bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
6.71k stars 1.08k forks

CKV_AZURE_189 is not being marked as passed in Bicep code #6429

Open mmassey1993 opened 2 weeks ago

mmassey1993 commented 2 weeks ago

Describe the issue

The Checkov scan is failing on CKV_AZURE_189 (Ensure public network access for key vault is disabled) even though the correct property is in place.

Examples

```bicep
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
    enablePurgeProtection: true
    enableSoftDelete: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enabledForDeployment: true
    enableRbacAuthorization: true
    publicNetworkAccess: 'Disabled'
  }
}
```

I would expect this to work, as the public network access value is disabled.

Additional context

I had an issue with a different Checkov check, and the issue was because it was not checking for string values of "Enabled" or "Disabled" correctly in Bicep compared to Terraform.

mannycepeda1989 commented 2 weeks ago

Hey @mmassey1993, changing the value from `publicNetworkAccess: 'Disabled'` to lowercase `'disabled'` seems to have fixed this issue for me.

Example of updated code:

```bicep
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
    enablePurgeProtection: true
    enableSoftDelete: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enabledForDeployment: true
    enableRbacAuthorization: true
    publicNetworkAccess: 'disabled'
  }
}
```

This seems to be the format listed in the following documentation: https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?pivots=deployment-language-bicep#resource-format:~:text=RegisteringDns%27%0A%27Succeeded%27-,publicNetworkAccess,the%20firewall%20rules%20are%20present%20we%20will%20not%20honor%20the%20rules.,-string

Other notes: Checkov version 3.2.133

mmassey1993 commented 2 weeks ago

@mannycepeda1989 Thank you, that has worked. However, I use the same `Disabled` value for other things and it works perfectly fine. It would be nice if there was consistency, or if it just used a lower() function to ensure it's always lowercase, if that is what's needed.

mmassey1993 commented 2 weeks ago

The check also fails if the value is a parameter. Even if that parameter is "disabled" by default, it will still fail. Can Checkov evaluate the parameter values?

```bicep
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
@allowed([
  'enabled'
  'disabled'
])
param publicNetworkAccess string = 'disabled'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enableSoftDelete: true
    softDeleteRetentionInDays: softDeleteRetentionInDays
    enableRbacAuthorization: true
    enablePurgeProtection: true
    tenantId: subscription().tenantId
    accessPolicies: formattedAccessPolicies
    sku: {
      name: vaultSku
      family: 'A'
    }
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
    publicNetworkAccess: publicNetworkAccess
  }
}
```
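The two behaviours the thread asks for, a case-insensitive comparison of `publicNetworkAccess` and resolution of a Bicep parameter reference to its declared default, as an added stand-alone example. This is not Checkov's implementation of CKV_AZURE_189 and does not use any Checkov API; it works on hand-built dicts that mirror the resource bodies posted above (`ParamRef`, `BicepParam` and the sample inputs are constructed for this illustration, not taken from the project). The safe default is kept: a missing property, a reference that cannot be resolved, or a parameter with no default fails the check rather than passing silently.

```python
"""Added example (not Checkov's own code): evaluate whether a Key Vault
resource disables public network access, comparing case-insensitively
and resolving a parameter reference to the parameter's default value.
Inputs are constructed dicts; no Bicep parsing happens here."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any


@dataclass(frozen=True)
class ParamRef:
    """An unquoted identifier on the right-hand side, e.g.
    `publicNetworkAccess: publicNetworkAccess` (a reference, not a literal)."""
    name: str


@dataclass
class BicepParam:
    """A `param` declaration: its default and any @allowed([...]) values."""
    default: str | None = None
    allowed: list[str] = field(default_factory=list)


def resolve(value: Any, params: dict[str, BicepParam]) -> str | None:
    """Return the literal string a property value resolves to, or None.

    A plain string is already a literal. A ParamRef resolves to the declared
    parameter's default. An undeclared parameter, a parameter without a
    default, or a non-string value cannot be resolved statically.
    """
    if isinstance(value, str):
        return value
    if isinstance(value, ParamRef):
        decl = params.get(value.name)
        return decl.default if decl is not None else None
    return None


def public_network_access_disabled(resource: dict[str, Any],
                                   params: dict[str, BicepParam] | None = None) -> bool:
    """True only when publicNetworkAccess resolves to 'disabled' in any case.

    Anything the check cannot see (absent property, unresolvable reference,
    parameter with no default) is a failure, so an unknown value never passes.
    """
    params = params or {}
    properties = resource.get("properties") or {}
    if "publicNetworkAccess" not in properties:
        return False
    literal = resolve(properties["publicNetworkAccess"], params)
    if literal is None:
        return False
    return literal.strip().lower() == "disabled"


# Constructed inputs mirroring the three snippets in the thread.
VAULT_TITLE_CASE = {"properties": {"publicNetworkAccess": "Disabled"}}
VAULT_LOWER_CASE = {"properties": {"publicNetworkAccess": "disabled"}}
VAULT_PARAM = {"properties": {"publicNetworkAccess": ParamRef("publicNetworkAccess")}}
PARAMS_WITH_DEFAULT = {
    "publicNetworkAccess": BicepParam(default="disabled", allowed=["enabled", "disabled"]),
}
PARAMS_NO_DEFAULT = {"publicNetworkAccess": BicepParam(allowed=["enabled", "disabled"])}


def evaluate_thread_cases() -> dict[str, bool]:
    """Run the check over the constructed inputs and return each verdict."""
    return {
        "literal 'Disabled'": public_network_access_disabled(VAULT_TITLE_CASE),
        "literal 'disabled'": public_network_access_disabled(VAULT_LOWER_CASE),
        "param, default 'disabled'": public_network_access_disabled(VAULT_PARAM, PARAMS_WITH_DEFAULT),
        "param, no default": public_network_access_disabled(VAULT_PARAM, PARAMS_NO_DEFAULT),
        "param, undeclared": public_network_access_disabled(VAULT_PARAM, {}),
        "literal 'Enabled'": public_network_access_disabled({"properties": {"publicNetworkAccess": "Enabled"}}),
        "property absent": public_network_access_disabled({"properties": {}}),
    }


if __name__ == "__main__":
    for case, verdict in evaluate_thread_cases().items():
        print(f"{'PASSED' if verdict else 'FAILED'}: {case}")
```

The `ParamRef` wrapper exists because a Bicep parser already distinguishes a quoted literal from an unquoted identifier; collapsing both into plain strings would make a literal that happens to equal a parameter name ambiguous. Note that `networkAcls.defaultAction: 'Deny'` is deliberately not treated as a substitute for `publicNetworkAccess: 'disabled'`; the check is about that one property.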