Start checking ARM files for AzSKARMTemplateSecurity

It is now possible to scan the ARM JSON files you have created against the best practices defined by the Core Services Engineering & Operations (CSEO) division at Microsoft. The Secure DevOps Kit for Azure (AzSK) can be used to check the ARM files before deployment, and it can also check the status of your subscription and resources. This way you can increase the security of your code and deployments.

Build Pipeline

Before any code is deployed, the ARM files need to be checked against the best practices. This check takes a long time, which is worth the wait when your solution contains ARM files. But this is not always the case, so I created two files to speed up the process when no ARM files are present.

Exclusions

Within the script you now have the option to exclude files or controls. This is done with the help of three settings, two of which are files:

  • Severity
  • AzSSkipFiles.csv
  • [Filename].AzSSkipControlsFromFile.csv

When using these files you can skip the specified checks during deployment. This can be done for regulatory requirements or other reasons, to make sure that the build finishes.

Severity

Filter by the severity of the control, e.g. Critical, High, Medium, Low.

AzSSkipFiles.csv

This file needs to be stored in the directory that holds the ARM files. The files listed in it will not be checked by the script.

The file content needs to look like this; the listed files will not be scanned if they are present in the directory.

host.json
local.settings.json
proxies.json

[Filename].AzSSkipControlsFromFile.csv

Before you can make an exclusion for the ARM checks you first need to run the build once. The build will then fail on the ARM check part.

When you select the failed job, there are three dots on the right side. Select them and choose “Download Logs”. Download the zip file and extract it.

In the extracted folder there is another zip file called ARMTemplateChecker_****.

Open the ARMCheckerResults** file and fix the problems it reports. If you decide not to fix these problems, copy the content of this file into the test.AzSSkipControlsFromFile.csv file and upload it.

The file content needs to look like this:

"ControlId","FeatureName","Status","SupportedResources","Severity","PropertyPath","LineNumber","CurrentValue","ExpectedProperty","ExpectedValue","ResourcePath","ResourceLineNumber","Description","FilePath"
"Azure_AppService_BCDR_Use_Multiple_Instances","AppService","Skipped","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","Medium","resources[0].sku.capacity","25","0","$.sku.capacity","GreaterThan 1","resources[0]","15","App Service must be deployed on a minimum of two instances to ensure availability",".\template.json"
"Azure_AppService_Config_Disable_Remote_Debugging","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","High","resources[2].properties.remoteDebuggingEnabled","95","false","$.properties.siteConfig.remoteDebuggingEnabled | $.properties.remoteDebuggingEnabled","'False'","resources[2]","71","Remote debugging must be turned off for App Service",".\template.json"
"Azure_AppService_Config_Disable_Web_Sockets","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","High","resources[2].properties.webSocketsEnabled","102","false","$.properties.siteConfig.webSocketsEnabled | $.properties.webSocketsEnabled","'False'","resources[2]","71","Web Sockets should be disabled for App Service",".\template.json"
"Azure_AppService_BCDR_Use_AlwaysOn","AppService","Skipped","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","Medium","resources[2].properties.alwaysOn","103","false","$.properties.siteConfig.alwaysOn | $.properties.alwaysOn","'True'","resources[2]","71","'Always On' should be configured for App Service",".\template.json"
"Azure_AppService_Deploy_Use_Latest_Version","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","Low","resources[2].properties.netFrameworkVersion","92","""v4.0""","$.properties.siteConfig.netFrameworkVersion | $.properties.netFrameworkVersion","Allow '^(v4.0|v4.7)$'","resources[2]","71","The latest version of .NET framework version should be used for App Service",".\template.json"
"Azure_AppService_Audit_Enable_Logging_and_Monitoring","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","Medium","resources[2].properties.requestTracingEnabled","94","true","$.properties.siteConfig.requestTracingEnabled | $.properties.requestTracingEnabled","'True'","resources[2]","71","Auditing and Monitoring must be enabled for App Service",".\template.json"
"Azure_AppService_Audit_Enable_Logging_and_Monitoring","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","Medium","resources[2].properties.httpLoggingEnabled","97","true","$.properties.siteConfig.httpLoggingEnabled | $.properties.httpLoggingEnabled","'True'","resources[2]","71","Auditing and Monitoring must be enabled for App Service",".\template.json"
"Azure_AppService_Audit_Enable_Logging_and_Monitoring","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","Medium","resources[2].properties.detailedErrorLoggingEnabled","98","true","$.properties.siteConfig.detailedErrorLoggingEnabled | $.properties.detailedErrorLoggingEnabled","'True'","resources[2]","71","Auditing and Monitoring must be enabled for App Service",".\template.json"
"Azure_AppService_DP_Dont_Allow_HTTP_Access","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","High","resources[1].properties.httpsOnly","67","true","$.properties.httpsOnly","'True'","resources[1]","39","App Service must only be accessible over HTTPS",".\template.json"
"Azure_AppService_AuthN_Use_AAD_for_Client_AuthN","AppService","Skipped","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","High","Not found","-1","","$.properties.siteConfig.siteAuthEnabled | $.properties.siteAuthEnabled","'True'","resources[2] , resources[1] , resources[0]","15","App Service must authenticate users using Azure Active Directory backed credentials",".\template.json"
"Azure_AppService_AuthN_Use_AAD_for_Client_AuthN","AppService","Skipped","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","High","Not found","-1","","$.properties.siteConfig.siteAuthSettings.clientId | $.properties.siteAuthSettings.clientId","Non-null string","resources[2] , resources[1] , resources[0]","15","App Service must authenticate users using Azure Active Directory backed credentials",".\template.json"
"Azure_AppService_AuthN_Use_Managed_Service_Identity","AppService","Skipped","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","Medium","Not found","-1","","$.identity.type","Allow 'SystemAssigned'","resources[2] , resources[1] , resources[0]","15","Use Managed Service Identity (MSI) for accessing other AAD-protected resources from the app service.",".\template.json"
"Azure_AppService_DP_Use_Secure_TLS_Version","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","High","resources[2].properties.minTlsVersion","135","""1.2""","$.properties.siteConfig.minTlsVersion | $.properties.minTlsVersion","GreaterThanOrEqual '1.2'","resources[2]","71","Use approved version of TLS for the App Service",".\template.json"
"Azure_AppService_DP_Review_CORS_Request_Credential","AppService","Passed","Microsoft.Web/sites , Microsoft.Web/serverfarms , Microsoft.Web/sites/config","Medium","Not found","-1","","$.properties.siteConfig.cors.supportCredentials | $.properties.cors.supportCredentials","'False'","resources[2] , resources[1] , resources[0]","15","Review use of credentials in CORS request for App Service",".\template.json"
The Azure DevOps pipeline task that starts the check looks like this:

- task: PowerShell@2
  displayName: Start checking ARM files for AzSKARMTemplateSecurity
  inputs:
    targetType: "inline"
    pwsh: true
    failOnStderr: false
    script: Invoke-Build -Task TestARMAZSK -ModuleName $(module.Name)
    workingDirectory: $(System.DefaultWorkingDirectory)
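As an added example that is not part of this post or of AzSK, here is what a step like TestARMAZSK could do with the three exclusion settings described above: it applies the file names from AzSSkipFiles.csv, the rows of a [Filename].AzSSkipControlsFromFile.csv and a severity filter to the rows of an ARMCheckerResults CSV, and throws when unresolved findings remain. The function name, the key used to match a skipped control (ControlId, PropertyPath and FilePath) and all CSV rows are constructed assumptions.

```powershell
# Added example, not code from the post or from AzSK. Applies the three exclusion
# settings to rows of an ARMCheckerResults CSV. The match rule for a skipped
# control (ControlId + PropertyPath + FilePath) is an assumption; all data is constructed.
function Get-RemainingArmFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Results,   # rows from ARMCheckerResults*.csv
        [object[]] $SkippedControls = @(),            # rows from [Filename].AzSSkipControlsFromFile.csv
        [string[]] $ExcludedFiles = @(),              # file names listed in AzSSkipFiles.csv
        [ValidateSet('Critical', 'High', 'Medium', 'Low')]
        [string[]] $Severity = @('Critical', 'High', 'Medium', 'Low')  # severity filter
    )
    $skipKeys = foreach ($s in $SkippedControls) { "$($s.ControlId)|$($s.PropertyPath)|$($s.FilePath)" }
    $Results | Where-Object {
        $_.Status -eq 'Failed' -and
        $Severity -contains $_.Severity -and
        $ExcludedFiles -notcontains ($_.FilePath -split '[\\/]')[-1] -and   # file name, \ or / separators
        $skipKeys -notcontains "$($_.ControlId)|$($_.PropertyPath)|$($_.FilePath)"
    }
}

# Constructed checker output: one failed finding per exclusion path, plus a passed control.
$resultsCsv = @'
"ControlId","FeatureName","Status","SupportedResources","Severity","PropertyPath","LineNumber","CurrentValue","ExpectedProperty","ExpectedValue","ResourcePath","ResourceLineNumber","Description","FilePath"
"Azure_AppService_BCDR_Use_Multiple_Instances","AppService","Failed","Microsoft.Web/sites","Medium","resources[0].sku.capacity","25","0","$.sku.capacity","GreaterThan 1","resources[0]","15","App Service must be deployed on a minimum of two instances to ensure availability",".\template.json"
"Azure_AppService_DP_Dont_Allow_HTTP_Access","AppService","Failed","Microsoft.Web/sites","High","resources[1].properties.httpsOnly","67","false","$.properties.httpsOnly","'True'","resources[1]","39","App Service must only be accessible over HTTPS",".\template.json"
"Azure_AppService_DP_Use_Secure_TLS_Version","AppService","Passed","Microsoft.Web/sites","High","resources[2].properties.minTlsVersion","135","""1.2""","$.properties.siteConfig.minTlsVersion | $.properties.minTlsVersion","GreaterThanOrEqual '1.2'","resources[2]","71","Use approved version of TLS for the App Service",".\template.json"
"Azure_AppService_Config_Disable_Remote_Debugging","AppService","Failed","Microsoft.Web/sites","High","resources[0].properties.remoteDebuggingEnabled","12","true","$.properties.remoteDebuggingEnabled","'False'","resources[0]","5","Remote debugging must be turned off for App Service",".\host.json"
'@

# template.AzSSkipControlsFromFile.csv: the instance-count row copied from the results, as the post describes.
$skipCsv = @'
"ControlId","FeatureName","Status","SupportedResources","Severity","PropertyPath","LineNumber","CurrentValue","ExpectedProperty","ExpectedValue","ResourcePath","ResourceLineNumber","Description","FilePath"
"Azure_AppService_BCDR_Use_Multiple_Instances","AppService","Skipped","Microsoft.Web/sites","Medium","resources[0].sku.capacity","25","0","$.sku.capacity","GreaterThan 1","resources[0]","15","App Service must be deployed on a minimum of two instances to ensure availability",".\template.json"
'@

$excluded  = @('host.json', 'local.settings.json', 'proxies.json')   # content of AzSSkipFiles.csv
$remaining = @(Get-RemainingArmFindings -Results ($resultsCsv | ConvertFrom-Csv) `
                                        -SkippedControls ($skipCsv | ConvertFrom-Csv) `
                                        -ExcludedFiles $excluded)
if ($remaining.Count -gt 0) {
    $remaining | Select-Object ControlId, Severity, PropertyPath, FilePath | Format-Table -AutoSize | Out-Host
    throw "ARM template check failed: $($remaining.Count) unresolved finding(s)"   # terminating error fails the task
}
```

Passing -Severity 'Critical','High' would additionally drop Medium findings, which is the effect of the Severity setting described above.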
