bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV2_AZURE_50 is generating false positives #6388

Closed eberkut closed 3 weeks ago

eberkut commented 1 month ago

Describe the issue

CKV2_AZURE_50 (introduced in https://github.com/bridgecrewio/checkov/pull/6368) seems ill-defined. It is throwing failures for storage accounts that have public access disabled and are not tied to any Azure ML workspace. Even if they were, I don't have any Azure ML workspace with the optional high_business_impact argument set, so the description and what it is raising are inconsistent.

Examples

Check: CKV2_AZURE_50: "Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible"
    FAILED for resource: module.unity_catalog_metastore.module.storage_account.azurerm_storage_account.storage
    File: /modules/storage_account/main.tf:1-34

        1  | resource "azurerm_storage_account" "storage" {
        2  |   name                             = var.storage_account_name
        3  |   location                         = var.location
        4  |   account_replication_type         = var.account_replication_type
        5  |   resource_group_name              = var.resource_group_name
        6  |   account_tier                     = var.account_tier
        7  |   account_kind                     = var.account_kind
        8  |   public_network_access_enabled    = false
        9  |   cross_tenant_replication_enabled = false #checkov:skip=CKV_AZURE_206:Replication disabled
        10 |   allow_nested_items_to_be_public  = false # Set the allow_blob_public_access
        11 |   tags                             = var.tags
        12 |   is_hns_enabled                   = var.enable_hns == "true"
        13 |   min_tls_version                  = "TLS1_2"
        14 |   network_rules {
        15 |     default_action = "Deny"
        16 |     bypass         = ["AzureServices"]
        17 |   }
        18 |   blob_properties {
        19 |     change_feed_enabled = var.enable_hns != "true"
        20 |     versioning_enabled  = var.enable_hns != "true"
        21 |     delete_retention_policy {
        22 |       days = var.soft_delete_retention_days
        23 |     }
        24 |     container_delete_retention_policy {
        25 |       days = var.soft_delete_retention_days
        26 |     }
        27 |   }
        28 |   lifecycle {
        29 |     ignore_changes = [
        30 |       blob_properties["cors_rule"],
        31 |       tags
        32 |     ]
        33 |   }
        34 | }
Check: CKV2_AZURE_50: "Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible"
    FAILED for resource: module.tfstates_storage.azurerm_storage_account.tfstates_storage
    File: /modules/domain-prerequisite/modules/tfstates_storage/main.tf:6-36

        6  | resource "azurerm_storage_account" "tfstates_storage" {
        7  |   name                             = local.tfstates_storage_name
        8  |   location                         = var.location
        9  |   account_replication_type         = "GRS"
        10 |   resource_group_name              = var.resource_group_name
        11 |   account_tier                     = "Standard"
        12 |   public_network_access_enabled    = false
        13 |   cross_tenant_replication_enabled = false
        14 |   allow_nested_items_to_be_public  = false # Set the allow_blob_public_access
        15 |   shared_access_key_enabled        = true  # required for container creation
        16 |   min_tls_version                  = "TLS1_2"
        17 |   network_rules {
        18 |     default_action = "Deny"
        19 |     bypass         = ["AzureServices"]
        20 |   }
        21 |   blob_properties {
        22 |     change_feed_enabled = true
        23 |     versioning_enabled  = true
        24 |     delete_retention_policy {
        25 |       days = 365
        26 |     }
        27 |     container_delete_retention_policy {
        28 |       days = 365
        29 |     }
        30 |   }
        31 |   lifecycle {
        32 |     ignore_changes = [
        33 |       tags
        34 |     ]
        35 |   }
        36 | }

Version (please complete the following information):

Additional context

N/A
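To make the reported mismatch concrete, here is an added reference model of what the check's own description says it should enforce. This is illustrative code written for this page, not Checkov's implementation (the real CKV2_AZURE_50 is a YAML graph policy in the Checkov repository and is not reproduced here). It assumes the linkage between a workspace and a storage account is expressed as azurerm_machine_learning_workspace.storage_account_id referencing the account's id, and it treats an account as publicly reachable when public_network_access_enabled is not false and no network_rules block denies by default (the provider default for public_network_access_enabled is true). The resource data is constructed inline and mirrors the two resources from the report (both should pass) plus a genuinely risky one (should fail).

```python
"""Reference model of the policy text of CKV2_AZURE_50 (added example, not Checkov code).

Intended semantics, as described on the check itself: a storage account fails only
when (a) an azurerm_machine_learning_workspace with high_business_impact = true uses
it as its storage account AND (b) the account is publicly accessible.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Resource:
    """Minimal stand-in for a parsed Terraform resource block."""
    rtype: str
    name: str
    attrs: dict = field(default_factory=dict)

    @property
    def address(self) -> str:
        return f"{self.rtype}.{self.name}"


def is_publicly_accessible(sa: Resource) -> bool:
    """Assumption used by this model: public network access on (provider default
    is true) and no network rule that denies by default means 'public'."""
    if sa.attrs.get("public_network_access_enabled", True) is False:
        return False
    rules = sa.attrs.get("network_rules") or {}
    return rules.get("default_action", "Allow") != "Deny"


def linked_hbi_workspaces(sa: Resource, resources: list[Resource]) -> list[Resource]:
    """Workspaces that reference this account via storage_account_id (modelled as the
    string '<address>.id', the usual Terraform reference) and set high_business_impact."""
    ref = f"{sa.address}.id"
    return [
        r for r in resources
        if r.rtype == "azurerm_machine_learning_workspace"
        and r.attrs.get("storage_account_id") == ref
        and r.attrs.get("high_business_impact") is True
    ]


def evaluate_ckv2_azure_50(resources: list[Resource]) -> dict[str, str]:
    """Return {storage_account_address: 'PASSED' | 'FAILED'} for every storage account.

    Accounts with no high-business-impact workspace attached never fail, which is
    exactly the behaviour the two reported resources would need to pass."""
    results: dict[str, str] = {}
    for sa in (r for r in resources if r.rtype == "azurerm_storage_account"):
        exposed = is_publicly_accessible(sa)
        results[sa.address] = "FAILED" if linked_hbi_workspaces(sa, resources) and exposed else "PASSED"
    return results


# Constructed sample: the two private, unattached accounts from the report, one
# genuinely risky HBI account, one private HBI account, one public non-HBI account.
PRIVATE_RULES = {"default_action": "Deny", "bypass": ["AzureServices"]}
SAMPLE_RESOURCES = [
    Resource("azurerm_storage_account", "storage",
             {"public_network_access_enabled": False, "network_rules": PRIVATE_RULES}),
    Resource("azurerm_storage_account", "tfstates_storage",
             {"public_network_access_enabled": False, "network_rules": PRIVATE_RULES}),
    Resource("azurerm_storage_account", "hbi_public", {}),  # provider defaults, public
    Resource("azurerm_machine_learning_workspace", "hbi_ws",
             {"storage_account_id": "azurerm_storage_account.hbi_public.id",
              "high_business_impact": True}),
    Resource("azurerm_storage_account", "hbi_private",
             {"public_network_access_enabled": False}),
    Resource("azurerm_machine_learning_workspace", "hbi_private_ws",
             {"storage_account_id": "azurerm_storage_account.hbi_private.id",
              "high_business_impact": True}),
    Resource("azurerm_storage_account", "plain_public", {}),
    Resource("azurerm_machine_learning_workspace", "plain_ws",
             {"storage_account_id": "azurerm_storage_account.plain_public.id"}),
]


def run_example() -> dict[str, str]:
    """Evaluate the constructed sample set."""
    return evaluate_ckv2_azure_50(SAMPLE_RESOURCES)


if __name__ == "__main__":
    for address, verdict in run_example().items():
        print(f"{verdict:6} {address}")
```

Run stand-alone, only hbi_public is reported, so a check implemented this way would neither flag the two accounts in the issue nor the plain_public account, which carries no high-business-impact data according to its workspace.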

MrTomerLevi commented 4 weeks ago

A PR for this issue has been opened: https://github.com/bridgecrewio/checkov/pull/6391

mariusp12 commented 3 weeks ago

Any idea when this fix will be released?

tberreis commented 3 weeks ago

Any idea when this fix will be released?

It is part of 3.2.128, released yesterday and I can confirm this fixes the issue.

tsmithv11 commented 3 weeks ago

@tberreis glad to hear it!