", + "name": "AppServiceFunctionApp.RestrictCORSAccess", + "fullDescription": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. 
Allow only required domains to interact with your function app." + }, + "help": { + "text": "Allow only required domains to interact with your function app." + }, + "shortDescription": { + "text": "CORS should not allow every resource to access your function app." + }, + "messageStrings": { + "default": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app." + } + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000012-cors-should-not-allow-every-resource-to-access-your-function-app" + }, + { + "id": "TA-000013", + "name": "AppServiceFunctionApp.UseManagedIdentity", + "fullDescription": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + }, + "help": { + "text": "Use a managed identity for enhanced authentication security." + }, + "shortDescription": { + "text": "Managed identity should be used in your function app." + }, + "messageStrings": { + "default": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000013-managed-identity-should-be-used-in-your-function-app" + }, + { + "id": "TA-000015", + "name": "AppServiceWebApp.OnlyFTPS", + "fullDescription": { + "text": "Enable FTPS enforcement for enhanced security." 
+ }, + "help": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "shortDescription": { + "text": "FTPS only should be required in your web app." + }, + "messageStrings": { + "default": { + "text": "Enable FTPS enforcement for enhanced security." + } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000015-ftps-only-should-be-required-in-your-web-app" + }, + { + "id": "TA-000016", + "name": "AppServiceWebApp.OnlyHTTPS", + "fullDescription": { + "text": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + }, + "help": { + "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." + }, + "shortDescription": { + "text": "Web apps should only be accessible over HTTPS." + }, + "messageStrings": { + "default": { + "text": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000016-web-apps-should-only-be-accessible-over-https" + }, + { + "id": "TA-000017", + "name": "AppServiceWebApp.UseLatestTLS", + "fullDescription": { + "text": "Web apps should require the latest TLS version." + }, + "help": { + "text": "Upgrade to the latest TLS version." + }, + "shortDescription": { + "text": "Latest TLS version should be used in your web app." + }, + "messageStrings": { + "default": { + "text": "Web apps should require the latest TLS version." 
+ } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000017-latest-tls-version-should-be-used-in-your-web-app" + }, + { + "id": "TA-000018", + "name": "AppServiceWebApp.RestrictCORSAccess", + "fullDescription": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." + }, + "help": { + "text": "Allow only required domains to interact with your web app." + }, + "shortDescription": { + "text": "CORS should not allow every resource to access your web apps." + }, + "messageStrings": { + "default": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." + } + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000018-cors-should-not-allow-every-resource-to-access-your-web-apps" + }, + { + "id": "TA-000019", + "name": "AppServiceWebApp.UseManagedIdentity", + "fullDescription": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + }, + "help": { + "text": "Use a managed identity for enhanced authentication security." + }, + "shortDescription": { + "text": "Managed identity should be used in your web app." + }, + "messageStrings": { + "default": { + "text": "For enhanced authentication security, use a managed identity. 
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000019-managed-identity-should-be-used-in-your-web-app" + } + ], + "properties": { + "RawName": "templateanalyzer" + } + } + }, + "invocations": [ + { + "startTimeUtc": "2024-11-07T04:57:57.369Z", + "endTimeUtc": "2024-11-07T04:58:02.943Z", + "toolExecutionNotifications": [ + { + "message": { + "text": "Discovered 1 template-parameter pairs to analyze" + }, + "level": "note" + } + ], + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "originalUriBaseIds": { + "ROOTPATH": { + "uri": "file:///D:/source/security-devops-action" + } + }, + "artifacts": [ + { + "location": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + } + } + ], + "results": [ + { + "ruleId": "TA-000001", + "ruleIndex": 0, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 264 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "be38ef4a5beacf017f220b3d98472e58b2a22f36fd9be444d705a6da0156fd74", + "gdnAlternativeSignature0": "ed2c5f6d187878540408f5bbb17875166e824df9cd545c2071e66b80f6c4bb01" + } + }, + { + "ruleId": "TA-000001", + "ruleIndex": 0, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": 
"ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 280 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d37d8282e31133b27146eb024c2736f1d7b65bdd6a42c08607bdb2bead9b5423", + "gdnAlternativeSignature0": "4c40d2cc63ce679ba6157fdc72d12b40481a893ab13296c36239c7ed8622cb86" + } + }, + { + "ruleId": "TA-000003", + "ruleIndex": 1, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 165 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3549d0b318441c8b49bd89ca36ea85f70bf45f022ab8c0609706ff5f5a88d2d8", + "gdnAlternativeSignature0": "0edb0e1b59eb8e8d3fc182d647d80d92147876a0454f610aa836842fb52181e5" + } + }, + { + "ruleId": "TA-000003", + "ruleIndex": 1, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 195 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8dbbe99de40dee0eb3c9eb6568f8e48c5effeec820c694f77be3999efaad513b", + "gdnAlternativeSignature0": "f244a0d31df3eeaba0ca511703721d84fe79f8beb849b3cc4453a7f7e9ffc9c1" + } + }, + { + "ruleId": 
"TA-000004", + "ruleIndex": 2, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 29 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d1a766811373af8220668a1819fa53325b88ba36dffbf2706701e95dfa1e0aed", + "gdnAlternativeSignature0": "f0153f08d6d8174a8d76708b6935ba0ef2b38e06ff62758758e948d72ef1be52" + } + }, + { + "ruleId": "TA-000004", + "ruleIndex": 2, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 44 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6e9b1515330559d9ab46e4c5b6afdd2ee9a07fc5122b6c3748c3688cfeca2789", + "gdnAlternativeSignature0": "c0dd2c03abc529e58717d3191f4fd5e673d3316a39093ba7bd9b964920239290" + } + }, + { + "ruleId": "TA-000005", + "ruleIndex": 3, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 165 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7e1a7ec5ef845a37f73c0407622bd567cdd07b2dfedc75a099d29862f374762", + "gdnAlternativeSignature0": "1cdb3b2f11971c7558e88df98da50f7e9a361b97dd3668a26543df13716d7597" + } + }, + { + "ruleId": "TA-000005", + "ruleIndex": 3, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": 
{ + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 195 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4643d07151b417ee81f093352a1a712e3536febd4f9c68cb9774bc20578541ec", + "gdnAlternativeSignature0": "c90df3b94d648eb7354b444cbe823e580310b5eda0a5391f3f4c80b4c05317f9" + } + }, + { + "ruleId": "TA-000006", + "ruleIndex": 4, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 218 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "65526fef72a3bd5686e08978f894f58ee0c94d6b14333616137c1197168771c2", + "gdnAlternativeSignature0": "6738218eca8210aa235b6a000d75d9cd8ec306669ef6783344d819eea5ad16a3" + } + }, + { + "ruleId": "TA-000006", + "ruleIndex": 4, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 199 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "74875f7d2bcd35300850f78ef8d77d9ccba6f1f3e01f8aa8126148d78a157a60", + "gdnAlternativeSignature0": "02e4138fc76c7af81aa05894a92ac4d606d31021aa410b0aa62abbdd6eba5eed" + } + }, + { + "ruleId": "TA-000007", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 187 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "be7e0b3fdbf227e31c46e9fd7b3a36bd67a5577fe93fabe7de457fb26f58dc34", + "gdnAlternativeSignature0": "b76e97cfdd95980416531f989be2fa221fd4f3689c9ca167b515e573bc729d04" + } + }, + { + "ruleId": "TA-000009", + "ruleIndex": 6, + "level": "error", + "message": { + "id": "default" 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 309 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "265486bd8e28eea8810483d45dcc81f731cd9776eed60a7893943e33d9b07b6f", + "gdnAlternativeSignature0": "ed44340ff877ba9d68523648797c4f0f7b56c7c028d93312e55d5c4dc2cdf0a8" + } + }, + { + "ruleId": "TA-000009", + "ruleIndex": 6, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 325 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d70937da25c2f4c4bf54334ccc495634c22918258a3b46e45fcd389fd482855f", + "gdnAlternativeSignature0": "34c1f242e862c9a4b1ccceb99a33b1aac0df47aadcc5e6b4cc6a9957bfa60ddb" + } + }, + { + "ruleId": "TA-000010", + "ruleIndex": 7, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 70 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f09e415fda3660cc86a250ca8b35c87db6d6f5d15c69693c1cee3d5a1bd841c4", + "gdnAlternativeSignature0": "c11ab3206f07476269883239e183c0a38d77630a64dc0a0fac178d45f7f0cb8b" + } + }, + { + "ruleId": "TA-000010", + "ruleIndex": 7, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": 
"ROOTPATH" + }, + "region": { + "startLine": 85 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b3eb7244e83ec91b3b2fdcadbdd498b8f8095140b6c23b74883b5ca61878a994", + "gdnAlternativeSignature0": "3a37f05c16ebd9b493c603024eeb1c5f9c35a5a44d2378a11b6c33003fba815f" + } + }, + { + "ruleId": "TA-000011", + "ruleIndex": 8, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 309 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "03a4354b8e006461fb34be109fe4601b633f817d7b237a02dbf2f1346d91e0b4", + "gdnAlternativeSignature0": "c490246cd2a3ee33ab981814e002c687938d33fba3eefb891fd8db2c7a92d64c" + } + }, + { + "ruleId": "TA-000011", + "ruleIndex": 8, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 325 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "24126068b178d605ced2a12989a4fa2ebd4d15eb30c7c2c37b9d3c6cab349686", + "gdnAlternativeSignature0": "c5923a6a520bd145ef3957d75a6c9d8cbf1025fcd4915449e60bbb02bd10a9e8" + } + }, + { + "ruleId": "TA-000012", + "ruleIndex": 9, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 313 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"36e23dcaac28961df21b197c601391bc76f0c90d72380a56f1fa29327bd0017c", + "gdnAlternativeSignature0": "3fa84bc1cc49b60bb7204fb88c7fada8faa63e5f8c9984e10e1b83d3b95bb9e7" + } + }, + { + "ruleId": "TA-000012", + "ruleIndex": 9, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 218 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b20e23b6ed47125967e4d087e615c9d4a9aba6d7dd9e2176ed151efcebb82d02", + "gdnAlternativeSignature0": "2ee68544e8b6b6a54363c95df7bd3d1422cf1c193ed005dddba038439e9650d7" + } + }, + { + "ruleId": "TA-000013", + "ruleIndex": 10, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 319 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ed0363b6f87f1d4e7c0807f68e051e1b3787bafbd2455d4528a10bf4d94b9edf", + "gdnAlternativeSignature0": "72d1e7c2a57d35fa08e178c56264746e48ed563a4da2d7f5dc8570438ed5d90c" + } + }, + { + "ruleId": "TA-000015", + "ruleIndex": 11, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 264 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ec6f5ed98134d472df3077d9c883d07c25923b8e2f9f0ee4ad62438d0a72b4f4", + "gdnAlternativeSignature0": "5e86cd98e6560ffb14e4eb72c99c8a11042feb183a1713a37c682f8417eca214" + } + }, + { + "ruleId": "TA-000015", + "ruleIndex": 11, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + 
}, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 280 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "38abf206aa092efe2a8fa6d3546f1a342e08c86f4b25be558b8afd5bcb532651", + "gdnAlternativeSignature0": "f53e1db90f911dfc29b77e08c01fc16a609b9720473da74edae88428a4e2bc1c" + } + }, + { + "ruleId": "TA-000016", + "ruleIndex": 12, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 111 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "408e1546a1bb4ad4b304b67d08fe6d99943c94a173d95edb8ddaa25a03798989", + "gdnAlternativeSignature0": "84d16425f679ebd232bade7a449c0cdbfef3776b9b928279599f00b71fbcfb22" + } + }, + { + "ruleId": "TA-000016", + "ruleIndex": 12, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 125 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "bce4367d8d17dfed8e0504a56bdbde591cfc253f3632a2f21142dffcac9e33a5", + "gdnAlternativeSignature0": "e76df0666939f84d4c4ef2f13e863a131ecb5f7e36060126730de3bd7aee8734" + } + }, + { + "ruleId": "TA-000017", + "ruleIndex": 13, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 264 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "84b7be1aa526d0d05c2de90d3e202c9ac537835e7b3140c871e452ee53505cf7", + 
"gdnAlternativeSignature0": "059a393d058cffaa8cdbe2fad159ee89d4f04ea63fcbee3981408888a39432e8" + } + }, + { + "ruleId": "TA-000017", + "ruleIndex": 13, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 280 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c8faed1d99ea5b1ced01439da3370660d482769c59a7665dda694f69f336bc76", + "gdnAlternativeSignature0": "216e7a3be42bfa5aae23ed3abf7bccf0d48aa5ad6ae0f617088f0de77723da89" + } + }, + { + "ruleId": "TA-000018", + "ruleIndex": 14, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 268 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b17d79fb40da84e43645bcdc62e3f720f8039e9be3454fd847cbef27623eea6f", + "gdnAlternativeSignature0": "4050ebca29a424898a464da3b851e5ae90c32384f653b4478a38a331c2639fa8" + } + }, + { + "ruleId": "TA-000018", + "ruleIndex": 14, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 218 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "478c565e6f29f52f64c42e08aca4fe0c94a9ed37a629ab4529d58c764580df69", + "gdnAlternativeSignature0": "0a4753c9c18e6f31fb4d238774fa74f694731b7aff4566b256d7a4f2c93536cd" + } + }, + { + "ruleId": 
"TA-000019", + "ruleIndex": 15, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 274 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7f8fadd8a0cbc8600952d828f4f4f59c163cd99350430230e976a126d8c9a89", + "gdnAlternativeSignature0": "1dad07739d9b4f2d7845f7a709da12b240d41c1a3536217dc80b23b104ea5362" + } + } + ], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "templateanalyzer>>5>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "checkov", + "organization": "bridgecrew", + "version": "3.2.199", + "informationUri": "https://checkov.io", + "rules": [ + { + "id": "CKV_AZURE_59", + "name": "Ensure that Storage accounts disallow public access", + "fullDescription": { + "text": "Ensure that Storage accounts disallow public access" + }, + "help": { + "text": "Ensure that Storage accounts disallow public access\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access" + }, + { + "id": "CKV_AZURE_33", + "name": "Ensure Storage logging is enabled for Queue service for read, write and delete requests", + "fullDescription": { + "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests" + }, + "help": { + "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service" + }, + { + "id": "CKV_AZURE_44", + "name": "Ensure Storage Account is using the latest version of TLS encryption", + "fullDescription": { + "text": "Ensure Storage Account is using the latest version of TLS encryption" + }, + "help": { + "text": "Ensure Storage Account is using the latest version of TLS encryption\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2" + }, + { + "id": "CKV_AZURE_190", + "name": "Ensure that Storage blobs restrict public access", + "fullDescription": { + "text": "Ensure that Storage blobs restrict public access" + }, + "help": { + "text": "Ensure that Storage blobs restrict public access\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-190" + }, + { + "id": "CKV2_AZURE_40", + "name": "Ensure storage account is not configured with Shared Key authorization", + "fullDescription": { + "text": "Ensure storage account is not configured with Shared Key authorization" + }, + "help": { + "text": "Ensure storage account is not configured with Shared Key authorization\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-40" + }, + { + "id": "CKV2_AZURE_47", + "name": "Ensure storage account is configured without blob anonymous access", + "fullDescription": { + "text": "Ensure storage account is configured without blob 
anonymous access" + }, + "help": { + "text": "Ensure storage account is configured without blob anonymous access\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-47" + }, + { + "id": "CKV2_AZURE_33", + "name": "Ensure storage account is configured with private endpoint", + "fullDescription": { + "text": "Ensure storage account is configured with private endpoint" + }, + "help": { + "text": "Ensure storage account is configured with private endpoint\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-33" + }, + { + "id": "CKV2_AZURE_41", + "name": "Ensure storage account is configured with SAS expiration policy", + "fullDescription": { + "text": "Ensure storage account is configured with SAS expiration policy" + }, + "help": { + "text": "Ensure storage account is configured with SAS expiration policy\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41" + }, + { + "id": "CKV2_AZURE_38", + "name": "Ensure soft-delete is enabled on Azure storage account", + "fullDescription": { + "text": "Ensure soft-delete is enabled on Azure storage account" + }, + "help": { + "text": "Ensure soft-delete is enabled on Azure storage account\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-38" + }, + { + "id": "CKV2_AZURE_1", + "name": "Ensure 
storage for critical data are encrypted with Customer Managed Key", + "fullDescription": { + "text": "Ensure storage for critical data are encrypted with Customer Managed Key" + }, + "help": { + "text": "Ensure storage for critical data are encrypted with Customer Managed Key\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key" + }, + { + "id": "CKV_K8S_25", + "name": "Minimize the admission of containers with added capability", + "fullDescription": { + "text": "Minimize the admission of containers with added capability" + }, + "help": { + "text": "Minimize the admission of containers with added capability\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24" + }, + { + "id": "CKV_K8S_20", + "name": "Containers should not run with allowPrivilegeEscalation", + "fullDescription": { + "text": "Containers should not run with allowPrivilegeEscalation" + }, + "help": { + "text": "Containers should not run with allowPrivilegeEscalation\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19" + }, + { + "id": "CKV_K8S_21", + "name": "The default namespace should not be used", + "fullDescription": { + "text": "The default namespace should not be used" + }, + "help": { + "text": "The default namespace should not be used\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20" + }, + { + "id": "CKV_K8S_28", + "name": "Minimize the admission of containers with the NET_RAW capability", + "fullDescription": { + "text": "Minimize the admission of containers with the NET_RAW capability" + }, + "help": { + "text": "Minimize the admission of containers with the NET_RAW capability\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27" + }, + { + "id": "CKV_K8S_43", + "name": "Image should use digest", + "fullDescription": { + "text": "Image should use digest" + }, + "help": { + "text": "Image should use digest\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39" + }, + { + "id": "CKV_K8S_8", + "name": "Liveness Probe Should be Configured", + "fullDescription": { + "text": "Liveness Probe Should be Configured" + }, + "help": { + "text": "Liveness Probe Should be Configured\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7" + }, + { + "id": "CKV_K8S_37", + "name": "Minimize the admission of containers with capabilities assigned", + "fullDescription": { + "text": "Minimize the admission of containers with capabilities assigned" + }, + "help": { + "text": "Minimize the admission of containers with capabilities assigned\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34" + }, + { + "id": "CKV_K8S_29", + "name": "Apply security context to your pods and containers", + "fullDescription": { + "text": "Apply security context to your pods and containers" + }, + "help": { + "text": "Apply security context to your pods and containers\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers" + }, + { + "id": "CKV_K8S_22", + "name": "Use read-only filesystem for containers where possible", + "fullDescription": { + "text": "Use read-only filesystem for containers where possible" + }, + "help": { + "text": "Use read-only filesystem for containers where possible\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21" + }, + { + "id": "CKV_K8S_23", + "name": "Minimize the admission of root containers", + "fullDescription": { + "text": "Minimize the admission of root containers" + }, + "help": { + "text": "Minimize the admission of root containers\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22" + }, + { + "id": "CKV_K8S_40", + "name": "Containers should run as a high UID to avoid host conflict", + "fullDescription": { + "text": "Containers should run as a high UID to avoid host conflict" + }, + "help": { + "text": "Containers should run as a high UID to avoid host conflict\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { 
+ "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37" + }, + { + "id": "CKV_K8S_31", + "name": "Ensure that the seccomp profile is set to docker/default or runtime/default", + "fullDescription": { + "text": "Ensure that the seccomp profile is set to docker/default or runtime/default" + }, + "help": { + "text": "Ensure that the seccomp profile is set to docker/default or runtime/default\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29" + }, + { + "id": "CKV_K8S_38", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "fullDescription": { + "text": "Ensure that Service Account Tokens are only mounted where necessary" + }, + "help": { + "text": "Ensure that Service Account Tokens are only mounted where necessary\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35" + }, + { + "id": "CKV2_K8S_6", + "name": "Minimize the admission of pods which lack an associated NetworkPolicy", + "fullDescription": { + "text": "Minimize the admission of pods which lack an associated NetworkPolicy" + }, + "help": { + "text": "Minimize the admission of pods which lack an associated NetworkPolicy\nResource: Pod.default.cassandra.app-cassandra" + }, + "defaultConfiguration": { + "level": "error" + } + }, + { + "id": "CKV_AZURE_225", + "name": "Ensure the App Service Plan is zone redundant", + "fullDescription": { + "text": "Ensure the App Service Plan is zone redundant" + }, + "help": { + "text": "Ensure the App Service Plan is zone redundant\nResource: Microsoft.Web/serverfarms.serverFarm" + }, 
+ "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/bc-azure-225" + }, + { + "id": "CKV_AZURE_17", + "name": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set", + "fullDescription": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "help": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7" + }, + { + "id": "CKV_AZURE_78", + "name": "Ensure FTP deployments are disabled", + "fullDescription": { + "text": "Ensure FTP deployments are disabled" + }, + "help": { + "text": "Ensure FTP deployments are disabled\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-ftp-deployments-are-disabled" + }, + { + "id": "CKV_AZURE_18", + "name": "Ensure that 'HTTP Version' is the latest if used to run the web app", + "fullDescription": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "help": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8" + }, + { + "id": "CKV_AZURE_14", + "name": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service", + "fullDescription": { + "text": "Ensure web app redirects all 
HTTP traffic to HTTPS in Azure App Service" + }, + "help": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-5" + }, + { + "id": "CKV_AZURE_16", + "name": "Ensure that Register with Azure Active Directory is enabled on App Service", + "fullDescription": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "help": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1" + }, + { + "id": "CKV_AZURE_71", + "name": "Ensure that Managed identity provider is enabled for web apps", + "fullDescription": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "help": { + "text": "Ensure that Managed identity provider is enabled for web apps\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services" + }, + { + "id": "CKV_AZURE_15", + "name": "Ensure web app is using the latest version of TLS encryption", + "fullDescription": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "help": { + "text": "Ensure web app is using the latest version of TLS encryption\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-6" + }, + { + "id": "CKV_AZURE_222", + "name": "Ensure that Azure Web App public network access is disabled", + "fullDescription": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "help": { + "text": "Ensure that Azure Web App public network access is disabled\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-63" + }, + { + "id": "CKV_AZURE_153", + "name": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot", + "fullDescription": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "help": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-azure-web-app-redirects-all-http-traffic-to-https-in-azure-app-service-slot" + }, + { + "id": "CKV_AZURE_67", + "name": "Ensure that 'HTTP Version' is the latest, if used to run the Function app", + "fullDescription": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "help": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-http-version-is-the-latest-if-used-to-run-the-function-app" + }, + { + "id": "CKV_AZURE_70", + "name": "Ensure that 
Function apps is only accessible over HTTPS", + "fullDescription": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "help": { + "text": "Ensure that Function apps is only accessible over HTTPS\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-function-apps-is-only-accessible-over-https" + }, + { + "id": "CKV_AZURE_13", + "name": "Ensure App Service Authentication is set on Azure App Service", + "fullDescription": { + "text": "Ensure App Service Authentication is set on Azure App Service" + }, + "help": { + "text": "Ensure App Service Authentication is set on Azure App Service\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azr-general-2" + }, + { + "id": "CKV_AZURE_65", + "name": "Ensure that App service enables detailed error messages", + "fullDescription": { + "text": "Ensure that App service enables detailed error messages" + }, + "help": { + "text": "Ensure that App service enables detailed error messages\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages" + }, + { + "id": "CKV_AZURE_80", + "name": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app", + "fullDescription": { + "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" + }, + "help": { + "text": "Ensure that 'Net Framework' version is the latest, if used as a 
part of the web app\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app" + }, + { + "id": "CKV_AZURE_66", + "name": "Ensure that App service enables failed request tracing", + "fullDescription": { + "text": "Ensure that App service enables failed request tracing" + }, + "help": { + "text": "Ensure that App service enables failed request tracing\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing" + }, + { + "id": "CKV_AZURE_63", + "name": "Ensure that App service enables HTTP logging", + "fullDescription": { + "text": "Ensure that App service enables HTTP logging" + }, + "help": { + "text": "Ensure that App service enables HTTP logging\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging" + }, + { + "id": "CKV_AZURE_88", + "name": "Ensure that app services use Azure Files", + "fullDescription": { + "text": "Ensure that app services use Azure Files" + }, + "help": { + "text": "Ensure that app services use Azure Files\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files" + }, + { + "id": "CKV_DOCKER_2", + "name": "Ensure that HEALTHCHECK instructions have been added to container images", + "fullDescription": { + "text": "Ensure that HEALTHCHECK instructions have been added to container images" + }, + "help": { + "text": "Ensure that HEALTHCHECK instructions have been added to container images\nResource: /samples\\Dockerfile." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images" + }, + { + "id": "CKV_DOCKER_3", + "name": "Ensure that a user for the container has been created", + "fullDescription": { + "text": "Ensure that a user for the container has been created" + }, + "help": { + "text": "Ensure that a user for the container has been created\nResource: /samples\\Dockerfile." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created" + } + ], + "properties": { + "RawName": "checkov" + } + } + }, + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "results": [ + { + "ruleId": "CKV_DOCKER_2", + "ruleIndex": 42, + "level": "note", + "message": { + "text": "Ensure that HEALTHCHECK instructions have been added to container images" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/Dockerfile" + }, + "region": { + "startLine": 1, + "endLine": 2, + "snippet": { + "text": "FROM alpine:3.14.0\nRUN echo \"testuser:x:10999:10999:,,,:/home/testuser:/bin/bash\" >> /etc/passwd && echo \"testuser::18761:0:99999:7:::\" >> /etc/shadow\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d575ad4cda6d50d0a5b22693f2455c3705f7c36bb4b15adc9192690133bf9374", + "gdnAlternativeSignature0": "b638b75acb82e58442ebe3ecff85569f7009ac136ba3db701680ba599b613c84" + }, + "attachments": [] + }, + { + "ruleId": "CKV_DOCKER_3", + "ruleIndex": 43, + "level": "note", + "message": { + "text": "Ensure that a user for the container has been created" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/Dockerfile" + }, + "region": { + "startLine": 1, + "endLine": 2, + "snippet": { + "text": "FROM alpine:3.14.0\nRUN echo \"testuser:x:10999:10999:,,,:/home/testuser:/bin/bash\" >> /etc/passwd && echo \"testuser::18761:0:99999:7:::\" >> /etc/shadow\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "1242a262a0e0dc6e681ad67a81a121ae66f0b2562d1d669a066233daaa7a615a", + 
"gdnAlternativeSignature0": "81662655dc607bf53d1554c1d9b11df48d1d564eac1529173b8d0a2e61969e63" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_225", + "ruleIndex": 24, + "message": { + "text": "Ensure the App Service Plan is zone redundant" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 14, + "endLine": 19, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/serverfarms\",\n \"name\": \"serverFarm\",\n \"location\": \"[parameters('location')]\"\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5221a67299814f524df6a6522077373a0fd22c2d3f1748e6025a8552333f7141", + "gdnAlternativeSignature0": "e6aab96518196be0b417589447f9a67fea4ac7f6f0a89667d1394f61195916f6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2052f152b6d5766a7b59a9c7b4f1d29a0f7bb9060b894b7a65b9e58207a28318", + "gdnAlternativeSignature0": "e18fdea947ebaa5eeda8e3c09e3f041d81794a440563fc2ff6526653c22c9300" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + 
"physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5f73cccef9e3e5de304868ce267f1b16ddbbad0c9c52f4c39866f9e347b7d5d2", + "gdnAlternativeSignature0": "7806091df62a7f1ac9e2fd4c6a8f834a76f61fa22e8e6b577272499b3e942104" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b9354cf1c73339ba30adcd102787a08181f25aaff9f6782332e185ca65fb9a6b", + "gdnAlternativeSignature0": "c95f4a7cc4fb4eab5c51d2885069bf453fc79e65aac23ff2d04b015fe36717d0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "be5f727a2ce11c634799422c02b8a4786d9b57ab5402571c6025b43e6b077b3d", + "gdnAlternativeSignature0": "30eef084050fc6c74f476b1ce8aa4c766974299647bbfbf548e37ddd1fc1ceb1" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8ec0cf28cfe77f1886c419e78389f8a6102878cb7612535c76516fd29c664889", + "gdnAlternativeSignature0": "b35de61bb549b7a7050bd10b59810d2d6c10f19155d87b4bd9b1f6a92ac87ae8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + 
"region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ee7a8721be19f071f11af14aaa7aca9576415f4d4d1e62346a853f58100c82e4", + "gdnAlternativeSignature0": "ec622e49b27f8e22a9e6f643cf8cf907eb559102eae22be4e991b94720701355" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ef9b889940362ecd85475a4717800814cf44656011817a1d3370a3bcab0f9006", + "gdnAlternativeSignature0": "e8b887b9e4630d128d846a53822b5d4d36f7078245f4e138644f951d5da1c04b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " 
{\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e1dc47b6e2369dd39565addd153d327dd0d76de16d44d15949739b4ece89857b", + "gdnAlternativeSignature0": "d43a14c244c9f2b15c1ba3cec391a15f1baf94ac985c7db47cad796ef60a075e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "97d7ca490bf520d069c13ebdb0d71a09b89fcd7769dde3ce13a56b628553002e", + "gdnAlternativeSignature0": "4900509f0378a44b7fbeba8ec8bf1dbc277cdf17e6f3726e7111c71d23884b5a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": 
\"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c56f175caf69b08d44542457468251bc934009d1db105d9b7bbebcbcb3beb452", + "gdnAlternativeSignature0": "913aa909429d17a84df0c1e8748ff6aea024d4ef99d8904de01b8ebfebb6ef2c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2f45d4e06de44a01421e37f361501aad833ff822c1204548527c417f387a4bfd", + "gdnAlternativeSignature0": "c1176515ad6f738679a0735507229cb7137334a387d241a6f6f16e99fe2c2751" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n 
\"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "77217b91fc3a35c94077b14d569129379554bc6c475fef0ed13e21ee3f64e356", + "gdnAlternativeSignature0": "a92fd4c7fd1c82fb5c7c4e2b973b97bd202817cb9be0631ec7ec94540eca12a0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "96272a03ccdc56a5a8b96c5109daa200cb64585bf6cb129647e817d4f08a4bfd", + "gdnAlternativeSignature0": "3e23e70479065b8d7df9e45448b64661427e6438fbe37d04a36266ce32bee78a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "67cba71b0950ef66e3a3a355b9a91d2d202c0813fe7f8b95e741f7812d7033fc", + "gdnAlternativeSignature0": "fbff0c06779ae5a02c627c32a5286e16208ac4855c442d93ca1238f9c34e1d11" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2f0e38a86c95c2a52024f64d67bcd131909536c1a0e5b97ad5e093d03574efea", + "gdnAlternativeSignature0": "5ecca9431ae6ccf7833666998b89928bef027106342ff5293dbcea4fbfd8985f" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n 
\"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "047e97aec3e3db452cd6494fac807837f79de6dbf49057a6af9fa720f29866cd", + "gdnAlternativeSignature0": "4d3bb1bfb723ab4e801290b50a7f708428b9978d60d75e9d4b421ce3261e987e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "60a28f98c4f08919941b75af5cb9983b3d6d0d4fdbdfd72f0090398ec41d78b8", + "gdnAlternativeSignature0": "81e9acc15fdef5820327f3e7ba5bb7d63c7bc0ff05365b47c155fc8b5bf089f7" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n 
\"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "661df7e8e64bd5bdd34a1d439102b29529c13c746e5feb730fac1b89383a4443", + "gdnAlternativeSignature0": "20930ab9036a0597b410e4bbb9a3ae46121270bb3384764cabfe9af8664ee4c2" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "eef8e08eefe99efe6383c19a6c2f6896c9ef94af166789c535a44e439faff96b", + "gdnAlternativeSignature0": "d9cfc31c8fd621cb84b4ac6e4aebe8fbdc58ac745ec38f3cad71e0d6516cac75" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n 
\"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b6eaac00912ec69927074d73bba19050e90b93d7c2863034c5f57ac14b6c3f56", + "gdnAlternativeSignature0": "63b91b45615d3139f0c8994573f3c9045d8602acb32fa9a2b56ff7b1e8c030d3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "1a28305cc04bfcb6e7d6cd127478774b1bee41fc46643d7798536ede530ea751", + "gdnAlternativeSignature0": "0f393c4096130800e7805e4a66f1950cf2d771868201e4632b04ce44be71df65" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": 
\"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7e0569871e364eb4f1ad13804f6bbac0225d2b791ccc53683c54d880a8d56ad", + "gdnAlternativeSignature0": "558d0b90f8a67d09495fad85b33c5877cb89b0319b670c21c57f4959cca1eaf1" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "aaddab01eb68ff517e9444b2e9d93377d31950dea3e82ddb8ab944c5dfee7c1f", + "gdnAlternativeSignature0": "57cebe241ad3cf45ef799f306169e2b2264d43b4510f8e0752726be7131ab490" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "590ff9987116abb8a3400496eddeb58c1f024d384c76051a44dc2c39e4e49283", + "gdnAlternativeSignature0": "61d1b562f5d44f6ddbc3c5c2814e820572971c9d99d41830d74ee6dab9e8b1b8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "db280dfff3e2790244c8b505a80423b5448fc8e75d59a62250b7a79536cf7ff1", + "gdnAlternativeSignature0": "ac8dbe3cffb76f8661fc62b1f0f4da58be581b4d0ef2caa7f3cd204caca2463e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "aea92e244aca978f643e2e1ac665f53ebba318185bd336a66cd47a0b665060ec", + "gdnAlternativeSignature0": "b48782f8c3aa23c586d734684f31424229a47093f158458dc6b2d60685e3d769" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "798c50dcd9acde7329ed5009c3d07a2217acf11fec1f31004c527083961c540d", + "gdnAlternativeSignature0": "165dd9555e9c9161445bf7503e05d3cbed8dcbb6302f42637d6b45ccaca0ff58" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4c5dfc4574f7685bcd89ddc5a65c7d0c511987abf75c9de4430457d1727af8af", + "gdnAlternativeSignature0": "d2ce914431dc4d3c206c55b66c4b6dca1bb2031972528496dbf84c655535f145" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "44c94e00b2108329c9f76c78147b2604cc20cabbf31e7f8e4299bf4d2fd94f14", + "gdnAlternativeSignature0": "61c01b83b4d60836ee555f3f704f36d40cb7a30c25a0d5dcd09b5f172423448a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "235d3319b06d373c3b2babd6236b29e3ee46066a92409d48434ecf54474c4f3d", + "gdnAlternativeSignature0": "781e42feb7fc10ca262f5cce84e3a566206e0d9abfe2465ba0a1fb45a98eef9e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3645ea9051ae5673c813896b86a7ba9dd2b3b5e32c23cafc80908b2f2524f944", + "gdnAlternativeSignature0": "3f5299a9cafa29f11de4de69e3fd6545bbed0d8ef6dfdc23e989ccbd39b25cdd" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n 
\"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ca7a9cc04d61e4c2746e08d814a13bfce97322ab3330c23ac6a3a046e1da28cb", + "gdnAlternativeSignature0": "7223771f7f45cc448238ef3189a578bb9838dc9dcd6954b1769a77b8828299a3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "71dc14fcd10f9c9553a4da8ac502b6435b2ed0db62277cd987cca6d551c6d181", + "gdnAlternativeSignature0": "d43fc88acb8d338e40410db7c591108b80e3d46c28060e62437919f14f722dfe" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": 
\"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3c0093298905723cba273ae4a7665878ab158eed129e338a933ea628f12cea27", + "gdnAlternativeSignature0": "3e6753aa3addf5ba0305dc624bf944236f65feb3fb342a87052ac03331c29086" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d1a5aac95999bad7e7b5c9e0e255d9d2ca11a7cea6fa5dc385222d4feaf488c3", + "gdnAlternativeSignature0": "33369208b079f75cbe0cab69fc1bf20ac7c43ea8f2b7536e1b4f13a771190cb6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": 
\"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d73af49617110ba351d090184b05165dc8855332c51a8857ed25280cf9afad44", + "gdnAlternativeSignature0": "09a999b4a9287158b3cca86c7e300c895a1350f7ef5816c5b55efc9f3ea7ce55" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "03753151129aae06d95a6bf05714f3962691cc58c210d7d9e1834d8fd0ccfbf9", + "gdnAlternativeSignature0": "ee019a6f911abaec8264daa5ce7e95edb613bb130a37c20e98d07b6ce408aa71" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": 
[\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b8b0b37b159d4ac33da5cc0f6c8e629f574c8e2989630facb7ed998b4fbd3e2b", + "gdnAlternativeSignature0": "c33ac75db46382ebd17cb142c0ac1e4ad6899e74b3a7aba6452e31cff4a58b91" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e964440f1574351b358e9ad24c3716799d68e1fff901003018bb171fe1731425", + "gdnAlternativeSignature0": "d665f8f5eb905b17e8a1114333ea0f968495576f17e39f7aa042a5e10d58f6dd" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": 
[\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "46bcafa5ef7682f49218b2cdae86203af9bd2d6676b1305517ff82ed2534c8a4", + "gdnAlternativeSignature0": "3aa93e2f42f94795cf57ca2abb96bbaf98d85c457a25083f5dc76fd25f6c828d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8897f68b7d0cfd331d551cfe62263a1a37c12f1b2fa6cc72ced0fb70f1d07bea", + "gdnAlternativeSignature0": "1e32293b35ee682f0207bfc6b97b03f98947a3c42b123d602986180ab02349dd" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e19ab0fdf6b41c60416ec1789e435d14b225c9059e0cb0e72b85621eaa9a6a86", + "gdnAlternativeSignature0": "9c76d0ac3067ddae324af883867178b01d2394b6293865422cfd1c2a0d8f2322" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9ccd2eec805423da588e0e4fb39a20af8824e7b43e64c3e4b69ef404665c32cc", + "gdnAlternativeSignature0": "f564ab2518131f06da69f86eb0b8f61753018f7a7779cfb057eddd15551977ee" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9359461703908a57a96cb32c9d317be3fe28b28f0bf8392611a279a831e3c47d", + "gdnAlternativeSignature0": "4e87df39b2999630b9a10e9ecb92008f17baf6e351e0b208887f85e9931397af" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "52979741c27ad8788e0a869cb9c45f1dd101ad482c8c5157b8812f78991baf31", + "gdnAlternativeSignature0": "5058e736e60a56f62767c611d9a6aa94a5845c6ee0c4aa10fb6626a2aa2a70bf" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": 
\"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "31f0c7f30ad4509ee75d1a179af6e021694beb27d3a38ff0b5bcf0fd5d9bfec0", + "gdnAlternativeSignature0": "1129123e54ead9a5143b8feca94087caf7d35b5ae8251eafbe5b7cc169c2321e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0768d45c77ded4c1385d2feae675b811f3c643696bda9156a8bfccd599aff704", + "gdnAlternativeSignature0": "a60f942f7a1141f3ee5bceb13b7991b3a42f1f9d9b467e82a0d3f2b9ba339d7c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": 
\"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6401e6c3c7b71999c46c38b67aac9488aa986bc7b294124d85576bda8a4c0a9a", + "gdnAlternativeSignature0": "4dfd2fb00d7468e4b5ec7f9be6f463d7ce9654014d94abd3d367315c073cb7bb" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e32c0ff998fcef5e2c8dc7044fad00fee70e804ea115377e31bb12a7f59a2c10", + "gdnAlternativeSignature0": "439c05a50fad4d75ec8d278a58719987c9009948631a2f11782251d73c8f4200" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": 
\"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a5c04b13d6677bc41f4b3715f1e01ce95036675d6de4df8dc0439de074a03d73", + "gdnAlternativeSignature0": "49b98e30d0dd7ce696a9b0b481e3281fd671f0fd70de26dd6fb7510b705e0f87" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e6301a23f58d4b667b0f9399522c3093c2289a6533a91c5cdcf22d245d526fa9", + "gdnAlternativeSignature0": "6091c16fd0d417e61913fb8a205a0381ceb3beab6ee091ecdef880751180c796" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": 
\"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0f2797770c6de1cf13dc915a59ed4540e23f915d86778fdb7e6b17a631c027fa", + "gdnAlternativeSignature0": "7f942a785576efce2530b9d5e5138b37b95f67caaaf4f068e03450ac35bc9b27" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8a917df4e8c678506a78db5559479538775f940b8c14aa146822e79c821a287e", + "gdnAlternativeSignature0": "536e095efb39b0a59bf24cda2950cc9d7a939e228a53bf159bf8cd0fb1b8da6e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n 
\"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "012a7cc9d1337a51d3b90f52d7866f9183fa75c796a6b444a5792554db38986e", + "gdnAlternativeSignature0": "a0b181e8b990ea5f29718c2f802c61d0e3d160d0fea9394c335ce70582b89c12" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "07162ca3946165f6599af87465895d93e3a4672e03b47519894ce51b2c5cc9bd", + "gdnAlternativeSignature0": "74128bc18a6b19a6678aa9cbd0384858bae0f0270c9c36bed84570fd26bfbaca" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + 
"snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a69519b3c5b094db4ab476ddeb127f3a19304d1a0dceaaa0990a3438551fa084", + "gdnAlternativeSignature0": "be3bd3018a1fbfa842ccab409f12e02b083c1afa3058a47b84c9fff1d4da82b3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "736147b83648552df9d3f8b2b392ab48a9bf9ab58620fb7a3818f40f07bbfc61", + "gdnAlternativeSignature0": "f27f79c0de60ef21728d0f1fc1410e6a2cea4efb033b119007e4e6ab0626384a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 
88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a4b11836c10056ef0cdbbdb6afefc25c31906aaa79ca3bdbc1bdb18ed2d011b7", + "gdnAlternativeSignature0": "07b6c44a303c8c16e35003d2412596b49a13368ed484ff649ffa144d2b5771f8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ac27e5bae66e1875d76fc175bccaf11c9f0a10e45ac8385025f5dde90c69e4fb", + "gdnAlternativeSignature0": "9a5fdc81a5d1e596583d75f0a2da7b28dd82d0c9155a0baf2b57fd32cf33e21d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": 
{ + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d06586685b31f55d3be4de5084e13b421c700e4c87a7437bffe41291bf65d35b", + "gdnAlternativeSignature0": "dcb4c97d8e1a7a14524f2c6534312187b0272594e87ed98fe98e172b43b7dff9" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0207769333b739f934c6c2472c0f269001ca3b1e973fe1cce2d2472d8bc56399", + "gdnAlternativeSignature0": "c00d75f61dc4dfb1d452c9fa66da4eea57d1fd4fada176b36c66d53d5b9b1cb0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + 
"endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5d7890ffeb37cacd07b107299144f625fa773f8e8fb28a62a7c0dea16025a0ee", + "gdnAlternativeSignature0": "089e7957dda409a966a18b7e294c4573d4ec68ad4e24b23938e321a8e82b030d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c29ee62ee70b4965bc0d67ef69030f6b70e617d9fcd3ac8200b68198192b7dc1", + "gdnAlternativeSignature0": "b4ba90b3e3e84e928c796f1c7ebb2e6797dea862b0e44cef5199dbe9bfe5e6aa" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": 
" {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ee8d746b0689b235f3208999ce7df1653fa45d2711d41a5d6e7ba90fd50c388c", + "gdnAlternativeSignature0": "ea3506129a69e11e59a2393a8e401e15c35473f82a143746cf124f0aceb0f013" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7b591f479f9723771411f3c953ee4ab3beda88856ae3ab53a88a64d61214e01d", + "gdnAlternativeSignature0": "0ac09190fd50243610f0dc1cefc1f8f5bf5340c6554465ca85333d39814c3094" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": 
\"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f3eef46d00d6fe15f0b4da40bda2f0ab16e3c91fcec06df3545e1c7fe7d8ff6d", + "gdnAlternativeSignature0": "6d2fd3507d1f39e715802fc90b4f9779fa4a250936446362dfb3a3c8675b600b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "52578dfe3657d9104db6fe82cafe200490942428064ed7a2ba755d780c8365a3", + "gdnAlternativeSignature0": "c54bc8f04da699379969061f974819212592deb962782dc7070937bd22ff33c6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n 
\"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a5c0013a8fd9f0097d45e444d88054036ed8f442fe330587d0eae9d3714ec87c", + "gdnAlternativeSignature0": "10e9ab48939200696e4f91afa907175cea23e4c9aea63613a7ca13160da48477" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c8b8eb4f5fd69ed893f62f660e2df19dc69d3bb4a56c750d27505476f1cfd972", + "gdnAlternativeSignature0": "3bc11347887444d838588cd7d6dfcda7b36d4137a8406b9064dff980db330958" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": 
\"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7a9df9fe206d31f6b88c7461cbbedd1791b9500136c048ba6c5a1a70390f97ac", + "gdnAlternativeSignature0": "69eb37c4e01e77eaee89dd5c5159883cb79b66d176282e18fcb6e2926e00a887" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "67339bfd8472664e8e86c3dc86cc304bf7b9e1d32dfd00de0e6fbaeb2beea398", + "gdnAlternativeSignature0": "3e179c62893671bd328f85697d3c649cb45309fb6525b65b76a9aa5a649adc58" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": 
\"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4f72f1e4d99a8378d05b185cebfa8825d333a71cd5ef5b0bf186468bdbefea17", + "gdnAlternativeSignature0": "c78d4a844035a2ce61548f8d60784616fb2403fb930f340915bc4bfcc468716f" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "cd8cdaf3f142d7a4565c43f60507169bdc01b2286039cf1255d61c596ba3101f", + "gdnAlternativeSignature0": "bd5c17ecc6b46d6513f8eca0a60db649dd30c9a1eb735d04fbc624a1b4b79f51" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f7e0232cacef22c54066a9584d66a2197c9c74c0e03f83d8eb7c4e0134444dd0", + "gdnAlternativeSignature0": "7d8d600175945563c3b4bfe9e2c144473bb0a6ad19b8148501a70cdc8061004d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ae3081631a2091bd9163df6f1ee42da0cb7854cc3bd2d6b398ceb8157d47c295", + "gdnAlternativeSignature0": "89901158631e4d71235d05997a134e895b4ccc2e4ef71ec40ae5b8fe13439adb" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "255f7613ce31bf6755bb2ecceee14742ed8cff561d5a310b501ef17b7a9297d3", + "gdnAlternativeSignature0": "b96b4d533c88a6a70fd777af318af980187826608f3a569474d34858e2dfe22c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0b1fb05ccebfce0be5690acbadf661f9c2c441ad9d90eadd8db28efb2a5c574a", + "gdnAlternativeSignature0": "8835bcf442c7e87a2f87b12a5afeea783d9963935c9e670d58841eeee02b0fe0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2b2824300dc3a47d41fe35895bcc7cad5518ad6adbeecd51da01c157e6c984c0", + "gdnAlternativeSignature0": "7649a4df3f008f0807c7e8a88a1a2dc1343615f1b82341ecdf1c0191b0c59f89" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "91cfeca6c81755244c63c7c01d9c91da11cbcf416444876ee05b92c981358129", + "gdnAlternativeSignature0": "c4fc2fbf31a7a52d60660e3c94d040c2abb912507c60f5b084cb0d8eae09c334" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "12fdacf2d5aa3a1ee71cd5c41c350cfba3e252cd7cbe4d579fed9cb23ab77388", + "gdnAlternativeSignature0": "26f89be242e3ae985b8f53b8ee3c67bead4ae71123378bf3dee7dc2d8263e6d5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "54ced1e9e7299882c21663f45e6f27de7eb21223e77344e814efcd89b8eed40a", + "gdnAlternativeSignature0": "33f9e2f7e0ddc2d74628ef9e4d55b535c2ddb446f42351f4ba30926022834e1a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 
'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "288291d4755ccee48c5333b7d63f37c8e0706cf06714117660c84507a289ebc0", + "gdnAlternativeSignature0": "f5a45e007c2154338b28247a0731d64cd6c700e52b86171ebfab23be42290c88" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "08008df0f45ad8f64f4f9486ca9d1d20053d77608610e41a01834c68b1cc3a09", + "gdnAlternativeSignature0": "7f7317b8b44e4c8b52c5da46edf6e775d451d85bc442fbf7d98ac9b0ecdf9b1a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n 
\"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a2fcaa633cbc5e8689c4c980a1b76805afde139435d0d92003f29dbc1adb25d2", + "gdnAlternativeSignature0": "02fc484de3908421bf498b943a3501de05c15edb775e37cb7257ad89b4e1ea9b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "bf112ad4ff0c1f3dbda36d12b6d980c83e9448f3cea1fab2124874b363e2ac33", + "gdnAlternativeSignature0": "ddde80d77251f9ab96e8180febb6470c41bad8598a1751ecf3205201e04032d6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n 
],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "adf211c29e22998dc5e478d0f175052925f2426ac7b3c077d75a3d438bf01a71", + "gdnAlternativeSignature0": "4b079ac338cf1fa4d757290e73fb9b247e37983f28925e314c9d61debdca8a29" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "12cdce98f0d5aa4daf69793f9157ef1dd1dfd49ee3ef333f6d57ae4bad06477b", + "gdnAlternativeSignature0": "9ddb0eff72c95cda99852373789fe69e358faf69c9dd5a9fb90d415e957f67f3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n 
],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a01b7d7f752ca024104d998b10919091141c26bbd9d73412d05e9b7df9363f16", + "gdnAlternativeSignature0": "7df932c190b3ca666346a7f0465861d381530f106e254076b900a704cda36707" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "92ce11dc062621efb46ffb9f89dfd1b9c12dded0b94b04f3b0595f9420c0511a", + "gdnAlternativeSignature0": "7305d34c7a68da6a3a1c357d001602242c92f53fa425b0b2b7cac8681b8720c0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n 
\"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "66c95de9831d167d19805f23da1ed5e5e7187f6b898fd2c379923be413ebaed2", + "gdnAlternativeSignature0": "493078216959af69095559e71e4e85917a9850e8ea90fd13cae9e6e6378b602b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "dae96b9aa7c9155ac642e29b28b9fd890e6e1c9fa6412927d964aa22c026cce4", + "gdnAlternativeSignature0": "9b8c72895461d25ee31a8c5b1b5bdda37dc3c8b032c14663c43538cf838a7484" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n 
},\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0e15991fa47fbdff46caf4d88b4a2be08fb7309de35a5105df283f2cd3ef226f", + "gdnAlternativeSignature0": "b0664718fd5e7c63444d10f083239952773ba1744dbab54ba4179b90213c162b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f413c46ab964537bc7ae7dfcb7b2ffcef2f4859e417da785d2d693af373bbc72", + "gdnAlternativeSignature0": "90284155b27b35d9aa40959078e6e324d16c9ad43994fb20812c5b87ab3da8fe" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"7720ed6c8b5f7baf81abe1e027fc660ee7213935e400dae0edcfd3446026ac34", + "gdnAlternativeSignature0": "19a91cb4fc78c2570287be6094778b7b3129af76dc046331d5a63c1adc857126" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "31eeaa41cb930b4da2b791b254b14fe3f8abf8fb09a3f4592f23195d8b3d32ac", + "gdnAlternativeSignature0": "852e81a1be9daed64c584b0a57f48572b61750d22f9558ca1b3cc6dabca55ddf" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d41a5fe9e3ea723beaa68eaf7d4285ce450d5356436fcf3239c57109fab2e3f3", + "gdnAlternativeSignature0": 
"2a0982291cb4f11f796e6292520001696fa061f3549a3b4b6874c119b0dc8939" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0ae6105850f99ccaf95cf627c1995f3d7919bd31dc28f2945bcbf79f503fe118", + "gdnAlternativeSignature0": "72596372d73524682d0e517eb7a46d563f86d56830f27c9461e4d32ba4a781f2" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7681cb3edcfb2659c2d32f2e7974f467446481d6b8f2b69ebae4df96958593db", + "gdnAlternativeSignature0": "a0af6fe2a04fe4a682850851dd4abb0ce07f4da5c8164df732c5042397d0f297" + }, + "attachments": [] + }, + { + 
"ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4df01be86e5e4147c31aff5bef0d87d3e3a0fea9898be19a88df8f6060c6e582", + "gdnAlternativeSignature0": "a3bda844d97fdd08c544d09a457ab85e6f4f33118537eec7ee0be628841a0253" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7622258391e9aeb5136bfc53200e4631c118a10864775710c6e20c3a1c237687", + "gdnAlternativeSignature0": "481a7ad24af6150821e083f9d4f23bb233fc2533beddacef31c29768569b84d6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n 
\"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ed1a58b3b54cc84e53c7bf600f8fab74e9c11af3031a3f091ec16ba9718b6009", + "gdnAlternativeSignature0": "15c3e8d74638416369e18b9d5385946a799c5d6e07556598bad7ffab2362586e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3182a4a340f4f50c65cd416eee5fbc9ded7a6ef32624b4c7474bc837466e224b", + "gdnAlternativeSignature0": "d8a84c842901bc6695e4d2872e84deb0a7baa06a702117331a93c6feadf5a546" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"2c00ee00a620c96918dc4b9545112008c52cc88c30ac68e0b8478f877a16c74f", + "gdnAlternativeSignature0": "0fe0595ae36ffe8d3f8292c1f39136832913fff70668f658520a5a08513d411e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6cdcbc4da68c2815a6d3f0bd78504303b0825e880d14097332cb170407c80128", + "gdnAlternativeSignature0": "1fe507dd25e0339cdc76945f0b74a799aa63dcc0b23cad0285faf8848457d916" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f3ac1d65124943989cd407b1862791529fab3c4e0eedc65511c90e43edf3404b", + "gdnAlternativeSignature0": "298513397a838c0f2a237b8c715b3e500bcd2a54a0f1f6163bd77768da9dbcca" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function 
app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "bd6450c773eed311a8e88ceb126978f5c3988a64c332b8ec936cd28ea7aa295b", + "gdnAlternativeSignature0": "f234d72c8e49b23ce2aa32bda1a3f909baa6ad9b4fbbf65d4211d56cbf976848" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_13", + "ruleIndex": 36, + "message": { + "text": "Ensure App Service Authentication is set on Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4764b062aa2d198673df7c5f6d2c0e9c01286e83909a609e2372747b782c1ab7", + "gdnAlternativeSignature0": "528e2e7673c1c9c45f2e03b442261956045574d01f03c9004d1d2bef6c09bea0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_65", + "ruleIndex": 37, + "level": "note", + "message": { + "text": "Ensure that App service enables detailed error messages" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + 
"snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7a5a598012ddeb8be2fd66b67a61ffcdc2b743ee4bdec4d88ff3ec3b35747b5", + "gdnAlternativeSignature0": "1cef927286d0a4b4ea6cf8c1b9c129beffa0889f29a77ce4d2b443c9d83d3669" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_80", + "ruleIndex": 38, + "level": "note", + "message": { + "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3f0e499426cfa4fe5bdb96a9894cb77d781ce58b0d391af6741cbbb23829d7c9", + "gdnAlternativeSignature0": "e237636bdd6a09fe032da4732bf99d542b96c319747ff963d56185e4298297e4" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_66", + "ruleIndex": 39, + "level": "note", + "message": { + "text": "Ensure that App service enables failed request tracing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + 
"endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ecda7f10c676f4fb72429cae500da0aa6d3a253664f489dd99c37140cc4adbdd", + "gdnAlternativeSignature0": "456c9b0bbba231ac9f76aeb80c65a8f2e4f2395fb0cbc94b7aa38df4ba418c4f" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_63", + "ruleIndex": 40, + "level": "note", + "message": { + "text": "Ensure that App service enables HTTP logging" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0debc8b4bed8e61fddb6166094e0f30c9823a2a4bc6e21990d839ce42bbe7faf", + "gdnAlternativeSignature0": "119c560594404bbb1f85c2a4a64be3ba7f355cd183dcc2efa31fd0bc552f5ad5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": 
" {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5c6cabb001d3b83d407085e00b359528524e83c168685191c6a9258098a9d366", + "gdnAlternativeSignature0": "3664e4a542b0f7100774ae71190236958f7e845d9a1d5079ba8b85ebf4ecfd1d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_88", + "ruleIndex": 41, + "level": "note", + "message": { + "text": "Ensure that app services use Azure Files" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6f0de3fde830219d08c3c4083fce6ccd9966859a6cd4143ec03fe04798472dee", + "gdnAlternativeSignature0": "6d432a9079e10e7a68453f21043b67398f44a7095b3b4337ad2a97b879c6adc4" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": 
\"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "dcd550d66ea4f3ffc89adf365fe7cd5bf8d63462acecd1cccb341a7335e9fbc6", + "gdnAlternativeSignature0": "5831a40aa6b645473d2ba22c02586e6993565e63f22aec548d3af0fa06b9fd22" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6b0c6b35c56eaa234e454e964d8305e90681f1bb57225e8b47b7d84d4bd9c52f", + "gdnAlternativeSignature0": "25b4881300990c178e3af646a347540425e737d05e462e73ac054f3c73691340" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9fb5162913194706fc251e38d156beebe0887f9bb6ee8c03671cd6755a952833", + "gdnAlternativeSignature0": "99d41b0689e4d871f9d62281e26dfbfd83c98541d8a02fcc05cae59e1c6e1e61" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e11b584dd233a10ac72c56c29b0abb0a46b40eec0fd60d073902939bb2fa1a7c", + "gdnAlternativeSignature0": "0094ff86f766a290f1f59fd99f98729982d98a5c48687076a1fef7cf652dc8c1" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n 
\"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4750d98ad7c586d98825c46bea9511b196f12dc4264fb696186efd16ab3d94a2", + "gdnAlternativeSignature0": "b8e824ce01520cea292f1a7f62c7bcb8a5f77c5151b5bc056b1412295ff3497a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6618f89bf0f657561f12e6f711f090337aa8f3864239d9b428ecc00ca4e734d8", + "gdnAlternativeSignature0": "020034ec5f28ee65e82f5e48c62ebc00c918318b37fb5530d365b705686fd720" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n 
\"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "257663068ac706eb48e30972d5ef65ae59a81b05935937b81969fbce76b54284", + "gdnAlternativeSignature0": "7162b78e9cff93e85080d9d077dbd2f6d9c5a765d0da6485890b044204b68786" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2dae51e3df9996d76d22a1ae6f75f332e4bf5bad3f4272e79c26b2b7c999ac94", + "gdnAlternativeSignature0": "8259e76b9c016c2688d043c19e0143fe202feb2d893e108efc9e81c9d35ce4f5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_13", + "ruleIndex": 36, + "message": { + "text": "Ensure App Service Authentication is set on Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n 
\"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0e8af6cde44520ef4bcab2e8711c2dda5a7fd48878091674e03dc681118a266f", + "gdnAlternativeSignature0": "146cabdfaf6092c02eb82036132680f7b6808bdd5432312d46330c9bd3585e72" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_65", + "ruleIndex": 37, + "level": "note", + "message": { + "text": "Ensure that App service enables detailed error messages" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ef81362c707d65d3863cae808daf52e6f7ef001be334504a099e1b9ff50e232b", + "gdnAlternativeSignature0": "6b075093c48fdb089dd2354278746e6a51fe721cabb128f140a431cf005127d3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_80", + "ruleIndex": 38, + "level": "note", + "message": { + "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n 
\"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0b92428b5f8d657f24f7b113a8e844c8b9f0eb0582cb7ceea6933aa04dafd8ff", + "gdnAlternativeSignature0": "817496a6ee1a0d6d64bb24701e78f9cba8b3fc06268f0bade0689ce46999e311" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_66", + "ruleIndex": 39, + "level": "note", + "message": { + "text": "Ensure that App service enables failed request tracing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3e9ad501881045e5d7309b74094c547164a1dab831701c7dfea6dac72f78ad39", + "gdnAlternativeSignature0": "8d2d4e5f2e7fb6ffe5a3d690ad5075c7a4194060994f0f063c517791e6bd4150" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_63", + "ruleIndex": 40, + "level": "note", + "message": { + "text": "Ensure that App service enables HTTP logging" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": 
[\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4f45838aff932f565433ff3fd599bc9de4d7bd434bf4511cee319935dfb28950", + "gdnAlternativeSignature0": "d7afaaf97a739bde64c18fb27889fb4d931b2ba29561244209ab5f03659f4b71" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7d1e0a2597990637571695421255bca16f0c42cb2ec39b943ec7ec98dbf64e8", + "gdnAlternativeSignature0": "1d2b4a62840a1bb054f7389ba3c9215d640240d28ecac6c4dd75531648052b7c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_88", + "ruleIndex": 41, + "level": "note", + "message": { + "text": "Ensure that app services use Azure Files" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], 
+ "fingerprints": { + "gdnPrimarySignature": "7ac28937c766ad8aca6f80f4c1b203c09f14c9b030a09850ddf94906052d3cff", + "gdnAlternativeSignature0": "86dfaece04781f7765ed78900613f50af845e94a4498b5bfe133a0567832350b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b0458996e102d04b1269a39e6ad2f6d6fa741a778b7821a91a590d13708de75c", + "gdnAlternativeSignature0": "ba1b6ae6482744c512163ee84d83124346fdff55efcc553c93a117827b277dae" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8e375b5a9dc4728fd4ba4a21882993369de923f2eac2ed78cf8491552d8facaa", + 
"gdnAlternativeSignature0": "853de3499062ba5a2cb953cc5283596ec4b8e90b4b1b51d5d7ed7fd9ef487dd5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a127ae6cec02825e2f917c367e3db26bf8017f68b1998857a4ebb175353f6a51", + "gdnAlternativeSignature0": "e1bb268111081a04f49ac60c72a63ed0738145f62892adb59d43e0cdb4181ffc" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d351baa7f806ab65257e43138c406148e9c81bb988521fe221f56f7e72e21818", + "gdnAlternativeSignature0": "5c32a35a8c57bffbbce0105bb252897bba594b8d564d6be228aa0d086db40eb6" + }, + 
"attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "34cf1285b6c9b01e2163c4235369bba2bd1740e57a71fa21d4945fee87438740", + "gdnAlternativeSignature0": "e681471f7211744f1008218a8212ef79deecebeb44aaf693cb5c6a2ff0c30fbc" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e25dee6e2c2afa0f90032dee4f66872f8022716e6e1870e697e282669a0e6bea", + "gdnAlternativeSignature0": "44100aca6dd76613f2e92578a73695780785c3777bbba30651b6e632ad118318" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": 
"Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "da1a3fa73f790c28a05f8d7c42c7961059009ddc9e050d309066a52dc28f2964", + "gdnAlternativeSignature0": "b97d0c99d154acece432cd4b25ed97cebdc3307aff68dff7034a8814c9407ae1" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c469692cea7b7ca010669e9d28957de550b80aca420639dab41c3b50acb673fd", + "gdnAlternativeSignature0": "0280a30c60f721964ef8f0e1f057cc3823c08e2c877a2f35ecc0bf0cba67aa73" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + 
"physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4fd9a062f86a13872b9dad7a38cfe0d953f929b117ea32a74b12949f94482d1e", + "gdnAlternativeSignature0": "4313f93aeba30524fe4b597801c38b1eff909f6cbc2cb6ac96c9fc11b4acd52a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6ee562e5d732261eee58f4880f619fded377b21bb88bcc90f9b5abad30ed6398", + "gdnAlternativeSignature0": "e931b536ca4eb49838ef185e4d0af6477b51badbaa93242a6c4ff1b2e1298bf8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " 
{\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "143778d4f31ab73a5bb75054896253c16373f69b3e0441b850b0369d1bddf1c4", + "gdnAlternativeSignature0": "03129ed6590e6f4bf2f43e9281e29c697a95962f5878ba90589b6fe88fe04380" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8e4a04fbf2e32b4f92897087315fb87884e9f2888146d04906779b927323f6c4", + "gdnAlternativeSignature0": "f321e049084aef0145e1b33f9c49fbfd5cdeb2ab03c824e93f910fbd3adbbd44" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": 
\"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3c4d99dfa4a6499c4718cdbe5c7c7b5fb1667ca31c16bddbc1f0d50f201b0eec", + "gdnAlternativeSignature0": "fe55bb9000959302368aa07dd560c68c98caed221602cf2a2f997e85d4bdd6f6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "eb4bed8fbe96c4a4bda2d5714d30a37fe5af249e7983c2e529ed2555b2302577", + "gdnAlternativeSignature0": "e5ada8bedea49618df2290b727da8e0b3564bbc4cad4ad22aee82b8a6afd2581" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n 
\"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c7c28aa1f6eb6c981b8dab94041a68bab23a9b72de245b2058c9280c612cac81", + "gdnAlternativeSignature0": "53b134cf1cec93348d12102916d6e3bd4072019df2f026de26b3ef6db3543505" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "23dc3709b4a9455bce85771532889a8fb832f85ad458d4f285fe9fb2eb7807ae", + "gdnAlternativeSignature0": "7fa5336cda8b5f2d8c41c95ffc7b95cd3ace43f023bd72dfbf479b585045984b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + 
} + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4e8cc7e2a4b582670ab605572ebf449e0b91a874db1ab9ef2e8e1202651fb74b", + "gdnAlternativeSignature0": "7fca34e471d5ec9837849486a2e299f93b5ee49824bfbaf0059ddade380c33c5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "32f70b90c9398c6ab47faf4896ca724cc667414fbdd61f9d37ab64180039afa9", + "gdnAlternativeSignature0": "74ac563e5ceaa5a0e09e489b9fa579c8be0ec02947aed0617c6faddf0243f60c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"f565d488d0ee136a77ca481e53820893ff8ba50cacc9abe76f757c1a84865639", + "gdnAlternativeSignature0": "3fe95bf85179982d04d6323aeb899d481688025a708d5e171859bd82cc1cdd76" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "88848a38797205708edddcc47234828b56efc3e522b2f791a287bd2e1362ca36", + "gdnAlternativeSignature0": "0c58696e023f4bb523561bf26c5c02916c2411086a669f73ace694130370fd8b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "df545930bb8458e5f4d491540b41367072287dd41d4cc413670e820d053b3c59", 
+ "gdnAlternativeSignature0": "b156e3e128bdada88119590b89491ba5637d828eb52a1fd7cb66709f886f4015" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a4a0f2a5361ad3d1b9eae1eee98796fd4b9cb48e588e5ff7e991e03b1fd406f6", + "gdnAlternativeSignature0": "273d89c35b3928f35b2b753a0285d00ac263f3183a4a1488c2f7a79177415611" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9719571b68e5b3a885fa6fd8f779399b128f621f8c56f6fab08675f5bab6bad4", + "gdnAlternativeSignature0": "e0db6d935221b8f1a1c87a50acb333285eeab2b10c099cfc8c0e1842c3a55397" + }, 
+ "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c99607a3189b9bc5ab42ae5c2d7df75995a965340270a602883d37aeed0923d9", + "gdnAlternativeSignature0": "95c9c99f71bb81429ee8ccb9608f889801fd91e170be93bd519d0c4aa56ab001" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ab35f47a9966e5318d1be863b2ec0f17d58d977c71e868ebff0db5b49b68af09", + "gdnAlternativeSignature0": "9c833adad252c499f44a089a84712b55a0a006a47a9aba6c530d01a1bc94f558" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + 
"artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "602fdea611aaa3d22235f4e83203311f5ffe8e9e22833d6184d440e68f024bf5", + "gdnAlternativeSignature0": "5c17ba6738b8da7c912c45aebf73499fbce4dc65cf6407b66f5a4c274679619c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "20d3cf16494d80ca62033400936f0feb57be0a8ab23b9cc9b162b2247897388e", + "gdnAlternativeSignature0": "cd1e03ef8f9614165ea4d7a0973270f4bbab817cb3cc52ad0cf36cb647c3b6d9" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n 
\"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "78cc949070f476ebc74b2dda7f5c41ae43b805ea3b7daf49d3078c058f79e5a1", + "gdnAlternativeSignature0": "a55b806fb31cb3bf0e6b5c3d01f6ffd490c3b886bb80a722866cc000586f0f8a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "15dc91ac7c730ca245aabad00f156494d8a29ee9b357748967d76f05344eda7f", + "gdnAlternativeSignature0": "5847938307c50605c0610b36925ab50eefcc6634ed7e565f480bda53984af466" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ea83d615bfff6cce7ff0679906857f978db31bcc20aaf8362758e87312e2d941", + "gdnAlternativeSignature0": "c039abcf9cf88918b4dd9167119722b1a5108ce5e38d75043c0b750fd2981ec3" + }, + "attachments": [] + }, + { + 
"ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b051219a1626ff89706e92b04e25fb0932c1d985ea27f8aecbf7f743c04dc659", + "gdnAlternativeSignature0": "cabf626aade2ee1d730330c88d2aa7d8895dd4c93938eeb77c63f03a052c7679" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6b115656ed41348ad449cf25c954970b70b571ade5d19e1105620b4e7717e2fe", + "gdnAlternativeSignature0": "aa6295e81aa6a4ae09a54ac0c497bf6291b50dd88a72b6e830bd210a1a68aceb" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": 
{ + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "14fcb885307e08a2c5ada1206158c9a84bbe32823e0d5c615704e0bafa8aee79", + "gdnAlternativeSignature0": "fb7374d63bc8d8ab31652d206739a312b4868d345ca64543f8d31991d5b46cfa" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5ed1b342d8a0f06c5b0bb3d15388f5670cf2b409bf65da4b74e438912627892a", + "gdnAlternativeSignature0": "9f5a5eef4cfdb3f4462b7862dcba4b5bef7ef10e97449da469e0495432b1aa9c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": 
\"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f769bd7202fd3a2674861afca95fa1cfc0664bd0b76619913a2f39f87fd2fe8a", + "gdnAlternativeSignature0": "5992da2c97b93015cd5ff7d85e7dca064eea8c61012c16fd094729db911f95a8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5bcdda995b38f39e6e644a8b926bad1dda898d677c7095948d0787f601427d9b", + "gdnAlternativeSignature0": "13ea3d62cdfd23a6f501449536936b1c6db8485e0dff7c99196f039ded5323e3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": 
\"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "01e261f9a2c80b85eac147e32d3398613aacdcc9aba1ad95bed4948b25697177", + "gdnAlternativeSignature0": "06726daca90067656a51c927384b29c2fa63923f996cd8820a67beaac37a348a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "72e5f5c502813f23c86f6954f698b653e4357d2982e8bb56333ee89c838fcfad", + "gdnAlternativeSignature0": "faae5ac2227e01f41f73eda05f5b00d5de49e9d7c812dc34cbea14b50d6e9f77" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": 
\"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "64bf46cc4a2b1a39786b447ec202c2052f0686c787af51cc562ff3cb2baeadac", + "gdnAlternativeSignature0": "370f91c60e0d1be39570b5bc47e69e0826dd5835293145c9f61e8fcecac252b6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4040613d3dfb88a05ae97881bd42b488d51f9ab73eb119fc0554a783ca548f34", + "gdnAlternativeSignature0": "aa1ce087240db3e7202e98fb6d5d42a12644148791a444e2923686fe70b74fc5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n 
\"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7aa4dc87ad0a059efeb183e063efb6d08c9643371ef92a08431c2d59dbe6d7d8", + "gdnAlternativeSignature0": "efa930281f9711759aae2cbd30e4f5f6dfa8935213ef9d897b14266716dc3a50" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e921d31bfff9b531e071fb26ffdf65b6ad8bbe22352067af06b35cb28e82fb8c", + "gdnAlternativeSignature0": "17ce881dab034d29e0a5df168f9e1c52bdd2c5c975e4fdda06fa613e032d79bf" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n 
\"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a1c9a388790b96bca8c54d7e1af1d480c30c7478de1cdf397833aefa8611697a", + "gdnAlternativeSignature0": "6550ec87cae9d511c54e0c344a4cdd2c0de2f8cd89c915cdadf98545ba96361f" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5f201d5437de55fd80955e36fa892fc93cfb30c65f554f53a86a4df19d91f7a6", + "gdnAlternativeSignature0": "24eb4b238d28c37f127ee733bc68e96c101b7c274ec58a964bb4ef8f105a07ad" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n 
},\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "eb2f9b348b74a7a30a2ccf85154a95c66cbbd999d7f0db1a5515dc50033cd858", + "gdnAlternativeSignature0": "ee26900668b5c483ff485bc262a9dda64ddedd4b96a4e5f956797fc4e31c4d1e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "752975926aaa31a34fc4bb75edb0955f8b1b2b7cdd24081443961bd594ef684e", + "gdnAlternativeSignature0": "55cf1c6618e5e7a3be0f2feae175940eb5ec736d17afe66f0895df6997ab216e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"26f0a1a83d914e1d5687c693993f2e09d71b52f756d23a5682778f4a2085ff5e", + "gdnAlternativeSignature0": "5a8642e916010fccd880c8c0e73e83f149b9d44c76710d50d541dbd4d3c7d72a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5add9273a9903c496a94184e7c5ae16aa8c53067ea2f4eecb7f6cc9876a3145b", + "gdnAlternativeSignature0": "a1cb801109625b1081f5c08bf8d85057df4fa338901c035a3c779845e8d973ca" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3f3a80ee3024489c35085570b02f970bafaaf551396274635a00a4b79ac0eae2", + "gdnAlternativeSignature0": "917035e9a96adddabea41ba383c24edf46e1ec39e5e02fc8be4ddbeb01bc5b4e" + 
}, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8493bbcbf96e7e1068c6296f576527e894ef7245800bcd2116bc07e72079b43d", + "gdnAlternativeSignature0": "755512e4b82449a08f44e7eaebdb946e29314098160f8e1f39b9870f19dc43f7" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d15577475858e078e31e0a5a4560d3e46f04f5c0af458457d9c46525545d0add", + "gdnAlternativeSignature0": "34f10bce44f8b65d8306df6efd6b8a73666704ebe97281cf5bb20c27415a99c5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + 
"endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "21939dfe4c3d1e60adaaab7f75ef7a0b94b4377b2a2950f7670c9afd424de80f", + "gdnAlternativeSignature0": "0054487d755a01b77de504fc5157faecd817a0ecae44d1e4aa91fd1a46e0be8b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "47829e0ae136b8b26a4176f73de53c99044bba251a284cf106812e2600802361", + "gdnAlternativeSignature0": "0a441e95438cb23ebbfb5ba5d34958a96417b8b4a440e329223843a090eab255" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + 
} + ], + "fingerprints": { + "gdnPrimarySignature": "0563668dc60ab562ba7553e4059ccb2600d2aee6505b99813a4d2edad7d7cab8", + "gdnAlternativeSignature0": "71db655b881a2f569a03dc4a80cf4f01371a09611c4f9780e1ac3eba24b4e2f8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4f0638c743b2d1843ef77d55d462748d273aee152bbb618ceaa5a51f793330fc", + "gdnAlternativeSignature0": "e4025758f0b783be95138fa9820d245cb4c1db229e4353bd0a20f699ee9e616a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ca846feb1e4469b819a99002b3cec670caeab114d5f1c85c81ed5830745e8c77", + "gdnAlternativeSignature0": "962bde0a801111d2d1cefcb5d5bb60e8c031e3c31f4e4527dc4ab9fb05b23991" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_25", + "ruleIndex": 10, + "level": 
"note", + "message": { + "text": "Minimize the admission of containers with added capability" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a73a10ebaed1bcca5045392cd0e24ff11412eeae435f8a66bd90d64a40f09958", + "gdnAlternativeSignature0": "681910e9bced9366623d2dd9e93781a0f1a15f148fa6523a13e9a0058492d662" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_20", + "ruleIndex": 11, + "message": { + "text": "Containers should not run with allowPrivilegeEscalation" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n 
lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "692c38842f145cb9c1ee25b48643b65a41b423830a016a149dc12712814602af", + "gdnAlternativeSignature0": "970e4c551a08367b382ed411f7ccca59e201e8e34e32717929767a568630af1e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_21", + "ruleIndex": 12, + "level": "note", + "message": { + "text": "The default namespace should not be used" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 
1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0378eb8b121cbc93bfe8a78bc75aeb8987f5e31d530ec0adf577e7cf03ee717d", + "gdnAlternativeSignature0": "fffebb6a7b3891cdd01cc402002cc3f81150a080fef1ea60dfe1e2f6f69eb601" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_28", + "ruleIndex": 13, + "level": "note", + "message": { + "text": "Minimize the admission of containers with the NET_RAW capability" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n 
capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "70f66e4afeb0264ac95ebee5085b90a23e7a9a54107832fb271bd1f1aa298522", + "gdnAlternativeSignature0": "0f11dc2ccb44a7216c78769edb10df097f8a1fc681f56dfdfa93d7c2b802f9b7" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_43", + "ruleIndex": 14, + "level": "note", + "message": { + "text": "Image should use digest" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use 
apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d54de20ef46f5565573d6411cce2a3baaf5b309cdc9e73bd2e0948dd98363d46", + "gdnAlternativeSignature0": "4e3e18739d7eee6105acea4f65c463484b66649a68e864755fc68c7030743359" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_8", + "ruleIndex": 15, + "level": "note", + "message": { + "text": "Liveness Probe Should be Configured" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n 
lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2e737794eca54186f3ad53c5fe3a9a7e34d4e9617064e5f844c785e4082877e3", + "gdnAlternativeSignature0": "1efa25c9281d5272c63c1bd7aa7a55673eeb2696c3df5d258c0291cb3d22eff6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_37", + "ruleIndex": 16, + "level": "note", + "message": { + "text": "Minimize the admission of containers with capabilities assigned" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use 
apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "09e2a7056dc2cd2bb024c4a44a0111d6f1e72d32b6b4a76c8f02e14817384044", + "gdnAlternativeSignature0": "d3bc404f8a377bc479f16b07ba7be8098c6d7a10735ee0bc15be7f48c5f089f4" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_29", + "ruleIndex": 17, + "level": "note", + "message": { + "text": "Apply security context to your pods and containers" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n 
add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2fb25b212960e5a8760b6523d4a4c2b47c5a0482186059c1d23c41446faf72b7", + "gdnAlternativeSignature0": "85a6f0ad55f847141b45ccf6ef907b5a180d07d0d29cac32bcc1829e8eb8b2ea" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_22", + "ruleIndex": 18, + "level": "note", + "message": { + "text": "Use read-only filesystem for containers where possible" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 
1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "da115818e9e2ffadf20a6b9d1cb1c02e963eb192dae03af8c39e6fce8bcc097e", + "gdnAlternativeSignature0": "d8c06cf85b8fbddd0ad8ba2f86285da2ad52245291c6cab6fd69f3fce31127d7" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_23", + "ruleIndex": 19, + "message": { + "text": "Minimize the admission of root containers" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n 
preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c1be36e7556627562c7357f53bacdfea88d2fd6839ffad11f41bff594ddd0f83", + "gdnAlternativeSignature0": "e149f6402cc34c6663973655fb12e532f6c670a7e0374081fae82fd6575dab65" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_40", + "ruleIndex": 20, + "level": "note", + "message": { + "text": "Containers should run as a high UID to avoid host conflict" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and 
before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "25c05ca1359bd4c2edaee66ac2d7fdc6c213eebfa5d139a0555ed06ea2c573c7", + "gdnAlternativeSignature0": "a73c63b0f812757918d4198fe20e0100bcf3d60c9a9a37f67cd321a74a14f72b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_31", + "ruleIndex": 21, + "level": "note", + "message": { + "text": "Ensure that the seccomp profile is set to docker/default or runtime/default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n 
securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "70378cd13d8568d09ced49362abbf35160b842273ca5ec57bf69c71c378a6321", + "gdnAlternativeSignature0": "3bfe46e3cda430aa1ce3f452e781cdc43697d087821cc36fd104604f940ae43a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_38", + "ruleIndex": 22, + "level": "note", + "message": { + "text": "Ensure that Service Account Tokens are only mounted where necessary" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": 
"apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "97d3e19a31f43aac84ccd148a5c258209c1727f5900e0b2b1435e8ab08b647b3", + "gdnAlternativeSignature0": "218768ca543d9e02181e0769e8f9a3c7e5e2318fb0742bed2736ea116b7b8f4e" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_K8S_6", + "ruleIndex": 23, + "message": { + "text": "Minimize the admission of pods which lack an associated NetworkPolicy" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n 
add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2c09fe5d58637920ffb2f45d2e9e47b6d24f94f9a5a6318e86d5b119d90dc136", + "gdnAlternativeSignature0": "52664a33e0000747d7d55032ea8ff784c99f191108fd7b0a4405b4b4b1787c90" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_59", + "ruleIndex": 0, + "level": "note", + "message": { + "text": "Ensure that Storage accounts disallow public access" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n 
name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d7f32900926833945cac2ead4c1ed6c351aabf9fee418b413e3bfe46c8fc54f3", + "gdnAlternativeSignature0": "a3fc19e10564a2494f31f34241b921013aeb4aef2a9ef7ef9731f2fe7fd95ce9" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_33", + "ruleIndex": 1, + "message": { + "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "641b61a3a4b3c0d759acd57a321d6db4044b47347cd764c152f071e8341faea0", + "gdnAlternativeSignature0": "83a8dfca2a610d8e67e683b30391980c336f3c1722ce80fb2afacb2a01b0a799" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_44", + "ruleIndex": 2, + "message": { + "text": "Ensure Storage Account is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = 
\"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9805631179c91f5535eda5e1f2a9d29d2295ca1bec013d3174a1285a9be83d60", + "gdnAlternativeSignature0": "05b8f7f1708c13235397e5a11b0fd243e02f41d8c5085efc269c1d4e73d2b39a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_190", + "ruleIndex": 3, + "level": "error", + "message": { + "text": "Ensure that Storage blobs restrict public access" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a34ff2ab3988f90969a68250eef2b1c1e687c5b58396f198c2615a955b8db206", + "gdnAlternativeSignature0": "9c23a512d4110d27fefdb36bb130958e046b17463df5a7ef245d584c9f943363" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_40", + "ruleIndex": 4, + "message": { + "text": "Ensure storage account is not configured with Shared Key authorization" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = 
\"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e9deaf9a38127ba6222b800492a1b840017f9907c25f9fba842d8c85ae861f33", + "gdnAlternativeSignature0": "bf8101fb23c886bf671ac5c24d8b62f3028e2d9b5e8fc2e106d6789aa8070b76" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_47", + "ruleIndex": 5, + "message": { + "text": "Ensure storage account is configured without blob anonymous access" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "1d3bb7599e6f934ddc2badeee51d506051093f4e718c3199d4efd83c6e74ec12", + "gdnAlternativeSignature0": "edfaa2046c397a63e4856e499fc9a7166c96e5bb51978d37f2426cefa1af8457" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_33", + "ruleIndex": 6, + "message": { + "text": "Ensure storage account is configured with private endpoint" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"43638c4e55b51ed9f346ab462c059ca30a19b570565c7de7ea7b5daee1d6d9ef", + "gdnAlternativeSignature0": "4b4ba219a803a0d61f213eab7cfdf2792eda5bd536ccf4992d1b5d9342e26ac3" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_41", + "ruleIndex": 7, + "message": { + "text": "Ensure storage account is configured with SAS expiration policy" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "761254b9af4e347b1a2a05bc08bd77da3c0a640e44671e27f0fa7cbbc88d2b93", + "gdnAlternativeSignature0": "3358ef85a8762cda2cea0b4f31eebe014dc97571753cefc4394067b9f23cf0f2" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_38", + "ruleIndex": 8, + "message": { + "text": "Ensure soft-delete is enabled on Azure storage account" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8fdd2b7bd19cdd5ce21a89b95330d3a80ecd9efbe30f89c35f0b146a42a65d0f", + "gdnAlternativeSignature0": 
"e05ba2b227cc43fd36ea7fe66359bf553cdf88de6ff3aa184fc24ed97fa3c3c4" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_1", + "ruleIndex": 9, + "level": "error", + "message": { + "text": "Ensure storage for critical data are encrypted with Customer Managed Key" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b6600702be50525edb979f621ecf387776351f02b51dc4d37b822d660e575787", + "gdnAlternativeSignature0": "d1feda229fb89c3ecbaaaf3edec8f23599c5bccd3a725020863ea9b593ae4375" + }, + "attachments": [] + } + ], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "checkov>>6>>202411062057" + } + } + ], + "properties": { + "producer": "MicrosoftSecurityDevOps", + "pipelineRunUrl": "Unknown", + "sourcePipelineId": "Unknown" + } +} \ No newline at end of file diff --git a/src/msdo-helpers.ts b/src/msdo-helpers.ts index d12e9e18..72b13f14 100644 --- a/src/msdo-helpers.ts +++ b/src/msdo-helpers.ts @@ -11,7 +11,8 @@ export enum Inputs { Categories = 'categories', Languages = 'languages', Tools = 'tools', - IncludeTools = 'includeTools' + IncludeTools = 'includeTools', + ExistingFilename = 'existingFilename' } /** @@ -29,6 +30,7 @@ export enum RunnerType { export enum Tools { Bandit = 'bandit', Binskim = 'binskim', + Checkov = 'checkov', ContainerMapping = 'container-mapping', ESLint = 'eslint', TemplateAnalyzer = 'templateanalyzer', 
diff --git a/src/msdo.ts b/src/msdo.ts
index bdbd0e4a..c95399ca 100644
--- a/src/msdo.ts
+++ b/src/msdo.ts
@@ -25,66 +25,77 @@ export class MicrosoftSecurityDevOps implements IMicrosoftSecurityDevOps { public async runMain() { core.debug('MicrosoftSecurityDevOps.runMain - Running MSDO...'); - let args: string[] = ['run']; + let args: string[] = undefined; - let config: string = core.getInput('config'); - if (!common.isNullOrWhiteSpace(config)) { - args.push('-c'); - args.push(config); + // Check job type - might be existing file + let existingFilename = core.getInput('existingFilename'); + if (!common.isNullOrWhiteSpace(existingFilename)) { + args = ['upload', '--file', existingFilename]; } - let policy: string = core.getInput('policy'); - if (common.isNullOrWhiteSpace(policy)) { - policy = "GitHub"; - } + // Nope, run the tool as intended + else { + args = ['run']; + + let config: string = core.getInput('config'); + if (!common.isNullOrWhiteSpace(config)) { + args.push('-c'); + args.push(config); + } + + let policy: string = core.getInput('policy'); + if (common.isNullOrWhiteSpace(policy)) { + policy = "GitHub"; + } + + args.push('-p'); + args.push(policy); - args.push('-p'); - args.push(policy); - - let categoriesString: string = core.getInput('categories'); - if (!common.isNullOrWhiteSpace(categoriesString)) { - args.push('--categories'); - let categories = categoriesString.split(','); - for (let i = 0; i < categories.length; i++) { - let category = categories[i]; - if (!common.isNullOrWhiteSpace(category)) { - args.push(category.trim()); + let categoriesString: string = core.getInput('categories'); + if (!common.isNullOrWhiteSpace(categoriesString)) { + args.push('--categories'); + let categories = categoriesString.split(','); + for (let i = 0; i < categories.length; i++) { + let category = categories[i]; + if (!common.isNullOrWhiteSpace(category)) { + args.push(category.trim()); + } } } - } - let languagesString: string = core.getInput('languages'); - if (!common.isNullOrWhiteSpace(languagesString)) { - args.push('--languages'); - let languages = 
languagesString.split(','); - for (let i = 0; i < languages.length; i++) { - let language = languages[i]; - if (!common.isNullOrWhiteSpace(language)) { - args.push(language.trim()); + let languagesString: string = core.getInput('languages'); + if (!common.isNullOrWhiteSpace(languagesString)) { + args.push('--languages'); + let languages = languagesString.split(','); + for (let i = 0; i < languages.length; i++) { + let language = languages[i]; + if (!common.isNullOrWhiteSpace(language)) { + args.push(language.trim()); + } } } - } - let toolsString: string = core.getInput('tools'); - let includedTools = []; - if (!common.isNullOrWhiteSpace(toolsString)) { - let tools = toolsString.split(','); - for (let i = 0; i < tools.length; i++) { - let tool = tools[i]; - let toolTrimmed = tool.trim(); - if (!common.isNullOrWhiteSpace(tool) - && tool != Tools.ContainerMapping // This tool is not handled by this executor - && includedTools.indexOf(toolTrimmed) == -1) { - if (includedTools.length == 0) { - args.push('--tool'); + let toolsString: string = core.getInput('tools'); + let includedTools = []; + if (!common.isNullOrWhiteSpace(toolsString)) { + let tools = toolsString.split(','); + for (let i = 0; i < tools.length; i++) { + let tool = tools[i]; + let toolTrimmed = tool.trim(); + if (!common.isNullOrWhiteSpace(tool) + && tool != Tools.ContainerMapping // This tool is not handled by this executor + && includedTools.indexOf(toolTrimmed) == -1) { + if (includedTools.length == 0) { + args.push('--tool'); + } + args.push(toolTrimmed); + includedTools.push(toolTrimmed); } - args.push(toolTrimmed); - includedTools.push(toolTrimmed); } } - } - args.push('--github'); + args.push('--github'); + } await client.run(args, 'microsoft/security-devops-action'); }
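Review bot: In the new upload branch, `existingFilename` is passed straight into `['upload', '--file', existingFilename]` with no check that the file exists or lies inside the workspace, so a mistyped or externally derived path is only caught, if at all, by the CLI. Consider resolving it against `GITHUB_WORKSPACE` and failing early with a clear message when it is missing or falls outside; reading it with `core.getInput(Inputs.ExistingFilename)` would also use the enum member this commit adds, assuming `Inputs` is imported in this file. The branch also omits `--github` and silently ignores `config`, `policy`, `categories`, `languages` and `tools`; if that is intended, a comment or `core.debug` line saying so would save the next reader from guessing. Separately, the re-indented tools loop still tests the untrimmed value, so an entry such as ` container-mapping` with a leading space passes the exclusion and is pushed after trimming; `&& toolTrimmed != Tools.ContainerMapping` closes that.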