bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_AZURE_43 Naming and Description Mismatch #6559

Open iheanacho-chukwu opened 1 month ago

iheanacho-chukwu commented 1 month ago

Issue Description

The check CKV_AZURE_43: "Ensure Storage Accounts adhere to the naming rules" has conflicting information between its title, address, and description. The description talks about encryption using Customer Managed Keys (CMKs) for Azure Cognitive Services accounts, which does not match the title and address.

Examples

Bicep Code Sample + the expected outcomes.

resource storageAccountResource 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccount.name
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_GRS'
  }
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
  tags: tags
}

The Expected outcomes

Version:

Additional context

Result Snippet

Check: CKV_AZURE_43: "Ensure Storage Accounts adhere to the naming rules"
    FAILED for resource: Microsoft.Storage/storageAccounts.storageAccountResource
    File: /Modules/function-app.bicep:31-44
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled

itariq20 commented 1 month ago

Hi @iheanachochukwu, please review the doc for this Policy: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/ensure-storage-accounts-adhere-to-the-naming-rules It looks accurate now; please let me know if you still find any inaccuracy, thanks!

bostrowski13 commented 1 month ago

Yeah, this needs some love. The description and the things it's checking for aren't matching.

sluscombepure commented 2 weeks ago

I've also noticed a mismatch in this check. If I'm naming a storage account with an interpolated value (for example ${basename(abspath(path.module))}), then although the resulting name is under the 24-character limit, the check is not evaluating that.
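As an added illustration (not checkov's own code or this check's implementation), the following standalone Python check shows what a policy titled "Ensure Storage Accounts adhere to the naming rules" actually has to verify (Azure's documented 3-24 character, lowercase alphanumeric rule) and how a name containing an interpolated value like the one above should produce an indeterminate verdict instead of a spurious FAILED; the sample resources and the UNKNOWN result are constructed for this example.

```python
import re

# Azure storage account naming rules (documented by Azure): 3 to 24 characters,
# lowercase letters and digits only. This is what a check titled
# "Ensure Storage Accounts adhere to the naming rules" has to verify.
NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")
# Interpolation markers such as ${basename(abspath(path.module))} are only
# resolved at plan/deploy time, so a static scanner cannot know the final name.
INTERPOLATION_RE = re.compile(r"\$\{[^}]*\}")


def check_storage_account_name(name):
    """Return (result, reason); result is PASSED, FAILED or UNKNOWN (constructed verdict set)."""
    if not isinstance(name, str):
        return "UNKNOWN", "name is missing or not a literal string"
    if INTERPOLATION_RE.search(name):
        # Only the literal fragments can be judged. A literal part that already
        # breaks the rules fails regardless of what the interpolation yields;
        # otherwise the verdict must stay UNKNOWN instead of a false FAILED.
        literal = INTERPOLATION_RE.sub("", name)
        if len(literal) > 24:
            return "FAILED", "literal part alone exceeds 24 characters"
        if not re.fullmatch(r"[a-z0-9]*", literal):
            return "FAILED", "literal part contains characters outside [a-z0-9]"
        return "UNKNOWN", "name depends on a value resolved at deploy time"
    if NAME_RE.fullmatch(name):
        return "PASSED", "name matches ^[a-z0-9]{3,24}$"
    if not 3 <= len(name) <= 24:
        return "FAILED", f"length {len(name)} is outside 3-24"
    return "FAILED", "name contains characters outside [a-z0-9]"


def evaluate(resources):
    """Apply the check to resource dicts; returns {address: (result, reason)}."""
    return {r["address"]: check_storage_account_name(r.get("name")) for r in resources}


# Constructed sample resources, modelled on the Bicep/Terraform snippets in this thread.
SAMPLE = [
    {"address": "Microsoft.Storage/storageAccounts.storageAccountResource", "name": "stfuncapp001"},
    {"address": "azurerm_storage_account.bad_case", "name": "Storage-Account-Prod"},
    {"address": "azurerm_storage_account.too_long", "name": "a" * 25},
    {"address": "azurerm_storage_account.interp", "name": "st${basename(abspath(path.module))}"},
    {"address": "azurerm_storage_account.no_name", "name": None},
]

if __name__ == "__main__":
    for address, (result, reason) in evaluate(SAMPLE).items():
        print(f"{result:7} {address}: {reason}")
```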

iheanacho-chukwu commented 2 weeks ago

@itariq20

The displayed checkov scan outputs:

Check: CKV_AZURE_43: "Ensure Storage Accounts adhere to the naming rules"
    FAILED for resource: Microsoft.Storage/storageAccounts.storageAccountResource
    File: /Modules/storage-account.bicep:18-31
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled

The title is CKV_AZURE_43: "Ensure Storage Accounts adhere to the naming rules". But the advisory details for Description from the Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled mention the below.

By default, all data at rest in an Azure Cognitive Services account is encrypted using Microsoft Managed Keys. It is recommended to use Customer Managed Keys to encrypt data in Azure Cognitive Services accounts for better control of the data access.

This is what I see, and I don't think this matches.

What you share points to: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/ensure-storage-accounts-adhere-to-the-naming-rules

This should be fine if inserted as guide url.

But the check picks:

https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-cognitive-services-account-encryption-cmks-are-enabled

If the check should be for naming rules then the guide URL should carry the same.