Bicep framework scan fails for some files #6682

romanrabodzei · 2024-08-25T19:15:32Z

Hi all,

I'm testing Azure Bicep with Checkov, and the Bicep framework does not work correctly for some files.

Files I use for scan:
storageaccount.bicep

/*
.Synopsis
    Bicep template for Storage Account. Template https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/storageAccounts?tabs=bicep#template-format

.NOTES
    Author     : CoE Azure
    Version    : 1.0.240805
*/

/// deployment scope
targetScope = 'resourceGroup'

/// parameters
param location string
param subscription string

param storageAccountName string
param storageAccountKind string = 'StorageV2'
param storageAccountType string = 'Standard_LRS'
param storageAccountAccessTier string = 'Hot'
param storageAccountHnsEnabled bool = false

@description('Network access from outside for the storage account.')
@allowed([
  'Allow'
  'Deny'
])
param networkAccess_default string = 'Allow'
@description(' The resource ID for isolated access to storage account.')
param networkAccess_resource array = []

var resourceAccessRules = [
  for (id, item) in networkAccess_resource: {
    tenantId: az.subscription().tenantId
    resourceId: networkAccess_resource[item]
  }
]

param networkingResourceGroupName string = ''
param virtualNetworkName string = ''
param virtualNetworkSubnetName string = ''

var restorePolicy = {
  enabled: true
  days: 13
}

var changeFeed = {
  enabled: true
}

/// monitoring
param logAnalyticsWorkspaceName string = ''
param logAnalyticsWorkspaceResourceGroupName string = ''

/// tags
param tags object = {}

/// resources
resource virtualNetwork_resource 'Microsoft.Network/virtualNetworks@2021-05-01' existing = if (!empty(networkingResourceGroupName) && !empty(virtualNetworkName) && !empty(virtualNetworkSubnetName)) {
  scope: resourceGroup(networkingResourceGroupName)
  name: virtualNetworkName
  resource subnet 'subnets' existing = {
    name: virtualNetworkSubnetName
  }
}

resource storageAccount_resource 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  tags: tags
  sku: {
    name: storageAccountType
  }
  kind: storageAccountKind
  properties: {
    accessTier: storageAccountAccessTier
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    allowCrossTenantReplication: true
    encryption: {
      keySource: 'Microsoft.Storage'
      requireInfrastructureEncryption: false
      services: {
        blob: {
          enabled: true
          keyType: 'Account'
        }
        file: {
          enabled: true
          keyType: 'Account'
        }
        queue: {
          enabled: true
          keyType: 'Account'
        }
        table: {
          enabled: true
          keyType: 'Account'
        }
      }
    }
    isHnsEnabled: storageAccountHnsEnabled
    isLocalUserEnabled: false
    isNfsV3Enabled: false
    isSftpEnabled: false
    keyPolicy: {
      keyExpirationPeriodInDays: 90
    }
    largeFileSharesState: 'Disabled'
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      resourceAccessRules: networkAccess_resource == [''] || networkAccess_resource == [] ? [] : resourceAccessRules
      bypass: 'AzureServices'
      defaultAction: networkAccess_default
      virtualNetworkRules: empty(networkingResourceGroupName) && empty(virtualNetworkName) && empty(virtualNetworkSubnetName)
        ? []
        : [
            {
              id: virtualNetwork_resource::subnet.id
              action: 'Allow'
            }
          ]
    }
  }
}

resource storageAccountBlobService_resource 'Microsoft.Storage/storageAccounts/blobServices@2023-01-01' = {
  name: toLower('${storageAccountName}/default')
  properties: {
    containerDeleteRetentionPolicy: {
      enabled: true
      days: toLower(subscription) == 'prod' ? 90 : 30
    }
    deleteRetentionPolicy: {
      allowPermanentDelete: false
      enabled: true
      days: toLower(subscription) == 'prod' ? 90 : 30
    }
    restorePolicy: storageAccountHnsEnabled == false ? restorePolicy : null
    isVersioningEnabled: storageAccountHnsEnabled == false ? true : null
    changeFeed: storageAccountHnsEnabled == false ? changeFeed : null
  }
  dependsOn: [
    storageAccount_resource
  ]
}

resource storageAccountFileService_resource 'Microsoft.Storage/storageAccounts/fileServices@2023-01-01' = {
  name: toLower('${storageAccountName}/default')
  properties: {
    shareDeleteRetentionPolicy: {
      enabled: true
      days: toLower(subscription) == 'prod' ? 90 : 30
    }
  }
  dependsOn: [
    storageAccount_resource
  ]
}

resource logAnalytics_resource 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
  scope: resourceGroup(logAnalyticsWorkspaceResourceGroupName)
  name: logAnalyticsWorkspaceName
}

resource send_data_to_logAnalyticsWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceName)) {
  scope: storageAccount_resource
  name: toLower('send-data-to-${logAnalyticsWorkspaceName}')
  properties: {
    workspaceId: logAnalytics_resource.id
    metrics: [
      {
        category: 'Transaction'
        enabled: true
      }
    ]
  }
}

var storageAccountPrimaryKey = storageAccount_resource.listKeys().keys[0].value
output storageAccountPrimaryKey string = storageAccountPrimaryKey
output storageAccountConnectionString string = 'DefaultEndpointsProtocol=https;AccountName=${storageAccount_resource.name};AccountKey=${storageAccountPrimaryKey};EndpointSuffix=${environment().suffixes.storage}'
output storageAccountId string = storageAccount_resource.id

servicebus.bicep

/*
.Synopsis
    Bicep template for Service Bus. Template https://docs.microsoft.com/en-us/azure/templates/Microsoft.ServiceBus/namespaces?tabs=bicep#template-format

.NOTES
    Author     : CoE Azure
    Version    : 1.0.231205
*/

/// deployment scope
targetScope = 'resourceGroup'

/// parameters
param location string = ''

param serviceBusName string = ''
param serviceBusSkuName string = 'Standard'
param serviceBusSkuTier string = 'Standard'

@allowed([
  'fs'
  'cs'
  'be'
])
param application string

/// monitoring
param logAnalyticsWorkspaceName string = ''
param logAnalyticsWorkspaceResourceGroupName string = ''

/// tags
param tags object = {}

/// resources
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: toLower(serviceBusName)
  location: location
  tags: tags
  sku: {
    name: serviceBusSkuName
    tier: serviceBusSkuTier
  }
  properties: {
    disableLocalAuth: false
  }
}

resource serviceBusAuthorizationRules 'Microsoft.ServiceBus/namespaces/AuthorizationRules@2022-10-01-preview' existing = {
  parent: serviceBus
  name: 'RootManageSharedAccessKey'
}

var serviceBusQueues = {
  fs: [
    'sl_error_internal'
    'sl_event_internal'
    'sl_inbound'
    'sl_inbound_internal'
    'sl_outbound'
    'sl_reply_internal'
  ]
  cs: [
    'na-acs-sb-qu'
  ]
  be: [
    'customerservice-queue'
  ]
}

resource serviceBusQueue 'Microsoft.ServiceBus/namespaces/queues@2022-01-01-preview' = [for item in serviceBusQueues[application]: {
  parent: serviceBus
  name: item
  properties: {
    lockDuration: 'PT5M'
    maxSizeInMegabytes: 5120
    requiresDuplicateDetection: false
    requiresSession: false
    defaultMessageTimeToLive: 'P10675199DT2H48M5.4775807S'
    deadLetteringOnMessageExpiration: false
    duplicateDetectionHistoryTimeWindow: 'PT10M'
    maxDeliveryCount: 10
    autoDeleteOnIdle: 'P10675199DT2H48M5.4775807S'
    enablePartitioning: false
    enableExpress: false
  }
}]

resource logAnalytics_resource 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
  scope: resourceGroup(logAnalyticsWorkspaceResourceGroupName)
  name: logAnalyticsWorkspaceName
}

resource send_data_to_logAnalyticsWorkspace 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceName) && !empty(logAnalyticsWorkspaceResourceGroupName)) {
  scope: serviceBus
  name: toLower('send-data-to-${logAnalyticsWorkspaceName}')
  properties: {
    workspaceId: logAnalytics_resource.id
    logs: [
      {
        category: 'OperationalLogs'
        enabled: true
      }
      {
        category: 'VNetAndIPFilteringLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

var serviceBusPrimaryConnectionString = serviceBusAuthorizationRules.listKeys().primaryConnectionString

output serviceBusId string = serviceBus.id
output serviceBusPrimaryConnectionString string = serviceBusPrimaryConnectionString

Version I use

Checkov Version 3.2.230

The output

checkov -f ./servicebus.bicep
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./servicebus.bicep
[ bicep framework ]: 100%|████████████████████|[1/1], Current File Scanned=servicebus.bicep

checkov -f ./storageaccount.bicep
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./storageaccount.bicep

bicep scan results:
Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 1
Error parsing file storageaccount.bicepֿ

I would be grateful for the help!

The text was updated successfully, but these errors were encountered:

romanrabodzei added the checks Check additions or changes label Aug 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bicep framework scan fails for some files #6682

Bicep framework scan fails for some files #6682

romanrabodzei commented Aug 25, 2024 •

edited

Loading

Bicep framework scan fails for some files #6682

Bicep framework scan fails for some files #6682

Comments

romanrabodzei commented Aug 25, 2024 • edited Loading

romanrabodzei commented Aug 25, 2024 •

edited

Loading