Closed Acenl12 closed 1 year ago
@jtracey93
Thanks @acenl12,
From reviewing these scan results (by the way, we do our own also in PR reviews via GH actions), these are not taking into account the things we set via policy. This is an issue with static code analysis; it is not aware of how it will actually be once deployed. So a lot of these are false positives.
The AzOps related templates were removed this week in #1310 and I am removing the stuff in the workloads folder now.
Thanks for raising but all good here, do not fear :)
I have scanned the entire Enterprise Scale repo with checkov, an ARM template scanner, and found some issues. Please take a look and fix as required.
Check: CKV_AZURE_20: "Ensure that security contact 'Phone number' is set" FAILED for resource: Microsoft.Security/securityContacts.default File: /docs/reference/treyresearch/armTemplates/auxiliary/subscriptioSecurityConfig.json:434-452 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_3
Check: CKV_AZURE_21: "Ensure that 'Send email notification for high severity alerts' is set to 'On'" FAILED for resource: Microsoft.Security/securityContacts.default File: /docs/reference/treyresearch/armTemplates/auxiliary/subscriptioSecurityConfig.json:434-452 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_4
Check: CKV_AZURE_22: "Ensure that 'Send email notification for high severity alerts' is set to 'On'" FAILED for resource: Microsoft.Security/securityContacts.default File: /docs/reference/treyresearch/armTemplates/auxiliary/subscriptioSecurityConfig.json:434-452 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_5
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets" FAILED for resource: Microsoft.KeyVault/vaults/secrets.[concat(variables('keyVaultName'), '/', variables('patSecretName'))] File: /eslzArm/resourceGroupTemplates/azOpsArm.json:71-82 Guide: https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets
Check: CKV_AZURE_41: "Ensure that the expiration date is set on all secrets" FAILED for resource: Microsoft.KeyVault/vaults/secrets.[concat(variables('keyVaultName'), '/', variables('spnSecretName'))] File: /eslzArm/resourceGroupTemplates/azOpsArm.json:83-94 Guide: https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets
Check: CKV_AZURE_8: "Ensure Kubernetes Dashboard is disabled" FAILED for resource: Microsoft.ContainerService/managedClusters.[parameters('resourceName')] File: /workloads/AKS/armTemplates/online-aks.json:100-159 Guide: https://docs.bridgecrew.io/docs/bc_azr_kubernetes_5
Check: CKV_AZURE_4: "Ensure AKS logging to Azure Monitoring is Configured" FAILED for resource: Microsoft.ContainerService/managedClusters.[parameters('resourceName')] File: /workloads/AKS/armTemplates/online-aks.json:100-159 Guide: https://docs.bridgecrew.io/docs/bc_azr_kubernetes_1
Check: CKV_AZURE_7: "Ensure AKS cluster has Network Policy configured" FAILED for resource: Microsoft.ContainerService/managedClusters.[parameters('resourceName')] File: /workloads/AKS/armTemplates/online-aks.json:100-159 Guide: https://docs.bridgecrew.io/docs/bc_azr_kubernetes_4
Check: CKV_AZURE_6: "Ensure AKS has an API Server Authorized IP Ranges enabled" FAILED for resource: Microsoft.ContainerService/managedClusters.[parameters('resourceName')] File: /workloads/AKS/armTemplates/online-aks.json:100-159 Guide: https://docs.bridgecrew.io/docs/bc_azr_kubernetes_3
Check: CKV_AZURE_42: "Ensure the key vault is recoverable" FAILED for resource: Microsoft.KeyVault/vaults.[concat('keyvault-', uniqueString(resourceGroup().id))] File: /workloads/keyvault/azkeyvault.json:140-199 Guide: https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable
Check: CKV_AZURE_20: "Ensure that security contact 'Phone number' is set" FAILED for resource: Microsoft.Security/securityContacts.default File: /eslzArm/subscriptionTemplates/ascConfiguration.json:432-450 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_3
Check: CKV_AZURE_21: "Ensure that 'Send email notification for high severity alerts' is set to 'On'" FAILED for resource: Microsoft.Security/securityContacts.default File: /eslzArm/subscriptionTemplates/ascConfiguration.json:432-450 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_4
Check: CKV_AZURE_22: "Ensure that 'Send email notification for high severity alerts' is set to 'On'" FAILED for resource: Microsoft.Security/securityContacts.default File: /eslzArm/subscriptionTemplates/ascConfiguration.json:432-450 Guide: https://docs.bridgecrew.io/docs/bc_azr_general_5