diff --git a/sda.sarif b/sda.sarif deleted file mode 100644 index 46a3e920..00000000 --- a/sda.sarif +++ /dev/null @@ -1,9259 +0,0 @@ -{ - "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json", - "version": "2.1.0", - "runs": [ - { - "tool": { - "driver": { - "name": "antimalware", - "rules": [ - { - "id": "NoThreatsFound", - "name": "No threats were found by AntiMalware." - } - ], - "properties": { - "RawName": "antimalware" - } - } - }, - "invocations": [ - { - "commandLine": "\"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.24090.11-0\\MpCmdRun.exe\" -Scan -ScanType 3 -DisableRemediation -File D:\\source\\security-devops-action", - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "results": [], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "antimalware>>0>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "bandit", - "properties": { - "RawName": "bandit" - } - } - }, - "invocations": [ - { - "endTimeUtc": "2024-11-07T04:56:49.000Z", - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "results": [], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "metrics": {"_totals":{"loc":0,"nosec":0,"SEVERITY.UNDEFINED":0.0,"CONFIDENCE.UNDEFINED":0.0,"SEVERITY.LOW":0.0,"CONFIDENCE.LOW":0.0,"SEVERITY.MEDIUM":0.0,"CONFIDENCE.MEDIUM":0.0,"SEVERITY.HIGH":0.0,"CONFIDENCE.HIGH":0.0},"D:\\source\\security-devops-action\\samples\\insecure.py":{"loc":0,"nosec":0,"SEVERITY.UNDEFINED":0.0,"SEVERITY.LOW":0.0,"SEVERITY.MEDIUM":0.0,"SEVERITY.HIGH":0.0,"CONFIDENCE.UNDEFINED":0.0,"CONFIDENCE.LOW":0.0,"CONFIDENCE.MEDIUM":0.0,"CONFIDENCE.HIGH":0.0}}, - "toolInfoId": "bandit>>1>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "credscan", - "organization": "Microsoft Corporation", - "product": "Microsoft Security Credential Scanner Client", - "fullName": "CredentialScanner 2.5.1.13", - "version": "2.5.1.13", - "semanticVersion": "2.5.1", - "rules": [ - { - "id": "CSCAN-GENERAL0020", - "name": "X.509 Certificate Private Key", - "fullDescription": { - "text": "used as a private component in SSL certificates." - }, - "shortDescription": { - "text": "X.509 Certificate Private Key." - }, - "messageStrings": { - "Default": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - } - }, - "helpUri": "https://aka.ms/CredScanDocs" - } - ], - "properties": { - "Comments": "CredentialScanner is an Azure security tool to scan for credentials & other sensitive data in source code and/or system files.", - "RawName": "credscan" - } - }, - "properties": { - "IsPreview": true - } - }, - "invocations": [ - { - "startTimeUtc": "2024-11-07T04:57:07.500Z", - "endTimeUtc": "2024-11-07T04:57:15.725Z", - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "originalUriBaseIds": { - "file:///D:/source/security-devops-action/": { - "uri": "file:///D:/source/security-devops-action/" - } - }, - "results": [ - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/allsans.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/allsans.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "ad80df55e021c410c64bbdc3c768739c9b7fd32cfe9d37e5049efe305a7cabbe", - "gdnAlternativeSignature0": "471e593e20b5c75c62e499b8249c85f1835dc7f99dc9553a8a66b1be2550515d" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/badcert.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/badcert.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 19, - "startColumn": 1, - "endLine": 19, - "endColumn": 31 - } - } - } - ], - "fingerprints": { - "HashCode": "fdZwTjfxyQHIYf+BmyPXyLEOqdG4U2NLBuFNLckqc/s=", - "gdnPrimarySignature": "8c4f1c7c24033f5c2d1af110b7167b907f6c213c8da0388cc94da267b3b26053", - "gdnAlternativeSignature0": "370b8fdda16cd6662fa9f668df5eb3d0a34e6a7df7f9a47aa8e76ca6db6d7ceb" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/idnsans.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/idnsans.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "e0143173968f10743c164db98a97f2f2ad51665ef207fc2e5ed568dadf16daa4", - "gdnAlternativeSignature0": "6a0059872bc6e5a9f1910e1c20b82a8c9770991596470214159c8d720884cf3c" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.passwd.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.passwd.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 37 - } - } - } - ], - "fingerprints": { - "HashCode": "vIPMvs25zTEA4CvYd/yXI5Q3s9TvruLN5sjPEqmD9Qo=", - "gdnPrimarySignature": "81cfc42c1d0b6a44b58032508492c13a1da8709259d9b955b7818b54375d7454", - "gdnAlternativeSignature0": "a3834b8e54bd96dedf30634b2195d9c1b45ffc9ac2d0cf9e7d72fb01ab2be4b6" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "a5673d23e7575ac45ddbdc1d2e29a20164ef7e82f569408bffe292ceb779806a", - "gdnAlternativeSignature0": "13b90a64372a219e131bd44c942fb99d2e0499c28a050af144f432498b71b0b7" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert2.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert2.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "0e05cea19167aed8b8ae01c841a7334ccb9c7fd7b993406580ff2832d15f7ce5", - "gdnAlternativeSignature0": "17f42847401af81a1d829e8aeac516090ae6c41935d0265f19c20dc5208ce44b" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert3.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert3.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "cc2c869c6af3917c188f3405a5cab29825b895ad248b5e8d5657be11a3575e97", - "gdnAlternativeSignature0": "77b87003353fbbbdd842e915e87ceb94a00295aaa14b394e046cfc2e3d4c70a3" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert4.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycert4.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "c778616f1b5c561f1c66d5843f0e4759cbccf82ba1868f8af267ba96077086df", - "gdnAlternativeSignature0": "c387065dadee4e1320aee04842ec83e45758e802066fcc8deba5055695bfe565" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycertecc.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/keycertecc.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "07fc5532f6969723a59a30bbf4679124b3408c52ad141644aefd5a5ee5ce3187", - "gdnAlternativeSignature0": "c3edc90bf722fd1545c98c99e988dc5405b162ce917767cb0aa7f53ac4954506" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/pycakey.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/pycakey.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "4d5d643001bdc9ca750ddc12572d03f20c6ea6b00ccec260daad81b2cbaad937", - "gdnAlternativeSignature0": "5940924f309382ed130dc9019b7ddc750982599de02152e9f2badb1a4def1c77" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.passwd.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.passwd.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 37 - } - } - } - ], - "fingerprints": { - "HashCode": "vIPMvs25zTEA4CvYd/yXI5Q3s9TvruLN5sjPEqmD9Qo=", - "gdnPrimarySignature": "78f7c576f77b65667382d3cd1f98088d2a5e607d39cc22af6729d55e1f62f28c", - "gdnAlternativeSignature0": "45c71b1ac1f0538e9be6aba276dcb1484749f62e1ed6c955b8d06b3a034f4295" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - }, - { - "ruleId": "CSCAN-GENERAL0020", - "ruleIndex": 0, - "rule": { - "id": "CSCAN-GENERAL0020" - }, - "level": "error", - "message": { - "text": "A potential secret was detected. Validate file contains secrets, remove, rotate credential, and use approved store. For additional information on secret remediation see the remediation section at https://aka.ms/CredScanDocs " - }, - "analysisTarget": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": ".gdn/i/nuget/Microsoft.Guardian.BanditRedist_windows_amd64.1.6.3.1/tools/lib/test/ssl_key.pem", - "uriBaseId": "file:///D:/source/security-devops-action/" - }, - "region": { - "startLine": 1, - "startColumn": 1, - "endLine": 1, - "endColumn": 27 - } - } - } - ], - "fingerprints": { - "HashCode": "K4LFfz40Tf2WjHYSwHcxzmrGBXdPbp+75ngl6MIfimE=", - "gdnPrimarySignature": "1f4b7943f9d0c70caa2b1022c17ac1978128ebd3cf36afb1375dbd8dade2cd89", - "gdnAlternativeSignature0": "47585da2145382121fadbbbe66ef8b7f20a193b4b38372d031552b996edb0fea" - }, - "suppressions": [], - "rank": 94.0, - "properties": { - "DefectCode": "SecretInFile", - "MatchingScore": 94.41, - "EnrichmentScore": 112.5, - "Severity": 94.0, - "Validation": "NoValidationRequested", - "Risk": "100" - } - } - ], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "credscan>>2>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "eslint", - "version": "8.56.0", - "informationUri": "https://eslint.org", - "properties": { - "RawName": "eslint" - } - } - }, - "invocations": [ - { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/gulpfile.js", - "index": 0 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/container-mapping.js", - "index": 1 - }, - "region": { - "startLine": 36, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/main.js", - "index": 2 - }, - "region": { - "startLine": 35, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/msdo-helpers.js", - "index": 3 - }, - "region": { - "startLine": 7, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/msdo.js", - "index": 5 - }, - "region": { - "startLine": 36, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/post.js", - "index": 6 - }, - "region": { - "startLine": 35, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/lib/pre.js", - "index": 7 - }, - "region": { - "startLine": 35, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'const' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/samples/insecure.js", - "index": 8 - }, - "region": { - "startLine": 1, - "startColumn": 5 - } - } - } - ], - "message": { - "text": "Parsing error: Unexpected token injection" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/container-mapping.ts", - "index": 9 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/main.ts", - "index": 10 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/msdo-helpers.ts", - "index": 11 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/msdo-interface.ts", - "index": 12 - }, - "region": { - "startLine": 4, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'export' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/msdo.ts", - "index": 13 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/post.ts", - "index": 14 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/src/pre.ts", - "index": 15 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/test/post.tests.ts", - "index": 16 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/test/pre.tests.ts", - "index": 17 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///D:/source/security-devops-action/test/testCommon.ts", - "index": 18 - }, - "region": { - "startLine": 1, - "startColumn": 1 - } - } - } - ], - "message": { - "text": "Parsing error: The keyword 'import' is reserved" - }, - "level": "error", - "descriptor": { - "id": "ESL0999" - } - } - ], - "executionSuccessful": false - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "artifacts": [ - { - "location": { - "uri": "file:///D:/source/security-devops-action/gulpfile.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/container-mapping.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/main.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/msdo-helpers.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/msdo-interface.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/msdo.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/post.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/lib/pre.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/samples/insecure.js" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/container-mapping.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/main.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/msdo-helpers.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/msdo-interface.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/msdo.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/post.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/src/pre.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/test/post.tests.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/test/pre.tests.ts" - } - }, - { - "location": { - "uri": "file:///D:/source/security-devops-action/test/testCommon.ts" - } - } - ], - "results": [], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "eslint>>3>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "iacfilescanner", - "organization": "Microsoft", - "fullName": "IaC File Scanner", - "version": "0.1.3", - "rules": [ - { - "id": "IFS-1", - "name": "TagForResource", - "help": { - "text": "An IaC tag(s) was found on this resource. If there is a supported mapping tag, it will be used for code-to-cloud mapping." - }, - "shortDescription": { - "text": "An IaC tag(s) was found on this resource." - }, - "messageStrings": { - "default": { - "text": "An IaC tag(s) was found on this resource." - } - } - } - ], - "properties": { - "RawName": "iacfilescanner" - } - } - }, - "invocations": [ - { - "startTimeUtc": "2024-11-07T04:57:38.817Z", - "endTimeUtc": "2024-11-07T04:57:38.863Z", - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "originalUriBaseIds": { - "ROOTPATH": { - "uri": "file:///D:/source/security-devops-action" - } - }, - "artifacts": [ - { - "location": { - "uri": "samples/IaCMapping/main.tf", - "uriBaseId": "ROOTPATH" - } - } - ], - "results": [ - { - "ruleId": "IFS-1", - "ruleIndex": 0, - "level": "note", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 1 - } - }, - "logicalLocations": [ - { - "fullyQualifiedName": "iacmapping1212", - "kind": "azurerm_storage_account" - } - ], - "properties": { - "mappingTagDictionary": {"mapping_tag":"6189b638-15a5-42ec-b934-0d2b8e035ce1"} - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6a2b2a71245a88c5e349c7097ea77bb21272924e2d7d7fb032670e63664912bd", - "gdnAlternativeSignature0": "21dbf0708629d98ff73f008fe2a43b6e0848c2e9ab665049176189097f037ace" - } - } - ], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "iacfilescanner>>4>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "templateanalyzer", - "organization": "Microsoft", - "fullName": "Template Analyzer", - "version": "0.8.0+1ba73133c28786a16b2c19e5d5eef09eb2324538", - "informationUri": "https://github.com/Azure/template-analyzer", - "rules": [ - { - "id": "TA-000001", - "name": "AppService.EnableDiagnosticLogs", - "fullDescription": { - "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." - }, - "help": { - "text": "Enable diagnostic logs in App Service." - }, - "shortDescription": { - "text": "Diagnostic logs in App Service should be enabled." - }, - "messageStrings": { - "default": { - "text": "Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000001-diagnostic-logs-in-app-service-should-be-enabled" - }, - { - "id": "TA-000003", - "name": "AppServiceAPIApp.OnlyFTPS", - "fullDescription": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "help": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "shortDescription": { - "text": "FTPS only should be required in your API app." - }, - "messageStrings": { - "default": { - "text": "Enable FTPS enforcement for enhanced security." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000003-ftps-only-should-be-required-in-your-api-app" - }, - { - "id": "TA-000004", - "name": "AppServiceAPIApp.OnlyHTTPS", - "fullDescription": { - "text": "API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - }, - "help": { - "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." - }, - "shortDescription": { - "text": "API app should only be accessible over HTTPS." - }, - "messageStrings": { - "default": { - "text": "API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md#ta-000004-api-app-should-only-be-accessible-over-https" - }, - { - "id": "TA-000005", - "name": "AppServiceAPIApp.UseLatestTLS", - "fullDescription": { - "text": "API apps should require the latest TLS version." - }, - "help": { - "text": "Upgrade to the latest TLS version." - }, - "shortDescription": { - "text": "Latest TLS version should be used in your API app." - }, - "messageStrings": { - "default": { - "text": "API apps should require the latest TLS version." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000005-latest-tls-version-should-be-used-in-your-api-app" - }, - { - "id": "TA-000006", - "name": "AppServiceAPIApp.RestrictCORSAccess", - "fullDescription": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app." - }, - "help": { - "text": "Allow only required domains to interact with your API app." - }, - "shortDescription": { - "text": "CORS should not allow every resource to access your API app." - }, - "messageStrings": { - "default": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app." - } - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000006-cors-should-not-allow-every-resource-to-access-your-api-app" - }, - { - "id": "TA-000007", - "name": "AppServiceAPIApp.UseManagedIdentity", - "fullDescription": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - }, - "help": { - "text": "Use a managed identity for enhanced authentication security." - }, - "shortDescription": { - "text": "Managed identity should be used in your API app." - }, - "messageStrings": { - "default": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000007-managed-identity-should-be-used-in-your-api-app" - }, - { - "id": "TA-000009", - "name": "AppServiceFunctionApp.OnlyFTPS", - "fullDescription": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "help": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "shortDescription": { - "text": "FTPS only should be required in your function app." - }, - "messageStrings": { - "default": { - "text": "Enable FTPS enforcement for enhanced security." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000009-ftps-only-should-be-required-in-your-function-app" - }, - { - "id": "TA-000010", - "name": "AppServiceFunctionApp.OnlyHTTPS", - "fullDescription": { - "text": "Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - }, - "help": { - "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." - }, - "shortDescription": { - "text": "Function app should only be accessible over HTTPS." - }, - "messageStrings": { - "default": { - "text": "Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000010-function-app-should-only-be-accessible-over-https" - }, - { - "id": "TA-000011", - "name": "AppServiceFunctionApp.UseLatestTLS", - "fullDescription": { - "text": "Function apps should require the latest TLS version." - }, - "help": { - "text": "Upgrade to the latest TLS version." - }, - "shortDescription": { - "text": "Latest TLS version should be used in your function app." - }, - "messageStrings": { - "default": { - "text": "Function apps should require the latest TLS version." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000011-latest-tls-version-should-be-used-in-your-function-app" - }, - { - "id": "TA-000012", - "name": "AppServiceFunctionApp.RestrictCORSAccess", - "fullDescription": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app." - }, - "help": { - "text": "Allow only required domains to interact with your function app." - }, - "shortDescription": { - "text": "CORS should not allow every resource to access your function app." - }, - "messageStrings": { - "default": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your function app. Allow only required domains to interact with your function app." - } - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000012-cors-should-not-allow-every-resource-to-access-your-function-app" - }, - { - "id": "TA-000013", - "name": "AppServiceFunctionApp.UseManagedIdentity", - "fullDescription": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - }, - "help": { - "text": "Use a managed identity for enhanced authentication security." - }, - "shortDescription": { - "text": "Managed identity should be used in your function app." - }, - "messageStrings": { - "default": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000013-managed-identity-should-be-used-in-your-function-app" - }, - { - "id": "TA-000015", - "name": "AppServiceWebApp.OnlyFTPS", - "fullDescription": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "help": { - "text": "Enable FTPS enforcement for enhanced security." - }, - "shortDescription": { - "text": "FTPS only should be required in your web app." - }, - "messageStrings": { - "default": { - "text": "Enable FTPS enforcement for enhanced security." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000015-ftps-only-should-be-required-in-your-web-app" - }, - { - "id": "TA-000016", - "name": "AppServiceWebApp.OnlyHTTPS", - "fullDescription": { - "text": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - }, - "help": { - "text": "Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks." - }, - "shortDescription": { - "text": "Web apps should only be accessible over HTTPS." - }, - "messageStrings": { - "default": { - "text": "Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000016-web-apps-should-only-be-accessible-over-https" - }, - { - "id": "TA-000017", - "name": "AppServiceWebApp.UseLatestTLS", - "fullDescription": { - "text": "Web apps should require the latest TLS version." - }, - "help": { - "text": "Upgrade to the latest TLS version." - }, - "shortDescription": { - "text": "Latest TLS version should be used in your web app." - }, - "messageStrings": { - "default": { - "text": "Web apps should require the latest TLS version." - } - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000017-latest-tls-version-should-be-used-in-your-web-app" - }, - { - "id": "TA-000018", - "name": "AppServiceWebApp.RestrictCORSAccess", - "fullDescription": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." - }, - "help": { - "text": "Allow only required domains to interact with your web app." - }, - "shortDescription": { - "text": "CORS should not allow every resource to access your web apps." - }, - "messageStrings": { - "default": { - "text": "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." - } - }, - "defaultConfiguration": { - "level": "note" - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000018-cors-should-not-allow-every-resource-to-access-your-web-apps" - }, - { - "id": "TA-000019", - "name": "AppServiceWebApp.UseManagedIdentity", - "fullDescription": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - }, - "help": { - "text": "Use a managed identity for enhanced authentication security." - }, - "shortDescription": { - "text": "Managed identity should be used in your web app." - }, - "messageStrings": { - "default": { - "text": "For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens." - } - }, - "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000019-managed-identity-should-be-used-in-your-web-app" - } - ], - "properties": { - "RawName": "templateanalyzer" - } - } - }, - "invocations": [ - { - "startTimeUtc": "2024-11-07T04:57:57.369Z", - "endTimeUtc": "2024-11-07T04:58:02.943Z", - "toolExecutionNotifications": [ - { - "message": { - "text": "Discovered 1 template-parameter pairs to analyze" - }, - "level": "note" - } - ], - "executionSuccessful": true - } - ], - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "originalUriBaseIds": { - "ROOTPATH": { - "uri": "file:///D:/source/security-devops-action" - } - }, - "artifacts": [ - { - "location": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - } - } - ], - "results": [ - { - "ruleId": "TA-000001", - "ruleIndex": 0, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 264 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "be38ef4a5beacf017f220b3d98472e58b2a22f36fd9be444d705a6da0156fd74", - "gdnAlternativeSignature0": "ed2c5f6d187878540408f5bbb17875166e824df9cd545c2071e66b80f6c4bb01" - } - }, - { - "ruleId": "TA-000001", - "ruleIndex": 0, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 280 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d37d8282e31133b27146eb024c2736f1d7b65bdd6a42c08607bdb2bead9b5423", - "gdnAlternativeSignature0": "4c40d2cc63ce679ba6157fdc72d12b40481a893ab13296c36239c7ed8622cb86" - } - }, - { - "ruleId": "TA-000003", - "ruleIndex": 1, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 165 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3549d0b318441c8b49bd89ca36ea85f70bf45f022ab8c0609706ff5f5a88d2d8", - "gdnAlternativeSignature0": "0edb0e1b59eb8e8d3fc182d647d80d92147876a0454f610aa836842fb52181e5" - } - }, - { - "ruleId": "TA-000003", - "ruleIndex": 1, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 195 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8dbbe99de40dee0eb3c9eb6568f8e48c5effeec820c694f77be3999efaad513b", - "gdnAlternativeSignature0": "f244a0d31df3eeaba0ca511703721d84fe79f8beb849b3cc4453a7f7e9ffc9c1" - } - }, - { - "ruleId": "TA-000004", - "ruleIndex": 2, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 29 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d1a766811373af8220668a1819fa53325b88ba36dffbf2706701e95dfa1e0aed", - "gdnAlternativeSignature0": "f0153f08d6d8174a8d76708b6935ba0ef2b38e06ff62758758e948d72ef1be52" - } - }, - { - "ruleId": "TA-000004", - "ruleIndex": 2, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 44 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6e9b1515330559d9ab46e4c5b6afdd2ee9a07fc5122b6c3748c3688cfeca2789", - "gdnAlternativeSignature0": "c0dd2c03abc529e58717d3191f4fd5e673d3316a39093ba7bd9b964920239290" - } - }, - { - "ruleId": "TA-000005", - "ruleIndex": 3, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 165 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7e1a7ec5ef845a37f73c0407622bd567cdd07b2dfedc75a099d29862f374762", - "gdnAlternativeSignature0": "1cdb3b2f11971c7558e88df98da50f7e9a361b97dd3668a26543df13716d7597" - } - }, - { - "ruleId": "TA-000005", - "ruleIndex": 3, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 195 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4643d07151b417ee81f093352a1a712e3536febd4f9c68cb9774bc20578541ec", - "gdnAlternativeSignature0": "c90df3b94d648eb7354b444cbe823e580310b5eda0a5391f3f4c80b4c05317f9" - } - }, - { - "ruleId": "TA-000006", - "ruleIndex": 4, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 218 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "65526fef72a3bd5686e08978f894f58ee0c94d6b14333616137c1197168771c2", - "gdnAlternativeSignature0": "6738218eca8210aa235b6a000d75d9cd8ec306669ef6783344d819eea5ad16a3" - } - }, - { - "ruleId": "TA-000006", - "ruleIndex": 4, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 199 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "74875f7d2bcd35300850f78ef8d77d9ccba6f1f3e01f8aa8126148d78a157a60", - "gdnAlternativeSignature0": "02e4138fc76c7af81aa05894a92ac4d606d31021aa410b0aa62abbdd6eba5eed" - } - }, - { - "ruleId": "TA-000007", - "ruleIndex": 5, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 187 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "be7e0b3fdbf227e31c46e9fd7b3a36bd67a5577fe93fabe7de457fb26f58dc34", - "gdnAlternativeSignature0": "b76e97cfdd95980416531f989be2fa221fd4f3689c9ca167b515e573bc729d04" - } - }, - { - "ruleId": "TA-000009", - "ruleIndex": 6, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 309 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "265486bd8e28eea8810483d45dcc81f731cd9776eed60a7893943e33d9b07b6f", - "gdnAlternativeSignature0": "ed44340ff877ba9d68523648797c4f0f7b56c7c028d93312e55d5c4dc2cdf0a8" - } - }, - { - "ruleId": "TA-000009", - "ruleIndex": 6, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 325 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d70937da25c2f4c4bf54334ccc495634c22918258a3b46e45fcd389fd482855f", - "gdnAlternativeSignature0": "34c1f242e862c9a4b1ccceb99a33b1aac0df47aadcc5e6b4cc6a9957bfa60ddb" - } - }, - { - "ruleId": "TA-000010", - "ruleIndex": 7, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 70 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f09e415fda3660cc86a250ca8b35c87db6d6f5d15c69693c1cee3d5a1bd841c4", - "gdnAlternativeSignature0": "c11ab3206f07476269883239e183c0a38d77630a64dc0a0fac178d45f7f0cb8b" - } - }, - { - "ruleId": "TA-000010", - "ruleIndex": 7, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 85 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b3eb7244e83ec91b3b2fdcadbdd498b8f8095140b6c23b74883b5ca61878a994", - "gdnAlternativeSignature0": "3a37f05c16ebd9b493c603024eeb1c5f9c35a5a44d2378a11b6c33003fba815f" - } - }, - { - "ruleId": "TA-000011", - "ruleIndex": 8, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 309 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "03a4354b8e006461fb34be109fe4601b633f817d7b237a02dbf2f1346d91e0b4", - "gdnAlternativeSignature0": "c490246cd2a3ee33ab981814e002c687938d33fba3eefb891fd8db2c7a92d64c" - } - }, - { - "ruleId": "TA-000011", - "ruleIndex": 8, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 325 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "24126068b178d605ced2a12989a4fa2ebd4d15eb30c7c2c37b9d3c6cab349686", - "gdnAlternativeSignature0": "c5923a6a520bd145ef3957d75a6c9d8cbf1025fcd4915449e60bbb02bd10a9e8" - } - }, - { - "ruleId": "TA-000012", - "ruleIndex": 9, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 313 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "36e23dcaac28961df21b197c601391bc76f0c90d72380a56f1fa29327bd0017c", - "gdnAlternativeSignature0": "3fa84bc1cc49b60bb7204fb88c7fada8faa63e5f8c9984e10e1b83d3b95bb9e7" - } - }, - { - "ruleId": "TA-000012", - "ruleIndex": 9, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 218 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b20e23b6ed47125967e4d087e615c9d4a9aba6d7dd9e2176ed151efcebb82d02", - "gdnAlternativeSignature0": "2ee68544e8b6b6a54363c95df7bd3d1422cf1c193ed005dddba038439e9650d7" - } - }, - { - "ruleId": "TA-000013", - "ruleIndex": 10, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 319 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ed0363b6f87f1d4e7c0807f68e051e1b3787bafbd2455d4528a10bf4d94b9edf", - "gdnAlternativeSignature0": "72d1e7c2a57d35fa08e178c56264746e48ed563a4da2d7f5dc8570438ed5d90c" - } - }, - { - "ruleId": "TA-000015", - "ruleIndex": 11, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 264 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ec6f5ed98134d472df3077d9c883d07c25923b8e2f9f0ee4ad62438d0a72b4f4", - "gdnAlternativeSignature0": "5e86cd98e6560ffb14e4eb72c99c8a11042feb183a1713a37c682f8417eca214" - } - }, - { - "ruleId": "TA-000015", - "ruleIndex": 11, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 280 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "38abf206aa092efe2a8fa6d3546f1a342e08c86f4b25be558b8afd5bcb532651", - "gdnAlternativeSignature0": "f53e1db90f911dfc29b77e08c01fc16a609b9720473da74edae88428a4e2bc1c" - } - }, - { - "ruleId": "TA-000016", - "ruleIndex": 12, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 111 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "408e1546a1bb4ad4b304b67d08fe6d99943c94a173d95edb8ddaa25a03798989", - "gdnAlternativeSignature0": "84d16425f679ebd232bade7a449c0cdbfef3776b9b928279599f00b71fbcfb22" - } - }, - { - "ruleId": "TA-000016", - "ruleIndex": 12, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 125 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "bce4367d8d17dfed8e0504a56bdbde591cfc253f3632a2f21142dffcac9e33a5", - "gdnAlternativeSignature0": "e76df0666939f84d4c4ef2f13e863a131ecb5f7e36060126730de3bd7aee8734" - } - }, - { - "ruleId": "TA-000017", - "ruleIndex": 13, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 264 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "84b7be1aa526d0d05c2de90d3e202c9ac537835e7b3140c871e452ee53505cf7", - "gdnAlternativeSignature0": "059a393d058cffaa8cdbe2fad159ee89d4f04ea63fcbee3981408888a39432e8" - } - }, - { - "ruleId": "TA-000017", - "ruleIndex": 13, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 179 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 215 - } - } - }, - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 280 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c8faed1d99ea5b1ced01439da3370660d482769c59a7665dda694f69f336bc76", - "gdnAlternativeSignature0": "216e7a3be42bfa5aae23ed3abf7bccf0d48aa5ad6ae0f617088f0de77723da89" - } - }, - { - "ruleId": "TA-000018", - "ruleIndex": 14, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 268 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b17d79fb40da84e43645bcdc62e3f720f8039e9be3454fd847cbef27623eea6f", - "gdnAlternativeSignature0": "4050ebca29a424898a464da3b851e5ae90c32384f653b4478a38a331c2639fa8" - } - }, - { - "ruleId": "TA-000018", - "ruleIndex": 14, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 218 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "478c565e6f29f52f64c42e08aca4fe0c94a9ed37a629ab4529d58c764580df69", - "gdnAlternativeSignature0": "0a4753c9c18e6f31fb4d238774fa74f694731b7aff4566b256d7a4f2c93536cd" - } - }, - { - "ruleId": "TA-000019", - "ruleIndex": 15, - "level": "error", - "message": { - "id": "default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 274 - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7f8fadd8a0cbc8600952d828f4f4f59c163cd99350430230e976a126d8c9a89", - "gdnAlternativeSignature0": "1dad07739d9b4f2d7845f7a709da12b240d41c1a3536217dc80b23b104ea5362" - } - } - ], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "templateanalyzer>>5>>202411062057" - } - }, - { - "tool": { - "driver": { - "name": "checkov", - "organization": "bridgecrew", - "version": "3.2.199", - "informationUri": "https://checkov.io", - "rules": [ - { - "id": "CKV_AZURE_59", - "name": "Ensure that Storage accounts disallow public access", - "fullDescription": { - "text": "Ensure that Storage accounts disallow public access" - }, - "help": { - "text": "Ensure that Storage accounts disallow public access\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-storage-accounts-disallow-public-access" - }, - { - "id": "CKV_AZURE_33", - "name": "Ensure Storage logging is enabled for Queue service for read, write and delete requests", - "fullDescription": { - "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests" - }, - "help": { - "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service" - }, - { - "id": "CKV_AZURE_44", - "name": "Ensure Storage Account is using the latest version of TLS encryption", - "fullDescription": { - "text": "Ensure Storage Account is using the latest version of TLS encryption" - }, - "help": { - "text": "Ensure Storage Account is using the latest version of TLS encryption\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/bc-azr-storage-2" - }, - { - "id": "CKV_AZURE_190", - "name": "Ensure that Storage blobs restrict public access", - "fullDescription": { - "text": "Ensure that Storage blobs restrict public access" - }, - "help": { - "text": "Ensure that Storage blobs restrict public access\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-190" - }, - { - "id": "CKV2_AZURE_40", - "name": "Ensure storage account is not configured with Shared Key authorization", - "fullDescription": { - "text": "Ensure storage account is not configured with Shared Key authorization" - }, - "help": { - "text": "Ensure storage account is not configured with Shared Key authorization\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-40" - }, - { - "id": "CKV2_AZURE_47", - "name": "Ensure storage account is configured without blob anonymous access", - "fullDescription": { - "text": "Ensure storage account is configured without blob anonymous access" - }, - "help": { - "text": "Ensure storage account is configured without blob anonymous access\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-47" - }, - { - "id": "CKV2_AZURE_33", - "name": "Ensure storage account is configured with private endpoint", - "fullDescription": { - "text": "Ensure storage account is configured with private endpoint" - }, - "help": { - "text": "Ensure storage account is configured with private endpoint\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-33" - }, - { - "id": "CKV2_AZURE_41", - "name": "Ensure storage account is configured with SAS expiration policy", - "fullDescription": { - "text": "Ensure storage account is configured with SAS expiration policy" - }, - "help": { - "text": "Ensure storage account is configured with SAS expiration policy\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azure-2-41" - }, - { - "id": "CKV2_AZURE_38", - "name": "Ensure soft-delete is enabled on Azure storage account", - "fullDescription": { - "text": "Ensure soft-delete is enabled on Azure storage account" - }, - "help": { - "text": "Ensure soft-delete is enabled on Azure storage account\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azure-2-38" - }, - { - "id": "CKV2_AZURE_1", - "name": "Ensure storage for critical data are encrypted with Customer Managed Key", - "fullDescription": { - "text": "Ensure storage for critical data are encrypted with Customer Managed Key" - }, - "help": { - "text": "Ensure storage for critical data are encrypted with Customer Managed Key\nResource: azurerm_storage_account.terraformaccount1" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key" - }, - { - "id": "CKV_K8S_25", - "name": "Minimize the admission of containers with added capability", - "fullDescription": { - "text": "Minimize the admission of containers with added capability" - }, - "help": { - "text": "Minimize the admission of containers with added capability\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-24" - }, - { - "id": "CKV_K8S_20", - "name": "Containers should not run with allowPrivilegeEscalation", - "fullDescription": { - "text": "Containers should not run with allowPrivilegeEscalation" - }, - "help": { - "text": "Containers should not run with allowPrivilegeEscalation\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19" - }, - { - "id": "CKV_K8S_21", - "name": "The default namespace should not be used", - "fullDescription": { - "text": "The default namespace should not be used" - }, - "help": { - "text": "The default namespace should not be used\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20" - }, - { - "id": "CKV_K8S_28", - "name": "Minimize the admission of containers with the NET_RAW capability", - "fullDescription": { - "text": "Minimize the admission of containers with the NET_RAW capability" - }, - "help": { - "text": "Minimize the admission of containers with the NET_RAW capability\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27" - }, - { - "id": "CKV_K8S_43", - "name": "Image should use digest", - "fullDescription": { - "text": "Image should use digest" - }, - "help": { - "text": "Image should use digest\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39" - }, - { - "id": "CKV_K8S_8", - "name": "Liveness Probe Should be Configured", - "fullDescription": { - "text": "Liveness Probe Should be Configured" - }, - "help": { - "text": "Liveness Probe Should be Configured\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7" - }, - { - "id": "CKV_K8S_37", - "name": "Minimize the admission of containers with capabilities assigned", - "fullDescription": { - "text": "Minimize the admission of containers with capabilities assigned" - }, - "help": { - "text": "Minimize the admission of containers with capabilities assigned\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34" - }, - { - "id": "CKV_K8S_29", - "name": "Apply security context to your pods and containers", - "fullDescription": { - "text": "Apply security context to your pods and containers" - }, - "help": { - "text": "Apply security context to your pods and containers\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers" - }, - { - "id": "CKV_K8S_22", - "name": "Use read-only filesystem for containers where possible", - "fullDescription": { - "text": "Use read-only filesystem for containers where possible" - }, - "help": { - "text": "Use read-only filesystem for containers where possible\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21" - }, - { - "id": "CKV_K8S_23", - "name": "Minimize the admission of root containers", - "fullDescription": { - "text": "Minimize the admission of root containers" - }, - "help": { - "text": "Minimize the admission of root containers\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22" - }, - { - "id": "CKV_K8S_40", - "name": "Containers should run as a high UID to avoid host conflict", - "fullDescription": { - "text": "Containers should run as a high UID to avoid host conflict" - }, - "help": { - "text": "Containers should run as a high UID to avoid host conflict\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37" - }, - { - "id": "CKV_K8S_31", - "name": "Ensure that the seccomp profile is set to docker/default or runtime/default", - "fullDescription": { - "text": "Ensure that the seccomp profile is set to docker/default or runtime/default" - }, - "help": { - "text": "Ensure that the seccomp profile is set to docker/default or runtime/default\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29" - }, - { - "id": "CKV_K8S_38", - "name": "Ensure that Service Account Tokens are only mounted where necessary", - "fullDescription": { - "text": "Ensure that Service Account Tokens are only mounted where necessary" - }, - "help": { - "text": "Ensure that Service Account Tokens are only mounted where necessary\nResource: StatefulSet.default.cassandra" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35" - }, - { - "id": "CKV2_K8S_6", - "name": "Minimize the admission of pods which lack an associated NetworkPolicy", - "fullDescription": { - "text": "Minimize the admission of pods which lack an associated NetworkPolicy" - }, - "help": { - "text": "Minimize the admission of pods which lack an associated NetworkPolicy\nResource: Pod.default.cassandra.app-cassandra" - }, - "defaultConfiguration": { - "level": "error" - } - }, - { - "id": "CKV_AZURE_225", - "name": "Ensure the App Service Plan is zone redundant", - "fullDescription": { - "text": "Ensure the App Service Plan is zone redundant" - }, - "help": { - "text": "Ensure the App Service Plan is zone redundant\nResource: Microsoft.Web/serverfarms.serverFarm" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-storage-policies/bc-azure-225" - }, - { - "id": "CKV_AZURE_17", - "name": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set", - "fullDescription": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "help": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-7" - }, - { - "id": "CKV_AZURE_78", - "name": "Ensure FTP deployments are disabled", - "fullDescription": { - "text": "Ensure FTP deployments are disabled" - }, - "help": { - "text": "Ensure FTP deployments are disabled\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-ftp-deployments-are-disabled" - }, - { - "id": "CKV_AZURE_18", - "name": "Ensure that 'HTTP Version' is the latest if used to run the web app", - "fullDescription": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "help": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-8" - }, - { - "id": "CKV_AZURE_14", - "name": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service", - "fullDescription": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "help": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-5" - }, - { - "id": "CKV_AZURE_16", - "name": "Ensure that Register with Azure Active Directory is enabled on App Service", - "fullDescription": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "help": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-iam-policies/bc-azr-iam-1" - }, - { - "id": "CKV_AZURE_71", - "name": "Ensure that Managed identity provider is enabled for web apps", - "fullDescription": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "help": { - "text": "Ensure that Managed identity provider is enabled for web apps\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-managed-identity-provider-is-enabled-for-app-services" - }, - { - "id": "CKV_AZURE_15", - "name": "Ensure web app is using the latest version of TLS encryption", - "fullDescription": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "help": { - "text": "Ensure web app is using the latest version of TLS encryption\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azr-networking-6" - }, - { - "id": "CKV_AZURE_222", - "name": "Ensure that Azure Web App public network access is disabled", - "fullDescription": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "help": { - "text": "Ensure that Azure Web App public network access is disabled\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/azr-networking-63" - }, - { - "id": "CKV_AZURE_153", - "name": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot", - "fullDescription": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "help": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-azure-web-app-redirects-all-http-traffic-to-https-in-azure-app-service-slot" - }, - { - "id": "CKV_AZURE_67", - "name": "Ensure that 'HTTP Version' is the latest, if used to run the Function app", - "fullDescription": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "help": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-http-version-is-the-latest-if-used-to-run-the-function-app" - }, - { - "id": "CKV_AZURE_70", - "name": "Ensure that Function apps is only accessible over HTTPS", - "fullDescription": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "help": { - "text": "Ensure that Function apps is only accessible over HTTPS\nResource: Microsoft.Web/sites.ApiAppNoHttps" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/ensure-that-function-apps-is-only-accessible-over-https" - }, - { - "id": "CKV_AZURE_13", - "name": "Ensure App Service Authentication is set on Azure App Service", - "fullDescription": { - "text": "Ensure App Service Authentication is set on Azure App Service" - }, - "help": { - "text": "Ensure App Service Authentication is set on Azure App Service\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/bc-azr-general-2" - }, - { - "id": "CKV_AZURE_65", - "name": "Ensure that App service enables detailed error messages", - "fullDescription": { - "text": "Ensure that App service enables detailed error messages" - }, - "help": { - "text": "Ensure that App service enables detailed error messages\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/tbdensure-that-app-service-enables-detailed-error-messages" - }, - { - "id": "CKV_AZURE_80", - "name": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app", - "fullDescription": { - "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" - }, - "help": { - "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-net-framework-version-is-the-latest-if-used-as-a-part-of-the-web-app" - }, - { - "id": "CKV_AZURE_66", - "name": "Ensure that App service enables failed request tracing", - "fullDescription": { - "text": "Ensure that App service enables failed request tracing" - }, - "help": { - "text": "Ensure that App service enables failed request tracing\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-failed-request-tracing" - }, - { - "id": "CKV_AZURE_63", - "name": "Ensure that App service enables HTTP logging", - "fullDescription": { - "text": "Ensure that App service enables HTTP logging" - }, - "help": { - "text": "Ensure that App service enables HTTP logging\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/ensure-that-app-service-enables-http-logging" - }, - { - "id": "CKV_AZURE_88", - "name": "Ensure that app services use Azure Files", - "fullDescription": { - "text": "Ensure that app services use Azure Files" - }, - "help": { - "text": "Ensure that app services use Azure Files\nResource: Microsoft.Web/sites/config.SitesConfig/RestrictedCORSAccess_web" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-that-app-services-use-azure-files" - }, - { - "id": "CKV_DOCKER_2", - "name": "Ensure that HEALTHCHECK instructions have been added to container images", - "fullDescription": { - "text": "Ensure that HEALTHCHECK instructions have been added to container images" - }, - "help": { - "text": "Ensure that HEALTHCHECK instructions have been added to container images\nResource: /samples\\Dockerfile." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images" - }, - { - "id": "CKV_DOCKER_3", - "name": "Ensure that a user for the container has been created", - "fullDescription": { - "text": "Ensure that a user for the container has been created" - }, - "help": { - "text": "Ensure that a user for the container has been created\nResource: /samples\\Dockerfile." - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created" - } - ], - "properties": { - "RawName": "checkov" - } - } - }, - "versionControlProvenance": [ - { - "repositoryUri": "https://github.com/reynoldsa/security-devops-action", - "revisionId": "c5bc432f9640469fd713f651b4d18af73867f27a", - "branch": "main", - "properties": { - "RepositoryRoot": "D:\\source\\security-devops-action" - } - } - ], - "results": [ - { - "ruleId": "CKV_DOCKER_2", - "ruleIndex": 42, - "level": "note", - "message": { - "text": "Ensure that HEALTHCHECK instructions have been added to container images" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/Dockerfile" - }, - "region": { - "startLine": 1, - "endLine": 2, - "snippet": { - "text": "FROM alpine:3.14.0\nRUN echo \"testuser:x:10999:10999:,,,:/home/testuser:/bin/bash\" >> /etc/passwd && echo \"testuser::18761:0:99999:7:::\" >> /etc/shadow\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d575ad4cda6d50d0a5b22693f2455c3705f7c36bb4b15adc9192690133bf9374", - "gdnAlternativeSignature0": "b638b75acb82e58442ebe3ecff85569f7009ac136ba3db701680ba599b613c84" - }, - "attachments": [] - }, - { - "ruleId": "CKV_DOCKER_3", - "ruleIndex": 43, - "level": "note", - "message": { - "text": "Ensure that a user for the container has been created" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/Dockerfile" - }, - "region": { - "startLine": 1, - "endLine": 2, - "snippet": { - "text": "FROM alpine:3.14.0\nRUN echo \"testuser:x:10999:10999:,,,:/home/testuser:/bin/bash\" >> /etc/passwd && echo \"testuser::18761:0:99999:7:::\" >> /etc/shadow\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "1242a262a0e0dc6e681ad67a81a121ae66f0b2562d1d669a066233daaa7a615a", - "gdnAlternativeSignature0": "81662655dc607bf53d1554c1d9b11df48d1d564eac1529173b8d0a2e61969e63" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_225", - "ruleIndex": 24, - "message": { - "text": "Ensure the App Service Plan is zone redundant" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 14, - "endLine": 19, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/serverfarms\",\n \"name\": \"serverFarm\",\n \"location\": \"[parameters('location')]\"\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5221a67299814f524df6a6522077373a0fd22c2d3f1748e6025a8552333f7141", - "gdnAlternativeSignature0": "e6aab96518196be0b417589447f9a67fea4ac7f6f0a89667d1394f61195916f6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2052f152b6d5766a7b59a9c7b4f1d29a0f7bb9060b894b7a65b9e58207a28318", - "gdnAlternativeSignature0": "e18fdea947ebaa5eeda8e3c09e3f041d81794a440563fc2ff6526653c22c9300" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5f73cccef9e3e5de304868ce267f1b16ddbbad0c9c52f4c39866f9e347b7d5d2", - "gdnAlternativeSignature0": "7806091df62a7f1ac9e2fd4c6a8f834a76f61fa22e8e6b577272499b3e942104" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b9354cf1c73339ba30adcd102787a08181f25aaff9f6782332e185ca65fb9a6b", - "gdnAlternativeSignature0": "c95f4a7cc4fb4eab5c51d2885069bf453fc79e65aac23ff2d04b015fe36717d0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "be5f727a2ce11c634799422c02b8a4786d9b57ab5402571c6025b43e6b077b3d", - "gdnAlternativeSignature0": "30eef084050fc6c74f476b1ce8aa4c766974299647bbfbf548e37ddd1fc1ceb1" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8ec0cf28cfe77f1886c419e78389f8a6102878cb7612535c76516fd29c664889", - "gdnAlternativeSignature0": "b35de61bb549b7a7050bd10b59810d2d6c10f19155d87b4bd9b1f6a92ac87ae8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ee7a8721be19f071f11af14aaa7aca9576415f4d4d1e62346a853f58100c82e4", - "gdnAlternativeSignature0": "ec622e49b27f8e22a9e6f643cf8cf907eb559102eae22be4e991b94720701355" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ef9b889940362ecd85475a4717800814cf44656011817a1d3370a3bcab0f9006", - "gdnAlternativeSignature0": "e8b887b9e4630d128d846a53822b5d4d36f7078245f4e138644f951d5da1c04b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e1dc47b6e2369dd39565addd153d327dd0d76de16d44d15949739b4ece89857b", - "gdnAlternativeSignature0": "d43a14c244c9f2b15c1ba3cec391a15f1baf94ac985c7db47cad796ef60a075e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "97d7ca490bf520d069c13ebdb0d71a09b89fcd7769dde3ce13a56b628553002e", - "gdnAlternativeSignature0": "4900509f0378a44b7fbeba8ec8bf1dbc277cdf17e6f3726e7111c71d23884b5a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c56f175caf69b08d44542457468251bc934009d1db105d9b7bbebcbcb3beb452", - "gdnAlternativeSignature0": "913aa909429d17a84df0c1e8748ff6aea024d4ef99d8904de01b8ebfebb6ef2c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 20, - "endLine": 32, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2f45d4e06de44a01421e37f361501aad833ff822c1204548527c417f387a4bfd", - "gdnAlternativeSignature0": "c1176515ad6f738679a0735507229cb7137334a387d241a6f6f16e99fe2c2751" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "77217b91fc3a35c94077b14d569129379554bc6c475fef0ed13e21ee3f64e356", - "gdnAlternativeSignature0": "a92fd4c7fd1c82fb5c7c4e2b973b97bd202817cb9be0631ec7ec94540eca12a0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "96272a03ccdc56a5a8b96c5109daa200cb64585bf6cb129647e817d4f08a4bfd", - "gdnAlternativeSignature0": "3e23e70479065b8d7df9e45448b64661427e6438fbe37d04a36266ce32bee78a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "67cba71b0950ef66e3a3a355b9a91d2d202c0813fe7f8b95e741f7812d7033fc", - "gdnAlternativeSignature0": "fbff0c06779ae5a02c627c32a5286e16208ac4855c442d93ca1238f9c34e1d11" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2f0e38a86c95c2a52024f64d67bcd131909536c1a0e5b97ad5e093d03574efea", - "gdnAlternativeSignature0": "5ecca9431ae6ccf7833666998b89928bef027106342ff5293dbcea4fbfd8985f" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "047e97aec3e3db452cd6494fac807837f79de6dbf49057a6af9fa720f29866cd", - "gdnAlternativeSignature0": "4d3bb1bfb723ab4e801290b50a7f708428b9978d60d75e9d4b421ce3261e987e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "60a28f98c4f08919941b75af5cb9983b3d6d0d4fdbdfd72f0090398ec41d78b8", - "gdnAlternativeSignature0": "81e9acc15fdef5820327f3e7ba5bb7d63c7bc0ff05365b47c155fc8b5bf089f7" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "661df7e8e64bd5bdd34a1d439102b29529c13c746e5feb730fac1b89383a4443", - "gdnAlternativeSignature0": "20930ab9036a0597b410e4bbb9a3ae46121270bb3384764cabfe9af8664ee4c2" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "eef8e08eefe99efe6383c19a6c2f6896c9ef94af166789c535a44e439faff96b", - "gdnAlternativeSignature0": "d9cfc31c8fd621cb84b4ac6e4aebe8fbdc58ac745ec38f3cad71e0d6516cac75" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b6eaac00912ec69927074d73bba19050e90b93d7c2863034c5f57ac14b6c3f56", - "gdnAlternativeSignature0": "63b91b45615d3139f0c8994573f3c9045d8602acb32fa9a2b56ff7b1e8c030d3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "1a28305cc04bfcb6e7d6cd127478774b1bee41fc46643d7798536ede530ea751", - "gdnAlternativeSignature0": "0f393c4096130800e7805e4a66f1950cf2d771868201e4632b04ce44be71df65" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 33, - "endLine": 46, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7e0569871e364eb4f1ad13804f6bbac0225d2b791ccc53683c54d880a8d56ad", - "gdnAlternativeSignature0": "558d0b90f8a67d09495fad85b33c5877cb89b0319b670c21c57f4959cca1eaf1" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "aaddab01eb68ff517e9444b2e9d93377d31950dea3e82ddb8ab944c5dfee7c1f", - "gdnAlternativeSignature0": "57cebe241ad3cf45ef799f306169e2b2264d43b4510f8e0752726be7131ab490" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "590ff9987116abb8a3400496eddeb58c1f024d384c76051a44dc2c39e4e49283", - "gdnAlternativeSignature0": "61d1b562f5d44f6ddbc3c5c2814e820572971c9d99d41830d74ee6dab9e8b1b8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "db280dfff3e2790244c8b505a80423b5448fc8e75d59a62250b7a79536cf7ff1", - "gdnAlternativeSignature0": "ac8dbe3cffb76f8661fc62b1f0f4da58be581b4d0ef2caa7f3cd204caca2463e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "aea92e244aca978f643e2e1ac665f53ebba318185bd336a66cd47a0b665060ec", - "gdnAlternativeSignature0": "b48782f8c3aa23c586d734684f31424229a47093f158458dc6b2d60685e3d769" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "798c50dcd9acde7329ed5009c3d07a2217acf11fec1f31004c527083961c540d", - "gdnAlternativeSignature0": "165dd9555e9c9161445bf7503e05d3cbed8dcbb6302f42637d6b45ccaca0ff58" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4c5dfc4574f7685bcd89ddc5a65c7d0c511987abf75c9de4430457d1727af8af", - "gdnAlternativeSignature0": "d2ce914431dc4d3c206c55b66c4b6dca1bb2031972528496dbf84c655535f145" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "44c94e00b2108329c9f76c78147b2604cc20cabbf31e7f8e4299bf4d2fd94f14", - "gdnAlternativeSignature0": "61c01b83b4d60836ee555f3f704f36d40cb7a30c25a0d5dcd09b5f172423448a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 47, - "endLine": 60, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "235d3319b06d373c3b2babd6236b29e3ee46066a92409d48434ecf54474c4f3d", - "gdnAlternativeSignature0": "781e42feb7fc10ca262f5cce84e3a566206e0d9abfe2465ba0a1fb45a98eef9e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3645ea9051ae5673c813896b86a7ba9dd2b3b5e32c23cafc80908b2f2524f944", - "gdnAlternativeSignature0": "3f5299a9cafa29f11de4de69e3fd6545bbed0d8ef6dfdc23e989ccbd39b25cdd" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ca7a9cc04d61e4c2746e08d814a13bfce97322ab3330c23ac6a3a046e1da28cb", - "gdnAlternativeSignature0": "7223771f7f45cc448238ef3189a578bb9838dc9dcd6954b1769a77b8828299a3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "71dc14fcd10f9c9553a4da8ac502b6435b2ed0db62277cd987cca6d551c6d181", - "gdnAlternativeSignature0": "d43fc88acb8d338e40410db7c591108b80e3d46c28060e62437919f14f722dfe" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3c0093298905723cba273ae4a7665878ab158eed129e338a933ea628f12cea27", - "gdnAlternativeSignature0": "3e6753aa3addf5ba0305dc624bf944236f65feb3fb342a87052ac03331c29086" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d1a5aac95999bad7e7b5c9e0e255d9d2ca11a7cea6fa5dc385222d4feaf488c3", - "gdnAlternativeSignature0": "33369208b079f75cbe0cab69fc1bf20ac7c43ea8f2b7536e1b4f13a771190cb6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d73af49617110ba351d090184b05165dc8855332c51a8857ed25280cf9afad44", - "gdnAlternativeSignature0": "09a999b4a9287158b3cca86c7e300c895a1350f7ef5816c5b55efc9f3ea7ce55" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "03753151129aae06d95a6bf05714f3962691cc58c210d7d9e1834d8fd0ccfbf9", - "gdnAlternativeSignature0": "ee019a6f911abaec8264daa5ce7e95edb613bb130a37c20e98d07b6ce408aa71" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b8b0b37b159d4ac33da5cc0f6c8e629f574c8e2989630facb7ed998b4fbd3e2b", - "gdnAlternativeSignature0": "c33ac75db46382ebd17cb142c0ac1e4ad6899e74b3a7aba6452e31cff4a58b91" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e964440f1574351b358e9ad24c3716799d68e1fff901003018bb171fe1731425", - "gdnAlternativeSignature0": "d665f8f5eb905b17e8a1114333ea0f968495576f17e39f7aa042a5e10d58f6dd" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "46bcafa5ef7682f49218b2cdae86203af9bd2d6676b1305517ff82ed2534c8a4", - "gdnAlternativeSignature0": "3aa93e2f42f94795cf57ca2abb96bbaf98d85c457a25083f5dc76fd25f6c828d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 61, - "endLine": 73, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8897f68b7d0cfd331d551cfe62263a1a37c12f1b2fa6cc72ced0fb70f1d07bea", - "gdnAlternativeSignature0": "1e32293b35ee682f0207bfc6b97b03f98947a3c42b123d602986180ab02349dd" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e19ab0fdf6b41c60416ec1789e435d14b225c9059e0cb0e72b85621eaa9a6a86", - "gdnAlternativeSignature0": "9c76d0ac3067ddae324af883867178b01d2394b6293865422cfd1c2a0d8f2322" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9ccd2eec805423da588e0e4fb39a20af8824e7b43e64c3e4b69ef404665c32cc", - "gdnAlternativeSignature0": "f564ab2518131f06da69f86eb0b8f61753018f7a7779cfb057eddd15551977ee" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9359461703908a57a96cb32c9d317be3fe28b28f0bf8392611a279a831e3c47d", - "gdnAlternativeSignature0": "4e87df39b2999630b9a10e9ecb92008f17baf6e351e0b208887f85e9931397af" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "52979741c27ad8788e0a869cb9c45f1dd101ad482c8c5157b8812f78991baf31", - "gdnAlternativeSignature0": "5058e736e60a56f62767c611d9a6aa94a5845c6ee0c4aa10fb6626a2aa2a70bf" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "31f0c7f30ad4509ee75d1a179af6e021694beb27d3a38ff0b5bcf0fd5d9bfec0", - "gdnAlternativeSignature0": "1129123e54ead9a5143b8feca94087caf7d35b5ae8251eafbe5b7cc169c2321e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0768d45c77ded4c1385d2feae675b811f3c643696bda9156a8bfccd599aff704", - "gdnAlternativeSignature0": "a60f942f7a1141f3ee5bceb13b7991b3a42f1f9d9b467e82a0d3f2b9ba339d7c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6401e6c3c7b71999c46c38b67aac9488aa986bc7b294124d85576bda8a4c0a9a", - "gdnAlternativeSignature0": "4dfd2fb00d7468e4b5ec7f9be6f463d7ce9654014d94abd3d367315c073cb7bb" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e32c0ff998fcef5e2c8dc7044fad00fee70e804ea115377e31bb12a7f59a2c10", - "gdnAlternativeSignature0": "439c05a50fad4d75ec8d278a58719987c9009948631a2f11782251d73c8f4200" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a5c04b13d6677bc41f4b3715f1e01ce95036675d6de4df8dc0439de074a03d73", - "gdnAlternativeSignature0": "49b98e30d0dd7ce696a9b0b481e3281fd671f0fd70de26dd6fb7510b705e0f87" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e6301a23f58d4b667b0f9399522c3093c2289a6533a91c5cdcf22d245d526fa9", - "gdnAlternativeSignature0": "6091c16fd0d417e61913fb8a205a0381ceb3beab6ee091ecdef880751180c796" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 74, - "endLine": 87, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp,linux\",\n \"name\": \"FunctionApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0f2797770c6de1cf13dc915a59ed4540e23f915d86778fdb7e6b17a631c027fa", - "gdnAlternativeSignature0": "7f942a785576efce2530b9d5e5138b37b95f67caaaf4f068e03450ac35bc9b27" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8a917df4e8c678506a78db5559479538775f940b8c14aa146822e79c821a287e", - "gdnAlternativeSignature0": "536e095efb39b0a59bf24cda2950cc9d7a939e228a53bf159bf8cd0fb1b8da6e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "012a7cc9d1337a51d3b90f52d7866f9183fa75c796a6b444a5792554db38986e", - "gdnAlternativeSignature0": "a0b181e8b990ea5f29718c2f802c61d0e3d160d0fea9394c335ce70582b89c12" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "07162ca3946165f6599af87465895d93e3a4672e03b47519894ce51b2c5cc9bd", - "gdnAlternativeSignature0": "74128bc18a6b19a6678aa9cbd0384858bae0f0270c9c36bed84570fd26bfbaca" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a69519b3c5b094db4ab476ddeb127f3a19304d1a0dceaaa0990a3438551fa084", - "gdnAlternativeSignature0": "be3bd3018a1fbfa842ccab409f12e02b083c1afa3058a47b84c9fff1d4da82b3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "736147b83648552df9d3f8b2b392ab48a9bf9ab58620fb7a3818f40f07bbfc61", - "gdnAlternativeSignature0": "f27f79c0de60ef21728d0f1fc1410e6a2cea4efb033b119007e4e6ab0626384a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a4b11836c10056ef0cdbbdb6afefc25c31906aaa79ca3bdbc1bdb18ed2d011b7", - "gdnAlternativeSignature0": "07b6c44a303c8c16e35003d2412596b49a13368ed484ff649ffa144d2b5771f8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ac27e5bae66e1875d76fc175bccaf11c9f0a10e45ac8385025f5dde90c69e4fb", - "gdnAlternativeSignature0": "9a5fdc81a5d1e596583d75f0a2da7b28dd82d0c9155a0baf2b57fd32cf33e21d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 88, - "endLine": 101, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d06586685b31f55d3be4de5084e13b421c700e4c87a7437bffe41291bf65d35b", - "gdnAlternativeSignature0": "dcb4c97d8e1a7a14524f2c6534312187b0272594e87ed98fe98e172b43b7dff9" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0207769333b739f934c6c2472c0f269001ca3b1e973fe1cce2d2472d8bc56399", - "gdnAlternativeSignature0": "c00d75f61dc4dfb1d452c9fa66da4eea57d1fd4fada176b36c66d53d5b9b1cb0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5d7890ffeb37cacd07b107299144f625fa773f8e8fb28a62a7c0dea16025a0ee", - "gdnAlternativeSignature0": "089e7957dda409a966a18b7e294c4573d4ec68ad4e24b23938e321a8e82b030d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c29ee62ee70b4965bc0d67ef69030f6b70e617d9fcd3ac8200b68198192b7dc1", - "gdnAlternativeSignature0": "b4ba90b3e3e84e928c796f1c7ebb2e6797dea862b0e44cef5199dbe9bfe5e6aa" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ee8d746b0689b235f3208999ce7df1653fa45d2711d41a5d6e7ba90fd50c388c", - "gdnAlternativeSignature0": "ea3506129a69e11e59a2393a8e401e15c35473f82a143746cf124f0aceb0f013" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7b591f479f9723771411f3c953ee4ab3beda88856ae3ab53a88a64d61214e01d", - "gdnAlternativeSignature0": "0ac09190fd50243610f0dc1cefc1f8f5bf5340c6554465ca85333d39814c3094" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f3eef46d00d6fe15f0b4da40bda2f0ab16e3c91fcec06df3545e1c7fe7d8ff6d", - "gdnAlternativeSignature0": "6d2fd3507d1f39e715802fc90b4f9779fa4a250936446362dfb3a3c8675b600b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "52578dfe3657d9104db6fe82cafe200490942428064ed7a2ba755d780c8365a3", - "gdnAlternativeSignature0": "c54bc8f04da699379969061f974819212592deb962782dc7070937bd22ff33c6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a5c0013a8fd9f0097d45e444d88054036ed8f442fe330587d0eae9d3714ec87c", - "gdnAlternativeSignature0": "10e9ab48939200696e4f91afa907175cea23e4c9aea63613a7ca13160da48477" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c8b8eb4f5fd69ed893f62f660e2df19dc69d3bb4a56c750d27505476f1cfd972", - "gdnAlternativeSignature0": "3bc11347887444d838588cd7d6dfcda7b36d4137a8406b9064dff980db330958" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7a9df9fe206d31f6b88c7461cbbedd1791b9500136c048ba6c5a1a70390f97ac", - "gdnAlternativeSignature0": "69eb37c4e01e77eaee89dd5c5159883cb79b66d176282e18fcb6e2926e00a887" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 102, - "endLine": 114, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app,linux\",\n \"name\": \"WebAppNoHttps\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "67339bfd8472664e8e86c3dc86cc304bf7b9e1d32dfd00de0e6fbaeb2beea398", - "gdnAlternativeSignature0": "3e179c62893671bd328f85697d3c649cb45309fb6525b65b76a9aa5a649adc58" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4f72f1e4d99a8378d05b185cebfa8825d333a71cd5ef5b0bf186468bdbefea17", - "gdnAlternativeSignature0": "c78d4a844035a2ce61548f8d60784616fb2403fb930f340915bc4bfcc468716f" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "cd8cdaf3f142d7a4565c43f60507169bdc01b2286039cf1255d61c596ba3101f", - "gdnAlternativeSignature0": "bd5c17ecc6b46d6513f8eca0a60db649dd30c9a1eb735d04fbc624a1b4b79f51" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f7e0232cacef22c54066a9584d66a2197c9c74c0e03f83d8eb7c4e0134444dd0", - "gdnAlternativeSignature0": "7d8d600175945563c3b4bfe9e2c144473bb0a6ad19b8148501a70cdc8061004d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_14", - "ruleIndex": 28, - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ae3081631a2091bd9163df6f1ee42da0cb7854cc3bd2d6b398ceb8157d47c295", - "gdnAlternativeSignature0": "89901158631e4d71235d05997a134e895b4ccc2e4ef71ec40ae5b8fe13439adb" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "255f7613ce31bf6755bb2ecceee14742ed8cff561d5a310b501ef17b7a9297d3", - "gdnAlternativeSignature0": "b96b4d533c88a6a70fd777af318af980187826608f3a569474d34858e2dfe22c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0b1fb05ccebfce0be5690acbadf661f9c2c441ad9d90eadd8db28efb2a5c574a", - "gdnAlternativeSignature0": "8835bcf442c7e87a2f87b12a5afeea783d9963935c9e670d58841eeee02b0fe0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2b2824300dc3a47d41fe35895bcc7cad5518ad6adbeecd51da01c157e6c984c0", - "gdnAlternativeSignature0": "7649a4df3f008f0807c7e8a88a1a2dc1343615f1b82341ecdf1c0191b0c59f89" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "91cfeca6c81755244c63c7c01d9c91da11cbcf416444876ee05b92c981358129", - "gdnAlternativeSignature0": "c4fc2fbf31a7a52d60660e3c94d040c2abb912507c60f5b084cb0d8eae09c334" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_153", - "ruleIndex": 33, - "level": "note", - "message": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "12fdacf2d5aa3a1ee71cd5c41c350cfba3e252cd7cbe4d579fed9cb23ab77388", - "gdnAlternativeSignature0": "26f89be242e3ae985b8f53b8ee3c67bead4ae71123378bf3dee7dc2d8263e6d5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "54ced1e9e7299882c21663f45e6f27de7eb21223e77344e814efcd89b8eed40a", - "gdnAlternativeSignature0": "33f9e2f7e0ddc2d74628ef9e4d55b535c2ddb446f42351f4ba30926022834e1a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_70", - "ruleIndex": 35, - "message": { - "text": "Ensure that Function apps is only accessible over HTTPS" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 115, - "endLine": 127, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_HttpsFalse\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": false\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "288291d4755ccee48c5333b7d63f37c8e0706cf06714117660c84507a289ebc0", - "gdnAlternativeSignature0": "f5a45e007c2154338b28247a0731d64cd6c700e52b86171ebfab23be42290c88" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "08008df0f45ad8f64f4f9486ca9d1d20053d77608610e41a01834c68b1cc3a09", - "gdnAlternativeSignature0": "7f7317b8b44e4c8b52c5da46edf6e775d451d85bc442fbf7d98ac9b0ecdf9b1a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a2fcaa633cbc5e8689c4c980a1b76805afde139435d0d92003f29dbc1adb25d2", - "gdnAlternativeSignature0": "02fc484de3908421bf498b943a3501de05c15edb775e37cb7257ad89b4e1ea9b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "bf112ad4ff0c1f3dbda36d12b6d980c83e9448f3cea1fab2124874b363e2ac33", - "gdnAlternativeSignature0": "ddde80d77251f9ab96e8180febb6470c41bad8598a1751ecf3205201e04032d6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "adf211c29e22998dc5e478d0f175052925f2426ac7b3c077d75a3d438bf01a71", - "gdnAlternativeSignature0": "4b079ac338cf1fa4d757290e73fb9b247e37983f28925e314c9d61debdca8a29" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "12cdce98f0d5aa4daf69793f9157ef1dd1dfd49ee3ef333f6d57ae4bad06477b", - "gdnAlternativeSignature0": "9ddb0eff72c95cda99852373789fe69e358faf69c9dd5a9fb90d415e957f67f3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a01b7d7f752ca024104d998b10919091141c26bbd9d73412d05e9b7df9363f16", - "gdnAlternativeSignature0": "7df932c190b3ca666346a7f0465861d381530f106e254076b900a704cda36707" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "92ce11dc062621efb46ffb9f89dfd1b9c12dded0b94b04f3b0595f9420c0511a", - "gdnAlternativeSignature0": "7305d34c7a68da6a3a1c357d001602242c92f53fa425b0b2b7cac8681b8720c0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 128, - "endLine": 141, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_HttpsTrue\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\"\n ],\n \"properties\": {\n \"serverFarmId\": \"[resourceId('Microsoft.Web/serverfarms', 'serverFarm')]\",\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "66c95de9831d167d19805f23da1ed5e5e7187f6b898fd2c379923be413ebaed2", - "gdnAlternativeSignature0": "493078216959af69095559e71e4e85917a9850e8ea90fd13cae9e6e6378b602b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "dae96b9aa7c9155ac642e29b28b9fd890e6e1c9fa6412927d964aa22c026cce4", - "gdnAlternativeSignature0": "9b8c72895461d25ee31a8c5b1b5bdda37dc3c8b032c14663c43538cf838a7484" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0e15991fa47fbdff46caf4d88b4a2be08fb7309de35a5105df283f2cd3ef226f", - "gdnAlternativeSignature0": "b0664718fd5e7c63444d10f083239952773ba1744dbab54ba4179b90213c162b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f413c46ab964537bc7ae7dfcb7b2ffcef2f4859e417da785d2d693af373bbc72", - "gdnAlternativeSignature0": "90284155b27b35d9aa40959078e6e324d16c9ad43994fb20812c5b87ab3da8fe" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7720ed6c8b5f7baf81abe1e027fc660ee7213935e400dae0edcfd3446026ac34", - "gdnAlternativeSignature0": "19a91cb4fc78c2570287be6094778b7b3129af76dc046331d5a63c1adc857126" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "31eeaa41cb930b4da2b791b254b14fe3f8abf8fb09a3f4592f23195d8b3d32ac", - "gdnAlternativeSignature0": "852e81a1be9daed64c584b0a57f48572b61750d22f9558ca1b3cc6dabca55ddf" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d41a5fe9e3ea723beaa68eaf7d4285ce450d5356436fcf3239c57109fab2e3f3", - "gdnAlternativeSignature0": "2a0982291cb4f11f796e6292520001696fa061f3549a3b4b6874c119b0dc8939" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0ae6105850f99ccaf95cf627c1995f3d7919bd31dc28f2945bcbf79f503fe118", - "gdnAlternativeSignature0": "72596372d73524682d0e517eb7a46d563f86d56830f27c9461e4d32ba4a781f2" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 142, - "endLine": 158, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7681cb3edcfb2659c2d32f2e7974f467446481d6b8f2b69ebae4df96958593db", - "gdnAlternativeSignature0": "a0af6fe2a04fe4a682850851dd4abb0ce07f4da5c8164df732c5042397d0f297" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4df01be86e5e4147c31aff5bef0d87d3e3a0fea9898be19a88df8f6060c6e582", - "gdnAlternativeSignature0": "a3bda844d97fdd08c544d09a457ab85e6f4f33118537eec7ee0be628841a0253" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7622258391e9aeb5136bfc53200e4631c118a10864775710c6e20c3a1c237687", - "gdnAlternativeSignature0": "481a7ad24af6150821e083f9d4f23bb233fc2533beddacef31c29768569b84d6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ed1a58b3b54cc84e53c7bf600f8fab74e9c11af3031a3f091ec16ba9718b6009", - "gdnAlternativeSignature0": "15c3e8d74638416369e18b9d5385946a799c5d6e07556598bad7ffab2362586e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3182a4a340f4f50c65cd416eee5fbc9ded7a6ef32624b4c7474bc837466e224b", - "gdnAlternativeSignature0": "d8a84c842901bc6695e4d2872e84deb0a7baa06a702117331a93c6feadf5a546" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2c00ee00a620c96918dc4b9545112008c52cc88c30ac68e0b8478f877a16c74f", - "gdnAlternativeSignature0": "0fe0595ae36ffe8d3f8292c1f39136832913fff70668f658520a5a08513d411e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6cdcbc4da68c2815a6d3f0bd78504303b0825e880d14097332cb170407c80128", - "gdnAlternativeSignature0": "1fe507dd25e0339cdc76945f0b74a799aa63dcc0b23cad0285faf8848457d916" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f3ac1d65124943989cd407b1862791529fab3c4e0eedc65511c90e43edf3404b", - "gdnAlternativeSignature0": "298513397a838c0f2a237b8c715b3e500bcd2a54a0f1f6163bd77768da9dbcca" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 159, - "endLine": 168, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "bd6450c773eed311a8e88ceb126978f5c3988a64c332b8ec936cd28ea7aa295b", - "gdnAlternativeSignature0": "f234d72c8e49b23ce2aa32bda1a3f909baa6ad9b4fbbf65d4211d56cbf976848" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_13", - "ruleIndex": 36, - "message": { - "text": "Ensure App Service Authentication is set on Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4764b062aa2d198673df7c5f6d2c0e9c01286e83909a609e2372747b782c1ab7", - "gdnAlternativeSignature0": "528e2e7673c1c9c45f2e03b442261956045574d01f03c9004d1d2bef6c09bea0" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_65", - "ruleIndex": 37, - "level": "note", - "message": { - "text": "Ensure that App service enables detailed error messages" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7a5a598012ddeb8be2fd66b67a61ffcdc2b743ee4bdec4d88ff3ec3b35747b5", - "gdnAlternativeSignature0": "1cef927286d0a4b4ea6cf8c1b9c129beffa0889f29a77ce4d2b443c9d83d3669" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_80", - "ruleIndex": 38, - "level": "note", - "message": { - "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3f0e499426cfa4fe5bdb96a9894cb77d781ce58b0d391af6741cbbb23829d7c9", - "gdnAlternativeSignature0": "e237636bdd6a09fe032da4732bf99d542b96c319747ff963d56185e4298297e4" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_66", - "ruleIndex": 39, - "level": "note", - "message": { - "text": "Ensure that App service enables failed request tracing" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ecda7f10c676f4fb72429cae500da0aa6d3a253664f489dd99c37140cc4adbdd", - "gdnAlternativeSignature0": "456c9b0bbba231ac9f76aeb80c65a8f2e4f2395fb0cbc94b7aa38df4ba418c4f" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_63", - "ruleIndex": 40, - "level": "note", - "message": { - "text": "Ensure that App service enables HTTP logging" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0debc8b4bed8e61fddb6166094e0f30c9823a2a4bc6e21990d839ce42bbe7faf", - "gdnAlternativeSignature0": "119c560594404bbb1f85c2a4a64be3ba7f355cd183dcc2efa31fd0bc552f5ad5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5c6cabb001d3b83d407085e00b359528524e83c168685191c6a9258098a9d366", - "gdnAlternativeSignature0": "3664e4a542b0f7100774ae71190236958f7e845d9a1d5079ba8b85ebf4ecfd1d" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_88", - "ruleIndex": 41, - "level": "note", - "message": { - "text": "Ensure that app services use Azure Files" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 169, - "endLine": 186, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/RestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6f0de3fde830219d08c3c4083fce6ccd9966859a6cd4143ec03fe04798472dee", - "gdnAlternativeSignature0": "6d432a9079e10e7a68453f21043b67398f44a7095b3b4337ad2a97b879c6adc4" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "dcd550d66ea4f3ffc89adf365fe7cd5bf8d63462acecd1cccb341a7335e9fbc6", - "gdnAlternativeSignature0": "5831a40aa6b645473d2ba22c02586e6993565e63f22aec548d3af0fa06b9fd22" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6b0c6b35c56eaa234e454e964d8305e90681f1bb57225e8b47b7d84d4bd9c52f", - "gdnAlternativeSignature0": "25b4881300990c178e3af646a347540425e737d05e462e73ac054f3c73691340" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9fb5162913194706fc251e38d156beebe0887f9bb6ee8c03671cd6755a952833", - "gdnAlternativeSignature0": "99d41b0689e4d871f9d62281e26dfbfd83c98541d8a02fcc05cae59e1c6e1e61" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e11b584dd233a10ac72c56c29b0abb0a46b40eec0fd60d073902939bb2fa1a7c", - "gdnAlternativeSignature0": "0094ff86f766a290f1f59fd99f98729982d98a5c48687076a1fef7cf652dc8c1" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4750d98ad7c586d98825c46bea9511b196f12dc4264fb696186efd16ab3d94a2", - "gdnAlternativeSignature0": "b8e824ce01520cea292f1a7f62c7bcb8a5f77c5151b5bc056b1412295ff3497a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6618f89bf0f657561f12e6f711f090337aa8f3864239d9b428ecc00ca4e734d8", - "gdnAlternativeSignature0": "020034ec5f28ee65e82f5e48c62ebc00c918318b37fb5530d365b705686fd720" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "257663068ac706eb48e30972d5ef65ae59a81b05935937b81969fbce76b54284", - "gdnAlternativeSignature0": "7162b78e9cff93e85080d9d077dbd2f6d9c5a765d0da6485890b044204b68786" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 187, - "endLine": 204, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"api\",\n \"name\": \"ApiApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2dae51e3df9996d76d22a1ae6f75f332e4bf5bad3f4272e79c26b2b7c999ac94", - "gdnAlternativeSignature0": "8259e76b9c016c2688d043c19e0143fe202feb2d893e108efc9e81c9d35ce4f5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_13", - "ruleIndex": 36, - "message": { - "text": "Ensure App Service Authentication is set on Azure App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0e8af6cde44520ef4bcab2e8711c2dda5a7fd48878091674e03dc681118a266f", - "gdnAlternativeSignature0": "146cabdfaf6092c02eb82036132680f7b6808bdd5432312d46330c9bd3585e72" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_65", - "ruleIndex": 37, - "level": "note", - "message": { - "text": "Ensure that App service enables detailed error messages" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ef81362c707d65d3863cae808daf52e6f7ef001be334504a099e1b9ff50e232b", - "gdnAlternativeSignature0": "6b075093c48fdb089dd2354278746e6a51fe721cabb128f140a431cf005127d3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_80", - "ruleIndex": 38, - "level": "note", - "message": { - "text": "Ensure that 'Net Framework' version is the latest, if used as a part of the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0b92428b5f8d657f24f7b113a8e844c8b9f0eb0582cb7ceea6933aa04dafd8ff", - "gdnAlternativeSignature0": "817496a6ee1a0d6d64bb24701e78f9cba8b3fc06268f0bade0689ce46999e311" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_66", - "ruleIndex": 39, - "level": "note", - "message": { - "text": "Ensure that App service enables failed request tracing" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3e9ad501881045e5d7309b74094c547164a1dab831701c7dfea6dac72f78ad39", - "gdnAlternativeSignature0": "8d2d4e5f2e7fb6ffe5a3d690ad5075c7a4194060994f0f063c517791e6bd4150" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_63", - "ruleIndex": 40, - "level": "note", - "message": { - "text": "Ensure that App service enables HTTP logging" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4f45838aff932f565433ff3fd599bc9de4d7bd434bf4511cee319935dfb28950", - "gdnAlternativeSignature0": "d7afaaf97a739bde64c18fb27889fb4d931b2ba29561244209ab5f03659f4b71" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b7d1e0a2597990637571695421255bca16f0c42cb2ec39b943ec7ec98dbf64e8", - "gdnAlternativeSignature0": "1d2b4a62840a1bb054f7389ba3c9215d640240d28ecac6c4dd75531648052b7c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_88", - "ruleIndex": 41, - "level": "note", - "message": { - "text": "Ensure that app services use Azure Files" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 205, - "endLine": 222, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites/config\",\n \"name\": \"SitesConfig/UnrestrictedCORSAccess_web\",\n \"location\": \"[parameters('location')]\",\n \"dependsOn\": [\n \"ApiApp_NoSitesConfig\",\n \"WebApp_NoSitesConfig\",\n \"FunctionApp_NoSitesConfig\"\n ],\n \"properties\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"*\"\n ]\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7ac28937c766ad8aca6f80f4c1b203c09f14c9b030a09850ddf94906052d3cff", - "gdnAlternativeSignature0": "86dfaece04781f7765ed78900613f50af845e94a4498b5bfe133a0567832350b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b0458996e102d04b1269a39e6ad2f6d6fa741a778b7821a91a590d13708de75c", - "gdnAlternativeSignature0": "ba1b6ae6482744c512163ee84d83124346fdff55efcc553c93a117827b277dae" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8e375b5a9dc4728fd4ba4a21882993369de923f2eac2ed78cf8491552d8facaa", - "gdnAlternativeSignature0": "853de3499062ba5a2cb953cc5283596ec4b8e90b4b1b51d5d7ed7fd9ef487dd5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a127ae6cec02825e2f917c367e3db26bf8017f68b1998857a4ebb175353f6a51", - "gdnAlternativeSignature0": "e1bb268111081a04f49ac60c72a63ed0738145f62892adb59d43e0cdb4181ffc" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d351baa7f806ab65257e43138c406148e9c81bb988521fe221f56f7e72e21818", - "gdnAlternativeSignature0": "5c32a35a8c57bffbbce0105bb252897bba594b8d564d6be228aa0d086db40eb6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "34cf1285b6c9b01e2163c4235369bba2bd1740e57a71fa21d4945fee87438740", - "gdnAlternativeSignature0": "e681471f7211744f1008218a8212ef79deecebeb44aaf693cb5c6a2ff0c30fbc" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e25dee6e2c2afa0f90032dee4f66872f8022716e6e1870e697e282669a0e6bea", - "gdnAlternativeSignature0": "44100aca6dd76613f2e92578a73695780785c3777bbba30651b6e632ad118318" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "da1a3fa73f790c28a05f8d7c42c7961059009ddc9e050d309066a52dc28f2964", - "gdnAlternativeSignature0": "b97d0c99d154acece432cd4b25ed97cebdc3307aff68dff7034a8814c9407ae1" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 223, - "endLine": 239, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c469692cea7b7ca010669e9d28957de550b80aca420639dab41c3b50acb673fd", - "gdnAlternativeSignature0": "0280a30c60f721964ef8f0e1f057cc3823c08e2c877a2f35ecc0bf0cba67aa73" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4fd9a062f86a13872b9dad7a38cfe0d953f929b117ea32a74b12949f94482d1e", - "gdnAlternativeSignature0": "4313f93aeba30524fe4b597801c38b1eff909f6cbc2cb6ac96c9fc11b4acd52a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6ee562e5d732261eee58f4880f619fded377b21bb88bcc90f9b5abad30ed6398", - "gdnAlternativeSignature0": "e931b536ca4eb49838ef185e4d0af6477b51badbaa93242a6c4ff1b2e1298bf8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "143778d4f31ab73a5bb75054896253c16373f69b3e0441b850b0369d1bddf1c4", - "gdnAlternativeSignature0": "03129ed6590e6f4bf2f43e9281e29c697a95962f5878ba90589b6fe88fe04380" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8e4a04fbf2e32b4f92897087315fb87884e9f2888146d04906779b927323f6c4", - "gdnAlternativeSignature0": "f321e049084aef0145e1b33f9c49fbfd5cdeb2ab03c824e93f910fbd3adbbd44" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3c4d99dfa4a6499c4718cdbe5c7c7b5fb1667ca31c16bddbc1f0d50f201b0eec", - "gdnAlternativeSignature0": "fe55bb9000959302368aa07dd560c68c98caed221602cf2a2f997e85d4bdd6f6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "eb4bed8fbe96c4a4bda2d5714d30a37fe5af249e7983c2e529ed2555b2302577", - "gdnAlternativeSignature0": "e5ada8bedea49618df2290b727da8e0b3564bbc4cad4ad22aee82b8a6afd2581" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c7c28aa1f6eb6c981b8dab94041a68bab23a9b72de245b2058c9280c612cac81", - "gdnAlternativeSignature0": "53b134cf1cec93348d12102916d6e3bd4072019df2f026de26b3ef6db3543505" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 240, - "endLine": 255, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"name\": \"WebApp_NoKind_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "23dc3709b4a9455bce85771532889a8fb832f85ad458d4f285fe9fb2eb7807ae", - "gdnAlternativeSignature0": "7fa5336cda8b5f2d8c41c95ffc7b95cd3ace43f023bd72dfbf479b585045984b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4e8cc7e2a4b582670ab605572ebf449e0b91a874db1ab9ef2e8e1202651fb74b", - "gdnAlternativeSignature0": "7fca34e471d5ec9837849486a2e299f93b5ee49824bfbaf0059ddade380c33c5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "32f70b90c9398c6ab47faf4896ca724cc667414fbdd61f9d37ab64180039afa9", - "gdnAlternativeSignature0": "74ac563e5ceaa5a0e09e489b9fa579c8be0ec02947aed0617c6faddf0243f60c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f565d488d0ee136a77ca481e53820893ff8ba50cacc9abe76f757c1a84865639", - "gdnAlternativeSignature0": "3fe95bf85179982d04d6323aeb899d481688025a708d5e171859bd82cc1cdd76" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "88848a38797205708edddcc47234828b56efc3e522b2f791a287bd2e1362ca36", - "gdnAlternativeSignature0": "0c58696e023f4bb523561bf26c5c02916c2411086a669f73ace694130370fd8b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "df545930bb8458e5f4d491540b41367072287dd41d4cc413670e820d053b3c59", - "gdnAlternativeSignature0": "b156e3e128bdada88119590b89491ba5637d828eb52a1fd7cb66709f886f4015" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a4a0f2a5361ad3d1b9eae1eee98796fd4b9cb48e588e5ff7e991e03b1fd406f6", - "gdnAlternativeSignature0": "273d89c35b3928f35b2b753a0285d00ac263f3183a4a1488c2f7a79177415611" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9719571b68e5b3a885fa6fd8f779399b128f621f8c56f6fab08675f5bab6bad4", - "gdnAlternativeSignature0": "e0db6d935221b8f1a1c87a50acb333285eeab2b10c099cfc8c0e1842c3a55397" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 256, - "endLine": 273, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c99607a3189b9bc5ab42ae5c2d7df75995a965340270a602883d37aeed0923d9", - "gdnAlternativeSignature0": "95c9c99f71bb81429ee8ccb9608f889801fd91e170be93bd519d0c4aa56ab001" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ab35f47a9966e5318d1be863b2ec0f17d58d977c71e868ebff0db5b49b68af09", - "gdnAlternativeSignature0": "9c833adad252c499f44a089a84712b55a0a006a47a9aba6c530d01a1bc94f558" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "602fdea611aaa3d22235f4e83203311f5ffe8e9e22833d6184d440e68f024bf5", - "gdnAlternativeSignature0": "5c17ba6738b8da7c912c45aebf73499fbce4dc65cf6407b66f5a4c274679619c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "20d3cf16494d80ca62033400936f0feb57be0a8ab23b9cc9b162b2247897388e", - "gdnAlternativeSignature0": "cd1e03ef8f9614165ea4d7a0973270f4bbab817cb3cc52ad0cf36cb647c3b6d9" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "78cc949070f476ebc74b2dda7f5c41ae43b805ea3b7daf49d3078c058f79e5a1", - "gdnAlternativeSignature0": "a55b806fb31cb3bf0e6b5c3d01f6ffd490c3b886bb80a722866cc000586f0f8a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "15dc91ac7c730ca245aabad00f156494d8a29ee9b357748967d76f05344eda7f", - "gdnAlternativeSignature0": "5847938307c50605c0610b36925ab50eefcc6634ed7e565f480bda53984af466" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ea83d615bfff6cce7ff0679906857f978db31bcc20aaf8362758e87312e2d941", - "gdnAlternativeSignature0": "c039abcf9cf88918b4dd9167119722b1a5108ce5e38d75043c0b750fd2981ec3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b051219a1626ff89706e92b04e25fb0932c1d985ea27f8aecbf7f743c04dc659", - "gdnAlternativeSignature0": "cabf626aade2ee1d730330c88d2aa7d8895dd4c93938eeb77c63f03a052c7679" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 274, - "endLine": 283, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"app\",\n \"name\": \"WebApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "6b115656ed41348ad449cf25c954970b70b571ade5d19e1105620b4e7717e2fe", - "gdnAlternativeSignature0": "aa6295e81aa6a4ae09a54ac0c497bf6291b50dd88a72b6e830bd210a1a68aceb" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "14fcb885307e08a2c5ada1206158c9a84bbe32823e0d5c615704e0bafa8aee79", - "gdnAlternativeSignature0": "fb7374d63bc8d8ab31652d206739a312b4868d345ca64543f8d31991d5b46cfa" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5ed1b342d8a0f06c5b0bb3d15388f5670cf2b409bf65da4b74e438912627892a", - "gdnAlternativeSignature0": "9f5a5eef4cfdb3f4462b7862dcba4b5bef7ef10e97449da469e0495432b1aa9c" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "f769bd7202fd3a2674861afca95fa1cfc0664bd0b76619913a2f39f87fd2fe8a", - "gdnAlternativeSignature0": "5992da2c97b93015cd5ff7d85e7dca064eea8c61012c16fd094729db911f95a8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5bcdda995b38f39e6e644a8b926bad1dda898d677c7095948d0787f601427d9b", - "gdnAlternativeSignature0": "13ea3d62cdfd23a6f501449536936b1c6db8485e0dff7c99196f039ded5323e3" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "01e261f9a2c80b85eac147e32d3398613aacdcc9aba1ad95bed4948b25697177", - "gdnAlternativeSignature0": "06726daca90067656a51c927384b29c2fa63923f996cd8820a67beaac37a348a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "72e5f5c502813f23c86f6954f698b653e4357d2982e8bb56333ee89c838fcfad", - "gdnAlternativeSignature0": "faae5ac2227e01f41f73eda05f5b00d5de49e9d7c812dc34cbea14b50d6e9f77" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "64bf46cc4a2b1a39786b447ec202c2052f0686c787af51cc562ff3cb2baeadac", - "gdnAlternativeSignature0": "370f91c60e0d1be39570b5bc47e69e0826dd5835293145c9f61e8fcecac252b6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 284, - "endLine": 300, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_RestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4040613d3dfb88a05ae97881bd42b488d51f9ab73eb119fc0554a783ca548f34", - "gdnAlternativeSignature0": "aa1ce087240db3e7202e98fb6d5d42a12644148791a444e2923686fe70b74fc5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "7aa4dc87ad0a059efeb183e063efb6d08c9643371ef92a08431c2d59dbe6d7d8", - "gdnAlternativeSignature0": "efa930281f9711759aae2cbd30e4f5f6dfa8935213ef9d897b14266716dc3a50" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e921d31bfff9b531e071fb26ffdf65b6ad8bbe22352067af06b35cb28e82fb8c", - "gdnAlternativeSignature0": "17ce881dab034d29e0a5df168f9e1c52bdd2c5c975e4fdda06fa613e032d79bf" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a1c9a388790b96bca8c54d7e1af1d480c30c7478de1cdf397833aefa8611697a", - "gdnAlternativeSignature0": "6550ec87cae9d511c54e0c344a4cdd2c0de2f8cd89c915cdadf98545ba96361f" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5f201d5437de55fd80955e36fa892fc93cfb30c65f554f53a86a4df19d91f7a6", - "gdnAlternativeSignature0": "24eb4b238d28c37f127ee733bc68e96c101b7c274ec58a964bb4ef8f105a07ad" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "eb2f9b348b74a7a30a2ccf85154a95c66cbbd999d7f0db1a5515dc50033cd858", - "gdnAlternativeSignature0": "ee26900668b5c483ff485bc262a9dda64ddedd4b96a4e5f956797fc4e31c4d1e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "752975926aaa31a34fc4bb75edb0955f8b1b2b7cdd24081443961bd594ef684e", - "gdnAlternativeSignature0": "55cf1c6618e5e7a3be0f2feae175940eb5ec736d17afe66f0895df6997ab216e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "26f0a1a83d914e1d5687c693993f2e09d71b52f756d23a5682778f4a2085ff5e", - "gdnAlternativeSignature0": "5a8642e916010fccd880c8c0e73e83f149b9d44c76710d50d541dbd4d3c7d72a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 301, - "endLine": 318, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_UnrestrictedCORSAccess_EmbeddedSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true,\n \"siteConfig\": {\n \"cors\": {\n \"allowedOrigins\": [\n \"someIP\",\n \"*\"\n ]\n }\n }\n }\n },\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "5add9273a9903c496a94184e7c5ae16aa8c53067ea2f4eecb7f6cc9876a3145b", - "gdnAlternativeSignature0": "a1cb801109625b1081f5c08bf8d85057df4fa338901c035a3c779845e8d973ca" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_17", - "ruleIndex": 25, - "message": { - "text": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "3f3a80ee3024489c35085570b02f970bafaaf551396274635a00a4b79ac0eae2", - "gdnAlternativeSignature0": "917035e9a96adddabea41ba383c24edf46e1ec39e5e02fc8be4ddbeb01bc5b4e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_78", - "ruleIndex": 26, - "message": { - "text": "Ensure FTP deployments are disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8493bbcbf96e7e1068c6296f576527e894ef7245800bcd2116bc07e72079b43d", - "gdnAlternativeSignature0": "755512e4b82449a08f44e7eaebdb946e29314098160f8e1f39b9870f19dc43f7" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_18", - "ruleIndex": 27, - "message": { - "text": "Ensure that 'HTTP Version' is the latest if used to run the web app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d15577475858e078e31e0a5a4560d3e46f04f5c0af458457d9c46525545d0add", - "gdnAlternativeSignature0": "34f10bce44f8b65d8306df6efd6b8a73666704ebe97281cf5bb20c27415a99c5" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_16", - "ruleIndex": 29, - "message": { - "text": "Ensure that Register with Azure Active Directory is enabled on App Service" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "21939dfe4c3d1e60adaaab7f75ef7a0b94b4377b2a2950f7670c9afd424de80f", - "gdnAlternativeSignature0": "0054487d755a01b77de504fc5157faecd817a0ecae44d1e4aa91fd1a46e0be8b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_71", - "ruleIndex": 30, - "level": "note", - "message": { - "text": "Ensure that Managed identity provider is enabled for web apps" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "47829e0ae136b8b26a4176f73de53c99044bba251a284cf106812e2600802361", - "gdnAlternativeSignature0": "0a441e95438cb23ebbfb5ba5d34958a96417b8b4a440e329223843a090eab255" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_15", - "ruleIndex": 31, - "message": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0563668dc60ab562ba7553e4059ccb2600d2aee6505b99813a4d2edad7d7cab8", - "gdnAlternativeSignature0": "71db655b881a2f569a03dc4a80cf4f01371a09611c4f9780e1ac3eba24b4e2f8" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_222", - "ruleIndex": 32, - "message": { - "text": "Ensure that Azure Web App public network access is disabled" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "4f0638c743b2d1843ef77d55d462748d273aee152bbb618ceaa5a51f793330fc", - "gdnAlternativeSignature0": "e4025758f0b783be95138fa9820d245cb4c1db229e4353bd0a20f699ee9e616a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_67", - "ruleIndex": 34, - "message": { - "text": "Ensure that 'HTTP Version' is the latest, if used to run the Function app" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/insecure_arm.json" - }, - "region": { - "startLine": 319, - "endLine": 328, - "snippet": { - "text": " {\n \"apiVersion\": \"2019-08-01\",\n \"type\": \"Microsoft.Web/sites\",\n \"kind\": \"functionapp\",\n \"name\": \"FunctionApp_NoSitesConfig\",\n \"location\": \"[parameters('location')]\",\n \"properties\": {\n \"httpsOnly\": true\n }\n }\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "ca846feb1e4469b819a99002b3cec670caeab114d5f1c85c81ed5830745e8c77", - "gdnAlternativeSignature0": "962bde0a801111d2d1cefcb5d5bb60e8c031e3c31f4e4527dc4ab9fb05b23991" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_25", - "ruleIndex": 10, - "level": "note", - "message": { - "text": "Minimize the admission of containers with added capability" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a73a10ebaed1bcca5045392cd0e24ff11412eeae435f8a66bd90d64a40f09958", - "gdnAlternativeSignature0": "681910e9bced9366623d2dd9e93781a0f1a15f148fa6523a13e9a0058492d662" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_20", - "ruleIndex": 11, - "message": { - "text": "Containers should not run with allowPrivilegeEscalation" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "692c38842f145cb9c1ee25b48643b65a41b423830a016a149dc12712814602af", - "gdnAlternativeSignature0": "970e4c551a08367b382ed411f7ccca59e201e8e34e32717929767a568630af1e" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_21", - "ruleIndex": 12, - "level": "note", - "message": { - "text": "The default namespace should not be used" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "0378eb8b121cbc93bfe8a78bc75aeb8987f5e31d530ec0adf577e7cf03ee717d", - "gdnAlternativeSignature0": "fffebb6a7b3891cdd01cc402002cc3f81150a080fef1ea60dfe1e2f6f69eb601" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_28", - "ruleIndex": 13, - "level": "note", - "message": { - "text": "Minimize the admission of containers with the NET_RAW capability" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "70f66e4afeb0264ac95ebee5085b90a23e7a9a54107832fb271bd1f1aa298522", - "gdnAlternativeSignature0": "0f11dc2ccb44a7216c78769edb10df097f8a1fc681f56dfdfa93d7c2b802f9b7" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_43", - "ruleIndex": 14, - "level": "note", - "message": { - "text": "Image should use digest" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d54de20ef46f5565573d6411cce2a3baaf5b309cdc9e73bd2e0948dd98363d46", - "gdnAlternativeSignature0": "4e3e18739d7eee6105acea4f65c463484b66649a68e864755fc68c7030743359" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_8", - "ruleIndex": 15, - "level": "note", - "message": { - "text": "Liveness Probe Should be Configured" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2e737794eca54186f3ad53c5fe3a9a7e34d4e9617064e5f844c785e4082877e3", - "gdnAlternativeSignature0": "1efa25c9281d5272c63c1bd7aa7a55673eeb2696c3df5d258c0291cb3d22eff6" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_37", - "ruleIndex": 16, - "level": "note", - "message": { - "text": "Minimize the admission of containers with capabilities assigned" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "09e2a7056dc2cd2bb024c4a44a0111d6f1e72d32b6b4a76c8f02e14817384044", - "gdnAlternativeSignature0": "d3bc404f8a377bc479f16b07ba7be8098c6d7a10735ee0bc15be7f48c5f089f4" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_29", - "ruleIndex": 17, - "level": "note", - "message": { - "text": "Apply security context to your pods and containers" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2fb25b212960e5a8760b6523d4a4c2b47c5a0482186059c1d23c41446faf72b7", - "gdnAlternativeSignature0": "85a6f0ad55f847141b45ccf6ef907b5a180d07d0d29cac32bcc1829e8eb8b2ea" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_22", - "ruleIndex": 18, - "level": "note", - "message": { - "text": "Use read-only filesystem for containers where possible" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "da115818e9e2ffadf20a6b9d1cb1c02e963eb192dae03af8c39e6fce8bcc097e", - "gdnAlternativeSignature0": "d8c06cf85b8fbddd0ad8ba2f86285da2ad52245291c6cab6fd69f3fce31127d7" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_23", - "ruleIndex": 19, - "message": { - "text": "Minimize the admission of root containers" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "c1be36e7556627562c7357f53bacdfea88d2fd6839ffad11f41bff594ddd0f83", - "gdnAlternativeSignature0": "e149f6402cc34c6663973655fb12e532f6c670a7e0374081fae82fd6575dab65" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_40", - "ruleIndex": 20, - "level": "note", - "message": { - "text": "Containers should run as a high UID to avoid host conflict" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "25c05ca1359bd4c2edaee66ac2d7fdc6c213eebfa5d139a0555ed06ea2c573c7", - "gdnAlternativeSignature0": "a73c63b0f812757918d4198fe20e0100bcf3d60c9a9a37f67cd321a74a14f72b" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_31", - "ruleIndex": 21, - "level": "note", - "message": { - "text": "Ensure that the seccomp profile is set to docker/default or runtime/default" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "70378cd13d8568d09ced49362abbf35160b842273ca5ec57bf69c71c378a6321", - "gdnAlternativeSignature0": "3bfe46e3cda430aa1ce3f452e781cdc43697d087821cc36fd104604f940ae43a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_K8S_38", - "ruleIndex": 22, - "level": "note", - "message": { - "text": "Ensure that Service Account Tokens are only mounted where necessary" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "97d3e19a31f43aac84ccd148a5c258209c1727f5900e0b2b1435e8ab08b647b3", - "gdnAlternativeSignature0": "218768ca543d9e02181e0769e8f9a3c7e5e2318fb0742bed2736ea116b7b8f4e" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_K8S_6", - "ruleIndex": 23, - "message": { - "text": "Minimize the admission of pods which lack an associated NetworkPolicy" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/K8s-cassandra-statefulset.yaml" - }, - "region": { - "startLine": 1, - "endLine": 96, - "snippet": { - "text": "apiVersion: \"apps/v1\" # for k8s versions before 1.9.0 use apps/v1beta2 and before 1.8.0 use extensions/v1beta1\nkind: StatefulSet\nmetadata:\n name: cassandra\n labels:\n app: cassandra\nspec:\n serviceName: cassandra\n replicas: 3\n selector:\n matchLabels:\n app: cassandra\n template:\n metadata:\n labels:\n app: cassandra\n spec:\n terminationGracePeriodSeconds: 1800\n containers:\n - name: cassandra\n image: gcr.io/google-samples/cassandra:v14\n imagePullPolicy: Always\n ports:\n - containerPort: 7000\n name: intra-node\n - containerPort: 7001\n name: tls-intra-node\n - containerPort: 7199\n name: jmx\n - containerPort: 9042\n name: cql\n resources:\n limits:\n cpu: \"500m\"\n memory: 1Gi\n requests:\n cpu: \"500m\"\n memory: 1Gi\n securityContext:\n capabilities:\n add:\n - IPC_LOCK\n lifecycle:\n preStop:\n exec:\n command:\n - /bin/sh\n - -c\n - nodetool drain\n env:\n - name: MAX_HEAP_SIZE\n value: 512M\n - name: HEAP_NEWSIZE\n value: 100M\n - name: CASSANDRA_SEEDS\n value: \"cassandra-0.cassandra.default.svc.cluster.local\"\n - name: CASSANDRA_CLUSTER_NAME\n value: \"K8Demo\"\n - name: CASSANDRA_DC\n value: \"DC1-K8Demo\"\n - name: CASSANDRA_RACK\n value: \"Rack1-K8Demo\"\n - name: CASSANDRA_SEED_PROVIDER\n value: io.k8s.cassandra.KubernetesSeedProvider\n - name: POD_IP\n valueFrom:\n fieldRef:\n fieldPath: status.podIP\n readinessProbe:\n exec:\n command:\n - /bin/bash\n - -c\n - /ready-probe.sh\n initialDelaySeconds: 15\n timeoutSeconds: 5\n # These volume mounts are persistent. They are like inline claims,\n # but not exactly because the names need to match exactly one of\n # the stateful pod volumes.\n volumeMounts:\n - name: cassandra-data\n mountPath: /var/lib/cassandra\n # These are converted to volume claims by the controller\n # and mounted at the paths mentioned above.\n # do not use these in production until ssd GCEPersistentDisk or other ssd pd\n volumeClaimTemplates:\n - metadata:\n name: cassandra-data\n annotations:\n volume.beta.kubernetes.io/storage-class: fast\n spec:\n accessModes: [ \"ReadWriteOnce\" ]\n resources:\n requests:\n storage: 1Gi\n---\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "2c09fe5d58637920ffb2f45d2e9e47b6d24f94f9a5a6318e86d5b119d90dc136", - "gdnAlternativeSignature0": "52664a33e0000747d7d55032ea8ff784c99f191108fd7b0a4405b4b4b1787c90" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_59", - "ruleIndex": 0, - "level": "note", - "message": { - "text": "Ensure that Storage accounts disallow public access" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "d7f32900926833945cac2ead4c1ed6c351aabf9fee418b413e3bfe46c8fc54f3", - "gdnAlternativeSignature0": "a3fc19e10564a2494f31f34241b921013aeb4aef2a9ef7ef9731f2fe7fd95ce9" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_33", - "ruleIndex": 1, - "message": { - "text": "Ensure Storage logging is enabled for Queue service for read, write and delete requests" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "641b61a3a4b3c0d759acd57a321d6db4044b47347cd764c152f071e8341faea0", - "gdnAlternativeSignature0": "83a8dfca2a610d8e67e683b30391980c336f3c1722ce80fb2afacb2a01b0a799" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_44", - "ruleIndex": 2, - "message": { - "text": "Ensure Storage Account is using the latest version of TLS encryption" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "9805631179c91f5535eda5e1f2a9d29d2295ca1bec013d3174a1285a9be83d60", - "gdnAlternativeSignature0": "05b8f7f1708c13235397e5a11b0fd243e02f41d8c5085efc269c1d4e73d2b39a" - }, - "attachments": [] - }, - { - "ruleId": "CKV_AZURE_190", - "ruleIndex": 3, - "level": "error", - "message": { - "text": "Ensure that Storage blobs restrict public access" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "a34ff2ab3988f90969a68250eef2b1c1e687c5b58396f198c2615a955b8db206", - "gdnAlternativeSignature0": "9c23a512d4110d27fefdb36bb130958e046b17463df5a7ef245d584c9f943363" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_40", - "ruleIndex": 4, - "message": { - "text": "Ensure storage account is not configured with Shared Key authorization" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "e9deaf9a38127ba6222b800492a1b840017f9907c25f9fba842d8c85ae861f33", - "gdnAlternativeSignature0": "bf8101fb23c886bf671ac5c24d8b62f3028e2d9b5e8fc2e106d6789aa8070b76" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_47", - "ruleIndex": 5, - "message": { - "text": "Ensure storage account is configured without blob anonymous access" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "1d3bb7599e6f934ddc2badeee51d506051093f4e718c3199d4efd83c6e74ec12", - "gdnAlternativeSignature0": "edfaa2046c397a63e4856e499fc9a7166c96e5bb51978d37f2426cefa1af8457" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_33", - "ruleIndex": 6, - "message": { - "text": "Ensure storage account is configured with private endpoint" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "43638c4e55b51ed9f346ab462c059ca30a19b570565c7de7ea7b5daee1d6d9ef", - "gdnAlternativeSignature0": "4b4ba219a803a0d61f213eab7cfdf2792eda5bd536ccf4992d1b5d9342e26ac3" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_41", - "ruleIndex": 7, - "message": { - "text": "Ensure storage account is configured with SAS expiration policy" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "761254b9af4e347b1a2a05bc08bd77da3c0a640e44671e27f0fa7cbbc88d2b93", - "gdnAlternativeSignature0": "3358ef85a8762cda2cea0b4f31eebe014dc97571753cefc4394067b9f23cf0f2" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_38", - "ruleIndex": 8, - "message": { - "text": "Ensure soft-delete is enabled on Azure storage account" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "8fdd2b7bd19cdd5ce21a89b95330d3a80ecd9efbe30f89c35f0b146a42a65d0f", - "gdnAlternativeSignature0": "e05ba2b227cc43fd36ea7fe66359bf553cdf88de6ff3aa184fc24ed97fa3c3c4" - }, - "attachments": [] - }, - { - "ruleId": "CKV2_AZURE_1", - "ruleIndex": 9, - "level": "error", - "message": { - "text": "Ensure storage for critical data are encrypted with Customer Managed Key" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "samples/IaCMapping/main.tf" - }, - "region": { - "startLine": 19, - "endLine": 29, - "snippet": { - "text": "resource \"azurerm_storage_account\" \"terraformaccount1\" {\n name = \"iacmapping1212\"\n resource_group_name = azurerm_resource_group.resourcegroup.name\n location = \"Central US\"\n account_tier = \"Standard\"\n account_replication_type = \"GRS\"\n\n tags = {\n \"mapping_tag\" = \"6189b638-15a5-42ec-b934-0d2b8e035ce1\"\n }\n}\n" - } - } - } - } - ], - "fingerprints": { - "gdnPrimarySignature": "b6600702be50525edb979f621ecf387776351f02b51dc4d37b822d660e575787", - "gdnAlternativeSignature0": "d1feda229fb89c3ecbaaaf3edec8f23599c5bccd3a725020863ea9b593ae4375" - }, - "attachments": [] - } - ], - "columnKind": "utf16CodeUnits", - "policies": [ - { - "name": "Microsoft", - "version": "2.0.3" - } - ], - "properties": { - "toolInfoId": "checkov>>6>>202411062057" - } - } - ], - "properties": { - "producer": "MicrosoftSecurityDevOps", - "pipelineRunUrl": "Unknown", - "sourcePipelineId": "Unknown" - } -} \ No newline at end of file