| Repository | microsoft / cobalt |
|---|---|
| Description | Infrastructure turn-key solution for app service workloads |
| Stars | 115 |
| Failed Checks | Security Scanning |
| Scan Date | 2023-10-30 17:57:40 |
Security Scanning
This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform security scanning tools (example checkov output found below)
- Implement one of the security scanning tools within the CI/CD framework used by the repository
Checkov Output
2023-10-05 15:03:37,952 [MainThread ] [WARNI] Failed to download module github.com/microsoft/bedrock?ref=0.12.0/cluster/azure/vnet:None (for external modules, the --download-external-modules flag is required)
2023-10-05 15:03:37,953 [MainThread ] [WARNI] Failed to download module github.com/Microsoft/bedrock/cluster/azure/backend-state:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 31, Failed checks: 67, Skipped checks: 0, Parsing errors: 2
Check: CKV_AZURE_174: "Ensure API management public access is disabled"
FAILED for resource: azurerm_api_management.apim_service
File: /infra/modules/providers/azure/api-mgmt/main.tf:79-94
79 | resource "azurerm_api_management" "apim_service" {
80 | name = var.apim_service_name
81 | location = data.azurerm_resource_group.rg.location
82 | resource_group_name = data.azurerm_resource_group.rg.name
83 | publisher_name = var.publisher_name
84 | publisher_email = var.publisher_email
85 | sku_name = "${var.sku_tier}_${var.sku_capacity}"
86 | tags = var.tags
87 | policy {
88 | xml_content = local.service_policy_is_url == false ? var.policy.content : null
89 | xml_link = local.service_policy_is_url == true ? var.policy.content : null
90 | }
91 | identity {
92 | type = "SystemAssigned"
93 | }
94 | }
Check: CKV_AZURE_107: "Ensure that API management services use virtual networks"
FAILED for resource: azurerm_api_management.apim_service
File: /infra/modules/providers/azure/api-mgmt/main.tf:79-94
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-api-management-services-uses-virtual-networks.html
79 | resource "azurerm_api_management" "apim_service" {
80 | name = var.apim_service_name
81 | location = data.azurerm_resource_group.rg.location
82 | resource_group_name = data.azurerm_resource_group.rg.name
83 | publisher_name = var.publisher_name
84 | publisher_email = var.publisher_email
85 | sku_name = "${var.sku_tier}_${var.sku_capacity}"
86 | tags = var.tags
87 | policy {
88 | xml_content = local.service_policy_is_url == false ? var.policy.content : null
89 | xml_link = local.service_policy_is_url == true ? var.policy.content : null
90 | }
91 | identity {
92 | type = "SystemAssigned"
93 | }
94 | }
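A hardened version of the `apim_service` resource above, written as an added example and not taken from the cobalt repository. It assumes azurerm provider 3.x attribute names and a `var.apim_subnet_id` that the original module does not declare. CKV_AZURE_107 looks only at `virtual_network_type`; CKV_AZURE_174 looks only at `public_network_access_enabled`, and that switch is the private-endpoint access path, which (my reading of the current platform documentation, stated here as an assumption) Azure does not combine with VNet injection. The example therefore satisfies the first check and records an inline, justified skip for the second instead of leaving it unexplained.

```hcl
variable "apim_subnet_id" {
  description = "Subnet reserved for API Management (assumed; not declared by the original module)"
  type        = string
}

resource "azurerm_api_management" "apim_service" {
  # CKV_AZURE_174 inspects public_network_access_enabled. That attribute is the
  # private-endpoint access path, which is not combined with VNet injection
  # (assumption, see lead-in), so the finding is suppressed with a reason rather
  # than ignored. Checkov reads this comment anywhere inside the resource block.
  #checkov:skip=CKV_AZURE_174:Internal VNet mode; the gateway has no public endpoint
  name                = var.apim_service_name
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  publisher_name      = var.publisher_name
  publisher_email     = var.publisher_email

  # VNet integration is only available in the Developer and Premium tiers.
  sku_name = "${var.sku_tier}_${var.sku_capacity}"

  # CKV_AZURE_107: run the gateway inside a VNet. "Internal" gives it a private
  # IP only; "External" would also satisfy the check but keeps a public IP.
  virtual_network_type = "Internal"
  virtual_network_configuration {
    subnet_id = var.apim_subnet_id
  }

  policy {
    xml_content = local.service_policy_is_url == false ? var.policy.content : null
    xml_link    = local.service_policy_is_url == true ? var.policy.content : null
  }

  identity {
    type = "SystemAssigned"
  }

  tags = var.tags
}
```

If the service is instead left outside a VNet and fronted by a private endpoint, drop the `virtual_network_*` settings, set `public_network_access_enabled = false`, and skip CKV_AZURE_107 with a reason instead. When re-running the scan, pass `--download-external-modules true` to checkov so the two bedrock modules named in the warnings at the top of the output are fetched and scanned rather than skipped.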
Check: CKV_AZURE_218: "Ensure Application Gateway defines secure protocols for in transit communication"
FAILED for resource: module.app_gateway.azurerm_application_gateway.appgateway
File: /infra/modules/providers/azure/app-gateway/main.tf:13-100
Calling File: /infra/templates/az-service-single-region/admin.tf:39-49
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: module.container_registry.azurerm_container_registry.container_registry
File: /infra/modules/providers/azure/container-registry/main.tf:8-43
Calling File: /infra/templates/az-service-single-region/admin.tf:51-57
8 | resource "azurerm_container_registry" "container_registry" {
9 | name = var.container_registry_name
10 | resource_group_name = data.azurerm_resource_group.container_registry.name
11 | location = data.azurerm_resource_group.container_registry.location
12 | sku = var.container_registry_sku
13 | admin_enabled = var.container_registry_admin_enabled
14 | tags = var.container_registry_tags
15 |
16 | # This dynamic block configures a default DENY action to all incoming traffic
17 | # in the case that one of the following hold true:
18 | # 1: IP whitelist has been configured
19 | # 2: Subnet whitelist has been configured
20 | dynamic "network_rule_set" {
21 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [var.resource_ip_whitelist]
22 | content {
23 | default_action = "Deny"
24 | # This dynamic block configures "Allow" action to all of the whitelisted IPs. It is only
25 | # stamped out in the case that there are IPs configured for whitelist
26 | dynamic "ip_rule" {
27 | for_each = var.resource_ip_whitelist
28 | content {
29 | action = "Allow"
30 | ip_range = ip_rule.value
31 | }
32 | }
33 | dynamic "virtual_network" {
34 | for_each = var.subnet_id_whitelist
35 | content {
36 | action = "Allow"
37 | subnet_id = virtual_network.value
38 | }
39 | }
40 | }
41 | }
42 |
43 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: module.container_registry.azurerm_container_registry.container_registry
File: /infra/modules/providers/azure/container-registry/main.tf:8-43
Calling File: /infra/templates/az-service-single-region/admin.tf:51-57
8 | resource "azurerm_container_registry" "container_registry" {
9 | name = var.container_registry_name
10 | resource_group_name = data.azurerm_resource_group.container_registry.name
11 | location = data.azurerm_resource_group.container_registry.location
12 | sku = var.container_registry_sku
13 | admin_enabled = var.container_registry_admin_enabled
14 | tags = var.container_registry_tags
15 |
16 | # This dynamic block configures a default DENY action to all incoming traffic
17 | # in the case that one of the following hold true:
18 | # 1: IP whitelist has been configured
19 | # 2: Subnet whitelist has been configured
20 | dynamic "network_rule_set" {
21 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [var.resource_ip_whitelist]
22 | content {
23 | default_action = "Deny"
24 | # This dynamic block configures "Allow" action to all of the whitelisted IPs. It is only
25 | # stamped out in the case that there are IPs configured for whitelist
26 | dynamic "ip_rule" {
27 | for_each = var.resource_ip_whitelist
28 | content {
29 | action = "Allow"
30 | ip_range = ip_rule.value
31 | }
32 | }
33 | dynamic "virtual_network" {
34 | for_each = var.subnet_id_whitelist
35 | content {
36 | action = "Allow"
37 | subnet_id = virtual_network.value
38 | }
39 | }
40 | }
41 | }
42 |
43 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: module.container_registry.azurerm_container_registry.container_registry
File: /infra/modules/providers/azure/container-registry/main.tf:8-43
Calling File: /infra/templates/az-service-single-region/admin.tf:51-57
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
8 | resource "azurerm_container_registry" "container_registry" {
9 | name = var.container_registry_name
10 | resource_group_name = data.azurerm_resource_group.container_registry.name
11 | location = data.azurerm_resource_group.container_registry.location
12 | sku = var.container_registry_sku
13 | admin_enabled = var.container_registry_admin_enabled
14 | tags = var.container_registry_tags
15 |
16 | # This dynamic block configures a default DENY action to all incoming traffic
17 | # in the case that one of the following hold true:
18 | # 1: IP whitelist has been configured
19 | # 2: Subnet whitelist has been configured
20 | dynamic "network_rule_set" {
21 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [var.resource_ip_whitelist]
22 | content {
23 | default_action = "Deny"
24 | # This dynamic block configures "Allow" action to all of the whitelisted IPs. It is only
25 | # stamped out in the case that there are IPs configured for whitelist
26 | dynamic "ip_rule" {
27 | for_each = var.resource_ip_whitelist
28 | content {
29 | action = "Allow"
30 | ip_range = ip_rule.value
31 | }
32 | }
33 | dynamic "virtual_network" {
34 | for_each = var.subnet_id_whitelist
35 | content {
36 | action = "Allow"
37 | subnet_id = virtual_network.value
38 | }
39 | }
40 | }
41 | }
42 |
43 | }
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: module.container_registry.azurerm_container_registry.container_registry
File: /infra/modules/providers/azure/container-registry/main.tf:8-43
Calling File: /infra/templates/az-service-single-region/admin.tf:51-57
8 | resource "azurerm_container_registry" "container_registry" {
9 | name = var.container_registry_name
10 | resource_group_name = data.azurerm_resource_group.container_registry.name
11 | location = data.azurerm_resource_group.container_registry.location
12 | sku = var.container_registry_sku
13 | admin_enabled = var.container_registry_admin_enabled
14 | tags = var.container_registry_tags
15 |
16 | # This dynamic block configures a default DENY action to all incoming traffic
17 | # in the case that one of the following hold true:
18 | # 1: IP whitelist has been configured
19 | # 2: Subnet whitelist has been configured
20 | dynamic "network_rule_set" {
21 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [var.resource_ip_whitelist]
22 | content {
23 | default_action = "Deny"
24 | # This dynamic block configures "Allow" action to all of the whitelisted IPs. It is only
25 | # stamped out in the case that there are IPs configured for whitelist
26 | dynamic "ip_rule" {
27 | for_each = var.resource_ip_whitelist
28 | content {
29 | action = "Allow"
30 | ip_range = ip_rule.value
31 | }
32 | }
33 | dynamic "virtual_network" {
34 | for_each = var.subnet_id_whitelist
35 | content {
36 | action = "Allow"
37 | subnet_id = virtual_network.value
38 | }
39 | }
40 | }
41 | }
42 |
43 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: module.container_registry.azurerm_container_registry.container_registry
File: /infra/modules/providers/azure/container-registry/main.tf:8-43
Calling File: /infra/templates/az-service-single-region/admin.tf:51-57
8 | resource "azurerm_container_registry" "container_registry" {
9 | name = var.container_registry_name
10 | resource_group_name = data.azurerm_resource_group.container_registry.name
11 | location = data.azurerm_resource_group.container_registry.location
12 | sku = var.container_registry_sku
13 | admin_enabled = var.container_registry_admin_enabled
14 | tags = var.container_registry_tags
15 |
16 | # This dynamic block configures a default DENY action to all incoming traffic
17 | # in the case that one of the following hold true:
18 | # 1: IP whitelist has been configured
19 | # 2: Subnet whitelist has been configured
20 | dynamic "network_rule_set" {
21 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [var.resource_ip_whitelist]
22 | content {
23 | default_action = "Deny"
24 | # This dynamic block configures "Allow" action to all of the whitelisted IPs. It is only
25 | # stamped out in the case that there are IPs configured for whitelist
26 | dynamic "ip_rule" {
27 | for_each = var.resource_ip_whitelist
28 | content {
29 | action = "Allow"
30 | ip_range = ip_rule.value
31 | }
32 | }
33 | dynamic "virtual_network" {
34 | for_each = var.subnet_id_whitelist
35 | content {
36 | action = "Allow"
37 | subnet_id = virtual_network.value
38 | }
39 | }
40 | }
41 | }
42 |
43 | }
Check: CKV_AZURE_137: "Ensure ACR admin account is disabled"
FAILED for resource: module.container_registry.azurerm_container_registry.container_registry
File: /infra/modules/providers/azure/container-registry/main.tf:8-43
Calling File: /infra/templates/az-service-single-region/admin.tf:51-57
Guide: https://docs.bridgecrew.io/docs/ensure-azure-acr-admin-account-is-disabled
8 | resource "azurerm_container_registry" "container_registry" {
9 | name = var.container_registry_name
10 | resource_group_name = data.azurerm_resource_group.container_registry.name
11 | location = data.azurerm_resource_group.container_registry.location
12 | sku = var.container_registry_sku
13 | admin_enabled = var.container_registry_admin_enabled
14 | tags = var.container_registry_tags
15 |
16 | # This dynamic block configures a default DENY action to all incoming traffic
17 | # in the case that one of the following hold true:
18 | # 1: IP whitelist has been configured
19 | # 2: Subnet whitelist has been configured
20 | dynamic "network_rule_set" {
21 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [var.resource_ip_whitelist]
22 | content {
23 | default_action = "Deny"
24 | # This dynamic block configures "Allow" action to all of the whitelisted IPs. It is only
25 | # stamped out in the case that there are IPs configured for whitelist
26 | dynamic "ip_rule" {
27 | for_each = var.resource_ip_whitelist
28 | content {
29 | action = "Allow"
30 | ip_range = ip_rule.value
31 | }
32 | }
33 | dynamic "virtual_network" {
34 | for_each = var.subnet_id_whitelist
35 | content {
36 | action = "Allow"
37 | subnet_id = virtual_network.value
38 | }
39 | }
40 | }
41 | }
42 |
43 | }
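A hardened version of the `container_registry` resource that clears the six ACR findings above, added here as an example rather than code from the cobalt repository. It assumes azurerm 3.x attribute names (`trust_policy` and `retention_policy` are blocks in 3.x) and a `var.secondary_location` the original module does not declare. The original `network_rule_set` is dropped because it only matters while the public endpoint exists.

```hcl
variable "secondary_location" {
  description = "Second region the workload runs in (assumed; not declared by the original module)"
  type        = string
}

resource "azurerm_container_registry" "container_registry" {
  name                = var.container_registry_name
  resource_group_name = data.azurerm_resource_group.container_registry.name
  location            = data.azurerm_resource_group.container_registry.location
  tags                = var.container_registry_tags

  # Content trust, quarantine, retention, geo-replication and private-only
  # access are Premium features, so the SKU is pinned instead of taken from
  # var.container_registry_sku.
  sku = "Premium"

  # CKV_AZURE_137: the admin user is one shared username/password that bypasses
  # RBAC and cannot be scoped or attributed. Pull with managed identities or
  # repository-scoped tokens instead.
  admin_enabled = false

  # CKV_AZURE_139: no public endpoint at all; clients reach the registry through
  # a private endpoint (azurerm_private_endpoint, not shown here).
  public_network_access_enabled = false

  # CKV_AZURE_164: only images signed under Docker Content Trust can be pushed
  # and pulled, so a tag cannot be silently repointed at unsigned content.
  trust_policy {
    enabled = true
  }

  # CKV_AZURE_166: a pushed image is quarantined until a scanner marks it passed.
  quarantine_policy_enabled = true

  # CKV_AZURE_167: untagged manifests left behind by re-pushes are removed
  # after seven days instead of accumulating as pullable-by-digest content.
  retention_policy {
    enabled = true
    days    = 7
  }

  # CKV_AZURE_165: a replica in the second deployment region, so pulls there do
  # not cross regions and a regional outage does not stop deployments.
  georeplications {
    location                = var.secondary_location
    zone_redundancy_enabled = true
  }
}
```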
Check: CKV_AZURE_132: "Ensure cosmosdb does not allow privileged escalation by restricting management plane changes"
FAILED for resource: azurerm_cosmosdb_account.cosmosdb
File: /infra/modules/providers/azure/cosmosdb/main.tf:14-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-4.html
14 | resource "azurerm_cosmosdb_account" "cosmosdb" {
15 | name = var.account_name
16 | location = data.azurerm_resource_group.cosmosdb.location
17 | resource_group_name = data.azurerm_resource_group.cosmosdb.name
18 | offer_type = local.offer_type
19 | kind = var.kind
20 |
21 | enable_automatic_failover = var.automatic_failover
22 | is_virtual_network_filter_enabled = true
23 | ip_range_filter = local.ip_range_filter_Allow_Azure_Portal
24 |
25 | virtual_network_rule {
26 | id = var.vnet_subnet_id
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = var.consistency_level
31 | }
32 |
33 | geo_location {
34 | location = var.primary_replica_location
35 | failover_priority = 0
36 | }
37 | }
Check: CKV_AZURE_100: "Ensure that Cosmos DB accounts have customer-managed keys to encrypt data at rest"
FAILED for resource: azurerm_cosmosdb_account.cosmosdb
File: /infra/modules/providers/azure/cosmosdb/main.tf:14-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-cosmos-db-accounts-have-customer-managed-keys-to-encrypt-data-at-rest.html
14 | resource "azurerm_cosmosdb_account" "cosmosdb" {
15 | name = var.account_name
16 | location = data.azurerm_resource_group.cosmosdb.location
17 | resource_group_name = data.azurerm_resource_group.cosmosdb.name
18 | offer_type = local.offer_type
19 | kind = var.kind
20 |
21 | enable_automatic_failover = var.automatic_failover
22 | is_virtual_network_filter_enabled = true
23 | ip_range_filter = local.ip_range_filter_Allow_Azure_Portal
24 |
25 | virtual_network_rule {
26 | id = var.vnet_subnet_id
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = var.consistency_level
31 | }
32 |
33 | geo_location {
34 | location = var.primary_replica_location
35 | failover_priority = 0
36 | }
37 | }
Check: CKV_AZURE_101: "Ensure that Azure Cosmos DB disables public network access"
FAILED for resource: azurerm_cosmosdb_account.cosmosdb
File: /infra/modules/providers/azure/cosmosdb/main.tf:14-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cosmos-db-disables-public-network-access.html
14 | resource "azurerm_cosmosdb_account" "cosmosdb" {
15 | name = var.account_name
16 | location = data.azurerm_resource_group.cosmosdb.location
17 | resource_group_name = data.azurerm_resource_group.cosmosdb.name
18 | offer_type = local.offer_type
19 | kind = var.kind
20 |
21 | enable_automatic_failover = var.automatic_failover
22 | is_virtual_network_filter_enabled = true
23 | ip_range_filter = local.ip_range_filter_Allow_Azure_Portal
24 |
25 | virtual_network_rule {
26 | id = var.vnet_subnet_id
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = var.consistency_level
31 | }
32 |
33 | geo_location {
34 | location = var.primary_replica_location
35 | failover_priority = 0
36 | }
37 | }
Check: CKV_AZURE_140: "Ensure that Local Authentication is disabled on CosmosDB"
FAILED for resource: azurerm_cosmosdb_account.cosmosdb
File: /infra/modules/providers/azure/cosmosdb/main.tf:14-37
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-iam-policies/ensure-azure-acr-admin-account-is-disabled.html
14 | resource "azurerm_cosmosdb_account" "cosmosdb" {
15 | name = var.account_name
16 | location = data.azurerm_resource_group.cosmosdb.location
17 | resource_group_name = data.azurerm_resource_group.cosmosdb.name
18 | offer_type = local.offer_type
19 | kind = var.kind
20 |
21 | enable_automatic_failover = var.automatic_failover
22 | is_virtual_network_filter_enabled = true
23 | ip_range_filter = local.ip_range_filter_Allow_Azure_Portal
24 |
25 | virtual_network_rule {
26 | id = var.vnet_subnet_id
27 | }
28 |
29 | consistency_policy {
30 | consistency_level = var.consistency_level
31 | }
32 |
33 | geo_location {
34 | location = var.primary_replica_location
35 | failover_priority = 0
36 | }
37 | }
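A hardened version of the `cosmosdb` account covering the four Cosmos DB findings above, added as an example and not code from the cobalt repository. It assumes azurerm 3.x attribute names, pins the SQL API because `local_authentication_disabled` only applies there, and introduces a `var.cosmos_cmk_key_id` the original module does not declare. The `ip_range_filter` is dropped because there is no public endpoint left to filter.

```hcl
variable "cosmos_cmk_key_id" {
  description = "Key Vault key identifier used as the customer-managed key (assumed; not in the original module)"
  type        = string
}

resource "azurerm_cosmosdb_account" "cosmosdb" {
  name                = var.account_name
  location            = data.azurerm_resource_group.cosmosdb.location
  resource_group_name = data.azurerm_resource_group.cosmosdb.name
  offer_type          = local.offer_type

  # SQL (Core) API; local_authentication_disabled below is only valid for it.
  kind = "GlobalDocumentDB"

  enable_automatic_failover = var.automatic_failover

  # CKV_AZURE_101: close the public endpoint; clients connect over a private
  # endpoint. The VNet rule is kept for the subnet that still needs service
  # endpoint access.
  public_network_access_enabled     = false
  is_virtual_network_filter_enabled = true
  virtual_network_rule {
    id = var.vnet_subnet_id
  }

  # CKV_AZURE_140: no account keys or resource tokens; callers authenticate with
  # Azure AD identities and the Cosmos DB data-plane RBAC roles.
  local_authentication_disabled = true

  # CKV_AZURE_132: even a principal that obtains the keys cannot create or
  # alter databases, containers or throughput through the data plane; such
  # changes must go through ARM, where they are audited and RBAC-controlled.
  access_key_metadata_writes_enabled = false

  # CKV_AZURE_100: customer-managed key. The vault must have purge protection on
  # and grant the Cosmos DB service get, wrapKey and unwrapKey on this key.
  key_vault_key_id = var.cosmos_cmk_key_id

  consistency_policy {
    consistency_level = var.consistency_level
  }

  geo_location {
    location          = var.primary_replica_location
    failover_priority = 0
  }
}
```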
Check: CKV_AZURE_104: "Ensure that Azure Data factory public network access is disabled"
FAILED for resource: azurerm_data_factory.main
File: /infra/modules/providers/azure/data-factory/main.tf:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-data-factory-public-network-access-is-disabled.html
9 | resource "azurerm_data_factory" "main" {
10 | #required
11 | name = var.data_factory_name
12 | resource_group_name = data.azurerm_resource_group.main.name
13 | location = data.azurerm_resource_group.main.location
14 |
15 | # This will be static as "SystemAssigned" is the only identity available now
16 | identity {
17 | type = "SystemAssigned"
18 | }
19 | }
Check: CKV_AZURE_103: "Ensure that Azure Data Factory uses Git repository for source control"
FAILED for resource: azurerm_data_factory.main
File: /infra/modules/providers/azure/data-factory/main.tf:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-azure-data-factory-uses-git-repository-for-source-control.html
9 | resource "azurerm_data_factory" "main" {
10 | #required
11 | name = var.data_factory_name
12 | resource_group_name = data.azurerm_resource_group.main.name
13 | location = data.azurerm_resource_group.main.location
14 |
15 | # This will be static as "SystemAssigned" is the only identity available now
16 | identity {
17 | type = "SystemAssigned"
18 | }
19 | }
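A hardened version of the `main` Data Factory resource for the two findings above, added as an example rather than code from the cobalt repository. It assumes azurerm 3.x and two variables the original module does not declare, `var.adf_github_org` and `var.adf_github_repo`; the repository details are placeholders.

```hcl
variable "adf_github_org" {
  description = "GitHub organisation holding the factory definitions (assumed; not in the original module)"
  type        = string
}

variable "adf_github_repo" {
  description = "Repository holding the factory definitions (assumed; not in the original module)"
  type        = string
}

resource "azurerm_data_factory" "main" {
  name                = var.data_factory_name
  resource_group_name = data.azurerm_resource_group.main.name
  location            = data.azurerm_resource_group.main.location

  # CKV_AZURE_104: the authoring and management endpoints are reachable only
  # through a private endpoint. Note the attribute is public_network_enabled
  # here, not public_network_access_enabled as on most other azurerm resources.
  public_network_enabled = false

  # CKV_AZURE_103: pipelines, datasets and linked services live in Git and are
  # published from a reviewed branch, so a change to what the factory executes
  # leaves a commit and a review trail instead of being edited live in Studio.
  github_configuration {
    account_name    = var.adf_github_org
    repository_name = var.adf_github_repo
    branch_name     = "main"
    root_folder     = "/"
    git_url         = "https://github.com"
  }

  identity {
    type = "SystemAssigned"
  }
}
```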
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.acr_service_principal_secrets.azurerm_key_vault_secret.secret
File: /infra/modules/providers/azure/keyvault-secret/main.tf:5-10
Calling File: /infra/templates/az-isolated-service-single-region/app.tf:101-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
5 | resource "azurerm_key_vault_secret" "secret" {
6 | count = length(var.secrets)
7 | name = local.secret_names[count.index]
8 | value = var.secrets[local.secret_names[count.index]]
9 | key_vault_id = var.keyvault_id
10 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.acr_service_principal_secrets.azurerm_key_vault_secret.secret
File: /infra/modules/providers/azure/keyvault-secret/main.tf:5-10
Calling File: /infra/templates/az-isolated-service-single-region/app.tf:101-105
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
5 | resource "azurerm_key_vault_secret" "secret" {
6 | count = length(var.secrets)
7 | name = local.secret_names[count.index]
8 | value = var.secrets[local.secret_names[count.index]]
9 | key_vault_id = var.keyvault_id
10 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: module.app_service_principal_secrets.azurerm_key_vault_secret.secret
File: /infra/modules/providers/azure/keyvault-secret/main.tf:5-10
Calling File: /infra/templates/az-isolated-service-single-region/app.tf:87-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
5 | resource "azurerm_key_vault_secret" "secret" {
6 | count = length(var.secrets)
7 | name = local.secret_names[count.index]
8 | value = var.secrets[local.secret_names[count.index]]
9 | key_vault_id = var.keyvault_id
10 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: module.app_service_principal_secrets.azurerm_key_vault_secret.secret
File: /infra/modules/providers/azure/keyvault-secret/main.tf:5-10
Calling File: /infra/templates/az-isolated-service-single-region/app.tf:87-91
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
5 | resource "azurerm_key_vault_secret" "secret" {
6 | count = length(var.secrets)
7 | name = local.secret_names[count.index]
8 | value = var.secrets[local.secret_names[count.index]]
9 | key_vault_id = var.keyvault_id
10 | }
Check: CKV_AZURE_42: "Ensure the key vault is recoverable"
FAILED for resource: module.keyvault.azurerm_key_vault.keyvault
File: /infra/modules/providers/azure/keyvault/main.tf:15-36
Calling File: /infra/templates/az-service-single-region/admin.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-the-key-vault-is-recoverable.html
15 | resource "azurerm_key_vault" "keyvault" {
16 | name = var.keyvault_name
17 | location = data.azurerm_resource_group.kv.location
18 | resource_group_name = data.azurerm_resource_group.kv.name
19 | tenant_id = data.azurerm_client_config.current.tenant_id
20 |
21 | sku_name = var.keyvault_sku
22 |
23 | # This block configures VNET integration if a subnet whitelist is specified
24 | dynamic "network_acls" {
25 | # this block allows the loop to run 1 or 0 times based on if the resource ip whitelist or subnet id whitelist is provided.
26 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [""]
27 | content {
28 | bypass = "None"
29 | default_action = "Deny"
30 | virtual_network_subnet_ids = var.subnet_id_whitelist
31 | ip_rules = var.resource_ip_whitelist
32 | }
33 | }
34 |
35 | tags = var.resource_tags
36 | }
Check: CKV_AZURE_110: "Ensure that key vault enables purge protection"
FAILED for resource: module.keyvault.azurerm_key_vault.keyvault
File: /infra/modules/providers/azure/keyvault/main.tf:15-36
Calling File: /infra/templates/az-service-single-region/admin.tf:16-20
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-enables-purge-protection.html
15 | resource "azurerm_key_vault" "keyvault" {
16 | name = var.keyvault_name
17 | location = data.azurerm_resource_group.kv.location
18 | resource_group_name = data.azurerm_resource_group.kv.name
19 | tenant_id = data.azurerm_client_config.current.tenant_id
20 |
21 | sku_name = var.keyvault_sku
22 |
23 | # This block configures VNET integration if a subnet whitelist is specified
24 | dynamic "network_acls" {
25 | # this block allows the loop to run 1 or 0 times based on if the resource ip whitelist or subnet id whitelist is provided.
26 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [""]
27 | content {
28 | bypass = "None"
29 | default_action = "Deny"
30 | virtual_network_subnet_ids = var.subnet_id_whitelist
31 | ip_rules = var.resource_ip_whitelist
32 | }
33 | }
34 |
35 | tags = var.resource_tags
36 | }
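One example serving both the `keyvault-secret` findings (CKV_AZURE_41 and CKV_AZURE_114, reported twice above for the two callers) and the `keyvault` findings (CKV_AZURE_42 and CKV_AZURE_110). It is added here and is not code from the cobalt repository. It assumes azurerm 3.x attribute names and adds a `var.secret_expiry` the original module does not declare; it also switches the secret resource from `count` to `for_each` so removing one secret no longer re-indexes and re-creates the others.

```hcl
resource "azurerm_key_vault" "keyvault" {
  name                = var.keyvault_name
  location            = data.azurerm_resource_group.kv.location
  resource_group_name = data.azurerm_resource_group.kv.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = var.keyvault_sku
  tags                = var.resource_tags

  # CKV_AZURE_42 / CKV_AZURE_110: deleted vaults, keys and secrets stay
  # recoverable for 90 days and nobody, owner included, can purge them early.
  # Purge protection is one-way: once enabled it cannot be turned off.
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  # Unchanged from the original: the firewall is only stamped out when an
  # allow-list exists, so an empty list does not lock out the Terraform runner.
  dynamic "network_acls" {
    for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [""]
    content {
      bypass                     = "None"
      default_action             = "Deny"
      virtual_network_subnet_ids = var.subnet_id_whitelist
      ip_rules                   = var.resource_ip_whitelist
    }
  }
}

variable "secret_expiry" {
  description = "RFC 3339 expiry stamped on every secret, e.g. 2024-04-30T00:00:00Z (assumed; not in the original module)"
  type        = string
}

resource "azurerm_key_vault_secret" "secret" {
  for_each     = var.secrets
  name         = each.key
  value        = each.value
  key_vault_id = var.keyvault_id

  # CKV_AZURE_114: a content type lets consumers and rotation jobs tell a
  # service-principal password apart from, say, a connection string.
  content_type = "text/plain"

  # CKV_AZURE_41: an expiry forces rotation and lets Key Vault emit near-expiry
  # events. Moving the date shows up as a Terraform diff, which is the point.
  expiration_date = var.secret_expiry
}
```

Because purge protection cannot be reverted, apply it to a vault only once the team is sure it will not need to recreate the vault under the same name within the retention window.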
Check: CKV_AZURE_144: "Ensure that Public Access is disabled for Machine Learning Workspace"
FAILED for resource: azurerm_machine_learning_workspace.mlworkspace
File: /infra/modules/providers/azure/ml-workspace/main.tf:10-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-machine-learning-workspace-is-not-publicly-accessible.html
10 | resource "azurerm_machine_learning_workspace" "mlworkspace" {
11 | name = var.name
12 | location = data.azurerm_resource_group.ml_resource_group.location
13 | resource_group_name = var.resource_group_name
14 | application_insights_id = var.application_insights_id
15 | key_vault_id = var.key_vault_id
16 | storage_account_id = var.storage_account_id
17 | sku_name = var.sku_name
18 | identity {
19 | type = "SystemAssigned" //This is the only supported type at this time
20 | }
21 | }
Check: CKV_AZURE_89: "Ensure that Azure Cache for Redis disables public network access"
FAILED for resource: azurerm_redis_cache.arc
File: /infra/modules/providers/azure/redis-cache/main.tf:5-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-azure-cache-for-redis-disables-public-network-access.html
5 | resource "azurerm_redis_cache" "arc" {
6 | name = var.name
7 | location = data.azurerm_resource_group.arc.location
8 | resource_group_name = var.resource_group_name
9 | capacity = var.capacity
10 | sku_name = var.sku_name
11 | family = var.sku_name == "Premium" ? "P" : "C"
12 | shard_count = var.premium_tier_config.cache_shard_count
13 | minimum_tls_version = var.minimum_tls_version
14 | tags = var.resource_tags
15 |
16 | redis_configuration {
17 | maxmemory_reserved = var.memory_features.maxmemory_reserved
18 | maxmemory_delta = var.memory_features.maxmemory_delta
19 | maxmemory_policy = var.memory_features.maxmemory_policy
20 | maxfragmentationmemory_reserved = var.memory_features.maxfragmentationmemory_reserved
21 | }
22 |
23 | patch_schedule {
24 | day_of_week = var.premium_tier_config.server_patch_day
25 | start_hour_utc = var.premium_tier_config.server_patch_hour
26 | }
27 | }
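The `mlworkspace` and `arc` findings above are the same class of exposure, a service left on its public endpoint, so one added example covers both CKV_AZURE_144 and CKV_AZURE_89. It is not code from the cobalt repository; it assumes azurerm 3.x attribute names and pins the Redis SKU to Premium because private endpoints, sharding and the patch schedule are Premium features.

```hcl
resource "azurerm_machine_learning_workspace" "mlworkspace" {
  name                    = var.name
  location                = data.azurerm_resource_group.ml_resource_group.location
  resource_group_name     = var.resource_group_name
  application_insights_id = var.application_insights_id
  key_vault_id            = var.key_vault_id
  storage_account_id      = var.storage_account_id
  sku_name                = var.sku_name

  # CKV_AZURE_144: the workspace is reachable only over a private endpoint;
  # studio users and compute need the matching private DNS zone resolvable.
  public_network_access_enabled = false

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_redis_cache" "arc" {
  name                = var.name
  location            = data.azurerm_resource_group.arc.location
  resource_group_name = var.resource_group_name
  capacity            = var.capacity
  sku_name            = "Premium"
  family              = "P"
  shard_count         = var.premium_tier_config.cache_shard_count
  tags                = var.resource_tags

  # CKV_AZURE_89: no public endpoint; clients come in over a private endpoint.
  public_network_access_enabled = false

  # Not flagged by this scan but closing the same exposure: no plaintext port
  # 6379, and TLS 1.2 as the floor on the TLS port.
  enable_non_ssl_port = false
  minimum_tls_version = "1.2"

  redis_configuration {
    maxmemory_reserved              = var.memory_features.maxmemory_reserved
    maxmemory_delta                 = var.memory_features.maxmemory_delta
    maxmemory_policy                = var.memory_features.maxmemory_policy
    maxfragmentationmemory_reserved = var.memory_features.maxfragmentationmemory_reserved
  }

  patch_schedule {
    day_of_week    = var.premium_tier_config.server_patch_day
    start_hour_utc = var.premium_tier_config.server_patch_hour
  }
}
```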
Check: CKV_AZURE_205: "Ensure Azure Service Bus is using the latest version of TLS encryption"
FAILED for resource: azurerm_servicebus_namespace.servicebus
File: /infra/modules/providers/azure/service-bus/main.tf:45-51
45 | resource "azurerm_servicebus_namespace" "servicebus" {
46 | name = var.namespace_name
47 | location = data.azurerm_resource_group.resourcegroup.location
48 | resource_group_name = data.azurerm_resource_group.resourcegroup.name
49 | sku = var.sku
50 | tags = var.tags
51 | }
Check: CKV_AZURE_201: "Ensure that Azure Service Bus uses a customer-managed key to encrypt data"
FAILED for resource: azurerm_servicebus_namespace.servicebus
File: /infra/modules/providers/azure/service-bus/main.tf:45-51
45 | resource "azurerm_servicebus_namespace" "servicebus" {
46 | name = var.namespace_name
47 | location = data.azurerm_resource_group.resourcegroup.location
48 | resource_group_name = data.azurerm_resource_group.resourcegroup.name
49 | sku = var.sku
50 | tags = var.tags
51 | }
Check: CKV_AZURE_202: "Ensure that Managed identity provider is enabled for Azure Service Bus"
FAILED for resource: azurerm_servicebus_namespace.servicebus
File: /infra/modules/providers/azure/service-bus/main.tf:45-51
45 | resource "azurerm_servicebus_namespace" "servicebus" {
46 | name = var.namespace_name
47 | location = data.azurerm_resource_group.resourcegroup.location
48 | resource_group_name = data.azurerm_resource_group.resourcegroup.name
49 | sku = var.sku
50 | tags = var.tags
51 | }
Check: CKV_AZURE_199: "Ensure that Azure Service Bus uses double encryption"
FAILED for resource: azurerm_servicebus_namespace.servicebus
File: /infra/modules/providers/azure/service-bus/main.tf:45-51
45 | resource "azurerm_servicebus_namespace" "servicebus" {
46 | name = var.namespace_name
47 | location = data.azurerm_resource_group.resourcegroup.location
48 | resource_group_name = data.azurerm_resource_group.resourcegroup.name
49 | sku = var.sku
50 | tags = var.tags
51 | }
Check: CKV_AZURE_204: "Ensure 'public network access enabled' is set to 'False' for Azure Service Bus"
FAILED for resource: azurerm_servicebus_namespace.servicebus
File: /infra/modules/providers/azure/service-bus/main.tf:45-51
45 | resource "azurerm_servicebus_namespace" "servicebus" {
46 | name = var.namespace_name
47 | location = data.azurerm_resource_group.resourcegroup.location
48 | resource_group_name = data.azurerm_resource_group.resourcegroup.name
49 | sku = var.sku
50 | tags = var.tags
51 | }
Check: CKV_AZURE_203: "Ensure Azure Service Bus Local Authentication is disabled"
FAILED for resource: azurerm_servicebus_namespace.servicebus
File: /infra/modules/providers/azure/service-bus/main.tf:45-51
45 | resource "azurerm_servicebus_namespace" "servicebus" {
46 | name = var.namespace_name
47 | location = data.azurerm_resource_group.resourcegroup.location
48 | resource_group_name = data.azurerm_resource_group.resourcegroup.name
49 | sku = var.sku
50 | tags = var.tags
51 | }
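A hardened `servicebus` namespace covering the six Service Bus findings above, added as an example and not code from the cobalt repository. It assumes azurerm 3.x attribute names, pins the Premium SKU because customer-managed keys and private endpoints require it, and introduces a `var.servicebus_cmk_key_id` the original module does not declare. A user-assigned identity is created alongside the namespace so the Key Vault access policy for it can exist before the namespace does.

```hcl
variable "servicebus_cmk_key_id" {
  description = "Key Vault key identifier for the customer-managed key (assumed; not in the original module)"
  type        = string
}

resource "azurerm_user_assigned_identity" "servicebus" {
  name                = "${var.namespace_name}-id"
  location            = data.azurerm_resource_group.resourcegroup.location
  resource_group_name = data.azurerm_resource_group.resourcegroup.name
}

resource "azurerm_servicebus_namespace" "servicebus" {
  name                = var.namespace_name
  location            = data.azurerm_resource_group.resourcegroup.location
  resource_group_name = data.azurerm_resource_group.resourcegroup.name
  tags                = var.tags

  # Customer-managed keys, infrastructure encryption and private endpoints are
  # Premium-only; capacity is the number of messaging units.
  sku      = "Premium"
  capacity = 1

  # CKV_AZURE_205: TLS 1.2 floor for AMQP-over-TLS and HTTPS clients.
  minimum_tls_version = "1.2"

  # CKV_AZURE_203: no SAS keys or connection strings; senders and receivers
  # authenticate with Azure AD and the Service Bus Data Sender/Receiver roles.
  local_auth_enabled = false

  # CKV_AZURE_204: no public endpoint; traffic enters over a private endpoint.
  public_network_access_enabled = false

  # CKV_AZURE_202: an identity on the namespace, used below to unwrap the key.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.servicebus.id]
  }

  # CKV_AZURE_201 / CKV_AZURE_199: customer-managed key plus a second,
  # platform-managed encryption layer underneath it. The vault must have purge
  # protection enabled and grant the identity get, wrapKey and unwrapKey.
  customer_managed_key {
    key_vault_key_id                  = var.servicebus_cmk_key_id
    identity_id                       = azurerm_user_assigned_identity.servicebus.id
    infrastructure_encryption_enabled = true
  }
}
```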
Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
FAILED for resource: azurerm_storage_account.main
File: /infra/modules/providers/azure/storage-account/main.tf:5-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2.html
5 | resource "azurerm_storage_account" "main" {
6 | # required
7 | name = lower(var.name)
8 | resource_group_name = data.azurerm_resource_group.main.name
9 | location = data.azurerm_resource_group.main.location
10 | account_tier = var.performance_tier
11 | account_replication_type = var.replication_type
12 |
13 | # optional
14 | account_kind = var.kind
15 | enable_https_traffic_only = var.https
16 | account_encryption_source = var.encryption_source
17 | tags = var.resource_tags
18 |
19 | # enrolls storage account into azure 'managed identities' authentication
20 | identity {
21 | type = "SystemAssigned"
22 | }
23 | }
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.main
File: /infra/modules/providers/azure/storage-account/main.tf:5-23
5 | resource "azurerm_storage_account" "main" {
6 | # required
7 | name = lower(var.name)
8 | resource_group_name = data.azurerm_resource_group.main.name
9 | location = data.azurerm_resource_group.main.location
10 | account_tier = var.performance_tier
11 | account_replication_type = var.replication_type
12 |
13 | # optional
14 | account_kind = var.kind
15 | enable_https_traffic_only = var.https
16 | account_encryption_source = var.encryption_source
17 | tags = var.resource_tags
18 |
19 | # enrolls storage account into azure 'managed identities' authentication
20 | identity {
21 | type = "SystemAssigned"
22 | }
23 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.main
File: /infra/modules/providers/azure/storage-account/main.tf:5-23
5 | resource "azurerm_storage_account" "main" {
6 | # required
7 | name = lower(var.name)
8 | resource_group_name = data.azurerm_resource_group.main.name
9 | location = data.azurerm_resource_group.main.location
10 | account_tier = var.performance_tier
11 | account_replication_type = var.replication_type
12 |
13 | # optional
14 | account_kind = var.kind
15 | enable_https_traffic_only = var.https
16 | account_encryption_source = var.encryption_source
17 | tags = var.resource_tags
18 |
19 | # enrolls storage account into azure 'managed identities' authentication
20 | identity {
21 | type = "SystemAssigned"
22 | }
23 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.main
File: /infra/modules/providers/azure/storage-account/main.tf:5-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
5 | resource "azurerm_storage_account" "main" {
6 | # required
7 | name = lower(var.name)
8 | resource_group_name = data.azurerm_resource_group.main.name
9 | location = data.azurerm_resource_group.main.location
10 | account_tier = var.performance_tier
11 | account_replication_type = var.replication_type
12 |
13 | # optional
14 | account_kind = var.kind
15 | enable_https_traffic_only = var.https
16 | account_encryption_source = var.encryption_source
17 | tags = var.resource_tags
18 |
19 | # enrolls storage account into azure 'managed identities' authentication
20 | identity {
21 | type = "SystemAssigned"
22 | }
23 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.main
File: /infra/modules/providers/azure/storage-account/main.tf:5-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
5 | resource "azurerm_storage_account" "main" {
6 | # required
7 | name = lower(var.name)
8 | resource_group_name = data.azurerm_resource_group.main.name
9 | location = data.azurerm_resource_group.main.location
10 | account_tier = var.performance_tier
11 | account_replication_type = var.replication_type
12 |
13 | # optional
14 | account_kind = var.kind
15 | enable_https_traffic_only = var.https
16 | account_encryption_source = var.encryption_source
17 | tags = var.resource_tags
18 |
19 | # enrolls storage account into azure 'managed identities' authentication
20 | identity {
21 | type = "SystemAssigned"
22 | }
23 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.acr_sp_pwd_secret
File: /infra/templates/az-isolated-service-single-region/tf_ignored_resources.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
1 | resource "azurerm_key_vault_secret" "acr_sp_pwd_secret" {
2 | name = "acr-service-principal-password"
3 | value = module.acr_service_principal_acrpull.service_principal_password
4 | key_vault_id = module.keyvault.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = ["value"]
8 | }
9 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.acr_sp_pwd_secret
File: /infra/templates/az-isolated-service-single-region/tf_ignored_resources.tf:1-9
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
1 | resource "azurerm_key_vault_secret" "acr_sp_pwd_secret" {
2 | name = "acr-service-principal-password"
3 | value = module.acr_service_principal_acrpull.service_principal_password
4 | key_vault_id = module.keyvault.keyvault_id
5 |
6 | lifecycle {
7 | ignore_changes = ["value"]
8 | }
9 | }
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets"
FAILED for resource: azurerm_key_vault_secret.app_svc_sp_pwd_secret
File: /infra/templates/az-isolated-service-single-region/tf_ignored_resources.tf:11-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-secrets-policies/set-an-expiration-date-on-all-secrets.html
11 | resource "azurerm_key_vault_secret" "app_svc_sp_pwd_secret" {
12 | name = "app-service-principal-password"
13 | value = module.app_service_principal_contributor.service_principal_password
14 | key_vault_id = module.keyvault.keyvault_id
15 |
16 | lifecycle {
17 | ignore_changes = ["value"]
18 | }
19 | }
Check: CKV_AZURE_114: "Ensure that key vault secrets have "content_type" set"
FAILED for resource: azurerm_key_vault_secret.app_svc_sp_pwd_secret
File: /infra/templates/az-isolated-service-single-region/tf_ignored_resources.tf:11-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-key-vault-secrets-have-content-type-set.html
11 | resource "azurerm_key_vault_secret" "app_svc_sp_pwd_secret" {
12 | name = "app-service-principal-password"
13 | value = module.app_service_principal_contributor.service_principal_password
14 | key_vault_id = module.keyvault.keyvault_id
15 |
16 | lifecycle {
17 | ignore_changes = ["value"]
18 | }
19 | }
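An added example (not microsoft/cobalt code) of the acr_sp_pwd_secret resource with the two missing attributes that CKV_AZURE_41 and CKV_AZURE_114 look for; the app_svc_sp_pwd_secret resource above takes the same treatment. It assumes azurerm 3.x and the hashicorp/time provider; the 90-day window is an assumption, not a project setting.

```hcl
# Added example (not from microsoft/cobalt). Assumes azurerm 3.x and the
# hashicorp/time provider for a drift-free expiry timestamp.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    time    = { source = "hashicorp/time" }
  }
}

# rotation_rfc3339 stays fixed until rotation_days have elapsed, then the
# resource is replaced and the expiry moves. Using timestamp() directly in
# expiration_date would change the value on every plan.
resource "time_rotating" "acr_sp_pwd" {
  rotation_days = 90 # assumed window
}

resource "azurerm_key_vault_secret" "acr_sp_pwd_secret" {
  name         = "acr-service-principal-password"
  value        = module.acr_service_principal_acrpull.service_principal_password
  key_vault_id = module.keyvault.keyvault_id

  # CKV_AZURE_114: consumers and auditors can tell what this material is.
  content_type = "service-principal-password"

  # CKV_AZURE_41: after this date the secret cannot be read, so a leaked
  # copy has a bounded lifetime and a missed rotation fails loudly.
  expiration_date = time_rotating.acr_sp_pwd.rotation_rfc3339

  lifecycle {
    # Same intent as the original: the SP password is managed out of band.
    # That also means a rotated password is never written back here, so the
    # SP credential must be rotated inside the window the expiry enforces.
    ignore_changes = [value]
  }
}
```

The legacy quoted form ignore_changes = ["value"] in the original still parses under 0.12 with a deprecation warning; the unquoted attribute reference is the current syntax.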
Check: CKV_AZURE_164: "Ensures that ACR uses signed/trusted images"
FAILED for resource: azurerm_container_registry.acr
File: /infra/templates/gitlab-bootstrap-iac-cicd/acr.tf:1-6
1 | resource "azurerm_container_registry" "acr" {
2 | name = format("acr%s", random_string.rand.result)
3 | resource_group_name = azurerm_resource_group.ci.name
4 | location = azurerm_resource_group.ci.location
5 | sku = "Basic"
6 | }
Check: CKV_AZURE_166: "Ensure container image quarantine, scan, and mark images verified"
FAILED for resource: azurerm_container_registry.acr
File: /infra/templates/gitlab-bootstrap-iac-cicd/acr.tf:1-6
1 | resource "azurerm_container_registry" "acr" {
2 | name = format("acr%s", random_string.rand.result)
3 | resource_group_name = azurerm_resource_group.ci.name
4 | location = azurerm_resource_group.ci.location
5 | sku = "Basic"
6 | }
Check: CKV_AZURE_139: "Ensure ACR set to disable public networking"
FAILED for resource: azurerm_container_registry.acr
File: /infra/templates/gitlab-bootstrap-iac-cicd/acr.tf:1-6
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-azure-acr-is-set-to-disable-public-networking.html
1 | resource "azurerm_container_registry" "acr" {
2 | name = format("acr%s", random_string.rand.result)
3 | resource_group_name = azurerm_resource_group.ci.name
4 | location = azurerm_resource_group.ci.location
5 | sku = "Basic"
6 | }
Check: CKV_AZURE_165: "Ensure geo-replicated container registries to match multi-region container deployments."
FAILED for resource: azurerm_container_registry.acr
File: /infra/templates/gitlab-bootstrap-iac-cicd/acr.tf:1-6
1 | resource "azurerm_container_registry" "acr" {
2 | name = format("acr%s", random_string.rand.result)
3 | resource_group_name = azurerm_resource_group.ci.name
4 | location = azurerm_resource_group.ci.location
5 | sku = "Basic"
6 | }
Check: CKV_AZURE_163: "Enable vulnerability scanning for container images."
FAILED for resource: azurerm_container_registry.acr
File: /infra/templates/gitlab-bootstrap-iac-cicd/acr.tf:1-6
1 | resource "azurerm_container_registry" "acr" {
2 | name = format("acr%s", random_string.rand.result)
3 | resource_group_name = azurerm_resource_group.ci.name
4 | location = azurerm_resource_group.ci.location
5 | sku = "Basic"
6 | }
Check: CKV_AZURE_167: "Ensure a retention policy is set to cleanup untagged manifests."
FAILED for resource: azurerm_container_registry.acr
File: /infra/templates/gitlab-bootstrap-iac-cicd/acr.tf:1-6
1 | resource "azurerm_container_registry" "acr" {
2 | name = format("acr%s", random_string.rand.result)
3 | resource_group_name = azurerm_resource_group.ci.name
4 | location = azurerm_resource_group.ci.location
5 | sku = "Basic"
6 | }
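The five ACR findings above (CKV_AZURE_164, 166, 139, 165, 167) and CKV_AZURE_163 share one root cause: the registry is on the Basic SKU, which supports none of the required features. The following is an added example, not microsoft/cobalt code, assuming azurerm 3.x block syntax; replica_location is a hypothetical input, and the Defender pricing resource is the Azure-side mechanism for image scanning rather than a registry property.

```hcl
# Added example (not from microsoft/cobalt). Assumes azurerm 3.x.
# replica_location is hypothetical and must differ from the primary region.
variable "replica_location" {
  type        = string
  description = "Second region for geo-replication"
}

resource "azurerm_container_registry" "acr" {
  name                = format("acr%s", random_string.rand.result)
  resource_group_name = azurerm_resource_group.ci.name
  location            = azurerm_resource_group.ci.location

  # Content trust, quarantine, retention, geo-replication and private
  # networking all require Premium; on Basic none of these checks can pass.
  sku = "Premium"

  # The admin user is one shared username/password for the whole registry;
  # pull with AcrPull on a managed identity instead.
  admin_enabled = false

  # CKV_AZURE_139: close the public endpoint and reach the registry from the
  # CI subnet over a private endpoint (subresource "registry").
  public_network_access_enabled = false

  # CKV_AZURE_166: pushed images are held until a scanner marks them verified.
  quarantine_policy_enabled = true

  # CKV_AZURE_164: Docker Content Trust; clients that enforce it only pull
  # signed tags.
  trust_policy {
    enabled = true
  }

  # CKV_AZURE_167: untagged manifests are removed after 7 days.
  retention_policy {
    days    = 7
    enabled = true
  }

  # CKV_AZURE_165: replica near the second deployment region.
  georeplications {
    location                = var.replica_location
    zone_redundancy_enabled = true
  }
}

# CKV_AZURE_163: vulnerability scanning is a subscription-level Defender for
# Containers setting. Assumption: this is the resource the check expects;
# confirm against the checkov version in use.
resource "azurerm_security_center_subscription_pricing" "containers" {
  tier          = "Standard"
  resource_type = "Containers"
}
```

Quarantine and content trust both change the pull path: a quarantined image is not pullable until marked verified, and a client with DOCKER_CONTENT_TRUST=1 refuses unsigned tags, so enable them on a registry whose pipeline already signs and scans.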
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
FAILED for resource: azurerm_storage_account.ci
File: /infra/templates/gitlab-bootstrap-iac-cicd/azure.tf:13-21
13 | resource "azurerm_storage_account" "ci" {
14 | name = format("backendstate%s", random_string.rand.result)
15 | resource_group_name = azurerm_resource_group.ci.name
16 | location = azurerm_resource_group.ci.location
17 |
18 | min_tls_version = "TLS1_2"
19 | account_tier = "Standard"
20 | account_replication_type = "LRS"
21 | }
Check: CKV_AZURE_190: "Ensure that Storage blobs restrict public access"
FAILED for resource: azurerm_storage_account.ci
File: /infra/templates/gitlab-bootstrap-iac-cicd/azure.tf:13-21
13 | resource "azurerm_storage_account" "ci" {
14 | name = format("backendstate%s", random_string.rand.result)
15 | resource_group_name = azurerm_resource_group.ci.name
16 | location = azurerm_resource_group.ci.location
17 |
18 | min_tls_version = "TLS1_2"
19 | account_tier = "Standard"
20 | account_replication_type = "LRS"
21 | }
Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
FAILED for resource: azurerm_storage_account.ci
File: /infra/templates/gitlab-bootstrap-iac-cicd/azure.tf:13-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service.html
13 | resource "azurerm_storage_account" "ci" {
14 | name = format("backendstate%s", random_string.rand.result)
15 | resource_group_name = azurerm_resource_group.ci.name
16 | location = azurerm_resource_group.ci.location
17 |
18 | min_tls_version = "TLS1_2"
19 | account_tier = "Standard"
20 | account_replication_type = "LRS"
21 | }
Check: CKV_AZURE_59: "Ensure that Storage accounts disallow public access"
FAILED for resource: azurerm_storage_account.ci
File: /infra/templates/gitlab-bootstrap-iac-cicd/azure.tf:13-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access.html
13 | resource "azurerm_storage_account" "ci" {
14 | name = format("backendstate%s", random_string.rand.result)
15 | resource_group_name = azurerm_resource_group.ci.name
16 | location = azurerm_resource_group.ci.location
17 |
18 | min_tls_version = "TLS1_2"
19 | account_tier = "Standard"
20 | account_replication_type = "LRS"
21 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.main
File: /infra/modules/providers/azure/storage-account/main.tf:5-23
5 | resource "azurerm_storage_account" "main" {
6 | # required
7 | name = lower(var.name)
8 | resource_group_name = data.azurerm_resource_group.main.name
9 | location = data.azurerm_resource_group.main.location
10 | account_tier = var.performance_tier
11 | account_replication_type = var.replication_type
12 |
13 | # optional
14 | account_kind = var.kind
15 | enable_https_traffic_only = var.https
16 | account_encryption_source = var.encryption_source
17 | tags = var.resource_tags
18 |
19 | # enrolls storage account into azure 'managed identities' authentication
20 | identity {
21 | type = "SystemAssigned"
22 | }
23 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.acct
File: /infra/templates/ado-bootstrap-iac-pipeline/azure.tf:55-67
55 | resource "azurerm_storage_account" "acct" {
56 | count = length(var.environments)
57 | name = format("iactf%s", var.environments[count.index].environment)
58 | resource_group_name = azurerm_resource_group.rg.name
59 | location = azurerm_resource_group.rg.location
60 | account_tier = "Standard"
61 | account_replication_type = "LRS"
62 |
63 | tags = {
64 | environment = var.environments[count.index].environment
65 | bootstrap = "bootstrap"
66 | }
67 | }
Check: CKV2_AZURE_33: "Ensure storage account is configured with private endpoint"
FAILED for resource: azurerm_storage_account.ci
File: /infra/templates/gitlab-bootstrap-iac-cicd/azure.tf:13-21
13 | resource "azurerm_storage_account" "ci" {
14 | name = format("backendstate%s", random_string.rand.result)
15 | resource_group_name = azurerm_resource_group.ci.name
16 | location = azurerm_resource_group.ci.location
17 |
18 | min_tls_version = "TLS1_2"
19 | account_tier = "Standard"
20 | account_replication_type = "LRS"
21 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.main
File: /infra/modules/providers/azure/storage-account/main.tf:25-30
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
25 | resource "azurerm_storage_container" "main" {
26 | count = length(var.container_names)
27 | name = var.container_names[count.index]
28 | storage_account_name = azurerm_storage_account.main.name
29 | container_access_type = "private"
30 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.container
File: /infra/templates/ado-bootstrap-iac-pipeline/azure.tf:69-74
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
69 | resource "azurerm_storage_container" "container" {
70 | count = length(var.environments)
71 | name = local.tf_state_container_name
72 | storage_account_name = azurerm_storage_account.acct[count.index].name
73 | container_access_type = "private"
74 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: azurerm_storage_container.tfstate
File: /infra/templates/gitlab-bootstrap-iac-cicd/azure.tf:23-27
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
23 | resource "azurerm_storage_container" "tfstate" {
24 | name = "tfstate-terraform-bootstrap"
25 | storage_account_name = azurerm_storage_account.ci.name
26 | container_access_type = "private"
27 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.dev.azurerm_storage_container.tfstate
File: /infra/templates/gitlab-bootstrap-iac-cicd/environment/azure.tf:40-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
40 | resource "azurerm_storage_container" "tfstate" {
41 | name = format("tfstate-%s", var.environment_name)
42 | storage_account_name = var.backend_storage_account_name
43 | container_access_type = "private"
44 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.integration.azurerm_storage_container.tfstate
File: /infra/templates/gitlab-bootstrap-iac-cicd/environment/azure.tf:40-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
40 | resource "azurerm_storage_container" "tfstate" {
41 | name = format("tfstate-%s", var.environment_name)
42 | storage_account_name = var.backend_storage_account_name
43 | container_access_type = "private"
44 | }
Check: CKV2_AZURE_21: "Ensure Storage logging is enabled for Blob service for read requests"
FAILED for resource: module.prod.azurerm_storage_container.tfstate
File: /infra/templates/gitlab-bootstrap-iac-cicd/environment/azure.tf:40-44
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-storage-logging-is-enabled-for-blob-service-for-read-requests.html
40 | resource "azurerm_storage_container" "tfstate" {
41 | name = format("tfstate-%s", var.environment_name)
42 | storage_account_name = var.backend_storage_account_name
43 | container_access_type = "private"
44 | }
Check: CKV2_AZURE_15: "Ensure that Azure data factories are encrypted with a customer-managed key"
FAILED for resource: azurerm_data_factory.main
File: /infra/modules/providers/azure/data-factory/main.tf:9-19
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-azure-data-factories-are-encrypted-with-a-customer-managed-key.html
9 | resource "azurerm_data_factory" "main" {
10 | #required
11 | name = var.data_factory_name
12 | resource_group_name = data.azurerm_resource_group.main.name
13 | location = data.azurerm_resource_group.main.location
14 |
15 | # This will be static as "SystemAssigned" is the only identity available now
16 | identity {
17 | type = "SystemAssigned"
18 | }
19 | }
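The comment in the original ("SystemAssigned is the only identity available now") no longer holds; Data Factory accepts a user-assigned identity, and CKV2_AZURE_15 needs one because the factory must reach the key before its own identity exists. The following is an added example, not microsoft/cobalt code, assuming azurerm 3.x; key_vault_id is a hypothetical input to a vault that already has soft delete and purge protection enabled, which Azure requires for CMK.

```hcl
# Added example (not from microsoft/cobalt). Assumes azurerm 3.x and a vault
# with purge protection; var.key_vault_id is hypothetical.
variable "key_vault_id" {
  type = string
}

resource "azurerm_user_assigned_identity" "adf" {
  name                = "${var.data_factory_name}-cmk"
  resource_group_name = data.azurerm_resource_group.main.name
  location            = data.azurerm_resource_group.main.location
}

# Wrapping key for the factory's encryption key.
resource "azurerm_key_vault_key" "adf_cmk" {
  name         = "adf-cmk"
  key_vault_id = var.key_vault_id
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["wrapKey", "unwrapKey"]
}

# Least privilege for the identity: it only needs to wrap/unwrap, never to
# create, delete or export keys.
resource "azurerm_key_vault_access_policy" "adf" {
  key_vault_id    = var.key_vault_id
  tenant_id       = azurerm_user_assigned_identity.adf.tenant_id
  object_id       = azurerm_user_assigned_identity.adf.principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_data_factory" "main" {
  name                = var.data_factory_name
  resource_group_name = data.azurerm_resource_group.main.name
  location            = data.azurerm_resource_group.main.location

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.adf.id]
  }

  # CKV2_AZURE_15: double encryption under a key the subscription controls.
  customer_managed_key_id          = azurerm_key_vault_key.adf_cmk.id
  customer_managed_key_identity_id = azurerm_user_assigned_identity.adf.id

  depends_on = [azurerm_key_vault_access_policy.adf]
}
```

Losing the key (deleted and purged) makes the factory unrecoverable, so treat the vault's purge protection and the key's backup as part of the factory's availability, not just its confidentiality.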
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.main
File: /infra/modules/providers/azure/storage-account/main.tf:5-23
5 | resource "azurerm_storage_account" "main" {
6 | # required
7 | name = lower(var.name)
8 | resource_group_name = data.azurerm_resource_group.main.name
9 | location = data.azurerm_resource_group.main.location
10 | account_tier = var.performance_tier
11 | account_replication_type = var.replication_type
12 |
13 | # optional
14 | account_kind = var.kind
15 | enable_https_traffic_only = var.https
16 | account_encryption_source = var.encryption_source
17 | tags = var.resource_tags
18 |
19 | # enrolls storage account into azure 'managed identities' authentication
20 | identity {
21 | type = "SystemAssigned"
22 | }
23 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.acct
File: /infra/templates/ado-bootstrap-iac-pipeline/azure.tf:55-67
55 | resource "azurerm_storage_account" "acct" {
56 | count = length(var.environments)
57 | name = format("iactf%s", var.environments[count.index].environment)
58 | resource_group_name = azurerm_resource_group.rg.name
59 | location = azurerm_resource_group.rg.location
60 | account_tier = "Standard"
61 | account_replication_type = "LRS"
62 |
63 | tags = {
64 | environment = var.environments[count.index].environment
65 | bootstrap = "bootstrap"
66 | }
67 | }
Check: CKV2_AZURE_38: "Ensure soft-delete is enabled on Azure storage account"
FAILED for resource: azurerm_storage_account.ci
File: /infra/templates/gitlab-bootstrap-iac-cicd/azure.tf:13-21
13 | resource "azurerm_storage_account" "ci" {
14 | name = format("backendstate%s", random_string.rand.result)
15 | resource_group_name = azurerm_resource_group.ci.name
16 | location = azurerm_resource_group.ci.location
17 |
18 | min_tls_version = "TLS1_2"
19 | account_tier = "Standard"
20 | account_replication_type = "LRS"
21 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.main
File: /infra/modules/providers/azure/storage-account/main.tf:5-23
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
5 | resource "azurerm_storage_account" "main" {
6 | # required
7 | name = lower(var.name)
8 | resource_group_name = data.azurerm_resource_group.main.name
9 | location = data.azurerm_resource_group.main.location
10 | account_tier = var.performance_tier
11 | account_replication_type = var.replication_type
12 |
13 | # optional
14 | account_kind = var.kind
15 | enable_https_traffic_only = var.https
16 | account_encryption_source = var.encryption_source
17 | tags = var.resource_tags
18 |
19 | # enrolls storage account into azure 'managed identities' authentication
20 | identity {
21 | type = "SystemAssigned"
22 | }
23 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.acct
File: /infra/templates/ado-bootstrap-iac-pipeline/azure.tf:55-67
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
55 | resource "azurerm_storage_account" "acct" {
56 | count = length(var.environments)
57 | name = format("iactf%s", var.environments[count.index].environment)
58 | resource_group_name = azurerm_resource_group.rg.name
59 | location = azurerm_resource_group.rg.location
60 | account_tier = "Standard"
61 | account_replication_type = "LRS"
62 |
63 | tags = {
64 | environment = var.environments[count.index].environment
65 | bootstrap = "bootstrap"
66 | }
67 | }
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
FAILED for resource: azurerm_storage_account.ci
File: /infra/templates/gitlab-bootstrap-iac-cicd/azure.tf:13-21
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key.html
13 | resource "azurerm_storage_account" "ci" {
14 | name = format("backendstate%s", random_string.rand.result)
15 | resource_group_name = azurerm_resource_group.ci.name
16 | location = azurerm_resource_group.ci.location
17 |
18 | min_tls_version = "TLS1_2"
19 | account_tier = "Standard"
20 | account_replication_type = "LRS"
21 | }
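The storage account findings above (CKV_AZURE_44, 206, 190, 33, 59, CKV2_AZURE_38, CKV2_AZURE_1, and CKV2_AZURE_21 on the containers) are shown here remediated on the gitlab-bootstrap backend-state account, as an added example that is not microsoft/cobalt code; the same attributes apply to azurerm_storage_account.main and .acct. It assumes azurerm 3.x; key_vault_id, ci_subnet_id and log_analytics_workspace_id are hypothetical inputs, and the CMK key is assumed to exist in the vault.

```hcl
# Added example (not from microsoft/cobalt). Assumes azurerm 3.x.
# The three variables below are hypothetical inputs.
variable "key_vault_id" { type = string }
variable "ci_subnet_id" { type = string }
variable "log_analytics_workspace_id" { type = string }

resource "azurerm_storage_account" "ci" {
  name                = format("backendstate%s", random_string.rand.result)
  resource_group_name = azurerm_resource_group.ci.name
  location            = azurerm_resource_group.ci.location
  account_tier        = "Standard"

  # CKV_AZURE_206: LRS is one datacenter; a zonal outage takes the terraform
  # state with it. ZRS or GRS keeps the backend recoverable.
  account_replication_type = "GRS"

  # CKV_AZURE_44 (already set here, missing on the module's .main account).
  min_tls_version           = "TLS1_2"
  enable_https_traffic_only = true

  # CKV_AZURE_190: no container can later be flipped to anonymous access.
  allow_nested_items_to_be_public = false

  # Shared keys are a second, identity-less credential for the whole account.
  shared_access_key_enabled = false

  # CKV_AZURE_59: close the public endpoint; the CI runner then needs a
  # private endpoint or a listed subnet to reach the state.
  public_network_access_enabled = false
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    virtual_network_subnet_ids = [var.ci_subnet_id]
  }

  # CKV2_AZURE_38: soft delete. Versioning on top makes an overwritten
  # state file recoverable, which is the realistic tfstate failure.
  blob_properties {
    versioning_enabled = true
    delete_retention_policy {
      days = 30
    }
    container_delete_retention_policy {
      days = 30
    }
  }

  # CKV_AZURE_33: classic queue logging for read, write and delete.
  queue_properties {
    logging {
      delete                = true
      read                  = true
      write                 = true
      version               = "1.0"
      retention_policy_days = 10
    }
  }

  identity {
    type = "SystemAssigned"
  }
}

# CKV2_AZURE_1: customer-managed key. The account identity needs wrap/unwrap
# on the key and the vault must have purge protection enabled.
resource "azurerm_key_vault_access_policy" "storage_cmk" {
  key_vault_id    = var.key_vault_id
  tenant_id       = azurerm_storage_account.ci.identity[0].tenant_id
  object_id       = azurerm_storage_account.ci.identity[0].principal_id
  key_permissions = ["Get", "WrapKey", "UnwrapKey"]
}

resource "azurerm_storage_account_customer_managed_key" "ci" {
  storage_account_id = azurerm_storage_account.ci.id
  key_vault_id       = var.key_vault_id
  key_name           = "tfstate-cmk" # assumed existing key
  depends_on         = [azurerm_key_vault_access_policy.storage_cmk]
}

# Blob read/write/delete audit trail for the containers in this account
# (the concern behind CKV2_AZURE_21).
resource "azurerm_monitor_diagnostic_setting" "ci_blob" {
  name                       = "blob-audit"
  target_resource_id         = "${azurerm_storage_account.ci.id}/blobServices/default"
  log_analytics_workspace_id = var.log_analytics_workspace_id

  enabled_log { category = "StorageRead" }
  enabled_log { category = "StorageWrite" }
  enabled_log { category = "StorageDelete" }
}
```

Two operational caveats. With shared_access_key_enabled = false, the azurerm provider must be configured with storage_use_azuread = true or azurerm_storage_container will fail on data-plane calls, and the terraform backend block needs use_azuread_auth = true with the runner's identity holding Storage Blob Data Contributor. And with public access closed, a hosted CI agent outside the VNet can no longer read state at all; that is the point, but plan the private endpoint or the runner's subnet before applying.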
Check: CKV2_AZURE_31: "Ensure VNET subnet is configured with a Network Security Group (NSG)"
FAILED for resource: azurerm_subnet.subnet
File: /infra/modules/providers/azure/network/main.tf:17-34
17 | resource "azurerm_subnet" "subnet" {
18 | count = length(var.subnets)
19 | name = var.subnets[count.index].name
20 | resource_group_name = data.azurerm_resource_group.vnet.name
21 | address_prefix = var.subnets[count.index].address_prefix
22 | virtual_network_name = var.vnet_name
23 | service_endpoints = var.subnets[count.index].service_endpoints
24 |
25 | delegation {
26 | name = var.subnets[count.index].delegation.name
27 | service_delegation {
28 | name = var.subnets[count.index].delegation.service_delegation.name
29 | actions = var.subnets[count.index].delegation.service_delegation.actions
30 | }
31 | }
32 |
33 | depends_on = [azurerm_virtual_network.vnet]
34 | }
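CKV2_AZURE_31 is a graph check: it passes only when an azurerm_subnet_network_security_group_association links the subnet to an NSG, not when an NSG merely exists. Below is an added example, not microsoft/cobalt code, that keeps the module's subnets variable and adds the NSG and association per subnet; it assumes azurerm 3.x, and the rule set is an assumption for an App Service integration subnet, not the project's network policy.

```hcl
# Added example (not from microsoft/cobalt). Assumes azurerm 3.x. The rule
# set is illustrative: intra-VNet inbound only, explicit deny for the rest.
resource "azurerm_network_security_group" "subnet" {
  count               = length(var.subnets)
  name                = "${var.subnets[count.index].name}-nsg"
  location            = data.azurerm_resource_group.vnet.location
  resource_group_name = data.azurerm_resource_group.vnet.name

  security_rule {
    name                       = "allow-vnet-inbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "VirtualNetwork"
  }

  # Explicit deny below the platform default rules so that a later
  # "AllowAzureLoadBalancer"-style addition is a conscious, reviewed change.
  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet" "subnet" {
  count                = length(var.subnets)
  name                 = var.subnets[count.index].name
  resource_group_name  = data.azurerm_resource_group.vnet.name
  virtual_network_name = azurerm_virtual_network.vnet.name # implies the depends_on
  address_prefixes     = [var.subnets[count.index].address_prefix]
  service_endpoints    = var.subnets[count.index].service_endpoints

  delegation {
    name = var.subnets[count.index].delegation.name
    service_delegation {
      name    = var.subnets[count.index].delegation.service_delegation.name
      actions = var.subnets[count.index].delegation.service_delegation.actions
    }
  }
}

# The association is what the check looks for.
resource "azurerm_subnet_network_security_group_association" "subnet" {
  count                     = length(var.subnets)
  subnet_id                 = azurerm_subnet.subnet[count.index].id
  network_security_group_id = azurerm_network_security_group.subnet[count.index].id
}
```

address_prefix (singular) in the original is deprecated in favour of address_prefixes; the list form above is a drop-in change for a single prefix.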
Check: CKV2_AZURE_32: "Ensure private endpoint is configured to key vault"
FAILED for resource: module.keyvault.azurerm_key_vault.keyvault
File: /infra/modules/providers/azure/keyvault/main.tf:15-36
15 | resource "azurerm_key_vault" "keyvault" {
16 | name = var.keyvault_name
17 | location = data.azurerm_resource_group.kv.location
18 | resource_group_name = data.azurerm_resource_group.kv.name
19 | tenant_id = data.azurerm_client_config.current.tenant_id
20 |
21 | sku_name = var.keyvault_sku
22 |
23 | # This block configures VNET integration if a subnet whitelist is specified
24 | dynamic "network_acls" {
25 | # this block allows the loop to run 1 or 0 times based on if the resource ip whitelist or subnet id whitelist is provided.
26 | for_each = length(concat(var.resource_ip_whitelist, var.subnet_id_whitelist)) == 0 ? [] : [""]
27 | content {
28 | bypass = "None"
29 | default_action = "Deny"
30 | virtual_network_subnet_ids = var.subnet_id_whitelist
31 | ip_rules = var.resource_ip_whitelist
32 | }
33 | }
34 |
35 | tags = var.resource_tags
36 | }
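CKV2_AZURE_32 (key vault) and CKV2_AZURE_33 (the three storage accounts flagged earlier) both want an azurerm_private_endpoint whose private_connection_resource_id points at the resource. One added example serves both, written as a map so further services can be added as entries; it is not microsoft/cobalt code, assumes azurerm 3.x, and uses hypothetical inputs pe_subnet_id, vnet_id and state_storage_account_id.

```hcl
# Added example (not from microsoft/cobalt). Assumes azurerm 3.x. The three
# variables are hypothetical; the key vault is the module's own resource.
variable "pe_subnet_id" { type = string }
variable "vnet_id" { type = string }
variable "state_storage_account_id" { type = string }

locals {
  # Subresource name and privatelink zone are fixed per service type;
  # getting either wrong yields an endpoint that resolves but never connects.
  private_endpoints = {
    keyvault = {
      resource_id = azurerm_key_vault.keyvault.id
      subresource = "vault"
      dns_zone    = "privatelink.vaultcore.azure.net"
    }
    tfstate = {
      resource_id = var.state_storage_account_id
      subresource = "blob"
      dns_zone    = "privatelink.blob.core.windows.net"
    }
  }
}

resource "azurerm_private_dns_zone" "pe" {
  for_each            = local.private_endpoints
  name                = each.value.dns_zone
  resource_group_name = data.azurerm_resource_group.kv.name
}

# Without the VNet link, clients still resolve the public IP and are then
# refused by the firewall; the endpoint alone does not change routing.
resource "azurerm_private_dns_zone_virtual_network_link" "pe" {
  for_each              = local.private_endpoints
  name                  = "${each.key}-link"
  resource_group_name   = data.azurerm_resource_group.kv.name
  private_dns_zone_name = azurerm_private_dns_zone.pe[each.key].name
  virtual_network_id    = var.vnet_id
}

resource "azurerm_private_endpoint" "pe" {
  for_each            = local.private_endpoints
  name                = "${each.key}-pe"
  location            = data.azurerm_resource_group.kv.location
  resource_group_name = data.azurerm_resource_group.kv.name
  subnet_id           = var.pe_subnet_id

  private_service_connection {
    name                           = "${each.key}-psc"
    private_connection_resource_id = each.value.resource_id
    subresource_names              = [each.value.subresource]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.pe[each.key].id]
  }
}
```

Note on the vault's existing network_acls: bypass = "None" with default_action = "Deny" also shuts out trusted Azure services (for example an ARM deployment that references a secret). With a private endpoint in place, the usual pairing is public_network_access_enabled = false on the vault and bypass = "AzureServices" only if such a dependency exists.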
Check: CKV2_ADO_1: "Ensure at least two approving reviews for PRs"
FAILED for resource: azuredevops_git_repository.repo
File: /infra/templates/ado-bootstrap-iac-pipeline/azdo.tf:95-101
95 | resource "azuredevops_git_repository" "repo" {
96 | project_id = local.project_id
97 | name = "Infrastructure Repository"
98 | initialization {
99 | init_type = "Clean"
100 | }
101 | }
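CKV2_ADO_1 is satisfied by a branch policy, not by anything on the repository resource itself. The following is an added example, not microsoft/cobalt code, using the microsoft/azuredevops provider and the template's own local.project_id; the reviewer settings beyond the count of two are assumptions about sensible defaults.

```hcl
# Added example (not from microsoft/cobalt). Assumes the microsoft/azuredevops
# provider; local.project_id is the template's existing local.
resource "azuredevops_git_repository" "repo" {
  project_id = local.project_id
  name       = "Infrastructure Repository"
  initialization {
    init_type = "Clean"
  }
}

# CKV2_ADO_1: two approvals before merge to the default branch. blocking =
# true makes the policy enforced rather than advisory.
resource "azuredevops_branch_policy_min_reviewers" "repo" {
  project_id = local.project_id
  enabled    = true
  blocking   = true

  settings {
    reviewer_count               = 2
    submitter_can_vote           = false # the author is not one of the two
    last_pusher_cannot_approve   = true  # pushing a commit does not let you self-approve
    on_push_reset_approved_votes = true  # new commits invalidate earlier approvals

    scope {
      repository_id  = azuredevops_git_repository.repo.id
      repository_ref = azuredevops_git_repository.repo.default_branch
      match_type     = "Exact"
    }
  }
}
```

For an infrastructure repository the reset-on-push setting matters as much as the count: without it, two approvals on a harmless change carry over to whatever is pushed afterwards.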
arm scan results:
Passed checks: 0, Failed checks: 6, Skipped checks: 0
Check: CKV_AZURE_80: "Ensure that 'Net Framework' version is the latest, if used as a part of the web app"
FAILED for resource: Microsoft.Web/sites/config.[concat(parameters('service_name'),'/web')]
File: /infra/modules/providers/azure/app-service/azuredeploy.json:19-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app.html
19 | {
20 | "name": "[concat(parameters('service_name'),'/web')]",
21 | "type": "Microsoft.Web/sites/config",
22 | "apiVersion": "2018-02-01",
23 | "properties": {
24 | "ipSecurityRestrictions": [
25 | {
26 | "vnetSubnetResourceId": "[parameters('vnet_subnet_id')]",
27 | "action": "Allow",
28 | "tag": "Default",
29 | "priority": 1,
30 | "name": "[parameters('access_restriction_name')]",
31 | "access_restriction_description": "[parameters('access_restriction_description')]"
32 | }
33 | ]
34 | }
35 | }
Check: CKV_AZURE_63: "Ensure that App service enables HTTP logging"
FAILED for resource: Microsoft.Web/sites/config.[concat(parameters('service_name'),'/web')]
File: /infra/modules/providers/azure/app-service/azuredeploy.json:19-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging.html
19 | {
20 | "name": "[concat(parameters('service_name'),'/web')]",
21 | "type": "Microsoft.Web/sites/config",
22 | "apiVersion": "2018-02-01",
23 | "properties": {
24 | "ipSecurityRestrictions": [
25 | {
26 | "vnetSubnetResourceId": "[parameters('vnet_subnet_id')]",
27 | "action": "Allow",
28 | "tag": "Default",
29 | "priority": 1,
30 | "name": "[parameters('access_restriction_name')]",
31 | "access_restriction_description": "[parameters('access_restriction_description')]"
32 | }
33 | ]
34 | }
35 | }
Check: CKV_AZURE_66: "Ensure that App service enables failed request tracing"
FAILED for resource: Microsoft.Web/sites/config.[concat(parameters('service_name'),'/web')]
File: /infra/modules/providers/azure/app-service/azuredeploy.json:19-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing.html
19 | {
20 | "name": "[concat(parameters('service_name'),'/web')]",
21 | "type": "Microsoft.Web/sites/config",
22 | "apiVersion": "2018-02-01",
23 | "properties": {
24 | "ipSecurityRestrictions": [
25 | {
26 | "vnetSubnetResourceId": "[parameters('vnet_subnet_id')]",
27 | "action": "Allow",
28 | "tag": "Default",
29 | "priority": 1,
30 | "name": "[parameters('access_restriction_name')]",
31 | "access_restriction_description": "[parameters('access_restriction_description')]"
32 | }
33 | ]
34 | }
35 | }
Check: CKV_AZURE_88: "Ensure that app services use Azure Files"
FAILED for resource: Microsoft.Web/sites/config.[concat(parameters('service_name'),'/web')]
File: /infra/modules/providers/azure/app-service/azuredeploy.json:19-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files.html
19 | {
20 | "name": "[concat(parameters('service_name'),'/web')]",
21 | "type": "Microsoft.Web/sites/config",
22 | "apiVersion": "2018-02-01",
23 | "properties": {
24 | "ipSecurityRestrictions": [
25 | {
26 | "vnetSubnetResourceId": "[parameters('vnet_subnet_id')]",
27 | "action": "Allow",
28 | "tag": "Default",
29 | "priority": 1,
30 | "name": "[parameters('access_restriction_name')]",
31 | "access_restriction_description": "[parameters('access_restriction_description')]"
32 | }
33 | ]
34 | }
35 | }
Check: CKV_AZURE_13: "Ensure App Service Authentication is set on Azure App Service"
FAILED for resource: Microsoft.Web/sites/config.[concat(parameters('service_name'),'/web')]
File: /infra/modules/providers/azure/app-service/azuredeploy.json:19-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-general-policies/bc-azr-general-2.html
19 | {
20 | "name": "[concat(parameters('service_name'),'/web')]",
21 | "type": "Microsoft.Web/sites/config",
22 | "apiVersion": "2018-02-01",
23 | "properties": {
24 | "ipSecurityRestrictions": [
25 | {
26 | "vnetSubnetResourceId": "[parameters('vnet_subnet_id')]",
27 | "action": "Allow",
28 | "tag": "Default",
29 | "priority": 1,
30 | "name": "[parameters('access_restriction_name')]",
31 | "access_restriction_description": "[parameters('access_restriction_description')]"
32 | }
33 | ]
34 | }
35 | }
Check: CKV_AZURE_65: "Ensure that App service enables detailed error messages"
FAILED for resource: Microsoft.Web/sites/config.[concat(parameters('service_name'),'/web')]
File: /infra/modules/providers/azure/app-service/azuredeploy.json:19-35
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages.html
19 | {
20 | "name": "[concat(parameters('service_name'),'/web')]",
21 | "type": "Microsoft.Web/sites/config",
22 | "apiVersion": "2018-02-01",
23 | "properties": {
24 | "ipSecurityRestrictions": [
25 | {
26 | "vnetSubnetResourceId": "[parameters('vnet_subnet_id')]",
27 | "action": "Allow",
28 | "tag": "Default",
29 | "priority": 1,
30 | "name": "[parameters('access_restriction_name')]",
31 | "access_restriction_description": "[parameters('access_restriction_description')]"
32 | }
33 | ]
34 | }
35 | }
dockerfile scan results:
Passed checks: 356, Failed checks: 14, Skipped checks: 0
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /devops/providers/gitlab/templates/Dockerfile.sample.
File: /devops/providers/gitlab/templates/Dockerfile.sample:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM hashicorp/terraform:0.12.29
2 |
3 | # Add common dependencies
4 | RUN apk update && \
5 | apk add openssl curl tar gzip bash ca-certificates coreutils
6 |
7 | # Add Azure CLI
8 | RUN \
9 | apk add py3-pip && \
10 | apk add --virtual=build gcc libffi-dev musl-dev openssl-dev python3-dev make && \
11 | pip3 --no-cache-dir install -U pip && \
12 | pip3 --no-cache-dir install azure-cli && \
13 | apk del --purge build
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /devops/providers/gitlab/templates/Dockerfile.sample.
File: /devops/providers/gitlab/templates/Dockerfile.sample:1-13
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM hashicorp/terraform:0.12.29
2 |
3 | # Add common dependencies
4 | RUN apk update && \
5 | apk add openssl curl tar gzip bash ca-certificates coreutils
6 |
7 | # Add Azure CLI
8 | RUN \
9 | apk add py3-pip && \
10 | apk add --virtual=build gcc libffi-dev musl-dev openssl-dev python3-dev make && \
11 | pip3 --no-cache-dir install -U pip && \
12 | pip3 --no-cache-dir install azure-cli && \
13 | apk del --purge build
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /devops/Build-Img/Dockerfile.
File: /devops/Build-Img/Dockerfile:1-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM ubuntu:16.04
2 |
3 | ENV GOLANG_VERSION 1.12.5
4 | ENV TERRAFORM_VERSION 0.12.4
5 |
6 | RUN apt-get update && \
7 | apt-get install -y --no-install-recommends \
8 | apt-transport-https \
9 | ca-certificates \
10 | gnupg-agent \
11 | software-properties-common \
12 | unzip \
13 | curl \
14 | jq \
15 | git \
16 | iputils-ping \
17 | libcurl3 \
18 | libicu55 \
19 | libunwind8 \
20 | netcat && \
21 | curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
22 | unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
23 | mv terraform /usr/bin && \
24 | rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
25 | curl -sSL https://storage.googleapis.com/golang/go$GOLANG_VERSION.linux-amd64.tar.gz | \
26 | tar -v -C /usr/local -xz && \
27 | mkdir -p /go/src /go/bin && chmod -R 777 /go && \
28 | curl -sL https://aka.ms/InstallAzureCLIDeb | bash
29 |
30 | ENV PATH /usr/local/go/bin:$PATH
31 | ENV GOROOT /usr/local/go
32 | ENV GOPATH /go
33 | ENV PATH /go/bin:$PATH
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /devops/Build-Img/Dockerfile.
File: /devops/Build-Img/Dockerfile:1-33
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM ubuntu:16.04
2 |
3 | ENV GOLANG_VERSION 1.12.5
4 | ENV TERRAFORM_VERSION 0.12.4
5 |
6 | RUN apt-get update && \
7 | apt-get install -y --no-install-recommends \
8 | apt-transport-https \
9 | ca-certificates \
10 | gnupg-agent \
11 | software-properties-common \
12 | unzip \
13 | curl \
14 | jq \
15 | git \
16 | iputils-ping \
17 | libcurl3 \
18 | libicu55 \
19 | libunwind8 \
20 | netcat && \
21 | curl https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
22 | unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
23 | mv terraform /usr/bin && \
24 | rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip && \
25 | curl -sSL https://storage.googleapis.com/golang/go$GOLANG_VERSION.linux-amd64.tar.gz | \
26 | tar -v -C /usr/local -xz && \
27 | mkdir -p /go/src /go/bin && chmod -R 777 /go && \
28 | curl -sL https://aka.ms/InstallAzureCLIDeb | bash
29 |
30 | ENV PATH /usr/local/go/bin:$PATH
31 | ENV GOROOT /usr/local/go
32 | ENV GOPATH /go
33 | ENV PATH /go/bin:$PATH
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /devops/providers/azure-devops/build-agent/Dockerfile.
File: /devops/providers/azure-devops/build-agent/Dockerfile:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | FROM ubuntu:16.04
2 |
3 | # To make it easier for build and release pipelines to run apt-get,
4 | # configure apt to not require confirmation (assume the -y argument by default)
5 | ENV DEBIAN_FRONTEND=noninteractive
6 | RUN echo "APT::Get::Assume-Yes \"true\";" > /etc/apt/apt.conf.d/90assumeyes
7 |
8 | RUN apt-get update \
9 | && apt-get install -y --no-install-recommends \
10 | apt-transport-https \
11 | ca-certificates \
12 | gnupg-agent \
13 | software-properties-common \
14 | curl \
15 | jq \
16 | git \
17 | iputils-ping \
18 | libcurl3 \
19 | libicu55 \
20 | libunwind8 \
21 | netcat && \
22 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
23 | add-apt-repository \
24 | "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable" && \
25 | apt-get update && \
26 | apt-get install -y docker-ce docker-ce-cli containerd.io && \
27 | usermod -aG docker $(whoami)
28 |
29 | WORKDIR /azp
30 |
31 | COPY ./start.sh .
32 | RUN chmod +x start.sh
33 |
34 | CMD ["./start.sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /devops/providers/azure-devops/build-agent/Dockerfile.
File: /devops/providers/azure-devops/build-agent/Dockerfile:1-34
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | FROM ubuntu:16.04
2 |
3 | # To make it easier for build and release pipelines to run apt-get,
4 | # configure apt to not require confirmation (assume the -y argument by default)
5 | ENV DEBIAN_FRONTEND=noninteractive
6 | RUN echo "APT::Get::Assume-Yes \"true\";" > /etc/apt/apt.conf.d/90assumeyes
7 |
8 | RUN apt-get update \
9 | && apt-get install -y --no-install-recommends \
10 | apt-transport-https \
11 | ca-certificates \
12 | gnupg-agent \
13 | software-properties-common \
14 | curl \
15 | jq \
16 | git \
17 | iputils-ping \
18 | libcurl3 \
19 | libicu55 \
20 | libunwind8 \
21 | netcat && \
22 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
23 | add-apt-repository \
24 | "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable" && \
25 | apt-get update && \
26 | apt-get install -y docker-ce docker-ce-cli containerd.io && \
27 | usermod -aG docker $(whoami)
28 |
29 | WORKDIR /azp
30 |
31 | COPY ./start.sh .
32 | RUN chmod +x start.sh
33 |
34 | CMD ["./start.sh"]
Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
FAILED for resource: /test-harness/docker/base-images/Dockerfile.ADD
File: /test-harness/docker/base-images/Dockerfile:47-47
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
47 | ADD go.mod go.sum ./
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /test-harness/docker/base-images/Dockerfile.
File: /test-harness/docker/base-images/Dockerfile:1-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /test-harness/docker/base-images/Dockerfile.
File: /test-harness/docker/base-images/Dockerfile:1-50
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
FAILED for resource: /test-harness/Dockerfile.ADD
File: /test-harness/Dockerfile:8-8
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
8 | ADD $build_directory *.go ./
Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
FAILED for resource: /test-harness/Dockerfile.ADD
File: /test-harness/Dockerfile:12-12
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
12 | ADD test-harness/ ./test-harness
Check: CKV_DOCKER_7: "Ensure the base image uses a non latest version tag"
FAILED for resource: /test-harness/Dockerfile.FROM
File: /test-harness/Dockerfile:3-3
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-the-base-image-uses-a-non-latest-version-tag.html
3 | FROM $base_image
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED for resource: /test-harness/Dockerfile.
File: /test-harness/Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
1 | ARG base_image
2 |
3 | FROM $base_image
4 |
5 | ARG build_directory
6 | RUN echo "INFO: copying $build_directory"
7 | # Copy the recently modified terraform templates
8 | ADD $build_directory *.go ./
9 | RUN find ./ -type f -iname "*.sh" -exec chmod +x {} \;
10 |
11 | RUN echo "INFO: copying test-harness"
12 | ADD test-harness/ ./test-harness
13 |
14 | # Run a fresh clean/format/test run
15 | CMD ["go", "run", "magefile.go"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
FAILED for resource: /test-harness/Dockerfile.
File: /test-harness/Dockerfile:1-15
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
1 | ARG base_image
2 |
3 | FROM $base_image
4 |
5 | ARG build_directory
6 | RUN echo "INFO: copying $build_directory"
7 | # Copy the recently modified terraform templates
8 | ADD $build_directory *.go ./
9 | RUN find ./ -type f -iname "*.sh" -exec chmod +x {} \;
10 |
11 | RUN echo "INFO: copying test-harness"
12 | ADD test-harness/ ./test-harness
13 |
14 | # Run a fresh clean/format/test run
15 | CMD ["go", "run", "magefile.go"]
Linting
This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CICD tool configuration files in the repository.
There is an opportunity to:
- Remediate the findings identified by one of the recommended Terraform linting tools