Hi all,
I'm testing Azure Bicep with Checkov, and the Bicep framework does not work correctly for some files.
Files I use for scan:

storageaccount.bicep

```bicep
/*
.Synopsis
Bicep template for Storage Account.
Template https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts?tabs=bicep#template-format
.NOTES
Author  : CoE Azure
Version : 1.0.240805
*/

/// deployment scope
targetScope = 'resourceGroup'

/// parameters
param location string
param subscription string
param storageAccountName string
param storageAccountKind string = 'StorageV2'
param storageAccountType string = 'Standard_LRS'
param storageAccountAccessTier string = 'Hot'
param storageAccountHnsEnabled bool = false

@description('Network access from outside for the storage account.')
@allowed([
  'Allow'
  'Deny'
])
param networkAccess_default string = 'Allow'

@description(' The resource ID for isolated access to storage account.')
param networkAccess_resource array = []

var resourceAccessRules = [
  for (id, item) in networkAccess_resource: {
    tenantId: az.subscription().tenantId
    resourceId: networkAccess_resource[item]
  }
]

param networkingResourceGroupName string = ''
param virtualNetworkName string = ''
param virtualNetworkSubnetName string = ''

var restorePolicy = {
  enabled: true
  days: 13
}

var changeFeed = {
  enabled: true
}

/// monitoring
param logAnalyticsWorkspaceName string = ''
param logAnalyticsWorkspaceResourceGroupName string = ''

/// tags
param tags object = {}

/// resources
resource virtualNetwork_resource 'Microsoft.Network/virtualNetworks@2021-05-01' existing = if (!empty(networkingResourceGroupName) && !empty(virtualNetworkName) && !empty(virtualNetworkSubnetName)) {
  scope: resourceGroup(networkingResourceGroupName)
  name: virtualNetworkName

  resource subnet 'subnets' existing = {
    name: virtualNetworkSubnetName
  }
}

resource storageAccount_resource 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  tags: tags
  sku: {
    name: storageAccountType
  }
  kind: storageAccountKind
  properties: {
    accessTier: storageAccountAccessTier
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    allowCrossTenantReplication: true
    encryption: {
      keySource: 'Microsoft.Storage'
      requireInfrastructureEncryption: false
      services: {
        blob: {
          enabled: true
          keyType: 'Account'
        }
        file: {
          enabled: true
          keyType: 'Account'
        }
        queue: {
          enabled: true
          keyType: 'Account'
        }
        table: {
          enabled: true
          keyType: 'Account'
        }
      }
    }
    isHnsEnabled: storageAccountHnsEnabled
    isLocalUserEnabled: false
    isNfsV3Enabled: false
    isSftpEnabled: false
    keyPolicy: {
      keyExpirationPeriodInDays: 90
    }
    largeFileSharesState: 'Disabled'
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      resourceAccessRules: networkAccess_resource == [''] || networkAccess_resource == [] ? [] : resourceAccessRules
      bypass: 'AzureServices'
      defaultAction: networkAccess_default
      virtualNetworkRules: empty(networkingResourceGroupName) && empty(virtualNetworkName) && empty(virtualNetworkSubnetName) ? [] : [
        {
          id: virtualNetwork_resource::subnet.id
          action: 'Allow'
        }
      ]
    }
  }
}

resource storageAccountBlobService_resource 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  name: toLower('${storageAccountName}/default')
  properties: {
    containerDeleteRetentionPolicy: {
      enabled: true
      days: toLower(subscription) == 'prod' ? 90 : 30
    }
    deleteRetentionPolicy: {
      allowPermanentDelete: false
      enabled: true
      days: toLower(subscription) == 'prod' ? 90 : 30
    }
    restorePolicy: storageAccountHnsEnabled == false ? restorePolicy : null
    isVersioningEnabled: storageAccountHnsEnabled == false ? true : null
    changeFeed: storageAccountHnsEnabled == false ? changeFeed : null
  }
  dependsOn: [
    storageAccount_resource
  ]
}

resource storageAccountFileService_resource 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {
  name: toLower('${storageAccountName}/default')
  properties: {
    shareDeleteRetentionPolicy: {
      enabled: true
      days: toLower(subscription) == 'prod' ? 90 : 30
    }
  }
  dependsOn: [
    storageAccount_resource
  ]
}

resource logAnalytics_resource 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
  scope: resourceGroup(logAnalyticsWorkspaceResourceGroupName)
  name: logAnalyticsWorkspaceName
}

// condition checks the workspace resource group as well (the original repeated the workspace name twice)
resource send_data_to_logAnalyticsWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
  scope: storageAccount_resource
  name: toLower('send-data-to-${logAnalyticsWorkspaceName}')
  properties: {
    workspaceId: logAnalytics_resource.id
    metrics: [
      {
        category: 'Transaction'
        enabled: true
      }
    ]
  }
}

var storageAccountPrimaryKey = storageAccount_resource.listKeys().keys[0].value

output storageAccountPrimaryKey string = storageAccountPrimaryKey
output storageAccountConnectionString string = 'DefaultEndpointsProtocol=https;AccountName=${storageAccount_resource.name};AccountKey=${storageAccountPrimaryKey};EndpointSuffix=${environment().suffixes.storage}'
output storageAccountId string = storageAccount_resource.id
```
servicebus.bicep

```bicep
/*
.Synopsis
Bicep template for Service Bus.
Template https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/namespaces?tabs=bicep#template-format
.NOTES
Author  : CoE Azure
Version : 1.0.231205
*/

/// deployment scope
targetScope = 'resourceGroup'

/// parameters
param location string = ''
param serviceBusName string = ''
param serviceBusSkuName string = 'Standard'
param serviceBusSkuTier string = 'Standard'

@allowed([
  'fs'
  'cs'
  'be'
])
param application string

/// monitoring
param logAnalyticsWorkspaceName string = ''
param logAnalyticsWorkspaceResourceGroupName string = ''

/// tags
param tags object = {}

/// resources
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: toLower(serviceBusName)
  location: location
  tags: tags
  sku: {
    name: serviceBusSkuName
    tier: serviceBusSkuTier
  }
  properties: {
    disableLocalAuth: false
  }
}

resource serviceBusAuthorizationRules 'Microsoft.ServiceBus/namespaces/AuthorizationRules@2022-10-01-preview' existing = {
  parent: serviceBus
  name: 'RootManageSharedAccessKey'
}

var serviceBusQueues = {
  fs: [
    'sl_error_internal'
    'sl_event_internal'
    'sl_inbound'
    'sl_inbound_internal'
    'sl_outbound'
    'sl_reply_internal'
  ]
  cs: [
    'na-acs-sb-qu'
  ]
  be: [
    'customerservice-queue'
  ]
}

resource serviceBusQueue 'Microsoft.ServiceBus/namespaces/queues@2022-01-01-preview' = [for item in serviceBusQueues[application]: {
  parent: serviceBus
  name: item
  properties: {
    lockDuration: 'PT5M'
    maxSizeInMegabytes: 5120
    requiresDuplicateDetection: false
    requiresSession: false
    defaultMessageTimeToLive: 'P10675199DT2H48M5.4775807S'
    deadLetteringOnMessageExpiration: false
    duplicateDetectionHistoryTimeWindow: 'PT10M'
    maxDeliveryCount: 10
    autoDeleteOnIdle: 'P10675199DT2H48M5.4775807S'
    enablePartitioning: false
    enableExpress: false
  }
}]

resource logAnalytics_resource 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
  scope: resourceGroup(logAnalyticsWorkspaceResourceGroupName)
  name: logAnalyticsWorkspaceName
}

resource send_data_to_logAnalyticsWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
  scope: serviceBus
  name: toLower('send-data-to-${logAnalyticsWorkspaceName}')
  properties: {
    workspaceId: logAnalytics_resource.id
    logs: [
      {
        category: 'OperationalLogs'
        enabled: true
      }
      {
        category: 'VNetAndIPFilteringLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

var serviceBusPrimaryConnectionString = serviceBusAuthorizationRules.listKeys().primaryConnectionString

output serviceBusId string = serviceBus.id
output serviceBusPrimaryConnectionString string = serviceBusPrimaryConnectionString
```
Version I use
The output
```
checkov -f ./servicebus.bicep
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./servicebus.bicep
[ bicep framework ]: 100%|████████████████████|[1/1], Current File Scanned=servicebus.bicep
```

```
checkov -f ./storageaccount.bicep
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./storageaccount.bicep
bicep scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1

Error parsing file storageaccount.bicep
```
I would be grateful for the help!