bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_AZURE_78: false positive for "siteConfig/ftpsState: 'Disabled'" #6441

Closed arnaud-tincelin closed 16 hours ago

arnaud-tincelin commented 2 weeks ago

Describe the issue

Language: Bicep
Check ID: CKV_AZURE_78

Examples

Extract of my code

resource api 'Microsoft.Web/sites@2022-09-01' = {
  name: name
  location: location
  kind: 'api'

  identity: {
    type: 'SystemAssigned'
  }

  properties: {
    serverFarmId: serverFarmId
    clientAffinityEnabled: false
    clientCertEnabled: false
    httpsOnly: true
    siteConfig: {
      ftpsState: 'Disabled'
      // ...
    }
  }
}

I would expect no issue on the FTP feature, as it is set to Disabled, but I am having:

Tool: checkov
Rule ID: CKV_AZURE_78
Description: Ensure FTP deployments are disabled
Resource: Microsoft.Web/sites.api

Version (please complete the following information):

We are using the GitHub Action bridgecrewio/checkov-action@v12, so I expect it to use the latest.

Additional context

Looking at https://github.com/bridgecrewio/checkov/blob/main/checkov/arm/checks/resource/AppServiceFTPSState.py,

I am guessing this line

    def get_inspected_key(self) -> str:
        return "siteConfig/ftpsState"

should be

    def get_inspected_key(self) -> str:
        return "properties/siteConfig/ftpsState"
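
Why the one-segment difference in the key matters, as an added example that is not part of the original issue and not checkov's own code: a simplified model of a slash-separated key lookup run over a constructed resource. `resolve`, `scan`, `RESOURCE` and `ACCEPTED` are hypothetical names, and both the parsed resource shape and the accepted values are assumptions.

```python
from typing import Any

# Constructed sample: the resource from the issue as a parsed dict.
# Assumption: the parsed form keeps `properties` as a top-level key.
RESOURCE = {
    "type": "Microsoft.Web/sites",
    "kind": "api",
    "properties": {
        "httpsOnly": True,
        "siteConfig": {"ftpsState": "Disabled"},
    },
}

# Assumption for this illustration: values treated as "FTP deployments disabled".
ACCEPTED = {"Disabled", "FtpsOnly"}

_MISSING = object()  # sentinel, so a present-but-None value is not confused with absence


def resolve(conf: dict, key_path: str) -> Any:
    """Walk a slash-separated key path; return _MISSING if any segment is absent."""
    node: Any = conf
    for segment in key_path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return _MISSING
        node = node[segment]
    return node


def scan(conf: dict, inspected_key: str) -> str:
    """Hypothetical evaluator: PASSED only when the key resolves to an accepted value."""
    value = resolve(conf, inspected_key)
    if value is _MISSING:
        # A hardened setting and a wrong path look identical to the check here,
        # which is how a correctly configured resource gets reported as failing.
        return "FAILED (key not found)"
    if isinstance(value, str) and value in ACCEPTED:
        return "PASSED"
    return f"FAILED (value {value!r})"


if __name__ == "__main__":
    for key in ("siteConfig/ftpsState", "properties/siteConfig/ftpsState"):
        print(f"{key}: {scan(RESOURCE, key)}")
```

Reporting "key not found" separately from "value not accepted" makes this kind of false positive easy to tell apart from a real misconfiguration when triaging findings.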

Saarett commented 1 week ago

Hi @arnaud-tincelin, thank you for reaching out. Seems like an easy fix, would you like to contribute a fix? 🙂

ChanochShayner commented 16 hours ago

Closing, @arnaud-tincelin thank you for the contribution!