diff --git a/.github/agents/sck.malicious-code-scanner.agent.md b/.github/agents/sck.malicious-code-scanner.agent.md index 2bc909e..e26445c 100644 --- a/.github/agents/sck.malicious-code-scanner.agent.md +++ b/.github/agents/sck.malicious-code-scanner.agent.md @@ -46,6 +46,7 @@ The `runTerminal` tool may ONLY be used for: - ✅ `checkov` - Infrastructure as Code security scanner - ✅ `eslint` - JavaScript/TypeScript security scanner - ✅ `trivy` - Container, IaC, and filesystem security scanner +- ✅ `TemplateAnalyzer` - Azure ARM/Bicep IaC security scanner - ✅ `mkdir -p .github/.audit` - Creating output directories - ✅ `which`/`--version` commands - Checking tool availability - ✅ `grep`, `find`, `cat`, `head`, `tail` - Reading/searching files (NOT executing them) @@ -90,6 +91,7 @@ When security skills are available in `.github/skills/`, leverage them for compr | **Checkov** | `.github/skills/checkov-security-scan/SKILL.md` | Infrastructure as Code (IaC) security & compliance | | **ESLint** | `.github/skills/eslint-security-scan/SKILL.md` | JavaScript/TypeScript security analysis | | **Trivy** | `.github/skills/trivy-security-scan/SKILL.md` | Container, IaC, filesystem CVE & secret scanning | +| **Template Analyzer** | `.github/skills/template-analyzer-security-scan/SKILL.md` | Azure ARM/Bicep IaC security & best practices | **Workflow with skills:** 1. Check if `.github/skills/` directory exists @@ -135,6 +137,7 @@ dependency-check --version 2>/dev/null && echo "✅ Dependency-Check available" checkov --version 2>/dev/null && echo "✅ Checkov available" || echo "⚠️ Checkov not installed" eslint --version 2>/dev/null && echo "✅ ESLint available" || echo "⚠️ ESLint not installed" trivy --version 2>/dev/null && echo "✅ Trivy available" || echo "⚠️ Trivy not installed" +TemplateAnalyzer --version 2>/dev/null && echo "✅ Template Analyzer available" || echo "⚠️ Template Analyzer not installed" ``` ### Step 3: Select Operating Mode @@ -175,6 +178,8 @@ Based on the skills' decision matrices, execute in this order: | Filesystem (CVE scan) | `trivy fs --scanners vuln ./` | `dependency-check` | trivy-security-scan | | Secrets in filesystem | `trivy fs --scanners secret ./` | `graudit -d secrets` | trivy-security-scan | | Terraform (.tf) | `trivy config ./` + `checkov --framework terraform` | `graudit -d secrets` | trivy-security-scan + checkov | +| Azure ARM (.json) | `TemplateAnalyzer analyze-template` + `checkov --framework arm` | `graudit -d secrets` | template-analyzer-security-scan | +| Azure Bicep (.bicep) | `TemplateAnalyzer analyze-template` | `graudit -d secrets` | template-analyzer-security-scan | | Kubernetes (manifests) | `trivy config ./` + `checkov --framework kubernetes` | `graudit -d secrets` | trivy-security-scan + checkov | | Kubernetes (cluster) | `trivy k8s cluster` | `checkov` (manifests) | trivy-security-scan | | Dockerfile | `trivy config ./Dockerfile` + `checkov --framework dockerfile` | `shellcheck` (RUN) | trivy-security-scan + checkov | @@ -440,6 +445,7 @@ For each suspicious pattern found, evaluate: | Container Images | **Trivy** | CVEs in OS packages, language dependencies, container misconfigurations | | Filesystems | **Trivy** | Known vulnerabilities in dependencies, hardcoded secrets, license issues | | Terraform | **Trivy** + **Checkov** | IaC misconfigurations, exposed secrets, insecure resource configs, public access | +| Azure ARM/Bicep | **Template Analyzer** | HTTPS/TLS issues, missing encryption, CORS misconfig, disabled auditing, RBAC issues | | Kubernetes | **Trivy** + **Checkov** | Privileged containers, secrets in manifests, security policies, CVEs | | Dockerfile | **Trivy** + **Checkov** | Hardcoded secrets, insecure base images, exposed ports, misconfigurations | | GitHub Actions | **Checkov** | Secrets in workflows, unpinned actions, shell injection risks | @@ -589,6 +595,7 @@ After completing your analysis, save all findings to `.github/.audit/scan-result | checkov-security-scan | ✅ Found / ❌ Not Found | ✅ / ❌ | | eslint-security-scan | ✅ Found / ❌ Not Found | ✅ / ❌ | | trivy-security-scan | ✅ Found / ❌ Not Found | ✅ / ❌ | +| template-analyzer-security-scan | ✅ Found / ❌ Not Found | ✅ / ❌ | ### Limitations (if Standalone Mode) [List any detection limitations due to missing tools] @@ -652,6 +659,7 @@ After completing your analysis, save all findings to `.github/.audit/scan-result | Checkov | `.github/skills/checkov-security-scan/SKILL.md` | | ESLint | `.github/skills/eslint-security-scan/SKILL.md` | | Trivy | `.github/skills/trivy-security-scan/SKILL.md` | +| Template Analyzer | `.github/skills/template-analyzer-security-scan/SKILL.md` | ### If Skills Are Missing: diff --git a/.github/prompts/sck.tools-advisor.prompt.md b/.github/prompts/sck.tools-advisor.prompt.md index 6d615d0..3430e72 100644 --- a/.github/prompts/sck.tools-advisor.prompt.md +++ b/.github/prompts/sck.tools-advisor.prompt.md @@ -192,6 +192,29 @@ Review these skills from the `.github/skills/` folder: - **NOT for**: Dependency CVEs (use npm audit/Dependency-Check), non-JavaScript code, minified/heavily obfuscated code, malicious npm packages (use GuardDog) - **Key distinction**: ESLint scans **JavaScript/TypeScript source code** for vulnerabilities; GuardDog detects **malicious npm packages**; Dependency-Check finds **known CVEs** +### 8. Template Analyzer Security Scan +- **Skill**: `template-analyzer-security-scan` +- **Skill file**: [.github/skills/template-analyzer-security-scan/SKILL.md](.github/skills/template-analyzer-security-scan/SKILL.md) +- **Purpose**: Scan Azure ARM (Azure Resource Manager) and Bicep Infrastructure-as-Code templates for security misconfigurations and best practice violations +- **Supported frameworks**: Azure ARM templates, Azure Bicep +- **File types**: `.json` (ARM templates with Azure schema), `.bicep` files +- **Detection capabilities**: + - HTTPS/TLS enforcement issues (FTPS not enforced, outdated TLS versions) + - Missing encryption (unencrypted automation variables, Redis non-SSL connections) + - Overly permissive CORS policies + - Disabled auditing and logging + - Missing managed identities and service principals + - RBAC misconfigurations and authentication bypass + - Insecure API settings and vulnerable resource configurations + - Classic (non-ARM) resource usage +- **Rule severity levels**: High (1), Medium (2), Low (3) with ~30+ built-in rules +- **Output formats**: Console, SARIF (for CI/CD integration) +- **Integration**: Includes PSRule for Azure integration for Well-Architected Framework compliance +- **MITRE ATT&CK mapped**: Yes (T1071, T1557, T1552, T1190, T1078, T1562) +- **Best for**: Azure IaC security audits, pre-deployment validation of ARM/Bicep templates, Azure compliance checks, CI/CD security gates for Azure deployments +- **NOT for**: Application source code (use Bandit/Graudit), non-Azure IaC like Terraform/CloudFormation/Kubernetes (use Checkov/Trivy), runtime Azure security (use Azure Security Center) +- **Key distinction**: Template Analyzer is **Azure-specific** for ARM/Bicep templates; Checkov and Trivy cover **multi-cloud IaC** including Azure, AWS, GCP + --- ## Quick Decision Flowchart @@ -205,6 +228,8 @@ START: What's the primary concern? │ └─► YES → Graudit (exec+secrets) FIRST, then others │ ├─► "Are there INFRASTRUCTURE AS CODE (IaC) files?" +│ ├─► Azure ARM (.json) → Template Analyzer analyze-template (Azure-specific) + Checkov --framework arm +│ ├─► Azure Bicep (.bicep) → Template Analyzer analyze-template (Azure-specific) │ ├─► Terraform (.tf) → Checkov --framework terraform + Trivy config │ ├─► Kubernetes manifests → Checkov --framework kubernetes + Trivy config │ ├─► CloudFormation (.yaml/.json) → Checkov --framework cloudformation + Trivy config @@ -270,6 +295,8 @@ Use this matrix to determine optimal skill selection: | **Unknown/untrusted** | Graudit (exec, secrets) | All applicable tools | Quick triage | | **Mobile (Android/iOS)** | Graudit (android/ios) | Graudit (secrets) | Platform-specific | | **PHP** | Graudit (php) | Dependency-Check (experimental), Graudit (secrets, sql) | CVE + pattern matching | +| **Azure ARM (.json)** | Template Analyzer (analyze-template) | Checkov (--framework arm), Graudit (secrets) | Azure-specific IaC security | +| **Azure Bicep (.bicep)** | Template Analyzer (analyze-template) | Graudit (secrets) | Azure Bicep security | | **Terraform** | Checkov (--framework terraform) | Graudit (secrets) | IaC misconfiguration detection | | **CloudFormation** | Checkov (--framework cloudformation) | Graudit (secrets) | AWS IaC security | | **Kubernetes manifests** | Checkov (--framework kubernetes) | Graudit (secrets) | K8s security policies | @@ -293,7 +320,8 @@ When multiple tools could apply, use these priority rules: 1. **Untrusted code always wins**: If origin is unknown/suspicious → Start with Graudit (exec+secrets) 2. **Containers first**: If container images exist → Trivy image scan FIRST for CVEs before deployment 3. **IaC before application code**: If IaC files exist → Checkov + Trivy config to catch infrastructure misconfigurations -4. **Dependencies before source**: If dependency files exist → GuardDog verify (malware) AND/OR Dependency-Check/Trivy (CVEs) before scanning source +4. **Azure IaC specificity**: If Azure ARM/Bicep templates → Template Analyzer FIRST (Azure-specific rules), then Checkov for cross-validation +5. **Dependencies before source**: If dependency files exist → GuardDog verify (malware) AND/OR Dependency-Check/Trivy (CVEs) before scanning source 5. **CVE detection vs Malware detection**: Use BOTH GuardDog (malware) + Dependency-Check/Trivy (CVEs) for comprehensive supply chain security 6. **AST tools over regex**: For Python use Bandit over Graudit; for Shell use ShellCheck over Graudit; for IaC use Checkov+Trivy over Graudit 7. **Graudit complements, not replaces**: Always add Graudit `secrets` as secondary scan @@ -362,13 +390,14 @@ Search the target path for: - SBOM files (`.spdx.json`, `.cdx.json`, `sbom.json`) → Scan with Trivy sbom **Infrastructure as Code (IaC) Files**: +- `.json` (with Azure schema: `$schema` containing `deploymentTemplate.json`) → Azure ARM templates +- `.bicep` → Azure Bicep templates - `.tf`, `.tf.json` → Terraform configurations - `.yaml`, `.yml`, `.json`, `.template` (in cloud dirs) → CloudFormation templates - Kubernetes manifests (deployments, services, pods, etc.) - `Dockerfile`, `Dockerfile.*` → Container definitions - `Chart.yaml`, `values.yaml` (in Helm directories) → Helm charts - `kustomization.yaml` → Kustomize -- `.bicep` → Azure Bicep templates - `serverless.yml` → Serverless Framework **CI/CD & Build Files**: @@ -386,6 +415,7 @@ Search the target path for: Determine the risk areas: - **Container risk**: Container images or Docker projects? → Trivy image/fs scan FIRST for CVEs and secrets - **Infrastructure risk**: IaC files present? → Checkov + Trivy config for cloud misconfigurations +- **Azure infrastructure risk**: ARM/Bicep templates present? → Template Analyzer (Azure-specific) + Checkov for validation - **Kubernetes risk**: K8s manifests or live cluster? → Trivy k8s + Checkov for security policies - **Supply chain risk**: Dependencies present? → GuardDog (malware) + Trivy fs/Dependency-Check (CVEs) - **Code vulnerabilities**: Custom code present? → Language-specific tools (ESLint for JS/TS, Bandit for Python, etc.) @@ -548,6 +578,18 @@ When recommending skills, include these optimized commands: - Scan SBOM: `trivy sbom ./sbom.spdx.json` - Dockerfile only: `trivy config ./Dockerfile` +### Template Analyzer +- Scan single ARM template: `TemplateAnalyzer analyze-template ./azuredeploy.json` +- Scan with parameters: `TemplateAnalyzer analyze-template ./azuredeploy.json -p ./parameters.json` +- Scan Bicep template: `TemplateAnalyzer analyze-template ./main.bicep` +- Scan directory (recursive): `TemplateAnalyzer analyze-directory ./infrastructure/` +- SARIF output for CI/CD: `TemplateAnalyzer analyze-template ./template.json --report-format Sarif -o results.sarif` +- Verbose output (all rules): `TemplateAnalyzer analyze-template ./template.json -v` +- Include non-security rules: `TemplateAnalyzer analyze-template ./template.json --include-non-security-rules` +- Custom rules file: `TemplateAnalyzer analyze-template ./template.json --custom-json-rules-path ./custom-rules.json` +- CI/CD gate (exit code 20 = violations): `TemplateAnalyzer analyze-directory ./templates/ --report-format Sarif -o scan.sarif` +- Quick pre-deployment check: `TemplateAnalyzer analyze-template ./azuredeploy.json -p ./params.json && echo "Safe to deploy" || echo "Security violations found"` + --- ## Next Steps @@ -595,6 +637,9 @@ To execute these recommended scans: | Use Trivy alone for malware detection | Trivy detects CVEs—add GuardDog for malicious packages | | Skip Trivy k8s for Kubernetes cluster audits | Trivy k8s scans live clusters—complement with Checkov for manifests | | Ignore compliance requirements | Use Trivy/Dependency-Check with severity filters + Checkov for IaC compliance | +| Skip Template Analyzer for Azure ARM/Bicep | Template Analyzer has Azure-specific rules deeper than Checkov | +| Use Template Analyzer for Terraform/CloudFormation | Template Analyzer is Azure-only—use Checkov/Trivy for other clouds | +| Use only Checkov for Azure IaC | Template Analyzer provides Azure-specific depth—use both for comprehensive coverage | --- @@ -612,6 +657,7 @@ When making recommendations, account for these limitations: | **Checkov** | Runtime misconfigurations, logic flaws in application code, dynamic/computed values, actual deployed state vs declared config, secrets in encrypted/base64 beyond patterns | Static analysis only - validate with cloud security posture tools, combine with Graudit for secrets, cannot scan application source code | | **ESLint** | Runtime vulnerabilities, sophisticated obfuscation, dependency CVEs, minified code, behavioral analysis, malicious npm packages | Static pattern-based only - add npm audit/Dependency-Check for CVEs, GuardDog for malware, manual review for obfuscated code | | **Trivy** | Python source code logic vulnerabilities, malicious package behavior, sophisticated obfuscation, runtime-only issues, zero-day CVEs not in databases | Static CVE/misconfig scanner only - use Bandit for Python code, GuardDog for malware, cannot detect application logic flaws | +| **Template Analyzer** | Non-Azure IaC (Terraform/K8s/CloudFormation), runtime Azure security, logic flaws in application code, dynamic/computed parameter values, secrets detection beyond patterns | Azure ARM/Bicep only - use Checkov/Trivy for multi-cloud, Azure Security Center for runtime, Graudit for secrets, integrates with PSRule for extended rules | ### Combined Blind Spots All tools are static analysis only - they cannot detect: diff --git a/.github/skills/template-analyzer-security-scan/README.md b/.github/skills/template-analyzer-security-scan/README.md new file mode 100644 index 0000000..3e0bace --- /dev/null +++ b/.github/skills/template-analyzer-security-scan/README.md @@ -0,0 +1,99 @@ +# Template Analyzer Security Scan Skill + +An Agent Skill for scanning Azure ARM and Bicep Infrastructure-as-Code templates for security misconfigurations using Microsoft's Template Analyzer. + +## What This Skill Does + +- Scans ARM templates (`.json`) for security violations +- Scans Bicep templates (`.bicep`) for security misconfigurations +- Detects missing encryption, insecure protocols, overly permissive access +- Validates against Azure security best practices +- Integrates with PSRule for Azure for comprehensive rule coverage +- Outputs results in console or SARIF format for CI/CD integration + +## Requirements + +- **Template Analyzer** binary (download from [GitHub releases](https://github.com/Azure/template-analyzer/releases)) +- Linux, macOS, or Windows +- .NET runtime (bundled with Template Analyzer) + +### Quick Install (Linux/macOS) + +```bash +curl -L -o TemplateAnalyzer.zip \ + https://github.com/Azure/template-analyzer/releases/latest/download/TemplateAnalyzer-linux-x64.zip +unzip TemplateAnalyzer.zip -d ~/template-analyzer +chmod +x ~/template-analyzer/TemplateAnalyzer +export PATH="$HOME/template-analyzer:$PATH" +``` + +## Example Prompts for Copilot + +- "Scan this ARM template for security issues" +- "Check my Bicep files for misconfigurations" +- "Validate Azure infrastructure templates before deployment" +- "Find security violations in my Azure templates directory" +- "Check if my web app template enforces HTTPS" +- "Audit my Azure Resource Manager templates" + +## Example CLI Commands + +```bash +# Scan single ARM template +TemplateAnalyzer analyze-template ./azuredeploy.json + +# Scan with parameters for accurate evaluation +TemplateAnalyzer analyze-template ./main.bicep -p ./parameters.json + +# Scan entire directory recursively +TemplateAnalyzer analyze-directory ./infrastructure/ + +# Generate SARIF report for CI/CD +TemplateAnalyzer analyze-template ./template.json --report-format Sarif -o results.sarif + +# Include non-security rules (reliability, cost, performance) +TemplateAnalyzer analyze-directory ./templates/ --include-non-security-rules +``` + +## File Structure + +``` +template-analyzer-security-scan/ +├── SKILL.md # Full skill documentation +├── README.md # This file +└── examples/ + └── misconfigurations.md # Example vulnerable templates +``` + +## Key Detection Categories + +| Category | Examples | +|----------|----------| +| **Transport Security** | Missing HTTPS enforcement, outdated TLS versions | +| **Authentication** | Missing managed identities, AAD not required | +| **Encryption** | Unencrypted storage, missing TDE on databases | +| **Access Control** | Overly permissive CORS, missing RBAC, no IP restrictions | +| **Auditing** | Disabled diagnostic logs, insufficient retention | +| **Network Security** | No VNet integration, exposed management endpoints | + +## Exit Codes + +| Code | Meaning | +|------|---------| +| 0 | Success - no violations | +| 20 | **Security violations found** | +| 21 | Analysis errors | +| 22 | Both violations and errors | + +## Related Tools + +- **Checkov**: Multi-cloud IaC scanning (Terraform, CloudFormation, ARM) +- **Trivy**: Container and IaC scanning with broader coverage +- **Azure Policy**: Runtime compliance enforcement +- **Microsoft Defender for Cloud**: Runtime security posture + +## Resources + +- [Template Analyzer GitHub](https://github.com/Azure/template-analyzer) +- [Built-in Rules Documentation](https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md) +- [PSRule for Azure](https://aka.ms/ps-rule-azure) diff --git a/.github/skills/template-analyzer-security-scan/SKILL.md b/.github/skills/template-analyzer-security-scan/SKILL.md new file mode 100644 index 0000000..3998b9e --- /dev/null +++ b/.github/skills/template-analyzer-security-scan/SKILL.md @@ -0,0 +1,501 @@ +--- +name: template-analyzer-security-scan +description: Scan ARM (Azure Resource Manager) and Bicep Infrastructure-as-Code templates for security misconfigurations and best practice violations. (1) Primary targets *.json ARM templates, *.bicep files, Azure deployment templates. (2) Detects HTTPS/TLS enforcement issues, missing encryption, overly permissive CORS, disabled auditing, missing managed identities, RBAC misconfigurations, insecure API settings. (3) Use for Azure IaC security audits, pre-deployment validation, compliance checks. Do NOT use for application source code (use bandit, graudit) or non-Azure IaC (use checkov, trivy). +--- + +# Template Analyzer Security Scanning Skill + +This skill enables scanning Azure ARM and Bicep Infrastructure-as-Code (IaC) templates for security misconfigurations using **Template Analyzer** - Microsoft's official tool for validating Azure deployment templates against security and best practice rules. + +> **Key Distinction**: Template Analyzer is Azure-specific and focuses on ARM/Bicep templates. For multi-cloud IaC (Terraform, CloudFormation, Kubernetes), use `checkov` or `trivy` instead. + +## Quick Reference + +| Task | Command | +|------|---------| +| Scan single template | `TemplateAnalyzer analyze-template ./azuredeploy.json` | +| Scan with parameters | `TemplateAnalyzer analyze-template ./azuredeploy.json -p ./parameters.json` | +| Scan directory (recursive) | `TemplateAnalyzer analyze-directory ./templates/` | +| SARIF output for CI/CD | `TemplateAnalyzer analyze-template ./template.json --report-format Sarif -o results.sarif` | +| Include non-security rules | `TemplateAnalyzer analyze-template ./template.json --include-non-security-rules` | +| Verbose output | `TemplateAnalyzer analyze-template ./template.json -v` | + +## When to Use This Skill + +**PRIMARY USE CASES:** +- Audit ARM templates (`.json` with Azure schema) for security issues +- Audit Bicep templates (`.bicep`) for security misconfigurations +- Pre-deployment security validation of Azure infrastructure +- CI/CD pipeline security gates for Azure deployments +- Compliance checks against Azure security baselines +- Detect missing encryption, insecure protocols, overly permissive access + +**DO NOT USE FOR:** +- General application source code → use `bandit`, `graudit` +- Terraform/CloudFormation/Kubernetes → use `checkov`, `trivy` +- Azure runtime security issues → use Azure Security Center +- Dependency vulnerabilities → use `guarddog`, `dependency-check` + +## Decision Tree: Choosing the Right Scanner + +``` +What are you scanning? +│ +├── Azure ARM/Bicep templates? +│ └── Use Template Analyzer (this skill) +│ +├── Terraform, CloudFormation, Helm, Kubernetes YAML? +│ └── Use checkov or trivy +│ +├── Dockerfiles? +│ └── Use trivy or checkov +│ +├── Application source code? +│ ├── Python → bandit +│ ├── JavaScript/TypeScript → eslint-security +│ └── Multi-language → graudit +│ +└── Package dependencies? + └── Use guarddog, dependency-check +``` + +## Prerequisites + +Template Analyzer must be installed. Download from [GitHub releases](https://github.com/Azure/template-analyzer/releases): + +### Linux Installation + +```bash +# Download latest release (x64) +curl -L -o TemplateAnalyzer.zip \ + https://github.com/Azure/template-analyzer/releases/latest/download/TemplateAnalyzer-linux-x64.zip + +# Extract +unzip TemplateAnalyzer.zip -d ~/template-analyzer + +# Make executable +chmod +x ~/template-analyzer/TemplateAnalyzer + +# Add to PATH (add to ~/.bashrc for persistence) +export PATH="$HOME/template-analyzer:$PATH" + +# Verify installation +TemplateAnalyzer --help +``` + +### macOS Installation + +```bash +# Download for macOS (arm64 for Apple Silicon, x64 for Intel) +curl -L -o TemplateAnalyzer.zip \ + https://github.com/Azure/template-analyzer/releases/latest/download/TemplateAnalyzer-osx-arm64.zip + +# Extract and setup +unzip TemplateAnalyzer.zip -d ~/template-analyzer +chmod +x ~/template-analyzer/TemplateAnalyzer +export PATH="$HOME/template-analyzer:$PATH" +``` + +### Windows Installation + +```powershell +# Download Windows release +Invoke-WebRequest -Uri "https://github.com/Azure/template-analyzer/releases/latest/download/TemplateAnalyzer-win-x64.zip" -OutFile "TemplateAnalyzer.zip" + +# Extract +Expand-Archive -Path TemplateAnalyzer.zip -DestinationPath "$env:USERPROFILE\template-analyzer" + +# Add to PATH +$env:PATH += ";$env:USERPROFILE\template-analyzer" +``` + +### Docker Usage + +```bash +# Pull the official image (if available) or run in container +docker run --rm -v "$(pwd):/templates" mcr.microsoft.com/templateanalyzer \ + analyze-directory /templates +``` + +## Core Scanning Commands + +### Scan Single ARM Template + +```bash +# Basic scan +TemplateAnalyzer analyze-template ./azuredeploy.json + +# With parameter file for accurate evaluation +TemplateAnalyzer analyze-template ./azuredeploy.json -p ./azuredeploy.parameters.json + +# Verbose output showing all rule evaluations +TemplateAnalyzer analyze-template ./azuredeploy.json -v +``` + +### Scan Bicep Template + +```bash +# Bicep templates are automatically detected by .bicep extension +TemplateAnalyzer analyze-template ./main.bicep + +# With parameter file +TemplateAnalyzer analyze-template ./main.bicep -p ./parameters.json +``` + +### Scan Directory + +```bash +# Recursively scan all ARM and Bicep templates +TemplateAnalyzer analyze-directory ./infrastructure/ + +# Include parameter files automatically (follows naming conventions) +TemplateAnalyzer analyze-directory ./azure-templates/ +``` + +### Generate SARIF Report + +```bash +# Output in SARIF format for CI/CD tools +TemplateAnalyzer analyze-template ./azuredeploy.json \ + --report-format Sarif \ + -o template-analyzer-results.sarif + +# Scan directory with SARIF output +TemplateAnalyzer analyze-directory ./templates/ \ + --report-format Sarif \ + -o scan-results.sarif +``` + +### Use Custom Rules + +```bash +# Apply custom JSON rules file +TemplateAnalyzer analyze-template ./azuredeploy.json \ + --custom-json-rules-path ./custom-rules.json + +# Use custom configuration file +TemplateAnalyzer analyze-template ./azuredeploy.json \ + -c ./template-analyzer-config.json +``` + +## Built-in Security Rules + +Template Analyzer includes JSON-based rules and integrates with PSRule for Azure for comprehensive coverage. + +### Rule Severity Levels +- **1 = High**: Critical security issues requiring immediate attention +- **2 = Medium**: Significant security concerns to address +- **3 = Low**: Best practice recommendations + +### High Severity Rules (Critical) + +| Rule ID | Description | MITRE ATT&CK | +|---------|-------------|--------------| +| TA-000003 | FTPS not enforced in API app | T1071 (Application Layer Protocol) | +| TA-000005 | Latest TLS version not used in API app | T1557 (MITM) | +| TA-000009 | FTPS not enforced in function app | T1071 | +| TA-000011 | Latest TLS version not used in function app | T1557 | +| TA-000015 | FTPS not enforced in web app | T1071 | +| TA-000017 | Latest TLS version not used in web app | T1557 | +| TA-000021 | Automation account variables not encrypted | T1552 (Unsecured Credentials) | +| TA-000022 | Redis Cache allows non-SSL connections | T1557 | +| TA-000023 | Kubernetes - No authorized IP ranges | T1190 (Exploit Public-Facing App) | +| TA-000024 | Kubernetes - RBAC not enabled | T1078 (Valid Accounts) | +| TA-000025 | Kubernetes uses vulnerable version | T1203 (Exploitation) | +| TA-000026 | Service Fabric - AAD not required | T1078 | +| TA-000029 | API Management APIs not using HTTPS only | T1557 | +| TA-000030 | Classic Compute VM (not ARM) | T1078 | +| TA-000031 | Classic Storage Account (not ARM) | T1078 | + +### Medium Severity Rules + +| Rule ID | Description | MITRE ATT&CK | +|---------|-------------|--------------| +| TA-000001 | Diagnostic logs not enabled in App Service | T1562 (Impair Defenses) | +| TA-000004 | API app not requiring HTTPS | T1557 | +| TA-000007 | Managed identity not used in API app | T1552 | +| TA-000010 | Function app not requiring HTTPS | T1557 | +| TA-000013 | Managed identity not used in function app | T1552 | +| TA-000016 | Web app not requiring HTTPS | T1557 | +| TA-000019 | Managed identity not used in web app | T1552 | +| TA-000032 | API Management bypasses cert validation | T1557 | +| TA-000034 | API Management min API version too low | T1552 | +| TA-000035 | API Management secrets not in Key Vault | T1552 | +| TA-000036 | API Management not using VNet | T1190 | +| TA-000037 | API Management subscription scoped to all APIs | T1078 | + +### Low Severity Rules (Best Practices) + +| Rule ID | Description | +|---------|-------------| +| TA-000002 | Remote debugging enabled in API app | +| TA-000006 | CORS allows all origins in API app | +| TA-000008 | Remote debugging enabled in function app | +| TA-000012 | CORS allows all origins in function app | +| TA-000014 | Remote debugging enabled in web app | +| TA-000018 | CORS allows all origins in web app | +| TA-000020 | Custom RBAC roles used instead of built-in | +| TA-000027 | TDE not enabled on SQL databases | +| TA-000028 | SQL auditing retention less than 90 days | +| TA-000033 | API Management direct management endpoint enabled | + +### PSRule for Azure Integration + +Template Analyzer integrates with [PSRule for Azure](https://aka.ms/ps-rule-azure) for additional security rules under the Security pillar. Use `--include-non-security-rules` to also check Well-Architected Framework pillars (Reliability, Cost, Operational Excellence, Performance). + +## Workflow for Security Audit + +### Quick Pre-Deployment Check + +```bash +# Validate template before deployment +TemplateAnalyzer analyze-template ./azuredeploy.json -p ./params.json + +# Check exit code (20 = violations found) +if [ $? -eq 20 ]; then + echo "Security violations found - do not deploy!" + exit 1 +fi +``` + +### Comprehensive Audit + +```bash +# Step 1: Scan all templates in directory +TemplateAnalyzer analyze-directory ./infrastructure/ -v + +# Step 2: Generate SARIF report for documentation +TemplateAnalyzer analyze-directory ./infrastructure/ \ + --report-format Sarif -o scan-report.sarif + +# Step 3: Include non-security rules for full compliance +TemplateAnalyzer analyze-directory ./infrastructure/ \ + --include-non-security-rules +``` + +### CI/CD Pipeline Integration + +```bash +# Run in CI - fail pipeline on violations +TemplateAnalyzer analyze-directory ./templates/ \ + --report-format Sarif -o results.sarif + +# Exit codes: +# 0 = Success, no violations +# 20 = Violations found +# 21 = Errors during analysis +# 22 = Both violations and errors +``` + +## CI/CD Integration + +### GitHub Actions + +```yaml +name: Azure Template Security Scan +on: [push, pull_request] + +jobs: + template-analyzer: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Download Template Analyzer + run: | + curl -L -o TemplateAnalyzer.zip \ + https://github.com/Azure/template-analyzer/releases/latest/download/TemplateAnalyzer-linux-x64.zip + unzip TemplateAnalyzer.zip -d $HOME/template-analyzer + chmod +x $HOME/template-analyzer/TemplateAnalyzer + echo "$HOME/template-analyzer" >> $GITHUB_PATH + + - name: Scan ARM/Bicep Templates + run: | + TemplateAnalyzer analyze-directory ./infrastructure/ \ + --report-format Sarif -o results.sarif + continue-on-error: true + + - name: Upload SARIF Results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif +``` + +### Azure DevOps Pipeline + +```yaml +trigger: + - main + +pool: + vmImage: 'ubuntu-latest' + +steps: + - task: Bash@3 + displayName: 'Install Template Analyzer' + inputs: + targetType: 'inline' + script: | + curl -L -o TemplateAnalyzer.zip \ + https://github.com/Azure/template-analyzer/releases/latest/download/TemplateAnalyzer-linux-x64.zip + unzip TemplateAnalyzer.zip -d $(Agent.ToolsDirectory)/template-analyzer + chmod +x $(Agent.ToolsDirectory)/template-analyzer/TemplateAnalyzer + echo "##vso[task.prependpath]$(Agent.ToolsDirectory)/template-analyzer" + + - task: Bash@3 + displayName: 'Scan Templates' + inputs: + targetType: 'inline' + script: | + TemplateAnalyzer analyze-directory ./infrastructure/ \ + --report-format Sarif -o $(Build.ArtifactStagingDirectory)/template-analyzer.sarif + + - task: PublishBuildArtifacts@1 + inputs: + pathtoPublish: '$(Build.ArtifactStagingDirectory)/template-analyzer.sarif' + artifactName: 'SecurityScanResults' +``` + +## Interpreting Results + +### Console Output Example + +``` +>TemplateAnalyzer analyze-template "azuredeploy.json" + +File: azuredeploy.json + + TA-000004: API app should only be accessible over HTTPS + Severity: Medium + Recommendation: Use HTTPS to ensure server/service authentication + and protect data in transit from network layer eavesdropping attacks + More information: https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md#ta-000004 + Result: Failed + Line: 67 + + TA-000017: Latest TLS version should be used in your web app + Severity: High + Recommendation: Set minTlsVersion to 1.2 + Result: Failed + Line: 89 + + Rules passed: 16 + +Execution summary: + The execution completed successfully +``` + +### Exit Codes + +| Exit Code | Meaning | +|-----------|---------| +| 0 | Success - no violations | +| 1 | Invalid command | +| 2 | Invalid file/directory path | +| 3 | Missing file/directory path | +| 4 | Configuration file error | +| 10 | Invalid ARM template | +| 11 | Invalid Bicep template | +| 20 | **Violations found** | +| 21 | Analysis error | +| 22 | Both violations and errors | + +### Remediation Priority + +1. **Exit code 20 (Violations)**: Review and fix security issues before deployment +2. **High severity (1)**: Address immediately - encryption, TLS, authentication +3. **Medium severity (2)**: Address before production - HTTPS, managed identity +4. **Low severity (3)**: Best practices - disable debugging, restrict CORS + +## Configuration File + +Create `configuration.json` to customize rule behavior: + +```json +{ + "rules": { + "TA-000002": { + "enabled": false + }, + "TA-000006": { + "severity": 2 + } + } +} +``` + +Apply with `-c` flag: + +```bash +TemplateAnalyzer analyze-template ./template.json -c ./configuration.json +``` + +## Custom Rules + +Create custom JSON rules for organization-specific checks. See [authoring-json-rules.md](https://github.com/Azure/template-analyzer/blob/main/docs/authoring-json-rules.md). + +Example custom rule: + +```json +{ + "name": "CUSTOM-001", + "description": "Storage accounts must use customer-managed keys", + "recommendation": "Enable customer-managed key encryption", + "severity": 1, + "resourceType": "Microsoft.Storage/storageAccounts", + "jsonPath": "$.properties.encryption.keySource", + "expectedValue": "Microsoft.Keyvault" +} +``` + +## Combining with Other Tools + +For comprehensive Azure security, combine Template Analyzer with: + +| Tool | Use For | +|------|---------| +| **Template Analyzer** | ARM/Bicep template security before deployment | +| **Checkov** | Multi-cloud IaC (Terraform, CloudFormation) + comprehensive checks | +| **Trivy** | Container images, SBOM, broader IaC coverage | +| **Azure Policy** | Runtime compliance enforcement | +| **Microsoft Defender for Cloud** | Runtime security posture management | + +### Recommended Azure IaC Audit Workflow + +```bash +# 1. Scan ARM/Bicep with Template Analyzer (Azure-specific deep rules) +TemplateAnalyzer analyze-directory ./azure-templates/ + +# 2. Cross-check with Checkov (broader coverage, CIS benchmarks) +checkov -d ./azure-templates/ --framework arm + +# 3. Scan for secrets (shouldn't be in templates) +graudit -d secrets ./azure-templates/ +``` + +## Limitations + +- **Azure-only**: Only scans ARM and Bicep templates, not Terraform/CloudFormation/Kubernetes +- **Static analysis**: Cannot detect runtime issues or actual deployment state +- **Parameter-dependent**: Some rules evaluate differently based on parameter values provided +- **No secrets detection**: Does not check for hardcoded secrets (use graudit -d secrets) +- **Bicep compilation**: Requires .NET runtime for Bicep template compilation +- **Rule coverage**: Not all Azure services have dedicated rules yet + +## Troubleshooting + +| Issue | Solution | +|-------|----------| +| `Invalid ARM template` | Verify JSON schema contains valid `$schema` property | +| `Invalid Bicep template` | Ensure Bicep CLI is available for compilation | +| Slow directory scans | Reduce scope or exclude test/example directories | +| False positives | Use configuration file to disable specific rules | +| Missing rule violations | Provide parameter file for accurate evaluation | + +## Additional Resources + +- [Misconfiguration Examples](./examples/misconfigurations.md) - Common ARM/Bicep misconfigurations +- [Template Analyzer GitHub](https://github.com/Azure/template-analyzer) - Official repository +- [Built-in Rules Reference](https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md) - Full rule documentation +- [PSRule for Azure](https://aka.ms/ps-rule-azure) - Additional integrated rules +- [MITRE ATT&CK Framework](https://attack.mitre.org/) - Threat classification reference diff --git a/.github/skills/template-analyzer-security-scan/examples/misconfigurations.md b/.github/skills/template-analyzer-security-scan/examples/misconfigurations.md new file mode 100644 index 0000000..d88e7ad --- /dev/null +++ b/.github/skills/template-analyzer-security-scan/examples/misconfigurations.md @@ -0,0 +1,697 @@ +# Azure Template Misconfiguration Examples + +This document provides examples of common security misconfigurations in ARM and Bicep templates that Template Analyzer detects. + +> **Purpose**: Educational reference for understanding what Template Analyzer scans for and how to remediate findings. + +## Transport Security Issues + +### TA-000004/010/016: HTTPS Not Enforced + +**Vulnerable ARM Template:** +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-03-01", + "name": "myWebApp", + "location": "[resourceGroup().location]", + "properties": { + "httpsOnly": false + } + } + ] +} +``` + +**Secure ARM Template:** +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-03-01", + "name": "myWebApp", + "location": "[resourceGroup().location]", + "properties": { + "httpsOnly": true + } + } + ] +} +``` + +**Vulnerable Bicep:** +```bicep +resource webApp 'Microsoft.Web/sites@2022-03-01' = { + name: 'myWebApp' + location: resourceGroup().location + properties: { + httpsOnly: false // INSECURE + } +} +``` + +**Secure Bicep:** +```bicep +resource webApp 'Microsoft.Web/sites@2022-03-01' = { + name: 'myWebApp' + location: resourceGroup().location + properties: { + httpsOnly: true // SECURE + } +} +``` + +--- + +### TA-000005/011/017: Outdated TLS Version + +**Vulnerable:** +```json +{ + "type": "Microsoft.Web/sites/config", + "apiVersion": "2022-03-01", + "name": "myWebApp/web", + "properties": { + "minTlsVersion": "1.0" + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.Web/sites/config", + "apiVersion": "2022-03-01", + "name": "myWebApp/web", + "properties": { + "minTlsVersion": "1.2" + } +} +``` + +**Secure Bicep:** +```bicep +resource webConfig 'Microsoft.Web/sites/config@2022-03-01' = { + name: 'myWebApp/web' + properties: { + minTlsVersion: '1.2' // Always use TLS 1.2 or higher + } +} +``` + +--- + +### TA-000003/009/015: FTPS Not Enforced + +**Vulnerable:** +```json +{ + "type": "Microsoft.Web/sites/config", + "name": "myApp/web", + "properties": { + "ftpsState": "AllAllowed" + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.Web/sites/config", + "name": "myApp/web", + "properties": { + "ftpsState": "FtpsOnly" + } +} +``` + +Or disable FTP entirely: +```json +{ + "properties": { + "ftpsState": "Disabled" + } +} +``` + +--- + +## Authentication & Identity Issues + +### TA-000007/013/019: No Managed Identity + +**Vulnerable - No identity configured:** +```json +{ + "type": "Microsoft.Web/sites", + "name": "myFunctionApp", + "properties": { + "siteConfig": {} + } +} +``` + +**Secure - System-assigned managed identity:** +```json +{ + "type": "Microsoft.Web/sites", + "name": "myFunctionApp", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "siteConfig": {} + } +} +``` + +**Secure Bicep:** +```bicep +resource functionApp 'Microsoft.Web/sites@2022-03-01' = { + name: 'myFunctionApp' + location: resourceGroup().location + identity: { + type: 'SystemAssigned' // Or 'UserAssigned' or 'SystemAssigned, UserAssigned' + } + properties: {} +} +``` + +--- + +### TA-000026: Service Fabric Without AAD + +**Vulnerable:** +```json +{ + "type": "Microsoft.ServiceFabric/clusters", + "name": "myCluster", + "properties": { + "azureActiveDirectory": {} + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.ServiceFabric/clusters", + "name": "myCluster", + "properties": { + "azureActiveDirectory": { + "tenantId": "[parameters('aadTenantId')]", + "clusterApplication": "[parameters('aadClusterApplicationId')]", + "clientApplication": "[parameters('aadClientApplicationId')]" + } + } +} +``` + +--- + +## Encryption Issues + +### TA-000021: Automation Account Variables Not Encrypted + +**Vulnerable:** +```json +{ + "type": "Microsoft.Automation/automationAccounts/variables", + "name": "myAutomationAccount/dbPassword", + "properties": { + "value": "sensitive-password-here", + "isEncrypted": false + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.Automation/automationAccounts/variables", + "name": "myAutomationAccount/dbPassword", + "properties": { + "value": "[parameters('dbPassword')]", + "isEncrypted": true + } +} +``` + +--- + +### TA-000022: Redis Cache Allows Non-SSL + +**Vulnerable:** +```json +{ + "type": "Microsoft.Cache/Redis", + "name": "myRedisCache", + "properties": { + "enableNonSslPort": true + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.Cache/Redis", + "name": "myRedisCache", + "properties": { + "enableNonSslPort": false, + "minimumTlsVersion": "1.2" + } +} +``` + +--- + +### TA-000027: SQL Database Without TDE + +**Vulnerable - No Transparent Data Encryption:** +```json +{ + "type": "Microsoft.Sql/servers/databases", + "name": "myServer/myDatabase", + "properties": {} +} +``` + +**Secure - TDE Enabled:** +```json +{ + "type": "Microsoft.Sql/servers/databases/transparentDataEncryption", + "name": "myServer/myDatabase/current", + "properties": { + "state": "Enabled" + } +} +``` + +--- + +## Access Control Issues + +### TA-000006/012/018: CORS Allows All Origins + +**Vulnerable:** +```json +{ + "type": "Microsoft.Web/sites/config", + "name": "myApp/web", + "properties": { + "cors": { + "allowedOrigins": ["*"] + } + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.Web/sites/config", + "name": "myApp/web", + "properties": { + "cors": { + "allowedOrigins": [ + "https://myapp.contoso.com", + "https://admin.contoso.com" + ] + } + } +} +``` + +--- + +### TA-000023: Kubernetes Without Authorized IP Ranges + +**Vulnerable:** +```json +{ + "type": "Microsoft.ContainerService/managedClusters", + "name": "myAKSCluster", + "properties": { + "apiServerAccessProfile": {} + } +} +``` + +**Secure - Authorized IP Ranges:** +```json +{ + "type": "Microsoft.ContainerService/managedClusters", + "name": "myAKSCluster", + "properties": { + "apiServerAccessProfile": { + "authorizedIPRanges": [ + "203.0.113.0/24", + "198.51.100.0/24" + ] + } + } +} +``` + +**Secure - Private Cluster:** +```json +{ + "type": "Microsoft.ContainerService/managedClusters", + "name": "myAKSCluster", + "properties": { + "apiServerAccessProfile": { + "enablePrivateCluster": true + } + } +} +``` + +--- + +### TA-000024: Kubernetes Without RBAC + +**Vulnerable:** +```json +{ + "type": "Microsoft.ContainerService/managedClusters", + "name": "myAKSCluster", + "properties": { + "enableRBAC": false + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.ContainerService/managedClusters", + "name": "myAKSCluster", + "properties": { + "enableRBAC": true, + "aadProfile": { + "managed": true, + "enableAzureRBAC": true + } + } +} +``` + +--- + +## API Management Issues + +### TA-000029: APIs Not Using HTTPS Only + +**Vulnerable:** +```json +{ + "type": "Microsoft.ApiManagement/service/apis", + "name": "myAPIM/myAPI", + "properties": { + "protocols": ["http", "https"] + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.ApiManagement/service/apis", + "name": "myAPIM/myAPI", + "properties": { + "protocols": ["https"] + } +} +``` + +--- + +### TA-000035: Secrets Not in Key Vault + +**Vulnerable - Inline secrets:** +```json +{ + "type": "Microsoft.ApiManagement/service/namedValues", + "name": "myAPIM/dbConnectionString", + "properties": { + "displayName": "DbConnectionString", + "value": "Server=tcp:myserver.database.windows.net;...", + "secret": true + } +} +``` + +**Secure - Key Vault reference:** +```json +{ + "type": "Microsoft.ApiManagement/service/namedValues", + "name": "myAPIM/dbConnectionString", + "properties": { + "displayName": "DbConnectionString", + "keyVault": { + "secretIdentifier": "https://mykeyvault.vault.azure.net/secrets/DbConnectionString" + }, + "secret": true + } +} +``` + +--- + +## Debugging & Auditing Issues + +### TA-000002/008/014: Remote Debugging Enabled + +**Vulnerable:** +```json +{ + "type": "Microsoft.Web/sites/config", + "name": "myApp/web", + "properties": { + "remoteDebuggingEnabled": true + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.Web/sites/config", + "name": "myApp/web", + "properties": { + "remoteDebuggingEnabled": false + } +} +``` + +--- + +### TA-000001: Diagnostic Logging Disabled + +**Vulnerable:** +```json +{ + "type": "Microsoft.Web/sites/config", + "name": "myApp/web", + "properties": { + "detailedErrorLoggingEnabled": false, + "httpLoggingEnabled": false, + "requestTracingEnabled": false + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.Web/sites/config", + "name": "myApp/web", + "properties": { + "detailedErrorLoggingEnabled": true, + "httpLoggingEnabled": true, + "requestTracingEnabled": true + } +} +``` + +--- + +### TA-000028: SQL Auditing Retention Too Short + +**Vulnerable:** +```json +{ + "type": "Microsoft.Sql/servers/auditingSettings", + "name": "myServer/default", + "properties": { + "state": "Enabled", + "retentionDays": 30 + } +} +``` + +**Secure:** +```json +{ + "type": "Microsoft.Sql/servers/auditingSettings", + "name": "myServer/default", + "properties": { + "state": "Enabled", + "retentionDays": 90 + } +} +``` + +--- + +## Legacy Resource Issues + +### TA-000030/031: Classic (non-ARM) Resources + +**Vulnerable - Classic Compute:** +```json +{ + "type": "Microsoft.ClassicCompute/virtualMachines", + "name": "myClassicVM" +} +``` + +**Secure - ARM Resource:** +```json +{ + "type": "Microsoft.Compute/virtualMachines", + "name": "myVM", + "properties": { + "securityProfile": { + "securityType": "TrustedLaunch" + } + } +} +``` + +**Vulnerable - Classic Storage:** +```json +{ + "type": "Microsoft.ClassicStorage/storageAccounts", + "name": "myclassicstorage" +} +``` + +**Secure - ARM Storage:** +```json +{ + "type": "Microsoft.Storage/storageAccounts", + "name": "mysecurestorage", + "properties": { + "minimumTlsVersion": "TLS1_2", + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "blob": { "enabled": true }, + "file": { "enabled": true } + } + } + } +} +``` + +--- + +## Comprehensive Secure Template Example + +Below is a fully secure web app template addressing multiple checks: + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "webAppName": { + "type": "string" + }, + "allowedOrigins": { + "type": "array", + "defaultValue": ["https://app.contoso.com"] + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2022-03-01", + "name": "[parameters('webAppName')]", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "httpsOnly": true, + "siteConfig": { + "minTlsVersion": "1.2", + "ftpsState": "Disabled", + "remoteDebuggingEnabled": false, + "detailedErrorLoggingEnabled": true, + "httpLoggingEnabled": true, + "requestTracingEnabled": true, + "cors": { + "allowedOrigins": "[parameters('allowedOrigins')]" + } + } + } + } + ] +} +``` + +**Equivalent Secure Bicep:** + +```bicep +param webAppName string +param allowedOrigins array = ['https://app.contoso.com'] + +resource webApp 'Microsoft.Web/sites@2022-03-01' = { + name: webAppName + location: resourceGroup().location + identity: { + type: 'SystemAssigned' + } + properties: { + httpsOnly: true + siteConfig: { + minTlsVersion: '1.2' + ftpsState: 'Disabled' + remoteDebuggingEnabled: false + detailedErrorLoggingEnabled: true + httpLoggingEnabled: true + requestTracingEnabled: true + cors: { + allowedOrigins: allowedOrigins + } + } + } +} +``` + +--- + +## Quick Remediation Reference + +| Issue | Property to Fix | Secure Value | +|-------|----------------|--------------| +| HTTPS not enforced | `httpsOnly` | `true` | +| Old TLS version | `minTlsVersion` | `"1.2"` | +| FTP allowed | `ftpsState` | `"FtpsOnly"` or `"Disabled"` | +| No managed identity | `identity.type` | `"SystemAssigned"` | +| CORS allows all | `cors.allowedOrigins` | Specific domains (not `*`) | +| Remote debugging on | `remoteDebuggingEnabled` | `false` | +| Logging disabled | `*LoggingEnabled` | `true` | +| Redis non-SSL | `enableNonSslPort` | `false` | +| TDE disabled | `transparentDataEncryption.state` | `"Enabled"` | +| No RBAC on AKS | `enableRBAC` | `true` | diff --git a/README.md b/README.md index ca62280..42fe477 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ Skills teach Copilot how to use specific security tools: | **guarddog-security-scan** | Supply chain & malware detection | Dependencies (`requirements.txt`, `package.json`), typosquatting, malicious packages | | **shellcheck-security-scan** | Shell script static analysis | Bash/sh scripts, command injection, unquoted variables | | **graudit-security-scan** | Multi-language pattern matching | Quick scans on unknown codebases, secrets detection, 15+ languages | +| **template-analyzer-security-scan** | Azure ARM/Bicep IaC security analysis | Azure ARM templates, Bicep files, HTTPS/TLS enforcement, missing encryption, RBAC misconfigurations, Azure-specific security rules | | **trivy-security-scan** | Container, IaC, CVE & secret scanning | Container images, filesystem dependencies, Kubernetes clusters, IaC misconfigurations, hardcoded secrets, SBOM generation | --- @@ -62,7 +63,7 @@ Skills teach Copilot how to use specific security tools: | **`/sechek.security-scan`** | Full workspace scan with the security scanner agent | | **`/sechek.security-scan-quick`** | Fast scan for malicious patterns, exfiltration, reverse shells | | **`/sechek.security-scan-python`** | Python-focused scan using Bandit and GuardDog | -| **`/sechek.security-scan-iac`** | Infrastructure as Code scan using Checkov for cloud misconfigurations | +| **`/sechek.security-scan-iac`** | Infrastructure as Code scan using Checkov and Template Analyzer for Azure ARM/Bicep | | **`/sechek.security-scan-shell`** | Shell script scan using ShellCheck and Graudit | | **`/sechek.security-scan-supply-chain`** | Scan dependencies for supply chain attacks | | **`/sechek.security-scan-precommit`** | Pre-commit check for secrets and vulnerabilities | @@ -130,10 +131,12 @@ Runs comprehensive analysis using available tools and pattern detection. ├── skills/ │ ├── bandit-security-scan/ # Python security │ ├── checkov-security-scan/ # IaC security +│ ├── dependency-check-security-scan/ # SCA for CVEs │ ├── eslint-security-scan/ # JavaScript/TypeScript │ ├── guarddog-security-scan/ # Supply chain │ ├── shellcheck-security-scan/ # Shell scripts │ ├── graudit-security-scan/ # Multi-language +│ ├── template-analyzer-security-scan/ # Azure ARM/Bicep IaC │ └── trivy-security-scan/ # Container & cloud-native ├── prompts/ # Custom prompts └── .context/ # Attack patterns reference