bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
7.13k stars 1.12k forks

CKV_AZURE_165 is triggered on non-premium ACR #5455

Closed konopkap closed 1 year ago

konopkap commented 1 year ago

Describe the issue CKV_AZURE_165 "Ensure geo-replicated container registries to match multi-region container deployments" is triggered against non-premium registries. It's white noise, as Basic and Standard ACRs do not support geo-replication.

Examples

resource "azurerm_container_registry" "acr" {
  name                = "${local.project_name}reg"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Basic" # Basic tier: geo-replication is not offered on this SKU
  admin_enabled       = true

  tags = local.tags
}

Such ACR should not be marked with CKV_AZURE_165


JamesWoolfenden commented 1 year ago

Exactly, the check is as designed.

konopkap commented 1 year ago

You mean that it is designed to mark a resource which does not support geo-redundancy at all?

JamesWoolfenden commented 1 year ago

It's designed to highlight that the SKU you're using isn't up to it and that Premium should be used so that you can have geo-replication.

gruebel commented 1 year ago

This is correct; sadly, not all security-relevant features are available to all tiers (SKUs). So, if you are ok with it, then just use an inline suppression or skip the check entirely.
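As an added example (not from the issue or from the Checkov project itself), the two ways out of this finding side by side: the Basic-tier registry from the report with a Checkov inline suppression recorded next to the offending attribute, and the Premium-tier alternative that actually satisfies CKV_AZURE_165 by declaring a georeplications block. The resource names, the local values, and the replica region are assumptions for illustration.

```hcl
# Option 1: keep the Basic SKU and document why the finding is accepted.
# Checkov reads "#checkov:skip=<CHECK_ID>:<reason>" comments inside the
# resource block and reports the check as SKIPPED with the reason attached.
resource "azurerm_container_registry" "acr_basic" {
  name                = "${local.project_name}reg" # assumed local
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  #checkov:skip=CKV_AZURE_165:Basic tier cannot be geo-replicated; single-region deployment accepted
  sku                 = "Basic"
  admin_enabled       = false # admin user off; pull/push via Azure AD identities instead

  tags = local.tags
}

# Option 2: move to Premium, which is the only SKU that offers geo-replication,
# and replicate to a second region so CKV_AZURE_165 passes on its own merits.
resource "azurerm_container_registry" "acr_premium" {
  name                = "${local.project_name}regprem" # assumed local
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  sku                 = "Premium"
  admin_enabled       = false

  georeplications {
    location = "northeurope" # assumed replica region; pick one matching your deployments
    tags     = local.tags
  }

  tags = local.tags
}
```

The inline comment keeps the accepted risk next to the configuration that carries it, which is easier to audit later than a global exclusion. If the team decides the check is noise across the whole estate, the equivalent run-wide suppression is `checkov -d . --skip-check CKV_AZURE_165`, or a `skip-check` entry in a `.checkov.yaml` config file.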