
CKV_AZURE_189 is not being marked as passed in Bicep code

Open mmassey1993 opened this issue 1 year ago • 4 comments

Describe the issue
The checkov scan is failing on CKV_AZURE_189 (Ensure public network access for key vault is disabled) even though the correct property is in place.

Examples

```bicep
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
    enablePurgeProtection: true
    enableSoftDelete: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enabledForDeployment: true
    enableRbacAuthorization: true
    publicNetworkAccess: 'Disabled'
  }
}
```

I would expect this to work as the public network access value is disabled.

Additional context
I had an issue with a different checkov check, and the issue was because it was not checking for string values of "Enabled" or "Disabled" correctly in BICEP compared to terraform.

mmassey1993 avatar Jun 10 '24 13:06 mmassey1993

Hey @mmassey1993, changing the value from `publicNetworkAccess: 'Disabled'` to lowercase `'disabled'` seems to have fixed this issue for me.

Example of updated code:

```bicep
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
    enablePurgeProtection: true
    enableSoftDelete: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enabledForDeployment: true
    enableRbacAuthorization: true
    publicNetworkAccess: 'disabled'
  }
}
```

Seems to be the format that is listed in the following documentation: https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?pivots=deployment-language-bicep#resource-format:~:text=RegisteringDns%27%0A%27Succeeded%27-,publicNetworkAccess,the%20firewall%20rules%20are%20present%20we%20will%20not%20honor%20the%20rules.,-string

Other notes: Checkov version 3.2.133

mannycepeda1989 avatar Jun 10 '24 23:06 mannycepeda1989

@mannycepeda1989 Thank you, that has worked. However I use the same Disabled value for other things and it works perfectly fine. Would be nice if there was consistency, or if it just used a lower() function to ensure it's always lowercase if that is what's needed.

mmassey1993 avatar Jun 11 '24 08:06 mmassey1993

The check also fails if the value is a parameter. Even if that parameter is "disabled" by default, it will still fail. Can checkov evaluate the parameter values?

```bicep
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkAcls are not set.')
@allowed([
  'enabled'
  'disabled'
])
param publicNetworkAccess string = 'disabled'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: name
  location: location
  tags: tags
  properties: {
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    enableSoftDelete: true
    softDeleteRetentionInDays: softDeleteRetentionInDays
    enableRbacAuthorization: true
    enablePurgeProtection: true
    tenantId: subscription().tenantId
    accessPolicies: formattedAccessPolicies
    sku: {
      name: vaultSku
      family: 'A'
    }
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
    publicNetworkAccess: publicNetworkAccess
  }
}
```

mmassey1993 avatar Jun 12 '24 08:06 mmassey1993

@mmassey1993 this PR will support Disabled and disabled: https://github.com/bridgecrewio/checkov/pull/6609

In terms of parameters, we do support parameters in the same file and your code passes for me: [screenshot]

We don't support parameters across files. If that's the issue, it would be a feature request to support it and since that's not the same as this policy issue, can you open another Issue for this?

tsmithv11 avatar Jul 26 '24 22:07 tsmithv11
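The thread above turns on two behaviours of the check: comparing the `publicNetworkAccess` value case-insensitively (`'Disabled'` and `'disabled'` both pass) and resolving a value that refers to a `param` declared in the same file, while a parameter declared in another file cannot be evaluated. The following is an added Python example written for this page; it is not Checkov's own code and does not use Checkov's APIs. It uses a constructed Bicep snippet modelled on the one in the issue and a deliberately minimal regex "parser" (assumption: the resource has a single `publicNetworkAccess` property on its own line, and string parameters carry a literal default). The `case_sensitive` flag reproduces the pre-fix behaviour so the difference is visible.

```python
"""Toy evaluation of a Key Vault publicNetworkAccess setting in Bicep.

Added example, not Checkov code. Demonstrates:
  1. case-insensitive comparison ('Disabled' == 'disabled'),
  2. resolving a property that references a same-file parameter default,
  3. reporting UNKNOWN when the parameter is not declared in this file.
"""
import re

# Constructed Bicep snippet, modelled on the one posted in the issue.
BICEP_SAMPLE = """
@allowed([ 'enabled' 'disabled' ])
param publicNetworkAccess string = 'disabled'

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: name
  properties: {
    enableRbacAuthorization: true
    publicNetworkAccess: publicNetworkAccess
  }
}
"""

# Assumed shapes: `param <name> string = '<literal>'` and one property line.
PARAM_RE = re.compile(r"^\s*param\s+(\w+)\s+string\s*=\s*'([^']*)'", re.M)
PROP_RE = re.compile(r"^\s*publicNetworkAccess\s*:\s*(.+?)\s*$", re.M)


def parse_params(text: str) -> dict:
    """Map each string parameter with a literal default to that default."""
    return {name: default for name, default in PARAM_RE.findall(text)}


def resolve(raw: str, params: dict):
    """Return the literal for a property expression.

    A quoted string is returned as-is (without quotes); a bare identifier is
    looked up among same-file parameter defaults. None means the value is not
    resolvable from this file (e.g. a parameter declared elsewhere).
    """
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == "'" and raw[-1] == "'":
        return raw[1:-1]
    return params.get(raw)


def check_public_network_access(text: str, case_sensitive: bool = False) -> str:
    """Return 'PASSED', 'FAILED' or 'UNKNOWN' for CKV_AZURE_189-style logic.

    case_sensitive=True mimics the behaviour reported in the issue, where only
    the lowercase literal 'disabled' was accepted.
    """
    params = parse_params(text)
    match = PROP_RE.search(text)
    if match is None:
        # Property absent: we cannot prove public access is disabled.
        return "FAILED"
    value = resolve(match.group(1), params)
    if value is None:
        return "UNKNOWN"
    expected = "disabled"
    actual = value if case_sensitive else value.lower()
    return "PASSED" if actual == expected else "FAILED"


def with_literal(text: str, literal: str) -> str:
    """Helper: swap the parameter reference for a quoted literal in the sample."""
    return text.replace("publicNetworkAccess: publicNetworkAccess",
                        f"publicNetworkAccess: '{literal}'")


if __name__ == "__main__":
    print("param default  :", check_public_network_access(BICEP_SAMPLE))
    print("'Disabled' ci  :", check_public_network_access(with_literal(BICEP_SAMPLE, "Disabled")))
    print("'Disabled' cs  :", check_public_network_access(with_literal(BICEP_SAMPLE, "Disabled"), case_sensitive=True))
    print("'Enabled'      :", check_public_network_access(with_literal(BICEP_SAMPLE, "Enabled")))
    no_param = BICEP_SAMPLE.replace("param publicNetworkAccess string = 'disabled'", "")
    print("foreign param  :", check_public_network_access(no_param))
```

Running the block prints PASSED for the same-file parameter default and for `'Disabled'` in the case-insensitive mode, FAILED for `'Disabled'` in the case-sensitive mode (the symptom reported above) and for `'Enabled'`, and UNKNOWN when the parameter is not declared in the scanned file, which is the cross-file case the maintainer says is out of scope for this check.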

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar Jan 25 '25 17:01 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

stale[bot] avatar Feb 08 '25 21:02 stale[bot]