Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(bicep): Add bicep specific for CKV_AZURE_25 since ARM implementation fails #6996

Merged
merged 6 commits into from
Feb 5, 2025
Merged

fix(bicep): Add bicep specific for CKV_AZURE_25 since ARM implementation fails #6996

merged 6 commits into from
Feb 5, 2025

Conversation

mLe110
Copy link
Contributor

@mLe110 mLe110 commented Feb 4, 2025
edited by baz-reviewer bot
Loading

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

The change uses the graph to properly check for the 'state' and 'disabledAlerts' attributes in the required securityAlertPolicies for Azure SQL servers and databases. As of now, checkov uses the ARM implementation for this check, which fails for bicep scripts.

Fixes #6963

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

Implements a new graph-based check for Azure SQL Server threat detection alerts in Bicep scripts. Adds a YAML configuration file for the check, creates test cases to verify the implementation, and updates the test suite to include the new check. The change addresses an issue where the existing ARM implementation fails for Bicep scripts, ensuring that all threat types are properly enabled for Azure SQL servers and databases.

TopicDetails
Test Cases Adds test cases and resources to verify the new graph-based check implementation
Modified files (3)
  • tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/main.bicep
  • tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/expected.yaml
  • tests/bicep/graph/checks/test_yaml_policies.py
Latest Contributors(2)
UserCommitDate
tsmithv11feat-bicep-Add-bicep-v...April 19, 2024
lirshindalmanfeat-general-Add-image...September 28, 2023
Graph Check Impl Implements a new graph-based check for Azure SQL Server threat detection alerts in Bicep scripts
Modified files (1)
  • checkov/bicep/checks/graph_checks/SQLServerThreatDetectionTypes.yaml
Latest Contributors(0)
UserCommitDate
This pull request is reviewed by Baz. Join @mLe110 and the rest of your team on (Baz).

@mLe110 mLe110 changed the title [WIP] added test resources for CKV_AZURE_25 fix(bicep) Fix check in bicep for CKV_AZURE_25 Feb 4, 2025
@mLe110 mLe110 changed the title fix(bicep) Fix check in bicep for CKV_AZURE_25 fix(bicep): Add bicep specific for CKV_AZURE_25 since ARM implementation fails Feb 4, 2025
tsmithv11
tsmithv11 reviewed Feb 4, 2025
View reviewed changes
Copy link
Collaborator

@tsmithv11 tsmithv11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work and thanks for the contribution! Can you add a test of a Microsoft.Sql/servers or Microsoft.Sql/servers/databases without a nested securityAlertPolicies to make sure it has the desired behavior?

@mLe110
Copy link
Contributor Author

mLe110 commented Feb 4, 2025

Great work and thanks for the contribution! Can you add a test of a Microsoft.Sql/servers or Microsoft.Sql/servers/databases without a nested securityAlertPolicies to make sure it has the desired behavior?

Good point! I'll do that right away

@mLe110
Copy link
Contributor Author

mLe110 commented Feb 4, 2025

Great work and thanks for the contribution! Can you add a test of a Microsoft.Sql/servers or Microsoft.Sql/servers/databases without a nested securityAlertPolicies to make sure it has the desired behavior?

Done

tsmithv11
tsmithv11 approved these changes Feb 5, 2025
View reviewed changes
Copy link
Collaborator

@tsmithv11 tsmithv11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@tsmithv11 tsmithv11 merged commit b2a018f into bridgecrewio:main Feb 5, 2025
47 checks passed
Saarett pushed a commit that referenced this pull request Feb 5, 2025
@mLe110 @actions-user
fix(bicep): Add bicep specific for CKV_AZURE_25 since ARM implementat…
e9fb26f 
…ion fails (#6996)

* added test resources for CKV_AZURE_25

* added graph check for CKV_AZURE_25

* added main.bicep test file

* added expected file for graph checks

* added new tests for CKV_AZURE_25 if no security policy is provided
Saarett pushed a commit that referenced this pull request Feb 5, 2025
@mLe110 @actions-user
fix(bicep): Add bicep specific for CKV_AZURE_25 since ARM implementat…
eee38b1 
…ion fails (#6996)

* added test resources for CKV_AZURE_25

* added graph check for CKV_AZURE_25

* added main.bicep test file

* added expected file for graph checks

* added new tests for CKV_AZURE_25 if no security policy is provided
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxamel maxamel maxamel approved these changes

@tsmithv11 tsmithv11 tsmithv11 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CKV_AZURE_25 fails for bicep files
3 participants
@mLe110 @maxamel @tsmithv11