Bicep framework scan fails for some files
romanrabodzei opened this issue · 2 comments
romanrabodzei commented
Hi all,
I'm testing Azure Bicep with Checkov, and the Bicep framework does not work correctly for some files.
Files I use for scan:
storageaccount.bicep
/*
.Synopsis
Bicep template for Storage Account. Template https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts?tabs=bicep#template-format
.NOTES
Author : CoE Azure
Version : 1.0.240805
*/
/// deployment scope
targetScope = 'resourceGroup'
/// parameters
param location string
param subscription string
param storageAccountName string
param storageAccountKind string = 'StorageV2'
param storageAccountType string = 'Standard_LRS'
param storageAccountAccessTier string = 'Hot'
param storageAccountHnsEnabled bool = false
@description('Network access from outside for the storage account.')
@allowed([
'Allow'
'Deny'
])
param networkAccess_default string = 'Allow'
@description(' The resource ID for isolated access to storage account.')
param networkAccess_resource array = []
var resourceAccessRules = [
for (id, item) in networkAccess_resource: {
tenantId: az.subscription().tenantId
resourceId: networkAccess_resource[item]
}
]
param networkingResourceGroupName string = ''
param virtualNetworkName string = ''
param virtualNetworkSubnetName string = ''
var restorePolicy = {
enabled: true
days: 13
}
var changeFeed = {
enabled: true
}
/// monitoring
param logAnalyticsWorkspaceName string = ''
param logAnalyticsWorkspaceResourceGroupName string = ''
/// tags
param tags object = {}
/// resources
resource virtualNetwork_resource 'Microsoft.Network/virtualNetworks@2021-05-01' existing = if (!empty(networkingResourceGroupName) && !empty(virtualNetworkName) && !empty(virtualNetworkSubnetName)) {
scope: resourceGroup(networkingResourceGroupName)
name: virtualNetworkName
resource subnet 'subnets' existing = {
name: virtualNetworkSubnetName
}
}
resource storageAccount_resource 'Microsoft.Storage/storageAccounts@2023-05-01' = {
name: storageAccountName
location: location
tags: tags
sku: {
name: storageAccountType
}
kind: storageAccountKind
properties: {
accessTier: storageAccountAccessTier
minimumTlsVersion: 'TLS1_2'
supportsHttpsTrafficOnly: true
allowBlobPublicAccess: false
allowCrossTenantReplication: true
encryption: {
keySource: 'Microsoft.Storage'
requireInfrastructureEncryption: false
services: {
blob: {
enabled: true
keyType: 'Account'
}
file: {
enabled: true
keyType: 'Account'
}
queue: {
enabled: true
keyType: 'Account'
}
table: {
enabled: true
keyType: 'Account'
}
}
}
isHnsEnabled: storageAccountHnsEnabled
isLocalUserEnabled: false
isNfsV3Enabled: false
isSftpEnabled: false
keyPolicy: {
keyExpirationPeriodInDays: 90
}
largeFileSharesState: 'Disabled'
publicNetworkAccess: 'Enabled'
networkAcls: {
resourceAccessRules: networkAccess_resource == [''] || networkAccess_resource == [] ? [] : resourceAccessRules
bypass: 'AzureServices'
defaultAction: networkAccess_default
virtualNetworkRules: empty(networkingResourceGroupName) && empty(virtualNetworkName) && empty(virtualNetworkSubnetName)
? []
: [
{
id: virtualNetwork_resource::subnet.id
action: 'Allow'
}
]
}
}
}
resource storageAccountBlobService_resource 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
name: toLower('${storageAccountName}/default')
properties: {
containerDeleteRetentionPolicy: {
enabled: true
days: toLower(subscription) == 'prod' ? 90 : 30
}
deleteRetentionPolicy: {
allowPermanentDelete: false
enabled: true
days: toLower(subscription) == 'prod' ? 90 : 30
}
restorePolicy: storageAccountHnsEnabled == false ? restorePolicy : null
isVersioningEnabled: storageAccountHnsEnabled == false ? true : null
changeFeed: storageAccountHnsEnabled == false ? changeFeed : null
}
dependsOn: [
storageAccount_resource
]
}
resource storageAccountFileService_resource 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {
name: toLower('${storageAccountName}/default')
properties: {
shareDeleteRetentionPolicy: {
enabled: true
days: toLower(subscription) == 'prod' ? 90 : 30
}
}
dependsOn: [
storageAccount_resource
]
}
resource logAnalytics_resource 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
scope: resourceGroup(logAnalyticsWorkspaceResourceGroupName)
name: logAnalyticsWorkspaceName
}
resource send_data_to_logAnalyticsWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceName)) {
scope: storageAccount_resource
name: toLower('send-data-to-${logAnalyticsWorkspaceName}')
properties: {
workspaceId: logAnalytics_resource.id
metrics: [
{
category: 'Transaction'
enabled: true
}
]
}
}
var storageAccountPrimaryKey = storageAccount_resource.listKeys().keys[0].value
output storageAccountPrimaryKey string = storageAccountPrimaryKey
output storageAccountConnectionString string = 'DefaultEndpointsProtocol=https;AccountName=${storageAccount_resource.name};AccountKey=${storageAccountPrimaryKey};EndpointSuffix=${environment().suffixes.storage}'
output storageAccountId string = storageAccount_resource.id
servicebus.bicep
/*
.Synopsis
Bicep template for Service Bus. Template https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/namespaces?tabs=bicep#template-format
.NOTES
Author : CoE Azure
Version : 1.0.231205
*/
/// deployment scope
targetScope = 'resourceGroup'
/// parameters
param location string = ''
param serviceBusName string = ''
param serviceBusSkuName string = 'Standard'
param serviceBusSkuTier string = 'Standard'
@allowed([
'fs'
'cs'
'be'
])
param application string
/// monitoring
param logAnalyticsWorkspaceName string = ''
param logAnalyticsWorkspaceResourceGroupName string = ''
/// tags
param tags object = {}
/// resources
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
name: toLower(serviceBusName)
location: location
tags: tags
sku: {
name: serviceBusSkuName
tier: serviceBusSkuTier
}
properties: {
disableLocalAuth: false
}
}
resource serviceBusAuthorizationRules 'Microsoft.ServiceBus/namespaces/AuthorizationRules@2022-10-01-preview' existing = {
parent: serviceBus
name: 'RootManageSharedAccessKey'
}
var serviceBusQueues = {
fs: [
'sl_error_internal'
'sl_event_internal'
'sl_inbound'
'sl_inbound_internal'
'sl_outbound'
'sl_reply_internal'
]
cs: [
'na-acs-sb-qu'
]
be: [
'customerservice-queue'
]
}
resource serviceBusQueue 'Microsoft.ServiceBus/namespaces/queues@2022-01-01-preview' = [for item in serviceBusQueues[application]: {
parent: serviceBus
name: item
properties: {
lockDuration: 'PT5M'
maxSizeInMegabytes: 5120
requiresDuplicateDetection: false
requiresSession: false
defaultMessageTimeToLive: 'P10675199DT2H48M5.4775807S'
deadLetteringOnMessageExpiration: false
duplicateDetectionHistoryTimeWindow: 'PT10M'
maxDeliveryCount: 10
autoDeleteOnIdle: 'P10675199DT2H48M5.4775807S'
enablePartitioning: false
enableExpress: false
}
}]
resource logAnalytics_resource 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
scope: resourceGroup(logAnalyticsWorkspaceResourceGroupName)
name: logAnalyticsWorkspaceName
}
resource send_data_to_logAnalyticsWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
scope: serviceBus
name: toLower('send-data-to-${logAnalyticsWorkspaceName}')
properties: {
workspaceId: logAnalytics_resource.id
logs: [
{
category: 'OperationalLogs'
enabled: true
}
{
category: 'VNetAndIPFilteringLogs'
enabled: true
}
]
metrics: [
{
category: 'AllMetrics'
enabled: true
}
]
}
}
var serviceBusPrimaryConnectionString = serviceBusAuthorizationRules.listKeys().primaryConnectionString
output serviceBusId string = serviceBus.id
output serviceBusPrimaryConnectionString string = serviceBusPrimaryConnectionString
Version I use
- Checkov Version 3.2.230
The output
checkov -f ./servicebus.bicep
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./servicebus.bicep
[ bicep framework ]: 100%|████████████████████|[1/1], Current File Scanned=servicebus.bicep
checkov -f ./storageaccount.bicep
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./storageaccount.bicep
bicep scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
Error parsing file storageaccount.bicepֿ
I would be grateful for the help!