From 25f9a1a60953ffc8fd80a60a6a148acc1ca336f6 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Tue, 30 Jul 2024 09:59:15 -0700 Subject: [PATCH 01/17] Add official build workflow to compile TypeScript into JavaScript --- .github/workflows/official-build.yml | 39 ++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/official-build.yml diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml new file mode 100644 index 0000000..847bf78 --- /dev/null +++ b/.github/workflows/official-build.yml @@ -0,0 +1,39 @@ +name: security-devops-action Official Build + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Set up Node.js + uses: actions/setup-node@v2 + with: + node-version: '14' + + - name: Install dependencies + run: npm install + + - name: Compile TypeScript + run: npm run build + + - name: Commit compiled JavaScript + if: github.actor != 'github-actions[bot]' + run: | + git config --global user.name 'github-actions[bot]' + git config --global user.email 'github-actions[bot]@users.noreply.github.com' + git add . + git commit -m 'Compile TypeScript to JavaScript' + git push + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 393c837557d30bf1c63e8b2f47eaed427cbecb44 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Tue, 30 Jul 2024 10:17:58 -0700 Subject: [PATCH 02/17] Fix checkov warning about overly permissive workflow --- .github/workflows/official-build.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index 847bf78..4c79437 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml 
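Review bot: `uses: actions/checkout@v2` and `uses: actions/setup-node@v2` resolve a mutable tag on every run, and this job then commits whatever `npm run build` produced back into the repository, so a moved tag or lockfile drift from `npm install` silently changes the shipped action; pin both to full commit SHAs (`uses: actions/checkout@<full-sha> # v2`) and use `run: npm ci` so `package-lock.json` is authoritative and a mismatch fails the build instead of being rewritten. The `GITHUB_TOKEN` env on the push step is not read by git; the push presumably works because checkout persists the token in the checkout's git config by default, which deserves a comment so nobody assumes the env line is what authorises it. `node-version: '14'` is an end-of-life runtime; the compile toolchain should track the Node version that `action.yml` declares for running the action.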
@@ -8,10 +8,16 @@ on: branches: - main +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest + permissions: + contents: write + steps: - name: Checkout repository uses: actions/checkout@v2 From 1ed2a07dc73452aa9d994c87fb499425c349a552 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Tue, 30 Jul 2024 14:31:27 -0700 Subject: [PATCH 03/17] Add secret token for npm package download --- .github/workflows/official-build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index 4c79437..ee47cd0 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -27,6 +27,9 @@ jobs: with: node-version: '14' + - name: Configure npm to use GitHub Packages + run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc + - name: Install dependencies run: npm install From ab9d458e3a8eec8cda4c3c6cb466b83984d77cd3 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Tue, 30 Jul 2024 14:43:07 -0700 Subject: [PATCH 04/17] Give the git push a target branch --- .github/workflows/official-build.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index ee47cd0..5635657 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -1,9 +1,6 @@ name: security-devops-action Official Build on: - push: - branches: - - main pull_request: branches: - main @@ -43,6 +40,6 @@ jobs: git config --global user.email 'github-actions[bot]@users.noreply.github.com' git add . git commit -m 'Compile TypeScript to JavaScript' - git push + git push origin HEAD:release/vNext env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 04e361d50988c028231e717ee920e5f73ad70f94 Mon Sep 17 00:00:00 2001 
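Review bot: Writing `//npm.pkg.github.com/:_authToken=${{ secrets.NPM_TOKEN }}` into `~/.npmrc` with `echo` interpolates the secret into the script text, and the token then stays on disk for every later step, including `npm install` (dependency lifecycle scripts) and `npm run build` (the checked-out gulp build). Prefer the built-in mechanism: add `registry-url: 'https://npm.pkg.github.com'` under the setup-node step's `with:` and set `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` as `env:` on the install step only, optionally with `scope: '@microsoft'` to limit which packages use it. Note also that `pull_request` runs from forks receive no repository secrets, so this line writes an empty token and the install fails later with an opaque 401; a step-level `if:` or an explicit emptiness check would give a clearer failure.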
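Review bot: On a `pull_request` event the earlier `actions/checkout@v2` step checks out the PR's merge ref by default, so at this point `HEAD` is a synthetic merge of the PR head into the base branch, and `git push origin HEAD:release/vNext` publishes that merge commit, base-branch content included, rather than the contributor's commits plus the compiled output. If the intent is to push onto the PR's own branch, check it out explicitly with `ref: ${{ github.head_ref }}` on the checkout step; if release/vNext really is meant to be populated from PRs to main, say so in a comment above the push, because it is not obvious from the trigger. The step's `if: github.actor != 'github-actions[bot]'` condition and the opening `git config` line sit outside this hunk.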
From: Chris Nielsen Date: Tue, 30 Jul 2024 16:38:18 -0700 Subject: [PATCH 05/17] Update pipeline to pull branch before pushing --- .github/workflows/official-build.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index 5635657..bd2cb73 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -19,6 +19,11 @@ jobs: - name: Checkout repository uses: actions/checkout@v2 + - name: Extract branch name + shell: bash + run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT + id: extract_branch + - name: Set up Node.js uses: actions/setup-node@v2 with: @@ -38,8 +43,9 @@ jobs: run: | git config --global user.name 'github-actions[bot]' git config --global user.email 'github-actions[bot]@users.noreply.github.com' + git pull origin ${{ steps.extract_branch.outputs.branch }} git add . git commit -m 'Compile TypeScript to JavaScript' - git push origin HEAD:release/vNext + git push origin HEAD:${{ steps.extract_branch.outputs.branch }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 3af6ecf369ee7832d1fc3f30d2d5ad5a5a7667f6 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Tue, 30 Jul 2024 16:40:51 -0700 Subject: [PATCH 06/17] Ensure workflow only triggers for vNext -> main PRs --- .github/workflows/official-build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index bd2cb73..1bcfb94 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -5,6 +5,9 @@ on: branches: - main + paths: + - 'release/vNext/**' + permissions: contents: read From 65aadca676873a69770a8328768af64121a85268 Mon Sep 17 00:00:00 2001 
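Review bot: `git pull origin ${{ steps.extract_branch.outputs.branch }}` and the matching `git push` line expand the branch name into the script text before bash runs it, and on a `pull_request` run that value comes from `GITHUB_HEAD_REF`, i.e. the PR author's branch name, which git allows to contain `;`, `$(` and backticks. Pass it through the environment instead: add `env: BRANCH: ${{ steps.extract_branch.outputs.branch }}` to the step and write `git pull origin "$BRANCH"` and `git push origin "HEAD:$BRANCH"`. The new extract step itself is fine because it reads the ref from environment variables rather than from an expression. For a fork PR the token is read-only so the push would be rejected, but an injected command would already have executed on the runner by then. The step's `run:` block begins outside this hunk.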
From: Chris Nielsen Date: Tue, 30 Jul 2024 16:41:34 -0700 Subject: [PATCH 07/17] Ensure workflow only triggers for vNext -> main PRs --- .github/workflows/official-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index 1bcfb94..93decec 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -6,7 +6,7 @@ on: - main paths: - - 'release/vNext/**' + - 'release/vNext' permissions: contents: read From 9d14c8f8974e56ba0a451216b41fdfefa2f638d9 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Tue, 30 Jul 2024 16:46:04 -0700 Subject: [PATCH 08/17] Ensure workflow only triggers for vNext -> main PRs --- .github/workflows/official-build.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index 93decec..bd5d03f 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -5,14 +5,12 @@ on: branches: - main - paths: - - 'release/vNext' - permissions: contents: read jobs: build: + if: github.base_ref == 'main' && github.head_ref == 'release/vNext' runs-on: ubuntu-latest permissions: @@ -48,7 +46,7 @@ jobs: git config --global user.email 'github-actions[bot]@users.noreply.github.com' git pull origin ${{ steps.extract_branch.outputs.branch }} git add . - git commit -m 'Compile TypeScript to JavaScript' + git commit -m 'Official Build: Compile TypeScript to JavaScript' git push origin HEAD:${{ steps.extract_branch.outputs.branch }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 68f4b76afa613d669c463695b6d27bb62dd52e59 Mon Sep 17 00:00:00 2001 
From: Chris Nielsen Date: Tue, 30 Jul 2024 16:51:31 -0700 Subject: [PATCH 09/17] Use force push for only javascript files to avoid any merge issues --- .github/workflows/official-build.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index bd5d03f..8df886b 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -44,9 +44,8 @@ jobs: run: | git config --global user.name 'github-actions[bot]' git config --global user.email 'github-actions[bot]@users.noreply.github.com' - git pull origin ${{ steps.extract_branch.outputs.branch }} - git add . + git add lib/. git commit -m 'Official Build: Compile TypeScript to JavaScript' - git push origin HEAD:${{ steps.extract_branch.outputs.branch }} + git push --force origin HEAD:${{ steps.extract_branch.outputs.branch }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 068dec3445163abff438a2fe2b43424d5c4aef35 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Wed, 31 Jul 2024 12:04:31 -0700 Subject: [PATCH 10/17] Add Checkov to tool list to check effects of updating typescript with new build workflow --- src/msdo-helpers.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/src/msdo-helpers.ts b/src/msdo-helpers.ts index d12e9e1..45fb2b5 100644 --- a/src/msdo-helpers.ts +++ b/src/msdo-helpers.ts @@ -29,6 +29,7 @@ export enum RunnerType { export enum Tools { Bandit = 'bandit', Binskim = 'binskim', + Checkov = 'checkov', ContainerMapping = 'container-mapping', ESLint = 'eslint', TemplateAnalyzer = 'templateanalyzer', From 3702461008505ecfa8259308e1bea14a38908854 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Wed, 31 Jul 2024 13:57:04 -0700 Subject: [PATCH 11/17] Update official build to run on PRs to release/vNext instead of to main --- .github/workflows/official-build.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
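Review bot: `git push --force origin HEAD:…` overwrites the PR's head branch with whatever `HEAD` is in this job, and since the checkout step (outside this hunk) uses the `pull_request` default of the merge ref, that is a synthetic merge commit that also carries the base branch; the "merge issues" in the subject are likely a symptom of pushing that commit, not something `--force` should paper over. The force push also discards any commits the author pushed between checkout and this step. Check out `ref: ${{ github.head_ref }}` so `HEAD` is the real branch tip, after which a plain `git push origin HEAD:…` should suffice, and if a force is still wanted prefer `git push --force-with-lease origin HEAD:…` (where the remote-tracking ref is available) so a concurrent push is rejected rather than erased. Restricting the commit to `git add lib/.` is a good change.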
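Review bot: The `tools` input description in `action.yml` (visible in a later hunk on this page) still lists only `bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy` and does not mention `checkov`, which this enum entry now makes a valid value; add `checkov` to that example list so the new tool is discoverable from the action's documented inputs. The remaining members of the `Tools` enum lie outside this hunk.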
diff --git a/.github/workflows/official-build.yml b/.github/workflows/official-build.yml index 8df886b..5c82489 100644 --- a/.github/workflows/official-build.yml +++ b/.github/workflows/official-build.yml @@ -3,14 +3,13 @@ name: security-devops-action Official Build on: pull_request: branches: - - main + - release/vNext permissions: contents: read jobs: build: - if: github.base_ref == 'main' && github.head_ref == 'release/vNext' runs-on: ubuntu-latest permissions: @@ -40,7 +39,6 @@ jobs: run: npm run build - name: Commit compiled JavaScript - if: github.actor != 'github-actions[bot]' run: | git config --global user.name 'github-actions[bot]' git config --global user.email 'github-actions[bot]@users.noreply.github.com' From fb4fcd53814ced2045cfecc42a761df662a30e61 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 31 Jul 2024 20:59:10 +0000 Subject: [PATCH 12/17] Official Build: Compile TypeScript to JavaScript --- lib/msdo-helpers.js | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/msdo-helpers.js b/lib/msdo-helpers.js index ead0ff5..dce4b36 100644 --- a/lib/msdo-helpers.js +++ b/lib/msdo-helpers.js @@ -25,6 +25,7 @@ var Tools; (function (Tools) { Tools["Bandit"] = "bandit"; Tools["Binskim"] = "binskim"; + Tools["Checkov"] = "checkov"; Tools["ContainerMapping"] = "container-mapping"; Tools["ESLint"] = "eslint"; Tools["TemplateAnalyzer"] = "templateanalyzer"; From 9c7c4b2dff858a9600ab2ee1cff8139c1bad9dca Mon Sep 17 00:00:00 2001 From: richardtucker <158097221+richardtucker@users.noreply.github.com> Date: Fri, 23 Aug 2024 16:01:44 -0700 Subject: [PATCH 13/17] Update insecure.py commented out code to pass scan Signed-off-by: richardtucker <158097221+richardtucker@users.noreply.github.com> --- samples/insecure.py | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/samples/insecure.py b/samples/insecure.py index d43c0b3..f9d4921 100644 --- a/samples/insecure.py +++ b/samples/insecure.py 
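Review bot: Dropping `if: github.base_ref == 'main' && github.head_ref == 'release/vNext'` while retargeting the trigger to `release/vNext` means any pull request into release/vNext, from any branch name, now gets the compile-and-force-push treatment, whereas before the head ref was a fixed, known name; the commit message should state that this widening is intended. Because the branch name is no longer constant, the push step (outside this hunk) should pass it via `env:` rather than `${{ }}` interpolation into the script. A comment such as `# Any branch merged into release/vNext gets its compiled lib/ committed by this job` above `jobs:` would record the contract.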
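Review bot: Removing `if: github.actor != 'github-actions[bot]'` is only safe because GitHub does not start new workflow runs for pushes made with the repository's `GITHUB_TOKEN`; that assumption is now implicit, so record it above the step, e.g. `# No loop guard needed: pushes made with GITHUB_TOKEN do not re-trigger workflows.` If the push credential is ever switched to a PAT or an app token, this step would re-trigger itself, and the comment is what will save the next maintainer. The step's `run:` block continues outside this hunk.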
@@ -1,24 +1,26 @@ -import hashlib -print("I am very insecure. Bandit thinks so too.") -#B110 -xs=[1,2,3,4,5,6,7,8] -try: - print(xs[7]) - print(xs[8]) -except: pass +# Commented out sample to pass scanning +# +#import hashlib +# print("I am very insecure. Bandit thinks so too.") +# #B110 +# xs=[1,2,3,4,5,6,7,8] +# try: +# print(xs[7]) +# print(xs[8]) +# except: pass -ys=[1, 2, None, None] -for y in ys: - try: - print(str(y+3)) #TypeErrors ahead - except: continue #not how to handle them +# ys=[1, 2, None, None] +# for y in ys: +# try: +# print(str(y+3)) #TypeErrors ahead +# except: continue #not how to handle them -#some imports -import telnetlib -import ftplib +# #some imports +# import telnetlib +# import ftplib -#B303 and B324 -s = b"I am a string" -print("MD5: " +hashlib.md5(s).hexdigest()) -print("SHA1: " +hashlib.sha1(s).hexdigest()) -print("SHA256: " +hashlib.sha256(s).hexdigest()) +# #B303 and B324 +# s = b"I am a string" +# print("MD5: " +hashlib.md5(s).hexdigest()) +# print("SHA1: " +hashlib.sha1(s).hexdigest()) +# print("SHA256: " +hashlib.sha256(s).hexdigest()) From 4854159501bc1cdfd8ad88f0eaae7422e04dc57c Mon Sep 17 00:00:00 2001 From: James Brotsos Date: Thu, 17 Oct 2024 19:36:19 -0700 Subject: [PATCH 14/17] Update README.md Added Checkov as a security tool Signed-off-by: James Brotsos --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index fdb3f76..efdf6ac 100644 --- a/README.md +++ b/README.md 
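Review bot: Commenting out every line of `samples/insecure.py` "to pass scanning" leaves a file of dead text, so the sample no longer exercises what Bandit flags (B110, B303/B324 and the `telnetlib`/`ftplib` imports named in the removed lines) and the scan passes only because there is nothing left to scan. If the goal is a clean default scan of this repository, keep the sample live and exclude the `samples/` path in the scanner configuration, or annotate the deliberate findings with `# nosec` on the specific lines; if the sample is genuinely unwanted, delete the file rather than keep a commented copy. Whichever is chosen, the header should explain it, e.g. `# Intentionally insecure sample used to exercise Bandit; excluded from this repository's own scan.`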
@@ -66,6 +66,7 @@ To only run specific analyzers, use the `tools` command. This command is a comma | [AntiMalware](https://www.microsoft.com/en-us/windows/comprehensive-security) | code, artifacts | - | | [Bandit](https://github.com/PyCQA/bandit) | python | [Apache License 2.0](https://github.com/PyCQA/bandit/blob/master/LICENSE) | | [BinSkim](https://github.com/Microsoft/binskim) | binary - Windows, ELF | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) | +| [Checkov](https://github.com/bridgecrewio/checkov) | Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Templates, or OpenTofu | [Apache License 2.0](https://github.com/bridgecrewio/checkov/blob/main/LICENSE) | | [ESlint](https://github.com/eslint/eslint) | JavaScript | [MIT License](https://github.com/eslint/eslint/blob/main/LICENSE) | | [Template Analyzer](https://github.com/Azure/template-analyzer) | Infrastructure-as-code (IaC), ARM templates, Bicep files | [MIT License](https://github.com/Azure/template-analyzer/blob/main/LICENSE.txt) | | [Terrascan](https://github.com/accurics/terrascan) | Infrastructure-as-code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloudformation | [Apache License 2.0](https://github.com/accurics/terrascan/blob/master/LICENSE) | From adfc9da357e14704be03c5eaf80ebf666e55efb8 Mon Sep 17 00:00:00 2001 From: James Brotsos Date: Fri, 18 Oct 2024 09:45:58 -0700 Subject: [PATCH 15/17] Update README.md Signed-off-by: James Brotsos --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index efdf6ac..1ec0931 100644 --- a/README.md +++ b/README.md 
@@ -66,7 +66,7 @@ To only run specific analyzers, use the `tools` command. This command is a comma | [AntiMalware](https://www.microsoft.com/en-us/windows/comprehensive-security) | code, artifacts | - | | [Bandit](https://github.com/PyCQA/bandit) | python | [Apache License 2.0](https://github.com/PyCQA/bandit/blob/master/LICENSE) | | [BinSkim](https://github.com/Microsoft/binskim) | binary - Windows, ELF | [MIT License](https://github.com/microsoft/binskim/blob/main/LICENSE) | -| [Checkov](https://github.com/bridgecrewio/checkov) | Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Templates, or OpenTofu | [Apache License 2.0](https://github.com/bridgecrewio/checkov/blob/main/LICENSE) | +| [Checkov](https://github.com/bridgecrewio/checkov) | Infrastructure-as-code (IaC), Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI, ARM Templates, or OpenTofu | [Apache License 2.0](https://github.com/bridgecrewio/checkov/blob/main/LICENSE) | | [ESlint](https://github.com/eslint/eslint) | JavaScript | [MIT License](https://github.com/eslint/eslint/blob/main/LICENSE) | | [Template Analyzer](https://github.com/Azure/template-analyzer) | Infrastructure-as-code (IaC), ARM templates, Bicep files | [MIT License](https://github.com/Azure/template-analyzer/blob/main/LICENSE.txt) | | [Terrascan](https://github.com/accurics/terrascan) | Infrastructure-as-code (IaC), Terraform (HCL2), Kubernetes (JSON/YAML), Helm v3, Kustomize, Dockerfiles, Cloudformation | [Apache License 2.0](https://github.com/accurics/terrascan/blob/master/LICENSE) | From b7f8f71fbdb663d39dd2b48f24c25db799a7b492 Mon Sep 17 00:00:00 2001 From: Chris Nielsen Date: Fri, 18 Oct 2024 12:51:15 -0700 Subject: [PATCH 16/17] Updating to node20 --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/action.yml b/action.yml index 0e07337..11904b9 100644 --- a/action.yml +++ b/action.yml @@ -24,7 +24,7 @@ outputs: sarifFile: description: A file path to a SARIF results file. runs: - using: 'node16' + using: 'node20' main: 'lib/main.js' pre: 'lib/pre.js' post: 'lib/post.js' From c641f74ca180eaae3b9af702a32a16cceadff46c Mon Sep 17 00:00:00 2001 From: Adam Reynolds Date: Thu, 7 Nov 2024 14:10:20 -0800 Subject: [PATCH 17/17] Support the upload verb if an existing file is set --- action.yml | 2 + lib/msdo-helpers.js | 1 + lib/msdo.js | 95 +- node_modules/.bin/uuid | 6 +- node_modules/.package-lock.json | 9 +- .../msdo-client.js | 27 +- .../package.json | 2 +- package-lock.json | 19 +- package.json | 4 +- sda.sarif | 9259 +++++++++++++++++ src/msdo-helpers.ts | 3 +- src/msdo.ts | 103 +- 12 files changed, 9410 insertions(+), 120 deletions(-) create mode 100644 sda.sarif diff --git a/action.yml b/action.yml index 11904b9..9bf8334 100644 --- a/action.yml +++ b/action.yml @@ -20,6 +20,8 @@ inputs: description: A comma separated list of analyzer to run. Example bandit, binskim, container-mapping, eslint, templateanalyzer, terrascan, trivy. includeTools: description: Deprecated + existingFilename: + description: A SARIF filename that already exists. If it does, then the normal run will not take place and the file will instead be uploaded to MSDO backend. outputs: sarifFile: description: A file path to a SARIF results file. diff --git a/lib/msdo-helpers.js b/lib/msdo-helpers.js index dce4b36..3a060a5 100644 --- a/lib/msdo-helpers.js +++ b/lib/msdo-helpers.js @@ -14,6 +14,7 @@ var Inputs; Inputs["Languages"] = "languages"; Inputs["Tools"] = "tools"; Inputs["IncludeTools"] = "includeTools"; + Inputs["ExistingFilename"] = "existingFilename"; })(Inputs || (exports.Inputs = Inputs = {})); var RunnerType; (function (RunnerType) { diff --git a/lib/msdo.js b/lib/msdo.js index 0d2ef30..e15b453 100644 --- a/lib/msdo.js +++ b/lib/msdo.js 
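Review bot: The new `existingFilename` description should spell out the contract the implementation in this commit actually has: when it is non-empty the `config`, `policy`, `categories`, `languages` and `tools` inputs are ignored without warning (the compiled `lib/msdo.js` hunk below branches on it before reading them), the value is handed to the CLI as `--file` with no check that the file exists, and whether a relative path is resolved against the workspace is not stated and should be. Suggested wording: `Path to an existing SARIF file. When set, the scan is skipped and this file is uploaded to the MSDO backend instead; config, policy, categories, languages and tools are ignored.` The diffstat for this commit also adds a 9259-line `sda.sarif` at the repository root whose visible content carries a local `D:\source\security-devops-action` path and a personal fork's `repositoryUri`; that looks like a test artifact from exercising the upload path and presumably should not ship with the action.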
@@ -52,59 +52,66 @@ class MicrosoftSecurityDevOps { runMain() { return __awaiter(this, void 0, void 0, function* () { core.debug('MicrosoftSecurityDevOps.runMain - Running MSDO...'); - let args = ['run']; - let config = core.getInput('config'); - if (!common.isNullOrWhiteSpace(config)) { - args.push('-c'); - args.push(config); + let args = undefined; + let existingFilename = core.getInput('existingFilename'); + if (!common.isNullOrWhiteSpace(existingFilename)) { + args = ['upload', '--file', existingFilename]; } - let policy = core.getInput('policy'); - if (common.isNullOrWhiteSpace(policy)) { - policy = "GitHub"; - } - args.push('-p'); - args.push(policy); - let categoriesString = core.getInput('categories'); - if (!common.isNullOrWhiteSpace(categoriesString)) { - args.push('--categories'); - let categories = categoriesString.split(','); - for (let i = 0; i < categories.length; i++) { - let category = categories[i]; - if (!common.isNullOrWhiteSpace(category)) { - args.push(category.trim()); + else { + args = ['run']; + let config = core.getInput('config'); + if (!common.isNullOrWhiteSpace(config)) { + args.push('-c'); + args.push(config); + } + let policy = core.getInput('policy'); + if (common.isNullOrWhiteSpace(policy)) { + policy = "GitHub"; + } + args.push('-p'); + args.push(policy); + let categoriesString = core.getInput('categories'); + if (!common.isNullOrWhiteSpace(categoriesString)) { + args.push('--categories'); + let categories = categoriesString.split(','); + for (let i = 0; i < categories.length; i++) { + let category = categories[i]; + if (!common.isNullOrWhiteSpace(category)) { + args.push(category.trim()); + } } } - } - let languagesString = core.getInput('languages'); - if (!common.isNullOrWhiteSpace(languagesString)) { - args.push('--languages'); - let languages = languagesString.split(','); - for (let i = 0; i < languages.length; i++) { - let language = languages[i]; - if (!common.isNullOrWhiteSpace(language)) { - args.push(language.trim()); + 
let languagesString = core.getInput('languages'); + if (!common.isNullOrWhiteSpace(languagesString)) { + args.push('--languages'); + let languages = languagesString.split(','); + for (let i = 0; i < languages.length; i++) { + let language = languages[i]; + if (!common.isNullOrWhiteSpace(language)) { + args.push(language.trim()); + } } } - } - let toolsString = core.getInput('tools'); - let includedTools = []; - if (!common.isNullOrWhiteSpace(toolsString)) { - let tools = toolsString.split(','); - for (let i = 0; i < tools.length; i++) { - let tool = tools[i]; - let toolTrimmed = tool.trim(); - if (!common.isNullOrWhiteSpace(tool) - && tool != msdo_helpers_1.Tools.ContainerMapping - && includedTools.indexOf(toolTrimmed) == -1) { - if (includedTools.length == 0) { - args.push('--tool'); + let toolsString = core.getInput('tools'); + let includedTools = []; + if (!common.isNullOrWhiteSpace(toolsString)) { + let tools = toolsString.split(','); + for (let i = 0; i < tools.length; i++) { + let tool = tools[i]; + let toolTrimmed = tool.trim(); + if (!common.isNullOrWhiteSpace(tool) + && tool != msdo_helpers_1.Tools.ContainerMapping + && includedTools.indexOf(toolTrimmed) == -1) { + if (includedTools.length == 0) { + args.push('--tool'); + } + args.push(toolTrimmed); + includedTools.push(toolTrimmed); } - args.push(toolTrimmed); - includedTools.push(toolTrimmed); } } + args.push('--github'); } - args.push('--github'); yield client.run(args, 'microsoft/security-devops-action'); }); } diff --git a/node_modules/.bin/uuid b/node_modules/.bin/uuid index c3ec003..0c2d469 100644 --- a/node_modules/.bin/uuid +++ b/node_modules/.bin/uuid @@ -2,7 +2,11 @@ basedir=$(dirname "$(echo "$0" | sed -e 's,\\,/,g')") case `uname` in - *CYGWIN*|*MINGW*|*MSYS*) basedir=`cygpath -w "$basedir"`;; + *CYGWIN*|*MINGW*|*MSYS*) + if command -v cygpath > /dev/null 2>&1; then + basedir=`cygpath -w "$basedir"` + fi + ;; esac if [ -x "$basedir/node" ]; then 
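Review bot: The upload branch builds `args = ['upload', '--file', existingFilename]` from the raw input and passes it to `client.run` without verifying that the path exists, so a typo surfaces only as a CLI error after the tool has been installed; resolving the path and failing early with `core.setFailed` (importing `fs` in the TypeScript source if it is not already) would be friendlier, and the `--github` flag is now appended only on the `run` path, which should be confirmed as intentional since the upload presumably targets GitHub as well. This file is compiled output of `src/msdo.ts`, which the diffstat shows is changed in the same commit, so the fix belongs in the source and this file should be regenerated by the build workflow rather than edited by hand. Note that `args` is now always a non-empty array before `client.run`, which matters because the vendored toolkit updated in this commit indexes `inputArgs[0]` unguarded. The `runMain` method's closing lines are inside the hunk; the class header is outside it.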
diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json index cbf3808..3d2207b 100644 --- a/node_modules/.package-lock.json +++ b/node_modules/.package-lock.json @@ -1,6 +1,6 @@ { "name": "microsoft-security-devops-action", - "version": "1.10.0", + "version": "1.12.0", "lockfileVersion": 3, "requires": true, "packages": { @@ -31,9 +31,9 @@ "license": "MIT" }, "node_modules/@microsoft/security-devops-actions-toolkit": { - "version": "1.10.0", - "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.10.0/f22bf01b5f678e9b9ed9965d45d9889fb39b1dd9", - "integrity": "sha512-jOJ3FlqgHdcBzEcoxb039h8+W+mGp0xwV/HMA8gx1TlCzR4kGCOfYyJUlAtGFoiU9slDMDE3EbziDszAF1+L5Q==", + "version": "1.11.0", + "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.11.0/04fef883382f5a7c9b9ac2015dcc419009e2a858", + "integrity": "sha512-dcuMhkEa8uqVpsT05E/nSMfBRtKzEhiQ/KFqEbTd5sAs7ChVP+Ke+ZMEgw4gP4LdA2cO7mH7VTfJ8xxlmwEwUw==", "license": "MIT", "dependencies": { "@actions/core": "1.10.0", @@ -1851,6 +1851,7 @@ "resolved": "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz", "integrity": "sha512-dvEs27SCZt2ibF29xYgmnwwCYZxdxhQ/+LFWlbAW8y7jt68L/65402Lz3+CKy0Ov4rOs+NERmDq7YlZaDqUIfA==", "dev": true, + "license": "MIT", "dependencies": { "glob-watcher": "^5.0.3", "gulp-cli": "^2.2.0", diff --git a/node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js b/node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js index 821e2c1..f08baae 100644 --- a/node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js +++ b/node_modules/@microsoft/security-devops-actions-toolkit/msdo-client.js 
@@ -97,27 +97,30 @@ function run(inputArgs, telemetryEnvironment = 'github') { yield init(); cliFilePath = process.env.MSDO_FILEPATH; core.debug(`cliFilePath = ${cliFilePath}`); - if (inputArgs != null) { + if (inputArgs != null && inputArgs.length != 0) { for (let i = 0; i < inputArgs.length; i++) { args.push(inputArgs[i]); } } - args.push('--not-break-on-detections'); if (core.isDebug()) { args.push('--logger-level'); args.push('trace'); } - let sarifFile = path.join(process.env.GITHUB_WORKSPACE, '.gdn', 'msdo.sarif'); - core.debug(`sarifFile = ${sarifFile}`); - core.exportVariable('MSDO_SARIF_FILE', sarifFile); - core.setOutput('sarifFile', sarifFile); - if (common.isVersionGreaterThanOrEqualTo(process.env.MSDO_INSTALLEDVERSION, '0.183.0')) { - args.push('--export-file'); - } - else { - args.push('--export-breaking-results-to-file'); + let isUploadExisting = inputArgs[0] == "upload"; + if (!isUploadExisting) { + args.push('--not-break-on-detections'); + let sarifFile = path.join(process.env.GITHUB_WORKSPACE, '.gdn', 'msdo.sarif'); + core.debug(`sarifFile = ${sarifFile}`); + core.exportVariable('MSDO_SARIF_FILE', sarifFile); + core.setOutput('sarifFile', sarifFile); + if (common.isVersionGreaterThanOrEqualTo(process.env.MSDO_INSTALLEDVERSION, '0.183.0')) { + args.push('--export-file'); + } + else { + args.push('--export-breaking-results-to-file'); + } + args.push(sarifFile); } - args.push(sarifFile); args.push('--telemetry-environment'); args.push(telemetryEnvironment); core.debug(`GdnDebugDrop = ${debugDrop}`); diff --git a/node_modules/@microsoft/security-devops-actions-toolkit/package.json b/node_modules/@microsoft/security-devops-actions-toolkit/package.json index d60e82e..a621b3e 100644 --- a/node_modules/@microsoft/security-devops-actions-toolkit/package.json +++ b/node_modules/@microsoft/security-devops-actions-toolkit/package.json 
@@ -1,6 +1,6 @@ { "name": "@microsoft/security-devops-actions-toolkit", - "version": "1.10.0", + "version": "1.11.0", "description": "Microsoft Security DevOps for GitHub Actions toolkit.", "author": "Microsoft Corporation", "license": "MIT", diff --git a/package-lock.json b/package-lock.json index 0943744..e5854f3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,17 +1,17 @@ { "name": "microsoft-security-devops-action", - "version": "1.10.0", + "version": "1.12.0", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "microsoft-security-devops-action", - "version": "1.10.0", + "version": "1.12.0", "license": "MIT", "dependencies": { "@actions/core": "1.10.0", "@actions/exec": "1.1.1", - "@microsoft/security-devops-actions-toolkit": "1.10.0" + "@microsoft/security-devops-actions-toolkit": "1.11.0" }, "devDependencies": { "@types/mocha": "^2.2.44", @@ -55,9 +55,9 @@ "license": "MIT" }, "node_modules/@microsoft/security-devops-actions-toolkit": { - "version": "1.10.0", - "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.10.0/f22bf01b5f678e9b9ed9965d45d9889fb39b1dd9", - "integrity": "sha512-jOJ3FlqgHdcBzEcoxb039h8+W+mGp0xwV/HMA8gx1TlCzR4kGCOfYyJUlAtGFoiU9slDMDE3EbziDszAF1+L5Q==", + "version": "1.11.0", + "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.11.0/04fef883382f5a7c9b9ac2015dcc419009e2a858", + "integrity": "sha512-dcuMhkEa8uqVpsT05E/nSMfBRtKzEhiQ/KFqEbTd5sAs7ChVP+Ke+ZMEgw4gP4LdA2cO7mH7VTfJ8xxlmwEwUw==", "license": "MIT", "dependencies": { "@actions/core": "1.10.0", @@ -1875,6 +1875,7 @@ "resolved": "https://registry.npmjs.org/gulp/-/gulp-4.0.2.tgz", "integrity": "sha512-dvEs27SCZt2ibF29xYgmnwwCYZxdxhQ/+LFWlbAW8y7jt68L/65402Lz3+CKy0Ov4rOs+NERmDq7YlZaDqUIfA==", "dev": true, + "license": "MIT", "dependencies": { "glob-watcher": "^5.0.3", "gulp-cli": "^2.2.0", 
@@ -5493,9 +5494,9 @@ "version": "1.0.2" }, "@microsoft/security-devops-actions-toolkit": { - "version": "1.10.0", - "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.10.0/f22bf01b5f678e9b9ed9965d45d9889fb39b1dd9", - "integrity": "sha512-jOJ3FlqgHdcBzEcoxb039h8+W+mGp0xwV/HMA8gx1TlCzR4kGCOfYyJUlAtGFoiU9slDMDE3EbziDszAF1+L5Q==", + "version": "1.11.0", + "resolved": "https://npm.pkg.github.com/download/@microsoft/security-devops-actions-toolkit/1.11.0/04fef883382f5a7c9b9ac2015dcc419009e2a858", + "integrity": "sha512-dcuMhkEa8uqVpsT05E/nSMfBRtKzEhiQ/KFqEbTd5sAs7ChVP+Ke+ZMEgw4gP4LdA2cO7mH7VTfJ8xxlmwEwUw==", "requires": { "@actions/core": "1.10.0", "@actions/exec": "1.1.1", diff --git a/package.json b/package.json index 04af9be..0de9e27 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "microsoft-security-devops-action", - "version": "1.11.0", + "version": "1.12.0", "description": "Node dependencies for the microsoft/security-devops-action.", "scripts": { "build": "npx gulp", @@ -13,7 +13,7 @@ "dependencies": { "@actions/core": "1.10.0", "@actions/exec": "1.1.1", - "@microsoft/security-devops-actions-toolkit": "1.10.0" + "@microsoft/security-devops-actions-toolkit": "1.11.0" }, "devDependencies": { "@types/mocha": "^2.2.44", diff --git a/sda.sarif b/sda.sarif new file mode 100644 index 0000000..46a3e92 --- /dev/null +++ b/sda.sarif 
@@ -0,0 +1,9259 @@ +{ + "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "antimalware", + "rules": [ + { + "id": "NoThreatsFound", + "name": "No threats were found by AntiMalware." + } + ], + "properties": { + "RawName": "antimalware" + } + } + }, + "invocations": [ + { + "commandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24090.11-0\\MpCmdRun.exe\" -Scan -ScanType 3 -DisableRemediation -File D:\\source\\security-devops-action", + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "results": [], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "antimalware>>0>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "bandit", + "properties": { + "RawName": "bandit" + } + } + }, + "invocations": [ + { + "endTimeUtc": "2024-11-07T04:56:49.000Z", + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "results": [], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "metrics": 
{"_totals":{"loc":0,"nosec":0,"SEVERITY.UNDEFINED":0.0,"CONFIDENCE.UNDEFINED":0.0,"SEVERITY.LOW":0.0,"CONFIDENCE.LOW":0.0,"SEVERITY.MEDIUM":0.0,"CONFIDENCE.MEDIUM":0.0,"SEVERITY.HIGH":0.0,"CONFIDENCE.HIGH":0.0},"D:\\source\\security-devops-action\\samples\\insecure.py":{"loc":0,"nosec":0,"SEVERITY.UNDEFINED":0.0,"SEVERITY.LOW":0.0,"SEVERITY.MEDIUM":0.0,"SEVERITY.HIGH":0.0,"CONFIDENCE.UNDEFINED":0.0,"CONFIDENCE.LOW":0.0,"CONFIDENCE.MEDIUM":0.0,"CONFIDENCE.HIGH":0.0}}, + "toolInfoId": "bandit>>1>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "credscan", + "organization": "Microsoft Corporation", + "product": "Microsoft Security Credential Scanner Client", + "fullName": "CredentialScanner 2.5.1.13", + "version": "2.5.1.13", + "semanticVersion": "2.5.1", + "rules": [ + { + "id": "CSCAN-GENERAL0020", + "name": "X.509 Certificate Private Key", + "fullDescription": { + "text": "used as a private component in SSL certificates." + }, + "shortDescription": { + "text": "X.509 Certificate Private Key." + }, + "messageStrings": { + "Default": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + } + }, + "helpUri": "https://aka.ms/CredScanDocs" + } + ], + "properties": { + "Comments": "CredentialScanner is an Azure security tool to scan for credentials & other sensitive data in source code and/or system files.", + "RawName": "credscan" + } + }, + "properties": { + "IsPreview": true + } + }, + "invocations": [ + { + "startTimeUtc": "2024-11-07T04:57:07.500Z", + "endTimeUtc": "2024-11-07T04:57:15.725Z", + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "originalUriBaseIds": { + "file:///D:/source/security-devops-action/": { + "uri": "file:///D:/source/security-devops-action/" + } + }, + "results": [ + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/allsans.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/allsans.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "ad80df55e021c410c64bbdc3c768739c9b7fd32cfe9d37e5049efe305a7cabbe", + "gdnAlternativeSignature0": "471e593e20b5c75c62e499b8249c85f1835dc7f99dc9553a8a66b1be2550515d" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/badcert.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/badcert.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 19, + "startColumn": 1, + "endLine": 19, + "endColumn": 31 + } + } + } + ], + "fingerprints": { + "HashCode": "fdZwTjfxyQHIYf+BmyPXyLEOqdG4U2NLBuFNLckqc/s=", + "gdnPrimarySignature": "8c4f1c7c24033f5c2d1af110b7167b907f6c213c8da0388cc94da267b3b26053", + "gdnAlternativeSignature0": "370b8fdda16cd6662fa9f668df5eb3d0a34e6a7df7f9a47aa8e76ca6db6d7ceb" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/idnsans.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/idnsans.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "e0143173968f10743c164db98a97f2f2ad51665ef207fc2e5ed568dadf16daa4", + "gdnAlternativeSignature0": "6a0059872bc6e5a9f1910e1c20b82a8c9770991596470214159c8d720884cf3c" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.passwd.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.passwd.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 37 + } + } + } + ], + "fingerprints": { + "HashCode": "vIPMvs25zTEA4CvYd/yXI5Q3s9TvruLN5sjPEqmD9Qo=", + "gdnPrimarySignature": "81cfc42c1d0b6a44b58032508492c13a1da8709259d9b955b7818b54375d7454", + "gdnAlternativeSignature0": "a3834b8e54bd96dedf30634b2195d9c1b45ffc9ac2d0cf9e7d72fb01ab2be4b6" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "a5673d23e7575ac45ddbdc1d2e29a20164ef7e82f569408bffe292ceb779806a", + "gdnAlternativeSignature0": "13b90a64372a219e131bd44c942fb99d2e0499c28a050af144f432498b71b0b7" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert2.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert2.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "0e05cea19167aed8b8ae01c841a7334ccb9c7fd7b993406580ff2832d15f7ce5", + "gdnAlternativeSignature0": "17f42847401af81a1d829e8aeac516090ae6c41935d0265f19c20dc5208ce44b" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert3.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert3.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "cc2c869c6af3917c188f3405a5cab29825b895ad248b5e8d5657be11a3575e97", + "gdnAlternativeSignature0": "77b87003353fbbbdd842e915e87ceb94a00295aaa14b394e046cfc2e3d4c70a3" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert4.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert4.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "c778616f1b5c561f1c66d5843f0e4759cbccf82ba1868f8af267ba96077086df", + "gdnAlternativeSignature0": "c387065dadee4e1320aee04842ec83e45758e802066fcc8deba5055695bfe565" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycertecc.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycertecc.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "07fc5532f6969723a59a30bbf4679124b3408c52ad141644aefd5a5ee5ce3187", + "gdnAlternativeSignature0": "c3edc90bf722fd1545c98c99e988dc5405b162ce917767cb0aa7f53ac4954506" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/pycakey.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/pycakey.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "4d5d643001bdc9ca750ddc12572d03f20c6ea6b00ccec260daad81b2cbaad937", + "gdnAlternativeSignature0": "5940924f309382ed130dc9019b7ddc750982599de02152e9f2badb1a4def1c77" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.passwd.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.passwd.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 37 + } + } + } + ], + "fingerprints": { + "HashCode": "vIPMvs25zTEA4CvYd/yXI5Q3s9TvruLN5sjPEqmD9Qo=", + "gdnPrimarySignature": "78f7c576f77b65667382d3cd1f98088d2a5e607d39cc22af6729d55e1f62f28c", + "gdnAlternativeSignature0": "45c71b1ac1f0538e9be6aba276dcb1484749f62e1ed6c955b8d06b3a034f4295" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + }, + { + "ruleId": "CSCAN-GENERAL0020", + "ruleIndex": 0, + "rule": { + "id": "CSCAN-GENERAL0020" + }, + "level": "error", + "message": { + "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. 
For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " + }, + "analysisTarget": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.pem", + "uriBaseId": "file:///D:/source/security-devops-action/" + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", + "gdnPrimarySignature": "1f4b7943f9d0c70caa2b1022c17ac1978128ebd3cf36afb1375dbd8dade2cd89", + "gdnAlternativeSignature0": "47585da2145382121fadbbbe66ef8b7f20a193b4b38372d031552b996edb0fea" + }, + "suppressions": [], + "rank": 94.0, + "properties": { + "DefectCode": "SecretInFile", + "MatchingScore": 94.41, + "EnrichmentScore": 112.5, + "Severity": 94.0, + "Validation": "NoValidationRequested", + "Risk": "100" + } + } + ], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "credscan>>2>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "eslint", + "version": "8.56.0", + "informationUri": "https://eslint.org", + "properties": { + "RawName": "eslint" + } + } + }, + "invocations": [ + { + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/gulpfile.js", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + 
"artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/container-mapping.js", + "index": 1 + }, + "region": { + "startLine": 36, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/main.js", + "index": 2 + }, + "region": { + "startLine": 35, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/msdo-helpers.js", + "index": 3 + }, + "region": { + "startLine": 7, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/msdo.js", + "index": 5 + }, + "region": { + "startLine": 36, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/post.js", + "index": 6 + }, + "region": { + "startLine": 35, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/lib/pre.js", + "index": 7 + }, + "region": { + "startLine": 
35, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'const' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/samples/insecure.js", + "index": 8 + }, + "region": { + "startLine": 1, + "startColumn": 5 + } + } + } + ], + "message": { + "text": "Parsing error: Unexpected token injection" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/container-mapping.ts", + "index": 9 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/main.ts", + "index": 10 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/msdo-helpers.ts", + "index": 11 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/msdo-interface.ts", + "index": 12 + }, + "region": { + "startLine": 4, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'export' is reserved" + }, 
+ "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/msdo.ts", + "index": 13 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/post.ts", + "index": 14 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/src/pre.ts", + "index": 15 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/test/post.tests.ts", + "index": 16 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///D:/source/security-devops-action/test/pre.tests.ts", + "index": 17 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { 
+ "uri": "file:///D:/source/security-devops-action/test/testCommon.ts", + "index": 18 + }, + "region": { + "startLine": 1, + "startColumn": 1 + } + } + } + ], + "message": { + "text": "Parsing error: The keyword 'import' is reserved" + }, + "level": "error", + "descriptor": { + "id": "ESL0999" + } + } + ], + "executionSuccessful": false + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "artifacts": [ + { + "location": { + "uri": "file:///D:/source/security-devops-action/gulpfile.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/container-mapping.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/main.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/msdo-helpers.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/msdo-interface.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/msdo.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/post.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/lib/pre.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/samples/insecure.js" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/container-mapping.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/main.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/msdo-helpers.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/msdo-interface.ts" + } + }, + { + "location": { + "uri": 
"file:///D:/source/security-devops-action/src/msdo.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/post.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/src/pre.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/test/post.tests.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/test/pre.tests.ts" + } + }, + { + "location": { + "uri": "file:///D:/source/security-devops-action/test/testCommon.ts" + } + } + ], + "results": [], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "eslint>>3>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "iacfilescanner", + "organization": "Microsoft", + "fullName": "IaC File Scanner", + "version": "0.1.3", + "rules": [ + { + "id": "IFS-1", + "name": "TagForResource", + "help": { + "text": "An IaC tag(s) was found on this resource. If there is a supported mapping tag, it will be used for code-to-cloud mapping." + }, + "shortDescription": { + "text": "An IaC tag(s) was found on this resource." + }, + "messageStrings": { + "default": { + "text": "An IaC tag(s) was found on this resource." 
+ } + } + } + ], + "properties": { + "RawName": "iacfilescanner" + } + } + }, + "invocations": [ + { + "startTimeUtc": "2024-11-07T04:57:38.817Z", + "endTimeUtc": "2024-11-07T04:57:38.863Z", + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "originalUriBaseIds": { + "ROOTPATH": { + "uri": "file:///D:/source/security-devops-action" + } + }, + "artifacts": [ + { + "location": { + "uri": "samples/IaCMapping/main.tf", + "uriBaseId": "ROOTPATH" + } + } + ], + "results": [ + { + "ruleId": "IFS-1", + "ruleIndex": 0, + "level": "note", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 1 + } + }, + "logicalLocations": [ + { + "fullyQualifiedName": "iacmapping1212", + "kind": "azurerm_storage_account" + } + ], + "properties": { + "mappingTagDictionary": {"mapping_tag":"6189b638-15a5-42ec-b934-0d2b8e035ce1"} + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6a2b2a71245a88c5e349c7097ea77bb21272924e2d7d7fb032670e63664912bd", + "gdnAlternativeSignature0": "21dbf0708629d98ff73f008fe2a43b6e0848c2e9ab665049176189097f037ace" + } + } + ], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "iacfilescanner>>4>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "templateanalyzer", + "organization": "Microsoft", + "fullName": "Template Analyzer", + "version": "0.8.0+1ba73133c28786a16b2c19e5d5eef09eb2324538", + "informationUri": "https://github.com/Azure/template-analyzer", + "rules": [ + { + "id": "TA-000001", + "name": "AppService.EnableDiagnosticLogs", + 
"fullDescription": { + "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." + }, + "help": { + "text": "Enable diagnostic logs in App Service." + }, + "shortDescription": { + "text": "Diagnostic logs in App Service should be enabled." + }, + "messageStrings": { + "default": { + "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000001-diagnostic-logs-in-app-service-should-be-enabled" + }, + { + "id": "TA-000003", + "name": "AppServiceAPIApp.OnlyFTPS", + "fullDescription": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "help": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "shortDescription": { + "text": "FTPS only should be required in your API app." + }, + "messageStrings": { + "default": { + "text": "Enable FTPS enforcement for enhanced security." + } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000003-ftps-only-should-be-required-in-your-api-app" + }, + { + "id": "TA-000004", + "name": "AppServiceAPIApp.OnlyHTTPS", + "fullDescription": { + "text": "API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + }, + "help": { + "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." + }, + "shortDescription": { + "text": "API app should only be accessible over HTTPS." 
+ }, + "messageStrings": { + "default": { + "text": "API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md#ta-000004-api-app-should-only-be-accessible-over-https" + }, + { + "id": "TA-000005", + "name": "AppServiceAPIApp.UseLatestTLS", + "fullDescription": { + "text": "API apps should require the latest TLS version." + }, + "help": { + "text": "Upgrade to the latest TLS version." + }, + "shortDescription": { + "text": "Latest TLS version should be used in your API app." + }, + "messageStrings": { + "default": { + "text": "API apps should require the latest TLS version." + } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000005-latest-tls-version-should-be-used-in-your-api-app" + }, + { + "id": "TA-000006", + "name": "AppServiceAPIApp.RestrictCORSAccess", + "fullDescription": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app." + }, + "help": { + "text": "Allow only required domains to interact with your API app." + }, + "shortDescription": { + "text": "CORS should not allow every resource to access your API app." + }, + "messageStrings": { + "default": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app." 
+ } + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000006-cors-should-not-allow-every-resource-to-access-your-api-app" + }, + { + "id": "TA-000007", + "name": "AppServiceAPIApp.UseManagedIdentity", + "fullDescription": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + }, + "help": { + "text": "Use a managed identity for enhanced authentication security." + }, + "shortDescription": { + "text": "Managed identity should be used in your API app." + }, + "messageStrings": { + "default": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000007-managed-identity-should-be-used-in-your-api-app" + }, + { + "id": "TA-000009", + "name": "AppServiceFunctionApp.OnlyFTPS", + "fullDescription": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "help": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "shortDescription": { + "text": "FTPS only should be required in your function app." + }, + "messageStrings": { + "default": { + "text": "Enable FTPS enforcement for enhanced security." 
+ } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000009-ftps-only-should-be-required-in-your-function-app" + }, + { + "id": "TA-000010", + "name": "AppServiceFunctionApp.OnlyHTTPS", + "fullDescription": { + "text": "Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + }, + "help": { + "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." + }, + "shortDescription": { + "text": "Function app should only be accessible over HTTPS." + }, + "messageStrings": { + "default": { + "text": "Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000010-function-app-should-only-be-accessible-over-https" + }, + { + "id": "TA-000011", + "name": "AppServiceFunctionApp.UseLatestTLS", + "fullDescription": { + "text": "Function apps should require the latest TLS version." + }, + "help": { + "text": "Upgrade to the latest TLS version." + }, + "shortDescription": { + "text": "Latest TLS version should be used in your function app." + }, + "messageStrings": { + "default": { + "text": "Function apps should require the latest TLS version." + } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000011-latest-tls-version-should-be-used-in-your-function-app" + }, + { + "id": "TA-000012", + "name": "AppServiceFunctionApp.RestrictCORSAccess", + "fullDescription": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. 
Allow only required domains to interact with your function app." + }, + "help": { + "text": "Allow only required domains to interact with your function app." + }, + "shortDescription": { + "text": "CORS should not allow every resource to access your function app." + }, + "messageStrings": { + "default": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app." + } + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000012-cors-should-not-allow-every-resource-to-access-your-function-app" + }, + { + "id": "TA-000013", + "name": "AppServiceFunctionApp.UseManagedIdentity", + "fullDescription": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + }, + "help": { + "text": "Use a managed identity for enhanced authentication security." + }, + "shortDescription": { + "text": "Managed identity should be used in your function app." + }, + "messageStrings": { + "default": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000013-managed-identity-should-be-used-in-your-function-app" + }, + { + "id": "TA-000015", + "name": "AppServiceWebApp.OnlyFTPS", + "fullDescription": { + "text": "Enable FTPS enforcement for enhanced security." 
+ }, + "help": { + "text": "Enable FTPS enforcement for enhanced security." + }, + "shortDescription": { + "text": "FTPS only should be required in your web app." + }, + "messageStrings": { + "default": { + "text": "Enable FTPS enforcement for enhanced security." + } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000015-ftps-only-should-be-required-in-your-web-app" + }, + { + "id": "TA-000016", + "name": "AppServiceWebApp.OnlyHTTPS", + "fullDescription": { + "text": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + }, + "help": { + "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." + }, + "shortDescription": { + "text": "Web apps should only be accessible over HTTPS." + }, + "messageStrings": { + "default": { + "text": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000016-web-apps-should-only-be-accessible-over-https" + }, + { + "id": "TA-000017", + "name": "AppServiceWebApp.UseLatestTLS", + "fullDescription": { + "text": "Web apps should require the latest TLS version." + }, + "help": { + "text": "Upgrade to the latest TLS version." + }, + "shortDescription": { + "text": "Latest TLS version should be used in your web app." + }, + "messageStrings": { + "default": { + "text": "Web apps should require the latest TLS version." 
+ } + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000017-latest-tls-version-should-be-used-in-your-web-app" + }, + { + "id": "TA-000018", + "name": "AppServiceWebApp.RestrictCORSAccess", + "fullDescription": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." + }, + "help": { + "text": "Allow only required domains to interact with your web app." + }, + "shortDescription": { + "text": "CORS should not allow every resource to access your web apps." + }, + "messageStrings": { + "default": { + "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." + } + }, + "defaultConfiguration": { + "level": "note" + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000018-cors-should-not-allow-every-resource-to-access-your-web-apps" + }, + { + "id": "TA-000019", + "name": "AppServiceWebApp.UseManagedIdentity", + "fullDescription": { + "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + }, + "help": { + "text": "Use a managed identity for enhanced authentication security." + }, + "shortDescription": { + "text": "Managed identity should be used in your web app." + }, + "messageStrings": { + "default": { + "text": "For enhanced authentication security, use a managed identity. 
On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." + } + }, + "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000019-managed-identity-should-be-used-in-your-web-app" + } + ], + "properties": { + "RawName": "templateanalyzer" + } + } + }, + "invocations": [ + { + "startTimeUtc": "2024-11-07T04:57:57.369Z", + "endTimeUtc": "2024-11-07T04:58:02.943Z", + "toolExecutionNotifications": [ + { + "message": { + "text": "Discovered 1 template-parameter pairs to analyze" + }, + "level": "note" + } + ], + "executionSuccessful": true + } + ], + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "originalUriBaseIds": { + "ROOTPATH": { + "uri": "file:///D:/source/security-devops-action" + } + }, + "artifacts": [ + { + "location": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + } + } + ], + "results": [ + { + "ruleId": "TA-000001", + "ruleIndex": 0, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 264 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "be38ef4a5beacf017f220b3d98472e58b2a22f36fd9be444d705a6da0156fd74", + "gdnAlternativeSignature0": "ed2c5f6d187878540408f5bbb17875166e824df9cd545c2071e66b80f6c4bb01" + } + }, + { + "ruleId": "TA-000001", + "ruleIndex": 0, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": 
"ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 280 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d37d8282e31133b27146eb024c2736f1d7b65bdd6a42c08607bdb2bead9b5423", + "gdnAlternativeSignature0": "4c40d2cc63ce679ba6157fdc72d12b40481a893ab13296c36239c7ed8622cb86" + } + }, + { + "ruleId": "TA-000003", + "ruleIndex": 1, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 165 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3549d0b318441c8b49bd89ca36ea85f70bf45f022ab8c0609706ff5f5a88d2d8", + "gdnAlternativeSignature0": "0edb0e1b59eb8e8d3fc182d647d80d92147876a0454f610aa836842fb52181e5" + } + }, + { + "ruleId": "TA-000003", + "ruleIndex": 1, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 195 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8dbbe99de40dee0eb3c9eb6568f8e48c5effeec820c694f77be3999efaad513b", + "gdnAlternativeSignature0": "f244a0d31df3eeaba0ca511703721d84fe79f8beb849b3cc4453a7f7e9ffc9c1" + } + }, + { + "ruleId": 
"TA-000004", + "ruleIndex": 2, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 29 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d1a766811373af8220668a1819fa53325b88ba36dffbf2706701e95dfa1e0aed", + "gdnAlternativeSignature0": "f0153f08d6d8174a8d76708b6935ba0ef2b38e06ff62758758e948d72ef1be52" + } + }, + { + "ruleId": "TA-000004", + "ruleIndex": 2, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 44 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6e9b1515330559d9ab46e4c5b6afdd2ee9a07fc5122b6c3748c3688cfeca2789", + "gdnAlternativeSignature0": "c0dd2c03abc529e58717d3191f4fd5e673d3316a39093ba7bd9b964920239290" + } + }, + { + "ruleId": "TA-000005", + "ruleIndex": 3, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 165 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7e1a7ec5ef845a37f73c0407622bd567cdd07b2dfedc75a099d29862f374762", + "gdnAlternativeSignature0": "1cdb3b2f11971c7558e88df98da50f7e9a361b97dd3668a26543df13716d7597" + } + }, + { + "ruleId": "TA-000005", + "ruleIndex": 3, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": 
{ + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 195 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4643d07151b417ee81f093352a1a712e3536febd4f9c68cb9774bc20578541ec", + "gdnAlternativeSignature0": "c90df3b94d648eb7354b444cbe823e580310b5eda0a5391f3f4c80b4c05317f9" + } + }, + { + "ruleId": "TA-000006", + "ruleIndex": 4, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 218 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "65526fef72a3bd5686e08978f894f58ee0c94d6b14333616137c1197168771c2", + "gdnAlternativeSignature0": "6738218eca8210aa235b6a000d75d9cd8ec306669ef6783344d819eea5ad16a3" + } + }, + { + "ruleId": "TA-000006", + "ruleIndex": 4, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 199 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "74875f7d2bcd35300850f78ef8d77d9ccba6f1f3e01f8aa8126148d78a157a60", + "gdnAlternativeSignature0": "02e4138fc76c7af81aa05894a92ac4d606d31021aa410b0aa62abbdd6eba5eed" + } + }, + { + "ruleId": "TA-000007", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 187 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "be7e0b3fdbf227e31c46e9fd7b3a36bd67a5577fe93fabe7de457fb26f58dc34", + "gdnAlternativeSignature0": "b76e97cfdd95980416531f989be2fa221fd4f3689c9ca167b515e573bc729d04" + } + }, + { + "ruleId": "TA-000009", + "ruleIndex": 6, + "level": "error", + "message": { + "id": "default" 
+ }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 309 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "265486bd8e28eea8810483d45dcc81f731cd9776eed60a7893943e33d9b07b6f", + "gdnAlternativeSignature0": "ed44340ff877ba9d68523648797c4f0f7b56c7c028d93312e55d5c4dc2cdf0a8" + } + }, + { + "ruleId": "TA-000009", + "ruleIndex": 6, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 325 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d70937da25c2f4c4bf54334ccc495634c22918258a3b46e45fcd389fd482855f", + "gdnAlternativeSignature0": "34c1f242e862c9a4b1ccceb99a33b1aac0df47aadcc5e6b4cc6a9957bfa60ddb" + } + }, + { + "ruleId": "TA-000010", + "ruleIndex": 7, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 70 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f09e415fda3660cc86a250ca8b35c87db6d6f5d15c69693c1cee3d5a1bd841c4", + "gdnAlternativeSignature0": "c11ab3206f07476269883239e183c0a38d77630a64dc0a0fac178d45f7f0cb8b" + } + }, + { + "ruleId": "TA-000010", + "ruleIndex": 7, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": 
"ROOTPATH" + }, + "region": { + "startLine": 85 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b3eb7244e83ec91b3b2fdcadbdd498b8f8095140b6c23b74883b5ca61878a994", + "gdnAlternativeSignature0": "3a37f05c16ebd9b493c603024eeb1c5f9c35a5a44d2378a11b6c33003fba815f" + } + }, + { + "ruleId": "TA-000011", + "ruleIndex": 8, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 309 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "03a4354b8e006461fb34be109fe4601b633f817d7b237a02dbf2f1346d91e0b4", + "gdnAlternativeSignature0": "c490246cd2a3ee33ab981814e002c687938d33fba3eefb891fd8db2c7a92d64c" + } + }, + { + "ruleId": "TA-000011", + "ruleIndex": 8, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 325 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "24126068b178d605ced2a12989a4fa2ebd4d15eb30c7c2c37b9d3c6cab349686", + "gdnAlternativeSignature0": "c5923a6a520bd145ef3957d75a6c9d8cbf1025fcd4915449e60bbb02bd10a9e8" + } + }, + { + "ruleId": "TA-000012", + "ruleIndex": 9, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 313 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"36e23dcaac28961df21b197c601391bc76f0c90d72380a56f1fa29327bd0017c", + "gdnAlternativeSignature0": "3fa84bc1cc49b60bb7204fb88c7fada8faa63e5f8c9984e10e1b83d3b95bb9e7" + } + }, + { + "ruleId": "TA-000012", + "ruleIndex": 9, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 218 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b20e23b6ed47125967e4d087e615c9d4a9aba6d7dd9e2176ed151efcebb82d02", + "gdnAlternativeSignature0": "2ee68544e8b6b6a54363c95df7bd3d1422cf1c193ed005dddba038439e9650d7" + } + }, + { + "ruleId": "TA-000013", + "ruleIndex": 10, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 319 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ed0363b6f87f1d4e7c0807f68e051e1b3787bafbd2455d4528a10bf4d94b9edf", + "gdnAlternativeSignature0": "72d1e7c2a57d35fa08e178c56264746e48ed563a4da2d7f5dc8570438ed5d90c" + } + }, + { + "ruleId": "TA-000015", + "ruleIndex": 11, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 264 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ec6f5ed98134d472df3077d9c883d07c25923b8e2f9f0ee4ad62438d0a72b4f4", + "gdnAlternativeSignature0": "5e86cd98e6560ffb14e4eb72c99c8a11042feb183a1713a37c682f8417eca214" + } + }, + { + "ruleId": "TA-000015", + "ruleIndex": 11, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + 
}, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 280 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "38abf206aa092efe2a8fa6d3546f1a342e08c86f4b25be558b8afd5bcb532651", + "gdnAlternativeSignature0": "f53e1db90f911dfc29b77e08c01fc16a609b9720473da74edae88428a4e2bc1c" + } + }, + { + "ruleId": "TA-000016", + "ruleIndex": 12, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 111 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "408e1546a1bb4ad4b304b67d08fe6d99943c94a173d95edb8ddaa25a03798989", + "gdnAlternativeSignature0": "84d16425f679ebd232bade7a449c0cdbfef3776b9b928279599f00b71fbcfb22" + } + }, + { + "ruleId": "TA-000016", + "ruleIndex": 12, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 125 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "bce4367d8d17dfed8e0504a56bdbde591cfc253f3632a2f21142dffcac9e33a5", + "gdnAlternativeSignature0": "e76df0666939f84d4c4ef2f13e863a131ecb5f7e36060126730de3bd7aee8734" + } + }, + { + "ruleId": "TA-000017", + "ruleIndex": 13, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 264 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "84b7be1aa526d0d05c2de90d3e202c9ac537835e7b3140c871e452ee53505cf7", + 
"gdnAlternativeSignature0": "059a393d058cffaa8cdbe2fad159ee89d4f04ea63fcbee3981408888a39432e8" + } + }, + { + "ruleId": "TA-000017", + "ruleIndex": 13, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 179 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 215 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 280 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c8faed1d99ea5b1ced01439da3370660d482769c59a7665dda694f69f336bc76", + "gdnAlternativeSignature0": "216e7a3be42bfa5aae23ed3abf7bccf0d48aa5ad6ae0f617088f0de77723da89" + } + }, + { + "ruleId": "TA-000018", + "ruleIndex": 14, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 268 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b17d79fb40da84e43645bcdc62e3f720f8039e9be3454fd847cbef27623eea6f", + "gdnAlternativeSignature0": "4050ebca29a424898a464da3b851e5ae90c32384f653b4478a38a331c2639fa8" + } + }, + { + "ruleId": "TA-000018", + "ruleIndex": 14, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 218 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "478c565e6f29f52f64c42e08aca4fe0c94a9ed37a629ab4529d58c764580df69", + "gdnAlternativeSignature0": "0a4753c9c18e6f31fb4d238774fa74f694731b7aff4566b256d7a4f2c93536cd" + } + }, + { + "ruleId": 
"TA-000019", + "ruleIndex": 15, + "level": "error", + "message": { + "id": "default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json", + "uriBaseId": "ROOTPATH" + }, + "region": { + "startLine": 274 + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7f8fadd8a0cbc8600952d828f4f4f59c163cd99350430230e976a126d8c9a89", + "gdnAlternativeSignature0": "1dad07739d9b4f2d7845f7a709da12b240d41c1a3536217dc80b23b104ea5362" + } + } + ], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "templateanalyzer>>5>>202411062057" + } + }, + { + "tool": { + "driver": { + "name": "checkov", + "organization": "bridgecrew", + "version": "3.2.199", + "informationUri": "https://checkov.io", + "rules": [ + { + "id": "CKV_AZURE_59", + "name": "Ensure that Storage accounts disallow public access", + "fullDescription": { + "text": "Ensure that Storage accounts disallow public access" + }, + "help": { + "text": "Ensure that Storage accounts disallow public access\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access" + }, + { + "id": "CKV_AZURE_33", + "name": "Ensure Storage logging is enabled for Queue service for read, write and delete requests", + "fullDescription": { + "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests" + }, + "help": { + "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service" + }, + { + "id": "CKV_AZURE_44", + "name": "Ensure Storage Account is using the latest version of TLS encryption", + "fullDescription": { + "text": "Ensure Storage Account is using the latest version of TLS encryption" + }, + "help": { + "text": "Ensure Storage Account is using the latest version of TLS encryption\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2" + }, + { + "id": "CKV_AZURE_190", + "name": "Ensure that Storage blobs restrict public access", + "fullDescription": { + "text": "Ensure that Storage blobs restrict public access" + }, + "help": { + "text": "Ensure that Storage blobs restrict public access\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-190" + }, + { + "id": "CKV2_AZURE_40", + "name": "Ensure storage account is not configured with Shared Key authorization", + "fullDescription": { + "text": "Ensure storage account is not configured with Shared Key authorization" + }, + "help": { + "text": "Ensure storage account is not configured with Shared Key authorization\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-40" + }, + { + "id": "CKV2_AZURE_47", + "name": "Ensure storage account is configured without blob anonymous access", + "fullDescription": { + "text": "Ensure storage account is configured without blob 
anonymous access" + }, + "help": { + "text": "Ensure storage account is configured without blob anonymous access\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-47" + }, + { + "id": "CKV2_AZURE_33", + "name": "Ensure storage account is configured with private endpoint", + "fullDescription": { + "text": "Ensure storage account is configured with private endpoint" + }, + "help": { + "text": "Ensure storage account is configured with private endpoint\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-33" + }, + { + "id": "CKV2_AZURE_41", + "name": "Ensure storage account is configured with SAS expiration policy", + "fullDescription": { + "text": "Ensure storage account is configured with SAS expiration policy" + }, + "help": { + "text": "Ensure storage account is configured with SAS expiration policy\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41" + }, + { + "id": "CKV2_AZURE_38", + "name": "Ensure soft-delete is enabled on Azure storage account", + "fullDescription": { + "text": "Ensure soft-delete is enabled on Azure storage account" + }, + "help": { + "text": "Ensure soft-delete is enabled on Azure storage account\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-38" + }, + { + "id": "CKV2_AZURE_1", + "name": "Ensure 
storage for critical data are encrypted with Customer Managed Key", + "fullDescription": { + "text": "Ensure storage for critical data are encrypted with Customer Managed Key" + }, + "help": { + "text": "Ensure storage for critical data are encrypted with Customer Managed Key\nResource: azurerm_storage_account.terraformaccount1" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key" + }, + { + "id": "CKV_K8S_25", + "name": "Minimize the admission of containers with added capability", + "fullDescription": { + "text": "Minimize the admission of containers with added capability" + }, + "help": { + "text": "Minimize the admission of containers with added capability\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24" + }, + { + "id": "CKV_K8S_20", + "name": "Containers should not run with allowPrivilegeEscalation", + "fullDescription": { + "text": "Containers should not run with allowPrivilegeEscalation" + }, + "help": { + "text": "Containers should not run with allowPrivilegeEscalation\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19" + }, + { + "id": "CKV_K8S_21", + "name": "The default namespace should not be used", + "fullDescription": { + "text": "The default namespace should not be used" + }, + "help": { + "text": "The default namespace should not be used\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20" + }, + { + "id": "CKV_K8S_28", + "name": "Minimize the admission of containers with the NET_RAW capability", + "fullDescription": { + "text": "Minimize the admission of containers with the NET_RAW capability" + }, + "help": { + "text": "Minimize the admission of containers with the NET_RAW capability\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27" + }, + { + "id": "CKV_K8S_43", + "name": "Image should use digest", + "fullDescription": { + "text": "Image should use digest" + }, + "help": { + "text": "Image should use digest\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39" + }, + { + "id": "CKV_K8S_8", + "name": "Liveness Probe Should be Configured", + "fullDescription": { + "text": "Liveness Probe Should be Configured" + }, + "help": { + "text": "Liveness Probe Should be Configured\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7" + }, + { + "id": "CKV_K8S_37", + "name": "Minimize the admission of containers with capabilities assigned", + "fullDescription": { + "text": "Minimize the admission of containers with capabilities assigned" + }, + "help": { + "text": "Minimize the admission of containers with capabilities assigned\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34" + }, + { + "id": "CKV_K8S_29", + "name": "Apply security context to your pods and containers", + "fullDescription": { + "text": "Apply security context to your pods and containers" + }, + "help": { + "text": "Apply security context to your pods and containers\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers" + }, + { + "id": "CKV_K8S_22", + "name": "Use read-only filesystem for containers where possible", + "fullDescription": { + "text": "Use read-only filesystem for containers where possible" + }, + "help": { + "text": "Use read-only filesystem for containers where possible\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21" + }, + { + "id": "CKV_K8S_23", + "name": "Minimize the admission of root containers", + "fullDescription": { + "text": "Minimize the admission of root containers" + }, + "help": { + "text": "Minimize the admission of root containers\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22" + }, + { + "id": "CKV_K8S_40", + "name": "Containers should run as a high UID to avoid host conflict", + "fullDescription": { + "text": "Containers should run as a high UID to avoid host conflict" + }, + "help": { + "text": "Containers should run as a high UID to avoid host conflict\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { 
+ "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37" + }, + { + "id": "CKV_K8S_31", + "name": "Ensure that the seccomp profile is set to docker/default or runtime/default", + "fullDescription": { + "text": "Ensure that the seccomp profile is set to docker/default or runtime/default" + }, + "help": { + "text": "Ensure that the seccomp profile is set to docker/default or runtime/default\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29" + }, + { + "id": "CKV_K8S_38", + "name": "Ensure that Service Account Tokens are only mounted where necessary", + "fullDescription": { + "text": "Ensure that Service Account Tokens are only mounted where necessary" + }, + "help": { + "text": "Ensure that Service Account Tokens are only mounted where necessary\nResource: StatefulSet.default.cassandra" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35" + }, + { + "id": "CKV2_K8S_6", + "name": "Minimize the admission of pods which lack an associated NetworkPolicy", + "fullDescription": { + "text": "Minimize the admission of pods which lack an associated NetworkPolicy" + }, + "help": { + "text": "Minimize the admission of pods which lack an associated NetworkPolicy\nResource: Pod.default.cassandra.app-cassandra" + }, + "defaultConfiguration": { + "level": "error" + } + }, + { + "id": "CKV_AZURE_225", + "name": "Ensure the App Service Plan is zone redundant", + "fullDescription": { + "text": "Ensure the App Service Plan is zone redundant" + }, + "help": { + "text": "Ensure the App Service Plan is zone redundant\nResource: Microsoft.Web/serverfarms.serverFarm" + }, 
+ "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/bc-azure-225" + }, + { + "id": "CKV_AZURE_17", + "name": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set", + "fullDescription": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "help": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7" + }, + { + "id": "CKV_AZURE_78", + "name": "Ensure FTP deployments are disabled", + "fullDescription": { + "text": "Ensure FTP deployments are disabled" + }, + "help": { + "text": "Ensure FTP deployments are disabled\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-ftp-deployments-are-disabled" + }, + { + "id": "CKV_AZURE_18", + "name": "Ensure that 'HTTP Version' is the latest if used to run the web app", + "fullDescription": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "help": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8" + }, + { + "id": "CKV_AZURE_14", + "name": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service", + "fullDescription": { + "text": "Ensure web app redirects all 
HTTP traffic to HTTPS in Azure App Service" + }, + "help": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-5" + }, + { + "id": "CKV_AZURE_16", + "name": "Ensure that Register with Azure Active Directory is enabled on App Service", + "fullDescription": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "help": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1" + }, + { + "id": "CKV_AZURE_71", + "name": "Ensure that Managed identity provider is enabled for web apps", + "fullDescription": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "help": { + "text": "Ensure that Managed identity provider is enabled for web apps\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services" + }, + { + "id": "CKV_AZURE_15", + "name": "Ensure web app is using the latest version of TLS encryption", + "fullDescription": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "help": { + "text": "Ensure web app is using the latest version of TLS encryption\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-6" + }, + { + "id": "CKV_AZURE_222", + "name": "Ensure that Azure Web App public network access is disabled", + "fullDescription": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "help": { + "text": "Ensure that Azure Web App public network access is disabled\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-63" + }, + { + "id": "CKV_AZURE_153", + "name": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot", + "fullDescription": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "help": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-azure-web-app-redirects-all-http-traffic-to-https-in-azure-app-service-slot" + }, + { + "id": "CKV_AZURE_67", + "name": "Ensure that 'HTTP Version' is the latest, if used to run the Function app", + "fullDescription": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "help": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-http-version-is-the-latest-if-used-to-run-the-function-app" + }, + { + "id": "CKV_AZURE_70", + "name": "Ensure that 
Function apps is only accessible over HTTPS", + "fullDescription": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "help": { + "text": "Ensure that Function apps is only accessible over HTTPS\nResource: Microsoft.Web/sites.ApiAppNoHttps" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-function-apps-is-only-accessible-over-https" + }, + { + "id": "CKV_AZURE_13", + "name": "Ensure App Service Authentication is set on Azure App Service", + "fullDescription": { + "text": "Ensure App Service Authentication is set on Azure App Service" + }, + "help": { + "text": "Ensure App Service Authentication is set on Azure App Service\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azr-general-2" + }, + { + "id": "CKV_AZURE_65", + "name": "Ensure that App service enables detailed error messages", + "fullDescription": { + "text": "Ensure that App service enables detailed error messages" + }, + "help": { + "text": "Ensure that App service enables detailed error messages\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages" + }, + { + "id": "CKV_AZURE_80", + "name": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app", + "fullDescription": { + "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" + }, + "help": { + "text": "Ensure that 'Net Framework' version is the latest, if used as a 
part of the web app\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app" + }, + { + "id": "CKV_AZURE_66", + "name": "Ensure that App service enables failed request tracing", + "fullDescription": { + "text": "Ensure that App service enables failed request tracing" + }, + "help": { + "text": "Ensure that App service enables failed request tracing\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing" + }, + { + "id": "CKV_AZURE_63", + "name": "Ensure that App service enables HTTP logging", + "fullDescription": { + "text": "Ensure that App service enables HTTP logging" + }, + "help": { + "text": "Ensure that App service enables HTTP logging\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging" + }, + { + "id": "CKV_AZURE_88", + "name": "Ensure that app services use Azure Files", + "fullDescription": { + "text": "Ensure that app services use Azure Files" + }, + "help": { + "text": "Ensure that app services use Azure Files\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": 
"https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files" + }, + { + "id": "CKV_DOCKER_2", + "name": "Ensure that HEALTHCHECK instructions have been added to container images", + "fullDescription": { + "text": "Ensure that HEALTHCHECK instructions have been added to container images" + }, + "help": { + "text": "Ensure that HEALTHCHECK instructions have been added to container images\nResource: /samples\\Dockerfile." + }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images" + }, + { + "id": "CKV_DOCKER_3", + "name": "Ensure that a user for the container has been created", + "fullDescription": { + "text": "Ensure that a user for the container has been created" + }, + "help": { + "text": "Ensure that a user for the container has been created\nResource: /samples\\Dockerfile." 
+ }, + "defaultConfiguration": { + "level": "error" + }, + "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created" + } + ], + "properties": { + "RawName": "checkov" + } + } + }, + "versionControlProvenance": [ + { + "repositoryUri": "https://github.com/reynoldsa/security-devops-action", + "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", + "branch": "main", + "properties": { + "RepositoryRoot": "D:\\source\\security-devops-action" + } + } + ], + "results": [ + { + "ruleId": "CKV_DOCKER_2", + "ruleIndex": 42, + "level": "note", + "message": { + "text": "Ensure that HEALTHCHECK instructions have been added to container images" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/Dockerfile" + }, + "region": { + "startLine": 1, + "endLine": 2, + "snippet": { + "text": "FROM alpine:3.14.0\nRUN echo \"testuser:x:10999:10999:,,,:/home/testuser:/bin/bash\" >> /etc/passwd && echo \"testuser::18761:0:99999:7:::\" >> /etc/shadow\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d575ad4cda6d50d0a5b22693f2455c3705f7c36bb4b15adc9192690133bf9374", + "gdnAlternativeSignature0": "b638b75acb82e58442ebe3ecff85569f7009ac136ba3db701680ba599b613c84" + }, + "attachments": [] + }, + { + "ruleId": "CKV_DOCKER_3", + "ruleIndex": 43, + "level": "note", + "message": { + "text": "Ensure that a user for the container has been created" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/Dockerfile" + }, + "region": { + "startLine": 1, + "endLine": 2, + "snippet": { + "text": "FROM alpine:3.14.0\nRUN echo \"testuser:x:10999:10999:,,,:/home/testuser:/bin/bash\" >> /etc/passwd && echo \"testuser::18761:0:99999:7:::\" >> /etc/shadow\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "1242a262a0e0dc6e681ad67a81a121ae66f0b2562d1d669a066233daaa7a615a", + 
"gdnAlternativeSignature0": "81662655dc607bf53d1554c1d9b11df48d1d564eac1529173b8d0a2e61969e63" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_225", + "ruleIndex": 24, + "message": { + "text": "Ensure the App Service Plan is zone redundant" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 14, + "endLine": 19, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/serverfarms\",\n \"name\": \"serverFarm\",\n \"location\": \"[parameters('location')]\"\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5221a67299814f524df6a6522077373a0fd22c2d3f1748e6025a8552333f7141", + "gdnAlternativeSignature0": "e6aab96518196be0b417589447f9a67fea4ac7f6f0a89667d1394f61195916f6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2052f152b6d5766a7b59a9c7b4f1d29a0f7bb9060b894b7a65b9e58207a28318", + "gdnAlternativeSignature0": "e18fdea947ebaa5eeda8e3c09e3f041d81794a440563fc2ff6526653c22c9300" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + 
"physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5f73cccef9e3e5de304868ce267f1b16ddbbad0c9c52f4c39866f9e347b7d5d2", + "gdnAlternativeSignature0": "7806091df62a7f1ac9e2fd4c6a8f834a76f61fa22e8e6b577272499b3e942104" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b9354cf1c73339ba30adcd102787a08181f25aaff9f6782332e185ca65fb9a6b", + "gdnAlternativeSignature0": "c95f4a7cc4fb4eab5c51d2885069bf453fc79e65aac23ff2d04b015fe36717d0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "be5f727a2ce11c634799422c02b8a4786d9b57ab5402571c6025b43e6b077b3d", + "gdnAlternativeSignature0": "30eef084050fc6c74f476b1ce8aa4c766974299647bbfbf548e37ddd1fc1ceb1" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8ec0cf28cfe77f1886c419e78389f8a6102878cb7612535c76516fd29c664889", + "gdnAlternativeSignature0": "b35de61bb549b7a7050bd10b59810d2d6c10f19155d87b4bd9b1f6a92ac87ae8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + 
"region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ee7a8721be19f071f11af14aaa7aca9576415f4d4d1e62346a853f58100c82e4", + "gdnAlternativeSignature0": "ec622e49b27f8e22a9e6f643cf8cf907eb559102eae22be4e991b94720701355" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ef9b889940362ecd85475a4717800814cf44656011817a1d3370a3bcab0f9006", + "gdnAlternativeSignature0": "e8b887b9e4630d128d846a53822b5d4d36f7078245f4e138644f951d5da1c04b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " 
{\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e1dc47b6e2369dd39565addd153d327dd0d76de16d44d15949739b4ece89857b", + "gdnAlternativeSignature0": "d43a14c244c9f2b15c1ba3cec391a15f1baf94ac985c7db47cad796ef60a075e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "97d7ca490bf520d069c13ebdb0d71a09b89fcd7769dde3ce13a56b628553002e", + "gdnAlternativeSignature0": "4900509f0378a44b7fbeba8ec8bf1dbc277cdf17e6f3726e7111c71d23884b5a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": 
\"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c56f175caf69b08d44542457468251bc934009d1db105d9b7bbebcbcb3beb452", + "gdnAlternativeSignature0": "913aa909429d17a84df0c1e8748ff6aea024d4ef99d8904de01b8ebfebb6ef2c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 20, + "endLine": 32, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2f45d4e06de44a01421e37f361501aad833ff822c1204548527c417f387a4bfd", + "gdnAlternativeSignature0": "c1176515ad6f738679a0735507229cb7137334a387d241a6f6f16e99fe2c2751" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n 
\"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "77217b91fc3a35c94077b14d569129379554bc6c475fef0ed13e21ee3f64e356", + "gdnAlternativeSignature0": "a92fd4c7fd1c82fb5c7c4e2b973b97bd202817cb9be0631ec7ec94540eca12a0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "96272a03ccdc56a5a8b96c5109daa200cb64585bf6cb129647e817d4f08a4bfd", + "gdnAlternativeSignature0": "3e23e70479065b8d7df9e45448b64661427e6438fbe37d04a36266ce32bee78a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "67cba71b0950ef66e3a3a355b9a91d2d202c0813fe7f8b95e741f7812d7033fc", + "gdnAlternativeSignature0": "fbff0c06779ae5a02c627c32a5286e16208ac4855c442d93ca1238f9c34e1d11" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2f0e38a86c95c2a52024f64d67bcd131909536c1a0e5b97ad5e093d03574efea", + "gdnAlternativeSignature0": "5ecca9431ae6ccf7833666998b89928bef027106342ff5293dbcea4fbfd8985f" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n 
\"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "047e97aec3e3db452cd6494fac807837f79de6dbf49057a6af9fa720f29866cd", + "gdnAlternativeSignature0": "4d3bb1bfb723ab4e801290b50a7f708428b9978d60d75e9d4b421ce3261e987e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "60a28f98c4f08919941b75af5cb9983b3d6d0d4fdbdfd72f0090398ec41d78b8", + "gdnAlternativeSignature0": "81e9acc15fdef5820327f3e7ba5bb7d63c7bc0ff05365b47c155fc8b5bf089f7" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n 
\"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "661df7e8e64bd5bdd34a1d439102b29529c13c746e5feb730fac1b89383a4443", + "gdnAlternativeSignature0": "20930ab9036a0597b410e4bbb9a3ae46121270bb3384764cabfe9af8664ee4c2" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "eef8e08eefe99efe6383c19a6c2f6896c9ef94af166789c535a44e439faff96b", + "gdnAlternativeSignature0": "d9cfc31c8fd621cb84b4ac6e4aebe8fbdc58ac745ec38f3cad71e0d6516cac75" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n 
\"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b6eaac00912ec69927074d73bba19050e90b93d7c2863034c5f57ac14b6c3f56", + "gdnAlternativeSignature0": "63b91b45615d3139f0c8994573f3c9045d8602acb32fa9a2b56ff7b1e8c030d3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "1a28305cc04bfcb6e7d6cd127478774b1bee41fc46643d7798536ede530ea751", + "gdnAlternativeSignature0": "0f393c4096130800e7805e4a66f1950cf2d771868201e4632b04ce44be71df65" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 33, + "endLine": 46, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": 
\"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7e0569871e364eb4f1ad13804f6bbac0225d2b791ccc53683c54d880a8d56ad", + "gdnAlternativeSignature0": "558d0b90f8a67d09495fad85b33c5877cb89b0319b670c21c57f4959cca1eaf1" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "aaddab01eb68ff517e9444b2e9d93377d31950dea3e82ddb8ab944c5dfee7c1f", + "gdnAlternativeSignature0": "57cebe241ad3cf45ef799f306169e2b2264d43b4510f8e0752726be7131ab490" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "590ff9987116abb8a3400496eddeb58c1f024d384c76051a44dc2c39e4e49283", + "gdnAlternativeSignature0": "61d1b562f5d44f6ddbc3c5c2814e820572971c9d99d41830d74ee6dab9e8b1b8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "db280dfff3e2790244c8b505a80423b5448fc8e75d59a62250b7a79536cf7ff1", + "gdnAlternativeSignature0": "ac8dbe3cffb76f8661fc62b1f0f4da58be581b4d0ef2caa7f3cd204caca2463e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "aea92e244aca978f643e2e1ac665f53ebba318185bd336a66cd47a0b665060ec", + "gdnAlternativeSignature0": "b48782f8c3aa23c586d734684f31424229a47093f158458dc6b2d60685e3d769" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "798c50dcd9acde7329ed5009c3d07a2217acf11fec1f31004c527083961c540d", + "gdnAlternativeSignature0": "165dd9555e9c9161445bf7503e05d3cbed8dcbb6302f42637d6b45ccaca0ff58" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4c5dfc4574f7685bcd89ddc5a65c7d0c511987abf75c9de4430457d1727af8af", + "gdnAlternativeSignature0": "d2ce914431dc4d3c206c55b66c4b6dca1bb2031972528496dbf84c655535f145" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "44c94e00b2108329c9f76c78147b2604cc20cabbf31e7f8e4299bf4d2fd94f14", + "gdnAlternativeSignature0": "61c01b83b4d60836ee555f3f704f36d40cb7a30c25a0d5dcd09b5f172423448a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 47, + "endLine": 60, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "235d3319b06d373c3b2babd6236b29e3ee46066a92409d48434ecf54474c4f3d", + "gdnAlternativeSignature0": "781e42feb7fc10ca262f5cce84e3a566206e0d9abfe2465ba0a1fb45a98eef9e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3645ea9051ae5673c813896b86a7ba9dd2b3b5e32c23cafc80908b2f2524f944", + "gdnAlternativeSignature0": "3f5299a9cafa29f11de4de69e3fd6545bbed0d8ef6dfdc23e989ccbd39b25cdd" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n 
\"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ca7a9cc04d61e4c2746e08d814a13bfce97322ab3330c23ac6a3a046e1da28cb", + "gdnAlternativeSignature0": "7223771f7f45cc448238ef3189a578bb9838dc9dcd6954b1769a77b8828299a3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "71dc14fcd10f9c9553a4da8ac502b6435b2ed0db62277cd987cca6d551c6d181", + "gdnAlternativeSignature0": "d43fc88acb8d338e40410db7c591108b80e3d46c28060e62437919f14f722dfe" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": 
\"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3c0093298905723cba273ae4a7665878ab158eed129e338a933ea628f12cea27", + "gdnAlternativeSignature0": "3e6753aa3addf5ba0305dc624bf944236f65feb3fb342a87052ac03331c29086" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d1a5aac95999bad7e7b5c9e0e255d9d2ca11a7cea6fa5dc385222d4feaf488c3", + "gdnAlternativeSignature0": "33369208b079f75cbe0cab69fc1bf20ac7c43ea8f2b7536e1b4f13a771190cb6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": 
\"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d73af49617110ba351d090184b05165dc8855332c51a8857ed25280cf9afad44", + "gdnAlternativeSignature0": "09a999b4a9287158b3cca86c7e300c895a1350f7ef5816c5b55efc9f3ea7ce55" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "03753151129aae06d95a6bf05714f3962691cc58c210d7d9e1834d8fd0ccfbf9", + "gdnAlternativeSignature0": "ee019a6f911abaec8264daa5ce7e95edb613bb130a37c20e98d07b6ce408aa71" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": 
[\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b8b0b37b159d4ac33da5cc0f6c8e629f574c8e2989630facb7ed998b4fbd3e2b", + "gdnAlternativeSignature0": "c33ac75db46382ebd17cb142c0ac1e4ad6899e74b3a7aba6452e31cff4a58b91" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e964440f1574351b358e9ad24c3716799d68e1fff901003018bb171fe1731425", + "gdnAlternativeSignature0": "d665f8f5eb905b17e8a1114333ea0f968495576f17e39f7aa042a5e10d58f6dd" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": 
[\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "46bcafa5ef7682f49218b2cdae86203af9bd2d6676b1305517ff82ed2534c8a4", + "gdnAlternativeSignature0": "3aa93e2f42f94795cf57ca2abb96bbaf98d85c457a25083f5dc76fd25f6c828d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 61, + "endLine": 73, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8897f68b7d0cfd331d551cfe62263a1a37c12f1b2fa6cc72ced0fb70f1d07bea", + "gdnAlternativeSignature0": "1e32293b35ee682f0207bfc6b97b03f98947a3c42b123d602986180ab02349dd" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e19ab0fdf6b41c60416ec1789e435d14b225c9059e0cb0e72b85621eaa9a6a86", + "gdnAlternativeSignature0": "9c76d0ac3067ddae324af883867178b01d2394b6293865422cfd1c2a0d8f2322" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9ccd2eec805423da588e0e4fb39a20af8824e7b43e64c3e4b69ef404665c32cc", + "gdnAlternativeSignature0": "f564ab2518131f06da69f86eb0b8f61753018f7a7779cfb057eddd15551977ee" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9359461703908a57a96cb32c9d317be3fe28b28f0bf8392611a279a831e3c47d", + "gdnAlternativeSignature0": "4e87df39b2999630b9a10e9ecb92008f17baf6e351e0b208887f85e9931397af" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "52979741c27ad8788e0a869cb9c45f1dd101ad482c8c5157b8812f78991baf31", + "gdnAlternativeSignature0": "5058e736e60a56f62767c611d9a6aa94a5845c6ee0c4aa10fb6626a2aa2a70bf" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": 
\"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "31f0c7f30ad4509ee75d1a179af6e021694beb27d3a38ff0b5bcf0fd5d9bfec0", + "gdnAlternativeSignature0": "1129123e54ead9a5143b8feca94087caf7d35b5ae8251eafbe5b7cc169c2321e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0768d45c77ded4c1385d2feae675b811f3c643696bda9156a8bfccd599aff704", + "gdnAlternativeSignature0": "a60f942f7a1141f3ee5bceb13b7991b3a42f1f9d9b467e82a0d3f2b9ba339d7c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": 
\"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6401e6c3c7b71999c46c38b67aac9488aa986bc7b294124d85576bda8a4c0a9a", + "gdnAlternativeSignature0": "4dfd2fb00d7468e4b5ec7f9be6f463d7ce9654014d94abd3d367315c073cb7bb" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e32c0ff998fcef5e2c8dc7044fad00fee70e804ea115377e31bb12a7f59a2c10", + "gdnAlternativeSignature0": "439c05a50fad4d75ec8d278a58719987c9009948631a2f11782251d73c8f4200" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": 
\"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a5c04b13d6677bc41f4b3715f1e01ce95036675d6de4df8dc0439de074a03d73", + "gdnAlternativeSignature0": "49b98e30d0dd7ce696a9b0b481e3281fd671f0fd70de26dd6fb7510b705e0f87" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e6301a23f58d4b667b0f9399522c3093c2289a6533a91c5cdcf22d245d526fa9", + "gdnAlternativeSignature0": "6091c16fd0d417e61913fb8a205a0381ceb3beab6ee091ecdef880751180c796" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 74, + "endLine": 87, + "snippet": { + "text": " {\n \"apiVersion\": 
\"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0f2797770c6de1cf13dc915a59ed4540e23f915d86778fdb7e6b17a631c027fa", + "gdnAlternativeSignature0": "7f942a785576efce2530b9d5e5138b37b95f67caaaf4f068e03450ac35bc9b27" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8a917df4e8c678506a78db5559479538775f940b8c14aa146822e79c821a287e", + "gdnAlternativeSignature0": "536e095efb39b0a59bf24cda2950cc9d7a939e228a53bf159bf8cd0fb1b8da6e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n 
\"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "012a7cc9d1337a51d3b90f52d7866f9183fa75c796a6b444a5792554db38986e", + "gdnAlternativeSignature0": "a0b181e8b990ea5f29718c2f802c61d0e3d160d0fea9394c335ce70582b89c12" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "07162ca3946165f6599af87465895d93e3a4672e03b47519894ce51b2c5cc9bd", + "gdnAlternativeSignature0": "74128bc18a6b19a6678aa9cbd0384858bae0f0270c9c36bed84570fd26bfbaca" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + 
"snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a69519b3c5b094db4ab476ddeb127f3a19304d1a0dceaaa0990a3438551fa084", + "gdnAlternativeSignature0": "be3bd3018a1fbfa842ccab409f12e02b083c1afa3058a47b84c9fff1d4da82b3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "736147b83648552df9d3f8b2b392ab48a9bf9ab58620fb7a3818f40f07bbfc61", + "gdnAlternativeSignature0": "f27f79c0de60ef21728d0f1fc1410e6a2cea4efb033b119007e4e6ab0626384a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 
88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a4b11836c10056ef0cdbbdb6afefc25c31906aaa79ca3bdbc1bdb18ed2d011b7", + "gdnAlternativeSignature0": "07b6c44a303c8c16e35003d2412596b49a13368ed484ff649ffa144d2b5771f8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ac27e5bae66e1875d76fc175bccaf11c9f0a10e45ac8385025f5dde90c69e4fb", + "gdnAlternativeSignature0": "9a5fdc81a5d1e596583d75f0a2da7b28dd82d0c9155a0baf2b57fd32cf33e21d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": 
{ + "startLine": 88, + "endLine": 101, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d06586685b31f55d3be4de5084e13b421c700e4c87a7437bffe41291bf65d35b", + "gdnAlternativeSignature0": "dcb4c97d8e1a7a14524f2c6534312187b0272594e87ed98fe98e172b43b7dff9" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0207769333b739f934c6c2472c0f269001ca3b1e973fe1cce2d2472d8bc56399", + "gdnAlternativeSignature0": "c00d75f61dc4dfb1d452c9fa66da4eea57d1fd4fada176b36c66d53d5b9b1cb0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + 
"endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5d7890ffeb37cacd07b107299144f625fa773f8e8fb28a62a7c0dea16025a0ee", + "gdnAlternativeSignature0": "089e7957dda409a966a18b7e294c4573d4ec68ad4e24b23938e321a8e82b030d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c29ee62ee70b4965bc0d67ef69030f6b70e617d9fcd3ac8200b68198192b7dc1", + "gdnAlternativeSignature0": "b4ba90b3e3e84e928c796f1c7ebb2e6797dea862b0e44cef5199dbe9bfe5e6aa" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": 
" {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ee8d746b0689b235f3208999ce7df1653fa45d2711d41a5d6e7ba90fd50c388c", + "gdnAlternativeSignature0": "ea3506129a69e11e59a2393a8e401e15c35473f82a143746cf124f0aceb0f013" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7b591f479f9723771411f3c953ee4ab3beda88856ae3ab53a88a64d61214e01d", + "gdnAlternativeSignature0": "0ac09190fd50243610f0dc1cefc1f8f5bf5340c6554465ca85333d39814c3094" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": 
\"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f3eef46d00d6fe15f0b4da40bda2f0ab16e3c91fcec06df3545e1c7fe7d8ff6d", + "gdnAlternativeSignature0": "6d2fd3507d1f39e715802fc90b4f9779fa4a250936446362dfb3a3c8675b600b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "52578dfe3657d9104db6fe82cafe200490942428064ed7a2ba755d780c8365a3", + "gdnAlternativeSignature0": "c54bc8f04da699379969061f974819212592deb962782dc7070937bd22ff33c6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n 
\"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a5c0013a8fd9f0097d45e444d88054036ed8f442fe330587d0eae9d3714ec87c", + "gdnAlternativeSignature0": "10e9ab48939200696e4f91afa907175cea23e4c9aea63613a7ca13160da48477" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c8b8eb4f5fd69ed893f62f660e2df19dc69d3bb4a56c750d27505476f1cfd972", + "gdnAlternativeSignature0": "3bc11347887444d838588cd7d6dfcda7b36d4137a8406b9064dff980db330958" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": 
\"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7a9df9fe206d31f6b88c7461cbbedd1791b9500136c048ba6c5a1a70390f97ac", + "gdnAlternativeSignature0": "69eb37c4e01e77eaee89dd5c5159883cb79b66d176282e18fcb6e2926e00a887" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 102, + "endLine": 114, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "67339bfd8472664e8e86c3dc86cc304bf7b9e1d32dfd00de0e6fbaeb2beea398", + "gdnAlternativeSignature0": "3e179c62893671bd328f85697d3c649cb45309fb6525b65b76a9aa5a649adc58" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": 
\"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4f72f1e4d99a8378d05b185cebfa8825d333a71cd5ef5b0bf186468bdbefea17", + "gdnAlternativeSignature0": "c78d4a844035a2ce61548f8d60784616fb2403fb930f340915bc4bfcc468716f" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "cd8cdaf3f142d7a4565c43f60507169bdc01b2286039cf1255d61c596ba3101f", + "gdnAlternativeSignature0": "bd5c17ecc6b46d6513f8eca0a60db649dd30c9a1eb735d04fbc624a1b4b79f51" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f7e0232cacef22c54066a9584d66a2197c9c74c0e03f83d8eb7c4e0134444dd0", + "gdnAlternativeSignature0": "7d8d600175945563c3b4bfe9e2c144473bb0a6ad19b8148501a70cdc8061004d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_14", + "ruleIndex": 28, + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ae3081631a2091bd9163df6f1ee42da0cb7854cc3bd2d6b398ceb8157d47c295", + "gdnAlternativeSignature0": "89901158631e4d71235d05997a134e895b4ccc2e4ef71ec40ae5b8fe13439adb" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "255f7613ce31bf6755bb2ecceee14742ed8cff561d5a310b501ef17b7a9297d3", + "gdnAlternativeSignature0": "b96b4d533c88a6a70fd777af318af980187826608f3a569474d34858e2dfe22c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0b1fb05ccebfce0be5690acbadf661f9c2c441ad9d90eadd8db28efb2a5c574a", + "gdnAlternativeSignature0": "8835bcf442c7e87a2f87b12a5afeea783d9963935c9e670d58841eeee02b0fe0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2b2824300dc3a47d41fe35895bcc7cad5518ad6adbeecd51da01c157e6c984c0", + "gdnAlternativeSignature0": "7649a4df3f008f0807c7e8a88a1a2dc1343615f1b82341ecdf1c0191b0c59f89" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "91cfeca6c81755244c63c7c01d9c91da11cbcf416444876ee05b92c981358129", + "gdnAlternativeSignature0": "c4fc2fbf31a7a52d60660e3c94d040c2abb912507c60f5b084cb0d8eae09c334" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_153", + "ruleIndex": 33, + "level": "note", + "message": { + "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n 
\"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "12fdacf2d5aa3a1ee71cd5c41c350cfba3e252cd7cbe4d579fed9cb23ab77388", + "gdnAlternativeSignature0": "26f89be242e3ae985b8f53b8ee3c67bead4ae71123378bf3dee7dc2d8263e6d5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "54ced1e9e7299882c21663f45e6f27de7eb21223e77344e814efcd89b8eed40a", + "gdnAlternativeSignature0": "33f9e2f7e0ddc2d74628ef9e4d55b535c2ddb446f42351f4ba30926022834e1a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_70", + "ruleIndex": 35, + "message": { + "text": "Ensure that Function apps is only accessible over HTTPS" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 115, + "endLine": 127, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 
'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "288291d4755ccee48c5333b7d63f37c8e0706cf06714117660c84507a289ebc0", + "gdnAlternativeSignature0": "f5a45e007c2154338b28247a0731d64cd6c700e52b86171ebfab23be42290c88" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "08008df0f45ad8f64f4f9486ca9d1d20053d77608610e41a01834c68b1cc3a09", + "gdnAlternativeSignature0": "7f7317b8b44e4c8b52c5da46edf6e775d451d85bc442fbf7d98ac9b0ecdf9b1a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n 
\"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a2fcaa633cbc5e8689c4c980a1b76805afde139435d0d92003f29dbc1adb25d2", + "gdnAlternativeSignature0": "02fc484de3908421bf498b943a3501de05c15edb775e37cb7257ad89b4e1ea9b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "bf112ad4ff0c1f3dbda36d12b6d980c83e9448f3cea1fab2124874b363e2ac33", + "gdnAlternativeSignature0": "ddde80d77251f9ab96e8180febb6470c41bad8598a1751ecf3205201e04032d6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n 
],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "adf211c29e22998dc5e478d0f175052925f2426ac7b3c077d75a3d438bf01a71", + "gdnAlternativeSignature0": "4b079ac338cf1fa4d757290e73fb9b247e37983f28925e314c9d61debdca8a29" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "12cdce98f0d5aa4daf69793f9157ef1dd1dfd49ee3ef333f6d57ae4bad06477b", + "gdnAlternativeSignature0": "9ddb0eff72c95cda99852373789fe69e358faf69c9dd5a9fb90d415e957f67f3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n 
],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a01b7d7f752ca024104d998b10919091141c26bbd9d73412d05e9b7df9363f16", + "gdnAlternativeSignature0": "7df932c190b3ca666346a7f0465861d381530f106e254076b900a704cda36707" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "92ce11dc062621efb46ffb9f89dfd1b9c12dded0b94b04f3b0595f9420c0511a", + "gdnAlternativeSignature0": "7305d34c7a68da6a3a1c357d001602242c92f53fa425b0b2b7cac8681b8720c0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 128, + "endLine": 141, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n 
\"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "66c95de9831d167d19805f23da1ed5e5e7187f6b898fd2c379923be413ebaed2", + "gdnAlternativeSignature0": "493078216959af69095559e71e4e85917a9850e8ea90fd13cae9e6e6378b602b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "dae96b9aa7c9155ac642e29b28b9fd890e6e1c9fa6412927d964aa22c026cce4", + "gdnAlternativeSignature0": "9b8c72895461d25ee31a8c5b1b5bdda37dc3c8b032c14663c43538cf838a7484" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n 
},\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0e15991fa47fbdff46caf4d88b4a2be08fb7309de35a5105df283f2cd3ef226f", + "gdnAlternativeSignature0": "b0664718fd5e7c63444d10f083239952773ba1744dbab54ba4179b90213c162b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f413c46ab964537bc7ae7dfcb7b2ffcef2f4859e417da785d2d693af373bbc72", + "gdnAlternativeSignature0": "90284155b27b35d9aa40959078e6e324d16c9ad43994fb20812c5b87ab3da8fe" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"7720ed6c8b5f7baf81abe1e027fc660ee7213935e400dae0edcfd3446026ac34", + "gdnAlternativeSignature0": "19a91cb4fc78c2570287be6094778b7b3129af76dc046331d5a63c1adc857126" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "31eeaa41cb930b4da2b791b254b14fe3f8abf8fb09a3f4592f23195d8b3d32ac", + "gdnAlternativeSignature0": "852e81a1be9daed64c584b0a57f48572b61750d22f9558ca1b3cc6dabca55ddf" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d41a5fe9e3ea723beaa68eaf7d4285ce450d5356436fcf3239c57109fab2e3f3", + "gdnAlternativeSignature0": 
"2a0982291cb4f11f796e6292520001696fa061f3549a3b4b6874c119b0dc8939" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0ae6105850f99ccaf95cf627c1995f3d7919bd31dc28f2945bcbf79f503fe118", + "gdnAlternativeSignature0": "72596372d73524682d0e517eb7a46d563f86d56830f27c9461e4d32ba4a781f2" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 142, + "endLine": 158, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7681cb3edcfb2659c2d32f2e7974f467446481d6b8f2b69ebae4df96958593db", + "gdnAlternativeSignature0": "a0af6fe2a04fe4a682850851dd4abb0ce07f4da5c8164df732c5042397d0f297" + }, + "attachments": [] + }, + { + 
"ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4df01be86e5e4147c31aff5bef0d87d3e3a0fea9898be19a88df8f6060c6e582", + "gdnAlternativeSignature0": "a3bda844d97fdd08c544d09a457ab85e6f4f33118537eec7ee0be628841a0253" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7622258391e9aeb5136bfc53200e4631c118a10864775710c6e20c3a1c237687", + "gdnAlternativeSignature0": "481a7ad24af6150821e083f9d4f23bb233fc2533beddacef31c29768569b84d6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n 
\"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ed1a58b3b54cc84e53c7bf600f8fab74e9c11af3031a3f091ec16ba9718b6009", + "gdnAlternativeSignature0": "15c3e8d74638416369e18b9d5385946a799c5d6e07556598bad7ffab2362586e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3182a4a340f4f50c65cd416eee5fbc9ded7a6ef32624b4c7474bc837466e224b", + "gdnAlternativeSignature0": "d8a84c842901bc6695e4d2872e84deb0a7baa06a702117331a93c6feadf5a546" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"2c00ee00a620c96918dc4b9545112008c52cc88c30ac68e0b8478f877a16c74f", + "gdnAlternativeSignature0": "0fe0595ae36ffe8d3f8292c1f39136832913fff70668f658520a5a08513d411e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6cdcbc4da68c2815a6d3f0bd78504303b0825e880d14097332cb170407c80128", + "gdnAlternativeSignature0": "1fe507dd25e0339cdc76945f0b74a799aa63dcc0b23cad0285faf8848457d916" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f3ac1d65124943989cd407b1862791529fab3c4e0eedc65511c90e43edf3404b", + "gdnAlternativeSignature0": "298513397a838c0f2a237b8c715b3e500bcd2a54a0f1f6163bd77768da9dbcca" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function 
app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 159, + "endLine": 168, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "bd6450c773eed311a8e88ceb126978f5c3988a64c332b8ec936cd28ea7aa295b", + "gdnAlternativeSignature0": "f234d72c8e49b23ce2aa32bda1a3f909baa6ad9b4fbbf65d4211d56cbf976848" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_13", + "ruleIndex": 36, + "message": { + "text": "Ensure App Service Authentication is set on Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4764b062aa2d198673df7c5f6d2c0e9c01286e83909a609e2372747b782c1ab7", + "gdnAlternativeSignature0": "528e2e7673c1c9c45f2e03b442261956045574d01f03c9004d1d2bef6c09bea0" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_65", + "ruleIndex": 37, + "level": "note", + "message": { + "text": "Ensure that App service enables detailed error messages" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + 
"snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7a5a598012ddeb8be2fd66b67a61ffcdc2b743ee4bdec4d88ff3ec3b35747b5", + "gdnAlternativeSignature0": "1cef927286d0a4b4ea6cf8c1b9c129beffa0889f29a77ce4d2b443c9d83d3669" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_80", + "ruleIndex": 38, + "level": "note", + "message": { + "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3f0e499426cfa4fe5bdb96a9894cb77d781ce58b0d391af6741cbbb23829d7c9", + "gdnAlternativeSignature0": "e237636bdd6a09fe032da4732bf99d542b96c319747ff963d56185e4298297e4" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_66", + "ruleIndex": 39, + "level": "note", + "message": { + "text": "Ensure that App service enables failed request tracing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + 
"endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ecda7f10c676f4fb72429cae500da0aa6d3a253664f489dd99c37140cc4adbdd", + "gdnAlternativeSignature0": "456c9b0bbba231ac9f76aeb80c65a8f2e4f2395fb0cbc94b7aa38df4ba418c4f" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_63", + "ruleIndex": 40, + "level": "note", + "message": { + "text": "Ensure that App service enables HTTP logging" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0debc8b4bed8e61fddb6166094e0f30c9823a2a4bc6e21990d839ce42bbe7faf", + "gdnAlternativeSignature0": "119c560594404bbb1f85c2a4a64be3ba7f355cd183dcc2efa31fd0bc552f5ad5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": 
" {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5c6cabb001d3b83d407085e00b359528524e83c168685191c6a9258098a9d366", + "gdnAlternativeSignature0": "3664e4a542b0f7100774ae71190236958f7e845d9a1d5079ba8b85ebf4ecfd1d" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_88", + "ruleIndex": 41, + "level": "note", + "message": { + "text": "Ensure that app services use Azure Files" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 169, + "endLine": 186, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6f0de3fde830219d08c3c4083fce6ccd9966859a6cd4143ec03fe04798472dee", + "gdnAlternativeSignature0": "6d432a9079e10e7a68453f21043b67398f44a7095b3b4337ad2a97b879c6adc4" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": 
\"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "dcd550d66ea4f3ffc89adf365fe7cd5bf8d63462acecd1cccb341a7335e9fbc6", + "gdnAlternativeSignature0": "5831a40aa6b645473d2ba22c02586e6993565e63f22aec548d3af0fa06b9fd22" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6b0c6b35c56eaa234e454e964d8305e90681f1bb57225e8b47b7d84d4bd9c52f", + "gdnAlternativeSignature0": "25b4881300990c178e3af646a347540425e737d05e462e73ac054f3c73691340" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": 
\"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9fb5162913194706fc251e38d156beebe0887f9bb6ee8c03671cd6755a952833", + "gdnAlternativeSignature0": "99d41b0689e4d871f9d62281e26dfbfd83c98541d8a02fcc05cae59e1c6e1e61" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e11b584dd233a10ac72c56c29b0abb0a46b40eec0fd60d073902939bb2fa1a7c", + "gdnAlternativeSignature0": "0094ff86f766a290f1f59fd99f98729982d98a5c48687076a1fef7cf652dc8c1" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n 
\"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4750d98ad7c586d98825c46bea9511b196f12dc4264fb696186efd16ab3d94a2", + "gdnAlternativeSignature0": "b8e824ce01520cea292f1a7f62c7bcb8a5f77c5151b5bc056b1412295ff3497a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6618f89bf0f657561f12e6f711f090337aa8f3864239d9b428ecc00ca4e734d8", + "gdnAlternativeSignature0": "020034ec5f28ee65e82f5e48c62ebc00c918318b37fb5530d365b705686fd720" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n 
\"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "257663068ac706eb48e30972d5ef65ae59a81b05935937b81969fbce76b54284", + "gdnAlternativeSignature0": "7162b78e9cff93e85080d9d077dbd2f6d9c5a765d0da6485890b044204b68786" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 187, + "endLine": 204, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2dae51e3df9996d76d22a1ae6f75f332e4bf5bad3f4272e79c26b2b7c999ac94", + "gdnAlternativeSignature0": "8259e76b9c016c2688d043c19e0143fe202feb2d893e108efc9e81c9d35ce4f5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_13", + "ruleIndex": 36, + "message": { + "text": "Ensure App Service Authentication is set on Azure App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n 
\"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0e8af6cde44520ef4bcab2e8711c2dda5a7fd48878091674e03dc681118a266f", + "gdnAlternativeSignature0": "146cabdfaf6092c02eb82036132680f7b6808bdd5432312d46330c9bd3585e72" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_65", + "ruleIndex": 37, + "level": "note", + "message": { + "text": "Ensure that App service enables detailed error messages" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ef81362c707d65d3863cae808daf52e6f7ef001be334504a099e1b9ff50e232b", + "gdnAlternativeSignature0": "6b075093c48fdb089dd2354278746e6a51fe721cabb128f140a431cf005127d3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_80", + "ruleIndex": 38, + "level": "note", + "message": { + "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n 
\"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0b92428b5f8d657f24f7b113a8e844c8b9f0eb0582cb7ceea6933aa04dafd8ff", + "gdnAlternativeSignature0": "817496a6ee1a0d6d64bb24701e78f9cba8b3fc06268f0bade0689ce46999e311" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_66", + "ruleIndex": 39, + "level": "note", + "message": { + "text": "Ensure that App service enables failed request tracing" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3e9ad501881045e5d7309b74094c547164a1dab831701c7dfea6dac72f78ad39", + "gdnAlternativeSignature0": "8d2d4e5f2e7fb6ffe5a3d690ad5075c7a4194060994f0f063c517791e6bd4150" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_63", + "ruleIndex": 40, + "level": "note", + "message": { + "text": "Ensure that App service enables HTTP logging" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": 
[\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4f45838aff932f565433ff3fd599bc9de4d7bd434bf4511cee319935dfb28950", + "gdnAlternativeSignature0": "d7afaaf97a739bde64c18fb27889fb4d931b2ba29561244209ab5f03659f4b71" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b7d1e0a2597990637571695421255bca16f0c42cb2ec39b943ec7ec98dbf64e8", + "gdnAlternativeSignature0": "1d2b4a62840a1bb054f7389ba3c9215d640240d28ecac6c4dd75531648052b7c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_88", + "ruleIndex": 41, + "level": "note", + "message": { + "text": "Ensure that app services use Azure Files" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 205, + "endLine": 222, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" + } + } + } + } + ], 
+ "fingerprints": { + "gdnPrimarySignature": "7ac28937c766ad8aca6f80f4c1b203c09f14c9b030a09850ddf94906052d3cff", + "gdnAlternativeSignature0": "86dfaece04781f7765ed78900613f50af845e94a4498b5bfe133a0567832350b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b0458996e102d04b1269a39e6ad2f6d6fa741a778b7821a91a590d13708de75c", + "gdnAlternativeSignature0": "ba1b6ae6482744c512163ee84d83124346fdff55efcc553c93a117827b277dae" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8e375b5a9dc4728fd4ba4a21882993369de923f2eac2ed78cf8491552d8facaa", + 
"gdnAlternativeSignature0": "853de3499062ba5a2cb953cc5283596ec4b8e90b4b1b51d5d7ed7fd9ef487dd5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a127ae6cec02825e2f917c367e3db26bf8017f68b1998857a4ebb175353f6a51", + "gdnAlternativeSignature0": "e1bb268111081a04f49ac60c72a63ed0738145f62892adb59d43e0cdb4181ffc" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d351baa7f806ab65257e43138c406148e9c81bb988521fe221f56f7e72e21818", + "gdnAlternativeSignature0": "5c32a35a8c57bffbbce0105bb252897bba594b8d564d6be228aa0d086db40eb6" + }, + 
"attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "34cf1285b6c9b01e2163c4235369bba2bd1740e57a71fa21d4945fee87438740", + "gdnAlternativeSignature0": "e681471f7211744f1008218a8212ef79deecebeb44aaf693cb5c6a2ff0c30fbc" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e25dee6e2c2afa0f90032dee4f66872f8022716e6e1870e697e282669a0e6bea", + "gdnAlternativeSignature0": "44100aca6dd76613f2e92578a73695780785c3777bbba30651b6e632ad118318" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": 
"Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "da1a3fa73f790c28a05f8d7c42c7961059009ddc9e050d309066a52dc28f2964", + "gdnAlternativeSignature0": "b97d0c99d154acece432cd4b25ed97cebdc3307aff68dff7034a8814c9407ae1" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 223, + "endLine": 239, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c469692cea7b7ca010669e9d28957de550b80aca420639dab41c3b50acb673fd", + "gdnAlternativeSignature0": "0280a30c60f721964ef8f0e1f057cc3823c08e2c877a2f35ecc0bf0cba67aa73" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + 
"physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4fd9a062f86a13872b9dad7a38cfe0d953f929b117ea32a74b12949f94482d1e", + "gdnAlternativeSignature0": "4313f93aeba30524fe4b597801c38b1eff909f6cbc2cb6ac96c9fc11b4acd52a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6ee562e5d732261eee58f4880f619fded377b21bb88bcc90f9b5abad30ed6398", + "gdnAlternativeSignature0": "e931b536ca4eb49838ef185e4d0af6477b51badbaa93242a6c4ff1b2e1298bf8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " 
{\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "143778d4f31ab73a5bb75054896253c16373f69b3e0441b850b0369d1bddf1c4", + "gdnAlternativeSignature0": "03129ed6590e6f4bf2f43e9281e29c697a95962f5878ba90589b6fe88fe04380" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8e4a04fbf2e32b4f92897087315fb87884e9f2888146d04906779b927323f6c4", + "gdnAlternativeSignature0": "f321e049084aef0145e1b33f9c49fbfd5cdeb2ab03c824e93f910fbd3adbbd44" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": 
\"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3c4d99dfa4a6499c4718cdbe5c7c7b5fb1667ca31c16bddbc1f0d50f201b0eec", + "gdnAlternativeSignature0": "fe55bb9000959302368aa07dd560c68c98caed221602cf2a2f997e85d4bdd6f6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "eb4bed8fbe96c4a4bda2d5714d30a37fe5af249e7983c2e529ed2555b2302577", + "gdnAlternativeSignature0": "e5ada8bedea49618df2290b727da8e0b3564bbc4cad4ad22aee82b8a6afd2581" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n 
\"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c7c28aa1f6eb6c981b8dab94041a68bab23a9b72de245b2058c9280c612cac81", + "gdnAlternativeSignature0": "53b134cf1cec93348d12102916d6e3bd4072019df2f026de26b3ef6db3543505" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 240, + "endLine": 255, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "23dc3709b4a9455bce85771532889a8fb832f85ad458d4f285fe9fb2eb7807ae", + "gdnAlternativeSignature0": "7fa5336cda8b5f2d8c41c95ffc7b95cd3ace43f023bd72dfbf479b585045984b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + 
} + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4e8cc7e2a4b582670ab605572ebf449e0b91a874db1ab9ef2e8e1202651fb74b", + "gdnAlternativeSignature0": "7fca34e471d5ec9837849486a2e299f93b5ee49824bfbaf0059ddade380c33c5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "32f70b90c9398c6ab47faf4896ca724cc667414fbdd61f9d37ab64180039afa9", + "gdnAlternativeSignature0": "74ac563e5ceaa5a0e09e489b9fa579c8be0ec02947aed0617c6faddf0243f60c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"f565d488d0ee136a77ca481e53820893ff8ba50cacc9abe76f757c1a84865639", + "gdnAlternativeSignature0": "3fe95bf85179982d04d6323aeb899d481688025a708d5e171859bd82cc1cdd76" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "88848a38797205708edddcc47234828b56efc3e522b2f791a287bd2e1362ca36", + "gdnAlternativeSignature0": "0c58696e023f4bb523561bf26c5c02916c2411086a669f73ace694130370fd8b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "df545930bb8458e5f4d491540b41367072287dd41d4cc413670e820d053b3c59", 
+ "gdnAlternativeSignature0": "b156e3e128bdada88119590b89491ba5637d828eb52a1fd7cb66709f886f4015" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a4a0f2a5361ad3d1b9eae1eee98796fd4b9cb48e588e5ff7e991e03b1fd406f6", + "gdnAlternativeSignature0": "273d89c35b3928f35b2b753a0285d00ac263f3183a4a1488c2f7a79177415611" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9719571b68e5b3a885fa6fd8f779399b128f621f8c56f6fab08675f5bab6bad4", + "gdnAlternativeSignature0": "e0db6d935221b8f1a1c87a50acb333285eeab2b10c099cfc8c0e1842c3a55397" + }, 
+ "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 256, + "endLine": 273, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c99607a3189b9bc5ab42ae5c2d7df75995a965340270a602883d37aeed0923d9", + "gdnAlternativeSignature0": "95c9c99f71bb81429ee8ccb9608f889801fd91e170be93bd519d0c4aa56ab001" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ab35f47a9966e5318d1be863b2ec0f17d58d977c71e868ebff0db5b49b68af09", + "gdnAlternativeSignature0": "9c833adad252c499f44a089a84712b55a0a006a47a9aba6c530d01a1bc94f558" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + 
"artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "602fdea611aaa3d22235f4e83203311f5ffe8e9e22833d6184d440e68f024bf5", + "gdnAlternativeSignature0": "5c17ba6738b8da7c912c45aebf73499fbce4dc65cf6407b66f5a4c274679619c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "20d3cf16494d80ca62033400936f0feb57be0a8ab23b9cc9b162b2247897388e", + "gdnAlternativeSignature0": "cd1e03ef8f9614165ea4d7a0973270f4bbab817cb3cc52ad0cf36cb647c3b6d9" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n 
\"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "78cc949070f476ebc74b2dda7f5c41ae43b805ea3b7daf49d3078c058f79e5a1", + "gdnAlternativeSignature0": "a55b806fb31cb3bf0e6b5c3d01f6ffd490c3b886bb80a722866cc000586f0f8a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "15dc91ac7c730ca245aabad00f156494d8a29ee9b357748967d76f05344eda7f", + "gdnAlternativeSignature0": "5847938307c50605c0610b36925ab50eefcc6634ed7e565f480bda53984af466" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ea83d615bfff6cce7ff0679906857f978db31bcc20aaf8362758e87312e2d941", + "gdnAlternativeSignature0": "c039abcf9cf88918b4dd9167119722b1a5108ce5e38d75043c0b750fd2981ec3" + }, + "attachments": [] + }, + { + 
"ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b051219a1626ff89706e92b04e25fb0932c1d985ea27f8aecbf7f743c04dc659", + "gdnAlternativeSignature0": "cabf626aade2ee1d730330c88d2aa7d8895dd4c93938eeb77c63f03a052c7679" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 274, + "endLine": 283, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "6b115656ed41348ad449cf25c954970b70b571ade5d19e1105620b4e7717e2fe", + "gdnAlternativeSignature0": "aa6295e81aa6a4ae09a54ac0c497bf6291b50dd88a72b6e830bd210a1a68aceb" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": 
{ + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "14fcb885307e08a2c5ada1206158c9a84bbe32823e0d5c615704e0bafa8aee79", + "gdnAlternativeSignature0": "fb7374d63bc8d8ab31652d206739a312b4868d345ca64543f8d31991d5b46cfa" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5ed1b342d8a0f06c5b0bb3d15388f5670cf2b409bf65da4b74e438912627892a", + "gdnAlternativeSignature0": "9f5a5eef4cfdb3f4462b7862dcba4b5bef7ef10e97449da469e0495432b1aa9c" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": 
\"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "f769bd7202fd3a2674861afca95fa1cfc0664bd0b76619913a2f39f87fd2fe8a", + "gdnAlternativeSignature0": "5992da2c97b93015cd5ff7d85e7dca064eea8c61012c16fd094729db911f95a8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5bcdda995b38f39e6e644a8b926bad1dda898d677c7095948d0787f601427d9b", + "gdnAlternativeSignature0": "13ea3d62cdfd23a6f501449536936b1c6db8485e0dff7c99196f039ded5323e3" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": 
\"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "01e261f9a2c80b85eac147e32d3398613aacdcc9aba1ad95bed4948b25697177", + "gdnAlternativeSignature0": "06726daca90067656a51c927384b29c2fa63923f996cd8820a67beaac37a348a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "72e5f5c502813f23c86f6954f698b653e4357d2982e8bb56333ee89c838fcfad", + "gdnAlternativeSignature0": "faae5ac2227e01f41f73eda05f5b00d5de49e9d7c812dc34cbea14b50d6e9f77" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": 
\"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "64bf46cc4a2b1a39786b447ec202c2052f0686c787af51cc562ff3cb2baeadac", + "gdnAlternativeSignature0": "370f91c60e0d1be39570b5bc47e69e0826dd5835293145c9f61e8fcecac252b6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 284, + "endLine": 300, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4040613d3dfb88a05ae97881bd42b488d51f9ab73eb119fc0554a783ca548f34", + "gdnAlternativeSignature0": "aa1ce087240db3e7202e98fb6d5d42a12644148791a444e2923686fe70b74fc5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n 
\"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "7aa4dc87ad0a059efeb183e063efb6d08c9643371ef92a08431c2d59dbe6d7d8", + "gdnAlternativeSignature0": "efa930281f9711759aae2cbd30e4f5f6dfa8935213ef9d897b14266716dc3a50" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e921d31bfff9b531e071fb26ffdf65b6ad8bbe22352067af06b35cb28e82fb8c", + "gdnAlternativeSignature0": "17ce881dab034d29e0a5df168f9e1c52bdd2c5c975e4fdda06fa613e032d79bf" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n 
\"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a1c9a388790b96bca8c54d7e1af1d480c30c7478de1cdf397833aefa8611697a", + "gdnAlternativeSignature0": "6550ec87cae9d511c54e0c344a4cdd2c0de2f8cd89c915cdadf98545ba96361f" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5f201d5437de55fd80955e36fa892fc93cfb30c65f554f53a86a4df19d91f7a6", + "gdnAlternativeSignature0": "24eb4b238d28c37f127ee733bc68e96c101b7c274ec58a964bb4ef8f105a07ad" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n 
},\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "eb2f9b348b74a7a30a2ccf85154a95c66cbbd999d7f0db1a5515dc50033cd858", + "gdnAlternativeSignature0": "ee26900668b5c483ff485bc262a9dda64ddedd4b96a4e5f956797fc4e31c4d1e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "752975926aaa31a34fc4bb75edb0955f8b1b2b7cdd24081443961bd594ef684e", + "gdnAlternativeSignature0": "55cf1c6618e5e7a3be0f2feae175940eb5ec736d17afe66f0895df6997ab216e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"26f0a1a83d914e1d5687c693993f2e09d71b52f756d23a5682778f4a2085ff5e", + "gdnAlternativeSignature0": "5a8642e916010fccd880c8c0e73e83f149b9d44c76710d50d541dbd4d3c7d72a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 301, + "endLine": 318, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "5add9273a9903c496a94184e7c5ae16aa8c53067ea2f4eecb7f6cc9876a3145b", + "gdnAlternativeSignature0": "a1cb801109625b1081f5c08bf8d85057df4fa338901c035a3c779845e8d973ca" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_17", + "ruleIndex": 25, + "message": { + "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "3f3a80ee3024489c35085570b02f970bafaaf551396274635a00a4b79ac0eae2", + "gdnAlternativeSignature0": "917035e9a96adddabea41ba383c24edf46e1ec39e5e02fc8be4ddbeb01bc5b4e" + 
}, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_78", + "ruleIndex": 26, + "message": { + "text": "Ensure FTP deployments are disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8493bbcbf96e7e1068c6296f576527e894ef7245800bcd2116bc07e72079b43d", + "gdnAlternativeSignature0": "755512e4b82449a08f44e7eaebdb946e29314098160f8e1f39b9870f19dc43f7" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_18", + "ruleIndex": 27, + "message": { + "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d15577475858e078e31e0a5a4560d3e46f04f5c0af458457d9c46525545d0add", + "gdnAlternativeSignature0": "34f10bce44f8b65d8306df6efd6b8a73666704ebe97281cf5bb20c27415a99c5" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_16", + "ruleIndex": 29, + "message": { + "text": "Ensure that Register with Azure Active Directory is enabled on App Service" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + 
"endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "21939dfe4c3d1e60adaaab7f75ef7a0b94b4377b2a2950f7670c9afd424de80f", + "gdnAlternativeSignature0": "0054487d755a01b77de504fc5157faecd817a0ecae44d1e4aa91fd1a46e0be8b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_71", + "ruleIndex": 30, + "level": "note", + "message": { + "text": "Ensure that Managed identity provider is enabled for web apps" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "47829e0ae136b8b26a4176f73de53c99044bba251a284cf106812e2600802361", + "gdnAlternativeSignature0": "0a441e95438cb23ebbfb5ba5d34958a96417b8b4a440e329223843a090eab255" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_15", + "ruleIndex": 31, + "message": { + "text": "Ensure web app is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + 
} + ], + "fingerprints": { + "gdnPrimarySignature": "0563668dc60ab562ba7553e4059ccb2600d2aee6505b99813a4d2edad7d7cab8", + "gdnAlternativeSignature0": "71db655b881a2f569a03dc4a80cf4f01371a09611c4f9780e1ac3eba24b4e2f8" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_222", + "ruleIndex": 32, + "message": { + "text": "Ensure that Azure Web App public network access is disabled" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "4f0638c743b2d1843ef77d55d462748d273aee152bbb618ceaa5a51f793330fc", + "gdnAlternativeSignature0": "e4025758f0b783be95138fa9820d245cb4c1db229e4353bd0a20f699ee9e616a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_67", + "ruleIndex": 34, + "message": { + "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/insecure_arm.json" + }, + "region": { + "startLine": 319, + "endLine": 328, + "snippet": { + "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "ca846feb1e4469b819a99002b3cec670caeab114d5f1c85c81ed5830745e8c77", + "gdnAlternativeSignature0": "962bde0a801111d2d1cefcb5d5bb60e8c031e3c31f4e4527dc4ab9fb05b23991" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_25", + "ruleIndex": 10, + "level": 
"note", + "message": { + "text": "Minimize the admission of containers with added capability" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a73a10ebaed1bcca5045392cd0e24ff11412eeae435f8a66bd90d64a40f09958", + "gdnAlternativeSignature0": "681910e9bced9366623d2dd9e93781a0f1a15f148fa6523a13e9a0058492d662" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_20", + "ruleIndex": 11, + "message": { + "text": "Containers should not run with allowPrivilegeEscalation" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n 
lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "692c38842f145cb9c1ee25b48643b65a41b423830a016a149dc12712814602af", + "gdnAlternativeSignature0": "970e4c551a08367b382ed411f7ccca59e201e8e34e32717929767a568630af1e" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_21", + "ruleIndex": 12, + "level": "note", + "message": { + "text": "The default namespace should not be used" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 
1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "0378eb8b121cbc93bfe8a78bc75aeb8987f5e31d530ec0adf577e7cf03ee717d", + "gdnAlternativeSignature0": "fffebb6a7b3891cdd01cc402002cc3f81150a080fef1ea60dfe1e2f6f69eb601" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_28", + "ruleIndex": 13, + "level": "note", + "message": { + "text": "Minimize the admission of containers with the NET_RAW capability" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n 
capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "70f66e4afeb0264ac95ebee5085b90a23e7a9a54107832fb271bd1f1aa298522", + "gdnAlternativeSignature0": "0f11dc2ccb44a7216c78769edb10df097f8a1fc681f56dfdfa93d7c2b802f9b7" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_43", + "ruleIndex": 14, + "level": "note", + "message": { + "text": "Image should use digest" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use 
apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d54de20ef46f5565573d6411cce2a3baaf5b309cdc9e73bd2e0948dd98363d46", + "gdnAlternativeSignature0": "4e3e18739d7eee6105acea4f65c463484b66649a68e864755fc68c7030743359" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_8", + "ruleIndex": 15, + "level": "note", + "message": { + "text": "Liveness Probe Should be Configured" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n 
lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2e737794eca54186f3ad53c5fe3a9a7e34d4e9617064e5f844c785e4082877e3", + "gdnAlternativeSignature0": "1efa25c9281d5272c63c1bd7aa7a55673eeb2696c3df5d258c0291cb3d22eff6" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_37", + "ruleIndex": 16, + "level": "note", + "message": { + "text": "Minimize the admission of containers with capabilities assigned" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use 
apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "09e2a7056dc2cd2bb024c4a44a0111d6f1e72d32b6b4a76c8f02e14817384044", + "gdnAlternativeSignature0": "d3bc404f8a377bc479f16b07ba7be8098c6d7a10735ee0bc15be7f48c5f089f4" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_29", + "ruleIndex": 17, + "level": "note", + "message": { + "text": "Apply security context to your pods and containers" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n 
add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2fb25b212960e5a8760b6523d4a4c2b47c5a0482186059c1d23c41446faf72b7", + "gdnAlternativeSignature0": "85a6f0ad55f847141b45ccf6ef907b5a180d07d0d29cac32bcc1829e8eb8b2ea" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_22", + "ruleIndex": 18, + "level": "note", + "message": { + "text": "Use read-only filesystem for containers where possible" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 
1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "da115818e9e2ffadf20a6b9d1cb1c02e963eb192dae03af8c39e6fce8bcc097e", + "gdnAlternativeSignature0": "d8c06cf85b8fbddd0ad8ba2f86285da2ad52245291c6cab6fd69f3fce31127d7" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_23", + "ruleIndex": 19, + "message": { + "text": "Minimize the admission of root containers" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n 
preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "c1be36e7556627562c7357f53bacdfea88d2fd6839ffad11f41bff594ddd0f83", + "gdnAlternativeSignature0": "e149f6402cc34c6663973655fb12e532f6c670a7e0374081fae82fd6575dab65" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_40", + "ruleIndex": 20, + "level": "note", + "message": { + "text": "Containers should run as a high UID to avoid host conflict" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and 
before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "25c05ca1359bd4c2edaee66ac2d7fdc6c213eebfa5d139a0555ed06ea2c573c7", + "gdnAlternativeSignature0": "a73c63b0f812757918d4198fe20e0100bcf3d60c9a9a37f67cd321a74a14f72b" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_31", + "ruleIndex": 21, + "level": "note", + "message": { + "text": "Ensure that the seccomp profile is set to docker/default or runtime/default" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n 
securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "70378cd13d8568d09ced49362abbf35160b842273ca5ec57bf69c71c378a6321", + "gdnAlternativeSignature0": "3bfe46e3cda430aa1ce3f452e781cdc43697d087821cc36fd104604f940ae43a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_K8S_38", + "ruleIndex": 22, + "level": "note", + "message": { + "text": "Ensure that Service Account Tokens are only mounted where necessary" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": 
"apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. 
They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "97d3e19a31f43aac84ccd148a5c258209c1727f5900e0b2b1435e8ab08b647b3", + "gdnAlternativeSignature0": "218768ca543d9e02181e0769e8f9a3c7e5e2318fb0742bed2736ea116b7b8f4e" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_K8S_6", + "ruleIndex": 23, + "message": { + "text": "Minimize the admission of pods which lack an associated NetworkPolicy" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/K8s-cassandra-statefulset.yaml" + }, + "region": { + "startLine": 1, + "endLine": 96, + "snippet": { + "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n 
add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "2c09fe5d58637920ffb2f45d2e9e47b6d24f94f9a5a6318e86d5b119d90dc136", + "gdnAlternativeSignature0": "52664a33e0000747d7d55032ea8ff784c99f191108fd7b0a4405b4b4b1787c90" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_59", + "ruleIndex": 0, + "level": "note", + "message": { + "text": "Ensure that Storage accounts disallow public access" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n 
name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "d7f32900926833945cac2ead4c1ed6c351aabf9fee418b413e3bfe46c8fc54f3", + "gdnAlternativeSignature0": "a3fc19e10564a2494f31f34241b921013aeb4aef2a9ef7ef9731f2fe7fd95ce9" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_33", + "ruleIndex": 1, + "message": { + "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "641b61a3a4b3c0d759acd57a321d6db4044b47347cd764c152f071e8341faea0", + "gdnAlternativeSignature0": "83a8dfca2a610d8e67e683b30391980c336f3c1722ce80fb2afacb2a01b0a799" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_44", + "ruleIndex": 2, + "message": { + "text": "Ensure Storage Account is using the latest version of TLS encryption" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = 
\"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "9805631179c91f5535eda5e1f2a9d29d2295ca1bec013d3174a1285a9be83d60", + "gdnAlternativeSignature0": "05b8f7f1708c13235397e5a11b0fd243e02f41d8c5085efc269c1d4e73d2b39a" + }, + "attachments": [] + }, + { + "ruleId": "CKV_AZURE_190", + "ruleIndex": 3, + "level": "error", + "message": { + "text": "Ensure that Storage blobs restrict public access" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "a34ff2ab3988f90969a68250eef2b1c1e687c5b58396f198c2615a955b8db206", + "gdnAlternativeSignature0": "9c23a512d4110d27fefdb36bb130958e046b17463df5a7ef245d584c9f943363" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_40", + "ruleIndex": 4, + "message": { + "text": "Ensure storage account is not configured with Shared Key authorization" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = 
\"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "e9deaf9a38127ba6222b800492a1b840017f9907c25f9fba842d8c85ae861f33", + "gdnAlternativeSignature0": "bf8101fb23c886bf671ac5c24d8b62f3028e2d9b5e8fc2e106d6789aa8070b76" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_47", + "ruleIndex": 5, + "message": { + "text": "Ensure storage account is configured without blob anonymous access" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "1d3bb7599e6f934ddc2badeee51d506051093f4e718c3199d4efd83c6e74ec12", + "gdnAlternativeSignature0": "edfaa2046c397a63e4856e499fc9a7166c96e5bb51978d37f2426cefa1af8457" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_33", + "ruleIndex": 6, + "message": { + "text": "Ensure storage account is configured with private endpoint" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": 
"43638c4e55b51ed9f346ab462c059ca30a19b570565c7de7ea7b5daee1d6d9ef", + "gdnAlternativeSignature0": "4b4ba219a803a0d61f213eab7cfdf2792eda5bd536ccf4992d1b5d9342e26ac3" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_41", + "ruleIndex": 7, + "message": { + "text": "Ensure storage account is configured with SAS expiration policy" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "761254b9af4e347b1a2a05bc08bd77da3c0a640e44671e27f0fa7cbbc88d2b93", + "gdnAlternativeSignature0": "3358ef85a8762cda2cea0b4f31eebe014dc97571753cefc4394067b9f23cf0f2" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_38", + "ruleIndex": 8, + "message": { + "text": "Ensure soft-delete is enabled on Azure storage account" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "8fdd2b7bd19cdd5ce21a89b95330d3a80ecd9efbe30f89c35f0b146a42a65d0f", + "gdnAlternativeSignature0": 
"e05ba2b227cc43fd36ea7fe66359bf553cdf88de6ff3aa184fc24ed97fa3c3c4" + }, + "attachments": [] + }, + { + "ruleId": "CKV2_AZURE_1", + "ruleIndex": 9, + "level": "error", + "message": { + "text": "Ensure storage for critical data are encrypted with Customer Managed Key" + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "samples/IaCMapping/main.tf" + }, + "region": { + "startLine": 19, + "endLine": 29, + "snippet": { + "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" + } + } + } + } + ], + "fingerprints": { + "gdnPrimarySignature": "b6600702be50525edb979f621ecf387776351f02b51dc4d37b822d660e575787", + "gdnAlternativeSignature0": "d1feda229fb89c3ecbaaaf3edec8f23599c5bccd3a725020863ea9b593ae4375" + }, + "attachments": [] + } + ], + "columnKind": "utf16CodeUnits", + "policies": [ + { + "name": "Microsoft", + "version": "2.0.3" + } + ], + "properties": { + "toolInfoId": "checkov>>6>>202411062057" + } + } + ], + "properties": { + "producer": "MicrosoftSecurityDevOps", + "pipelineRunUrl": "Unknown", + "sourcePipelineId": "Unknown" + } +} \ No newline at end of file diff --git a/src/msdo-helpers.ts b/src/msdo-helpers.ts index 45fb2b5..72b13f1 100644 --- a/src/msdo-helpers.ts +++ b/src/msdo-helpers.ts @@ -11,7 +11,8 @@ export enum Inputs { Categories = 'categories', Languages = 'languages', Tools = 'tools', - IncludeTools = 'includeTools' + IncludeTools = 'includeTools', + ExistingFilename = 'existingFilename' } /** diff --git a/src/msdo.ts b/src/msdo.ts index bdbd0e4..c95399c 100644 --- a/src/msdo.ts +++ b/src/msdo.ts 
@@ -25,66 +25,77 @@ export class MicrosoftSecurityDevOps implements IMicrosoftSecurityDevOps { public async runMain() { core.debug('MicrosoftSecurityDevOps.runMain - Running MSDO...'); - let args: string[] = ['run']; + let args: string[] = undefined; - let config: string = core.getInput('config'); - if (!common.isNullOrWhiteSpace(config)) { - args.push('-c'); - args.push(config); + // Check job type - might be existing file + let existingFilename = core.getInput('existingFilename'); + if (!common.isNullOrWhiteSpace(existingFilename)) { + args = ['upload', '--file', existingFilename]; } - let policy: string = core.getInput('policy'); - if (common.isNullOrWhiteSpace(policy)) { - policy = "GitHub"; - } + // Nope, run the tool as intended + else { + args = ['run']; + + let config: string = core.getInput('config'); + if (!common.isNullOrWhiteSpace(config)) { + args.push('-c'); + args.push(config); + } + + let policy: string = core.getInput('policy'); + if (common.isNullOrWhiteSpace(policy)) { + policy = "GitHub"; + } + + args.push('-p'); + args.push(policy); - args.push('-p'); - args.push(policy); - - let categoriesString: string = core.getInput('categories'); - if (!common.isNullOrWhiteSpace(categoriesString)) { - args.push('--categories'); - let categories = categoriesString.split(','); - for (let i = 0; i < categories.length; i++) { - let category = categories[i]; - if (!common.isNullOrWhiteSpace(category)) { - args.push(category.trim()); + let categoriesString: string = core.getInput('categories'); + if (!common.isNullOrWhiteSpace(categoriesString)) { + args.push('--categories'); + let categories = categoriesString.split(','); + for (let i = 0; i < categories.length; i++) { + let category = categories[i]; + if (!common.isNullOrWhiteSpace(category)) { + args.push(category.trim()); + } } } - } - let languagesString: string = core.getInput('languages'); - if (!common.isNullOrWhiteSpace(languagesString)) { - args.push('--languages'); - let languages = 
languagesString.split(','); - for (let i = 0; i < languages.length; i++) { - let language = languages[i]; - if (!common.isNullOrWhiteSpace(language)) { - args.push(language.trim()); + let languagesString: string = core.getInput('languages'); + if (!common.isNullOrWhiteSpace(languagesString)) { + args.push('--languages'); + let languages = languagesString.split(','); + for (let i = 0; i < languages.length; i++) { + let language = languages[i]; + if (!common.isNullOrWhiteSpace(language)) { + args.push(language.trim()); + } } } - } - let toolsString: string = core.getInput('tools'); - let includedTools = []; - if (!common.isNullOrWhiteSpace(toolsString)) { - let tools = toolsString.split(','); - for (let i = 0; i < tools.length; i++) { - let tool = tools[i]; - let toolTrimmed = tool.trim(); - if (!common.isNullOrWhiteSpace(tool) - && tool != Tools.ContainerMapping // This tool is not handled by this executor - && includedTools.indexOf(toolTrimmed) == -1) { - if (includedTools.length == 0) { - args.push('--tool'); + let toolsString: string = core.getInput('tools'); + let includedTools = []; + if (!common.isNullOrWhiteSpace(toolsString)) { + let tools = toolsString.split(','); + for (let i = 0; i < tools.length; i++) { + let tool = tools[i]; + let toolTrimmed = tool.trim(); + if (!common.isNullOrWhiteSpace(tool) + && tool != Tools.ContainerMapping // This tool is not handled by this executor + && includedTools.indexOf(toolTrimmed) == -1) { + if (includedTools.length == 0) { + args.push('--tool'); + } + args.push(toolTrimmed); + includedTools.push(toolTrimmed); } - args.push(toolTrimmed); - includedTools.push(toolTrimmed); } } - } - args.push('--github'); + args.push('--github'); + } await client.run(args, 'microsoft/security-devops-action'); }
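Review bot: `let args: string[] = undefined;` at the top of runMain does not compile under `strictNullChecks`, and the initializer is dead because both branches of the new if/else assign `args`; declare it as `let args: string[];` and let definite-assignment analysis cover the two branches. In the `existingFilename` branch the input goes straight into `['upload', '--file', existingFilename]` while every other input (config, policy, categories, languages, tools) is silently ignored, so a workflow that sets both gets no signal; a `core.warning('existingFilename is set; scan inputs are ignored and the file is uploaded as-is')` before building `args` would make that explicit. If `fs` is available in this module, an existence check on `existingFilename` before the upload call would fail fast with a clearer message than whatever the CLI reports for a missing file. The literal in `core.getInput('existingFilename')` duplicates the `Inputs.ExistingFilename` member added to msdo-helpers.ts in this same patch; reading it through the enum (if `Inputs` is imported alongside `Tools`) keeps the two from drifting. Whether the upload branch also needs the `--github` flag that the run branch appends I cannot tell from here, so it is worth confirming against the CLI.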