Blog Post

Microsoft Developer Community Blog
12 MIN READ

Enforcing security controls right from CI/CD pipeline with AzSK - Deep Dive

stephaneeyskens's avatar
stephaneeyskens
MVP
Feb 13, 2019
First published on MSDN on Dec 29, 2018 Authored by Stephane Eyskens Azure Security Kit  aka AzSK is a framework that is used internally by Microsoft to...
Published Feb 13, 2019
Version 1.0
Eric Yew's avatar
Eric Yew
Copper Contributor
Dec 12, 2019

Hi stephaneeyskens,

You mentioned a few times about a bug in the arm checker. What specifically is the issues/bug? Does it work with a customised armcontrols.json file yet?

 

I have been trying to change a control in armcontrols.json file but it still seems to be using the original control:

2019-12-12T00:36:29.4115259Z ARMTemplatePath D:\a\r1\a\_CloudServicesInfra\Test\Storage\deploy-Storage.json 
2019-12-12T00:36:29.4115491Z ================================================================================
2019-12-12T00:36:29.9207765Z ================================================================================
2019-12-12T00:36:29.9208578Z Starting analysis: [FileName: .\deploy-Storage.json] 
2019-12-12T00:36:29.9209091Z --------------------------------------------------------------------------------
2019-12-12T00:36:30.0026375Z Passed: [Azure_Storage_DP_Encrypt_In_Transit]
2019-12-12T00:36:30.0122719Z Verify: [Azure_Storage_BCDR_Enable_Soft_Delete]
2019-12-12T00:36:30.0187967Z --------------------------------------------------------------------------------
2019-12-12T00:36:30.1365996Z Summary  Total Passed Verify
2019-12-12T00:36:30.1366295Z -------  ----- ------ ------
2019-12-12T00:36:30.1366723Z High         1      1      0
2019-12-12T00:36:30.1366938Z Medium       1      0      1
2019-12-12T00:36:30.1367135Z ------  ------ ------ ------
2019-12-12T00:36:30.1367306Z Total        2      1      1
2019-12-12T00:36:30.1367709Z ------  ------ ------ ------
2019-12-12T00:36:30.1806063Z ================================================================================
2019-12-12T00:36:30.2786775Z Summary  Total Passed Verify
2019-12-12T00:36:30.2787495Z -------  ----- ------ ------
2019-12-12T00:36:30.2787848Z High         1      1      0
2019-12-12T00:36:30.2788175Z Medium       1      0      1
2019-12-12T00:36:30.2788436Z ------  ------ ------ ------
2019-12-12T00:36:30.2788717Z Total        2      1      1
2019-12-12T00:36:30.2789197Z ------  ------ ------ ------
2019-12-12T00:36:30.2789496Z Total scanned file(s): 1

Changes I made:

{
          "id": "AzureStorage270",
          "controlId": "Azure_Storage_BCDR_Enable_Soft_Delete",
          "isEnabled": true,
          "description": "Soft delete should be enabled to allow recovery of deleted blobs or blob snapshots",
          "rationale": "Enabling soft delete feature on Storage acts as a safety measure to recover inadvertently or maliciously deleted blobs or blob snapshots. If your data is critical, this can be a valuable BC/DR mechanism.",
          "recommendation": "Refer: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete to enable soft delete feature on Storage.",
          "severity": "Low",
          "jsonPath": [ "$.properties.deleteRetentionPolicy.enabled" ],
          "matchType": "VerifiableBooleanSingleToken",
          "data": {
            "value": "true",
            "Type": "",
            "IfNoPropertyFound": "Passed",
            "ControlDesiredState": "Passed"
          }
        }

Any suggestion or help will be greatly appreciated...