Azure / template-analyzer

Template scanner for security misconfiguration and best practices
MIT License

[FEATURE REQ] AZR-000302 #364

Open skynetsysadmin opened 4 months ago

skynetsysadmin commented 4 months ago

Please describe the feature or suggestion.

When the WAF mode in Bicep or the ARM template uses a conditional statement, it's flagged as an error. Here is an example: in the development environment we set the mode to Detection, but in all other environments we set it to Prevention.

"mode": "[if(equals(toLower(parameters('environment')), 'dev'), 'Detection', 'Prevention')]"

But the TemplateAnalyzer tool flags it as an error since it's not a fixed value of 'Prevention'. AZR-000302: Azure.AppGwWAF.PreventionMode.

Alternatively, if there was a way to ignore the rule, I suppose that would be a stopgap.

Thanks

Additional context

No response

VeraBE commented 4 months ago

Is this rule also flagging your template if you specify the parameters file that has the environment variable not set to dev? I believe TemplateAnalyzer should resolve the if properly.

skynetsysadmin commented 3 months ago

We are using the Microsoft Security DevOps extension to run the TemplateAnalyzer tool. I'll need to research how to invoke the '-p' option via that extension. Thanks for the tip!
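Added illustration (not code from the template-analyzer project or from the people in this thread): a minimal evaluator for the subset of ARM template expression functions used in the issue (parameters, toLower, equals, if), run over the mode expression quoted above with a dev parameters file, a prod parameters file, and no parameters file at all. It shows why a scanner that resolves the expression reports AZR-000302 only when the supplied parameters select 'Detection', and that without a parameters file the outcome depends entirely on the parameter's defaultValue (or cannot be resolved when there is none). The template fragment, the parameter files, the resource type and the properties.policySettings.mode placement are constructed assumptions, as is the CLI form in the comment; they are not taken from the issue author's template.

```python
"""Resolve a conditional WAF mode expression under different parameter files.

Constructed example, not TemplateAnalyzer's own code. Supports only the ARM
expression functions the issue's expression needs: parameters(), toLower(),
equals(), if(). Parameter values resolve the way a scanner given a parameters
file (the `-p` option mentioned in the thread) would: supplied value first,
then the template's defaultValue.

Assumed CLI form (check against your installed TemplateAnalyzer version):
    TemplateAnalyzer analyze-template ./template.json -p ./prod.parameters.json
"""
import re

WAF_POLICY_TYPE = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"

# Constructed template fragment: the mode expression quoted in the issue. Placing
# it under properties.policySettings.mode of a WAF policy resource is an assumption.
TEMPLATE = {
    "parameters": {"environment": {"type": "string", "defaultValue": "prod"}},
    "resources": [
        {
            "type": WAF_POLICY_TYPE,
            "name": "wafpolicy",
            "properties": {
                "policySettings": {
                    "mode": "[if(equals(toLower(parameters('environment')), 'dev'), 'Detection', 'Prevention')]"
                }
            },
        }
    ],
}

# Constructed parameter files (the "parameters" section of an ARM parameters file).
DEV_PARAMS = {"environment": {"value": "Dev"}}
PROD_PARAMS = {"environment": {"value": "prod"}}

# identifier | 'string' (single quotes doubled to escape) | ( ) ,
_TOKEN = re.compile(r"\s*(?:(\w+)|'((?:[^']|'')*)'|([(),]))")


class UnresolvedParameter(Exception):
    """A parameter has neither a supplied value nor a defaultValue."""


def tokenize(expr):
    """Split an expression body into (kind, text) tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {expr[pos:]!r}")
        ident, string, punct = m.groups()
        if ident is not None:
            tokens.append(("ident", ident))
        elif string is not None:
            tokens.append(("str", string.replace("''", "'")))
        else:
            tokens.append(("punct", punct))
        pos = m.end()
    return tokens


def parse(tokens, pos=0):
    """Recursive descent: node := ident '(' node (',' node)* ')' | str. Returns (node, next_pos)."""
    kind, text = tokens[pos]
    if kind == "str":
        return ("str", text), pos + 1
    if kind != "ident" or tokens[pos + 1] != ("punct", "("):
        raise ValueError(f"expected a function call at token {pos}")
    args, pos = [], pos + 2
    while tokens[pos] != ("punct", ")"):
        node, pos = parse(tokens, pos)
        args.append(node)
        if tokens[pos] == ("punct", ","):
            pos += 1
    return ("call", text.lower(), args), pos + 1


def evaluate(node, template, params):
    """Evaluate a parsed node against the template's parameter declarations and supplied values."""
    if node[0] == "str":
        return node[1]
    _, name, args = node
    if name == "parameters":
        pname = evaluate(args[0], template, params)
        if pname in params:
            return params[pname]["value"]
        decl = template["parameters"].get(pname, {})
        if "defaultValue" in decl:
            return decl["defaultValue"]
        raise UnresolvedParameter(pname)
    vals = [evaluate(a, template, params) for a in args]
    if name == "tolower":
        return vals[0].lower()
    if name == "equals":
        return vals[0] == vals[1]
    if name == "if":
        return vals[1] if vals[0] else vals[2]
    raise ValueError(f"unsupported function {name}")


def resolve(value, template, params):
    """'[...]' strings are expressions; anything else is a literal property value."""
    if isinstance(value, str) and value.startswith("[") and value.endswith("]"):
        return evaluate(parse(tokenize(value[1:-1]))[0], template, params)
    return value


def check_prevention_mode(template, params=None):
    """Resolve every WAF policy's mode. Returns {resource name: mode}; see passes()."""
    params = params or {}
    return {
        res["name"]: resolve(res["properties"]["policySettings"]["mode"], template, params)
        for res in template["resources"]
        if res["type"] == WAF_POLICY_TYPE
    }


def passes(modes):
    """Azure.AppGwWAF.PreventionMode passes only when every resolved mode is 'Prevention'."""
    return all(m == "Prevention" for m in modes.values())


if __name__ == "__main__":
    for label, p in [("dev parameters file", DEV_PARAMS), ("prod parameters file", PROD_PARAMS),
                     ("no parameters file (defaultValue)", None)]:
        modes = check_prevention_mode(TEMPLATE, p)
        print(f"{label}: {modes} -> {'pass' if passes(modes) else 'FAIL AZR-000302'}")
    # Without a defaultValue, the expression cannot be resolved unless a parameters file is supplied.
    no_default = {**TEMPLATE, "parameters": {"environment": {"type": "string"}}}
    try:
        check_prevention_mode(no_default)
    except UnresolvedParameter as e:
        print(f"no parameters file and no defaultValue: parameter {e} unresolved")
```

The practical consequence for a pipeline: run the scan once per environment with that environment's parameters file, or make sure the parameter's defaultValue is the production-safe value, so that an unparameterised scan resolves to 'Prevention' rather than 'Detection'.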