bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Azure Web Apps - Ensure SCM minimum TLS version is set to 1.2 #6283

Open tdefise opened 2 months ago

tdefise commented 2 months ago

Describe the issue

It seems that there are no checks in order to ensure that web apps have their SCM minimum TLS version set to 1.2

Examples

resource "azurerm_linux_web_app" "example" {
  name                = "example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_service_plan.example.location
  service_plan_id     = azurerm_service_plan.example.id

  # Empty block: scm_minimum_tls_version is not set, so the provider default applies
  site_config {}
}

Version (please complete the following information):

Additional context

Having SCM set to a minimum TLS version of 1.2 ensures that data-in-transit will be encrypted using a current TLS version, which is less likely to be subject to attack, and is also required by some regulatory requirements. Even if by default it is set to 1.2, it's always good to have a check that ensures that if someone specified the parameter with a version not equal to 1.2, it would be flagged

itariq20 commented 2 months ago

Hi @tdefise, we do have a Policy within Checkov that checks for this: CKV_AZURE_15

Checkov Doc Link: https://www.checkov.io/5.Policy%20Index/terraform.html#:~:text=1217,CKV_AZURE_15

tdefise commented 2 months ago

Hi @itariq20,

CKV_AZURE_15 checks for "minimum_tls_version" cc https://github.com/bridgecrewio/checkov/blob/449df380f076d618b1e404e4a7bddad52131b35c/checkov/terraform/checks/resource/azure/AppServiceMinTLSVersion.py#L18

However, I don't see checks for "scm_minimum_tls_version"
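As an added illustration of the evaluation the issue author asks for (this is example code, not Checkov's own implementation and not part of the thread): a small stand-alone evaluator that applies the "expected value at a key path" logic to resource configurations in the shape Checkov's Terraform parser produces (scalar attribute values wrapped in one-element lists). The key path `site_config/[0]/scm_minimum_tls_version`, the expected value `1.2`, and the decision to treat an absent attribute as PASSED (because, as the issue notes, the provider default is already 1.2) are assumptions chosen to match the issue text; nothing here imports checkov, and the sample configurations are constructed.

```python
"""Added example (not Checkov's code): evaluate an SCM minimum TLS check
over Checkov-style resource configurations.

Assumptions: attribute values are wrapped in one-element lists, as Checkov's
Terraform parser does, and the key path uses the "a/[0]/b" convention.
"""
from __future__ import annotations

from enum import Enum
from typing import Any


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


# Key path and expected value for the check proposed in the issue (assumed).
INSPECTED_KEY = "site_config/[0]/scm_minimum_tls_version"
EXPECTED_VALUE = "1.2"
# The issue states the provider default is 1.2, so an absent attribute passes.
MISSING_BLOCK_RESULT = CheckResult.PASSED


def _walk(conf: dict[str, Any], path: str) -> Any:
    """Follow a "a/[0]/b" path through nested dicts and lists; None if absent."""
    node: Any = conf
    for part in path.split("/"):
        if part.startswith("[") and part.endswith("]"):
            idx = int(part[1:-1])
            if not isinstance(node, list) or idx >= len(node):
                return None
            node = node[idx]
        else:
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
    return node


def resource_value_check(conf: dict[str, Any], inspected_key: str,
                         expected_value: str,
                         missing_block_result: CheckResult) -> CheckResult:
    """Generic "attribute equals expected value" check with a missing-block policy."""
    value = _walk(conf, inspected_key)
    if value is None:
        return missing_block_result
    # Unwrap the single-element list used for scalar attributes.
    if isinstance(value, list):
        if not value:
            return missing_block_result
        value = value[0]
    return CheckResult.PASSED if str(value) == expected_value else CheckResult.FAILED


def check_scm_min_tls(conf: dict[str, Any]) -> CheckResult:
    """The proposed check: SCM minimum TLS version must be 1.2 when set."""
    return resource_value_check(conf, INSPECTED_KEY, EXPECTED_VALUE, MISSING_BLOCK_RESULT)


# Constructed sample configurations in the parser's shape.
EMPTY_SITE_CONFIG = {"name": ["example"], "site_config": [{}]}  # the issue's HCL example
NO_SITE_CONFIG = {"name": ["bare"]}
EXPLICIT_1_0 = {"name": ["legacy"], "site_config": [{"scm_minimum_tls_version": ["1.0"]}]}
EXPLICIT_1_2 = {"name": ["ok"], "site_config": [{"scm_minimum_tls_version": ["1.2"]}]}

if __name__ == "__main__":
    for label, conf in [("empty site_config", EMPTY_SITE_CONFIG),
                        ("no site_config", NO_SITE_CONFIG),
                        ("scm tls 1.0", EXPLICIT_1_0),
                        ("scm tls 1.2", EXPLICIT_1_2)]:
        print(f"{label}: {check_scm_min_tls(conf).value}")
```

Only an explicitly set value other than 1.2 fails; both the empty `site_config {}` from the issue and a resource with no `site_config` block at all pass, which is exactly the "flag it only when someone specifies a weaker version" behaviour the issue asks for.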