
Missing various checkov rules for Azure bicep etc.

Open munntjlx opened this issue 3 years ago • 11 comments

Describe the bug

Lots of items missing from checkov reports; additionally, they are grouped together with the 'cloudformation' quality gate. I suspect this will confuse a lot of people. I am including the relative error messages of missing things. Will help, but I am not a coder!

To Reproduce

Steps to reproduce the behavior:

  1. run checkov
  2. run sonarscanner with the following (noted in code section)
  3. lots of errors

Expected behavior

Should see 'blockers' etc. as either cfn or Azure.

Desktop (please complete the following information):

  • OS: Docker image, alpine 3.16
  • Browser: Edge
  • Version: 9.5 (build 56709)

Additional context

Error output follows below:

WARN: No active checkov rule detected for:'Ensure default network access rule for Storage Accounts is set to deny' with key cloudformation-plugin-cfn:arm-CKV_AZURE_35 detected in /arm/LoggingInfra/template.json
INFO: Checkov scanned file :/bicep/Labs/splunk test/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Labs/splunk test/main.json
INFO: Checkov scanned file :/bicep/Labs/fim_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Labs/fim_lab/main.json
INFO: Checkov scanned file :/bicep/Labs/ama-dcr_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/main.json
INFO: Checkov scanned file :/bicep/Labs/ama-dcr_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/main.json
INFO: Checkov scanned file :/bicep/Labs/ama-dcr_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/main.json
INFO: Checkov scanned file :/bicep/Labs/ama-dcr_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/main.json
INFO: Checkov scanned file :/bicep/_references/ARM Exports/ExportedTemplate-AutomationControl.206654498.1300387649.mma/template.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/_references/ARM Exports/ExportedTemplate-AutomationControl.206654498.1300387649.mma/template.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
WARN: No active checkov rule detected for:'Ensure default network access rule for Storage Accounts is set to deny' with key cloudformation-plugin-cfn:arm-CKV_AZURE_35 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
WARN: No active checkov rule detected for:'Ensure web app is using the latest version of TLS encryption' with key cloudformation-plugin-cfn:arm-CKV_AZURE_15 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
WARN: No active checkov rule detected for:'Ensure the web app has 'Client Certificates (Incoming client certificates)' set' with key cloudformation-plugin-cfn:arm-CKV_AZURE_17 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
WARN: No active checkov rule detected for:'Ensure that 'HTTP Version' is the latest if used to run the web app' with key cloudformation-plugin-cfn:arm-CKV_AZURE_18 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
WARN: No active checkov rule detected for:'Ensure the key vault is recoverable' with key cloudformation-plugin-cfn:arm-CKV_AZURE_42 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
WARN: No active checkov rule detected for:'Ensure that the expiration date is set on all secrets' with key cloudformation-plugin-cfn:arm-CKV_AZURE_41 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Deception/honeytokenSolution.json
INFO: Checkov scanned file :/bicep/Lab/splunk test/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Lab/splunk test/main.json
INFO: Checkov scanned file :/bicep/Lab/fim_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Lab/fim_lab/main.json
INFO: Checkov scanned file :/bicep/Lab/ama-dcr_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Lab/ama-dcr_lab/main.json
INFO: Checkov scanned file :/bicep/Lab/ama-dcr_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Lab/ama-dcr_lab/main.json
INFO: Checkov scanned file :/bicep/Lab/ama-dcr_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Lab/ama-dcr_lab/main.json
INFO: Checkov scanned file :/bicep/Lab/ama-dcr_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Lab/ama-dcr_lab/main.json
INFO: Checkov scanned file :/bicep/AzureSecControls-DiscoverySession/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/AzureSecControls-DiscoverySession/main.json
INFO: Checkov scanned file :/bicep/ARM Exports/ExportedTemplate-AutomationControl.206654498.1300387649.mma/template.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/ARM Exports/ExportedTemplate-AutomationControl.206654498.1300387649.mma/template.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/custom-log-pipeline/logstash/Dockerfile
WARN: No active checkov rule detected for:'Ensure that HEALTHCHECK instructions have been added to container images' with key cloudformation-plugin-cfn:dockerfile-CKV_DOCKER_2 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/custom-log-pipeline/logstash/Dockerfile
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/custom-log-pipeline/logstash/Dockerfile
WARN: No active checkov rule detected for:'Ensure that a user for the container has been created' with key cloudformation-plugin-cfn:dockerfile-CKV_DOCKER_3 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/custom-log-pipeline/logstash/Dockerfile
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/CEF-Log-Analytics-Agent/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/CEF-Log-Analytics-Agent/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Linux/demos/CVE-2021-38647-OMI/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Linux/demos/CVE-2021-38647-OMI/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Linux/demos/Sysmon-For-Linux/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Linux/demos/Sysmon-For-Linux/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Linux/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Linux/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-AD-ADFS/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-AD-ADFS/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-AD-MXS/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-AD-MXS/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-AD-WEC/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-AD-WEC/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-AD/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-AD/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-PAN-FW/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10-PAN-FW/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10/uidefinition.json
INFO: Checkov scanned file :/bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/custom-log-pipeline/uidefinition.json
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/custom-log-pipeline/uidefinition.json
INFO: Checkov scanned file :/bicep/Labs/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Labs/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Labs/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Labs/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Labs/splunk test/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Labs/splunk test/modules/vm.bicep
INFO: Checkov scanned file :/bicep/_references/ARM Exports/ExportedTemplate-AutomationControl.206654498.1300387649.mma/template.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/_references/ARM Exports/ExportedTemplate-AutomationControl.206654498.1300387649.mma/template.bicep
INFO: Checkov scanned file :/bicep/AzureSecControls-DiscoverySession/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/AzureSecControls-DiscoverySession/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Lab/splunk test/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Lab/splunk test/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Lab/fim_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Lab/fim_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/ARM Exports/ExportedTemplate-AutomationControl.206654498.1300387649.mma/template.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/ARM Exports/ExportedTemplate-AutomationControl.206654498.1300387649.mma/template.bicep
INFO: Checkov scanned file :/bicep/Lab/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Lab/ama-dcr_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Lab/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Lab/ama-dcr_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Lab/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Lab/ama-dcr_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Lab/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Lab/ama-dcr_lab/modules/vm.bicep
INFO: Checkov scanned file :/bicep/Labs/fim_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Labs/fim_lab/modules/vm.bicep

Ran sonarscanner with the following:

sonar-scanner \
  -Dsonar.projectKey=<myproject>\
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login=<redacted> \
  -Dsonar.checkov.reportFiles=template.checkov-report

Finally, ran checkov with the following:

 checkov -d . -o json > template.checkov-report

I also created a quality gate for terraform/cloudformation, as no Azure ARM template or BICEP options are present.

munntjlx, Aug 01 '22 16:08
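One way to triage a log like the one above, as an added example (not the plugin's or checkov's own code): it parses the scanner's WARN lines, splits each rule key into plugin repository, checkov framework and check id, and reports which frameworks the unmatched hits come from. The sample lines are copied from the report above; the SUPPORTED_FRAMEWORKS set is an assumption taken from the maintainer's reply below that only terraform and cloudformation are covered.

```python
import re
from collections import Counter

# Constructed sample: a handful of the scanner lines from the report above,
# including one INFO line that the parser must skip.
SAMPLE_LOG = """\
INFO: Checkov scanned file :/bicep/Labs/fim_lab/main.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:arm-CKV_AZURE_1 detected in /bicep/Labs/fim_lab/main.json
WARN: No active checkov rule detected for:'Ensure default network access rule for Storage Accounts is set to deny' with key cloudformation-plugin-cfn:arm-CKV_AZURE_35 detected in /arm/LoggingInfra/template.json
WARN: No active checkov rule detected for:'Ensure Azure Instance does not use basic authentication(Use SSH Key Instead)' with key cloudformation-plugin-cfn:bicep-CKV_AZURE_1 detected in /bicep/Labs/ama-dcr_lab/modules/vm.bicep
WARN: No active checkov rule detected for:'Ensure that HEALTHCHECK instructions have been added to container images' with key cloudformation-plugin-cfn:dockerfile-CKV_DOCKER_2 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/custom-log-pipeline/logstash/Dockerfile
WARN: No active checkov rule detected for:'Base64 High Entropy String' with key cloudformation-plugin-cfn:secrets-CKV_SECRET_6 detected in /bicep/_references/Microsoft-Sentinel2Go-master/grocery-list/Win10/uidefinition.json
"""

# Rule keys in the log have the shape <repository>:<checkov framework>-<check id>,
# e.g. cloudformation-plugin-cfn:bicep-CKV_AZURE_1. The check-id pattern also
# admits checkov's CKV2_ (graph) checks.
WARN_RE = re.compile(
    r"^WARN: No active checkov rule detected for:'(?P<name>.*)' with key "
    r"(?P<repo>[^:\s]+):(?P<framework>[a-z_]+)-(?P<check>CKV2?_[A-Z0-9]+_\d+) "
    r"detected in (?P<path>.+)$"
)

# Assumption from the maintainer's reply in this thread: the plugin only had
# rule sets for terraform and cloudformation at the time.
SUPPORTED_FRAMEWORKS = {"terraform", "cloudformation"}


def parse_missing_rules(log_text):
    """Return one dict per 'No active checkov rule' WARN line; other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        match = WARN_RE.match(line)
        if match:
            findings.append(match.groupdict())
    return findings


def summarize(findings):
    """Count findings per framework and per (framework, check id), and list the
    frameworks outside the supported set, i.e. where every checkov hit is being
    dropped by the scanner instead of raised as a SonarQube issue."""
    by_framework = Counter(f["framework"] for f in findings)
    by_check = Counter((f["framework"], f["check"]) for f in findings)
    unsupported = sorted(set(by_framework) - SUPPORTED_FRAMEWORKS)
    return {
        "by_framework": dict(by_framework),
        "by_check": dict(by_check),
        "unsupported_frameworks": unsupported,
    }


if __name__ == "__main__":
    summary = summarize(parse_missing_rules(SAMPLE_LOG))
    for framework, count in sorted(summary["by_framework"].items()):
        flag = "" if framework in SUPPORTED_FRAMEWORKS else "  (no rule set in plugin)"
        print(f"{count:4d} {framework}{flag}")
    for (framework, check), count in sorted(summary["by_check"].items()):
        print(f"     {framework}-{check}: {count}")
```

Feed it the full scanner output instead of SAMPLE_LOG to see at a glance how many findings are silently lost per framework before deciding which rule sets to request or contribute.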

Thanks for reporting an issue.

Have you defined/set your own quality profile for terraform that includes the rules that are triggered?

Rules exist for https://www.hack23.com/sonar/coding_rules?open=cloudformation-plugin-terraform%3Aterraform-CKV_AZURE_35&q=Ensure+default+network+access+rule+for+Storage+Accounts and https://www.hack23.com/sonar/coding_rules?open=cloudformation-plugin-terraform%3Aterraform-CKV_AZURE_1&q=Ensure+Azure+Instance+does+not+use+basic didn't check the rest of them.

Latest version https://github.com/Hack23/sonar-cloudformation-plugin/releases/tag/sonar-cloudformation-plugin-3.0.7 .

pethers, Aug 01 '22 16:08

I have. I can contribute an Azure specific xml file. Can I just edit the 'cloudformation' template, rename it 'bicep' and put in appropriate things?

I don't mind editing xml files...

From: James Pether Sörling, Sent: Monday, August 1, 2022 12:41, Subject: Re: [Hack23/sonar-cloudformation-plugin] Missing various checkov rules for Azure bicep etc. (Issue #579)

munntjlx, Aug 01 '22 16:08

Only support terraform and cloudformation at the moment, thought you used terraform for azure.

ARM (Azure) templates are not supported as a language by the sonar-iac-plugin, so dropped support for Azure templates in 3.x versions.

pethers, Aug 01 '22 16:08

So if I were going to do a PR with a new 'resource' type for: Azure ARM template, and Azure Bicep, could I just edit (create) a new .xml file using one of the existing ones as a template? I could do the lookups etc. and fill in necessary data for the XML files.

munntjlx, Aug 01 '22 16:08

I also suspect that the terraform rules don't like finds from 'bicep' Azure templates. Bicep is MS's new language and answer for 'terraform'. It’s a DSL language specific to Azure.

munntjlx, Aug 01 '22 16:08

Would be better if https://github.com/SonarSource/sonar-iac added support for Azure. All rules need to be tied to a language; could use xml that are added by sonar-xml-plugin, but not perfect either.

Use a test https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/test/java/com/hack23/sonar/cloudformation/reports/checkov/CheckovSonarqubeRuleGeneratorTest.java , to generate new xml files for terraform/cloudformation.

Sorry, don't use the plugin myself for anything else than cloudformation.

pethers, Aug 01 '22 16:08

Have looked at https://raw.githubusercontent.com/Hack23/sonar-cloudformation-plugin/master/src/test/resources/checkov/rules.txt , latest list of all checkov rules.

57 arm Bicep rules in total.

Make sense to support all of them even if not all resources are scanned by sonarqube, so a reference can be created to line items.

Easy to create issues but not to index a new language.

pethers, Aug 01 '22 18:08

cat rules.txt | cut -d'|' -f7 | sort | uniq -c

   2 Argo Workflows
  57 Bicep
 158 Cloudformation
   1 IaC
 900 Kubernetes
   6 OpenAPI
1557 Terraform
  57 arm
   1 bitbucket_configuration
   3 bitbucket_pipelines
   7 circleci_pipelines
  11 dockerfile
   8 github_actions
   5 github_configuration
   2 gitlab_ci
   2 gitlab_configuration
  18 secrets
   3 serverless

So many checkov formats that are not currently supported.

pethers, Aug 01 '22 18:08

Kubernetes now supported in Sonarqube 9.6, so will add checkov rules for it.

pethers, Aug 17 '22 21:08

https://www.hack23.com/sonar/profiles

pethers, Aug 17 '22 21:08

https://www.hack23.com/sonar/profiles/show?name=Sonar+way&language=kubernetes

pethers, Aug 17 '22 21:08