Open ankrause opened 5 years ago
This is also an issue for SVTs which say
2019-08-20T22:11:57.4161566Z ##[error]Security report not generated for provided resource details. Please check if task configurations are correct.
2019-08-20T22:11:57.4405736Z Cleaning logs from temp directory...
2019-08-20T22:11:57.5460430Z ##[error]Unable to perform security scan. Please check task configurations/variables.
My variables are correct, it's just that the target RG doesn't have a combination of resources vs controls that can be evaluated, resulting in 0 evaluations.
This error makes it difficult to enforce the usage of the task and prevent future non-compliance.
This issue affects our team as well, and it is a little disappointing that this issue has got no feedback since being opened. We have the same issue in that we don't wish to disable the secure check or treat the errors as warnings, in case future additions to the security checks are ignored because they would show up as errors on a pipeline that always errors.
You can use and set the variable FailTaskIfNoControlsScanned to 'false' for the task to not fail even if no controls were scanned. Please refer to https://github.com/azsk/DevOpsKit-docs/blob/master/03-Security-In-CICD/Readme.md#advanced-cicd-scanning-capabilities-1 for more details.
@ganesh-msft Hi, the description of this control variable is:
"This variable is to control the behavior of the SVT extension in case of no controls scanned. For e.g., using this, one may choose to pass the task if it is configured to scan only 'High' severity control but there are no resources for which 'High' severity controls are applicable."
This issue is in regards to the ARM template security status functionality of AzSK and not SVTs. I also tested the AzSKARMTemplateChecker@4 task in a pipeline and set the pipeline variable 'FailTaskIfNoControlsScanned':'false', and the task still failed on a template without any controls scanned.
Hi @aholler2, thanks for the details. We are able to repro it; we'll fix it in an upcoming release.
Hi Team, facing this issue with multiple resource types. Any workarounds or expected release date of the fix?
Has this been addressed?
Has this issue been fixed in a release?
Title
ARM Template Checker considers "no controls" as a failure
Description
There are a number of reasons why a template might not have anything that can be evaluated. In these scenarios, the ARM Template Checker task will write an error to output which fails the task unless the task is set to continue even on failure (resulting in partial success instead).
Since these tasks are intended to alert on or block potentially insecure or misconfigured deployments, this is unfortunate. Until one or more evaluatable policies and/or resources are included, the task either needs to be disabled or set to continue anyway, which doesn't protect from future changes.
As a note, the above logs are from a setup that works if I remove -UseBaselineControls. The template and its parameters are valid and controls can be evaluated if they are enabled.
Steps to reproduce
This can be repro'd locally with a simple deployment template:
Get-AzSKARMTemplateSecurityStatus -ARMTemplatePath "SampleDeployment.json"
Expected behavior
In my opinion, the error here should only be written if the task actually fails, policies can't be loaded from the server (e.g. organizational policies), the template/parameters specified are invalid, or any other true error scenario. If there are simply no resources to evaluate, no policies to evaluate, or no policies to evaluate for the specified resources, then the task should be considered a success.
It would also be beneficial if the error were more specific to the scenario encountered.