Hello All
/ __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | | __/ (__| < (_) \ V /
\___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 2.4.39
Update available 2.4.39 -> 2.4.48
Run pip3 install -U checkov to update
terraform scan results:
Passed checks: 1, Failed checks: 1, Skipped checks: 0
Check: CKV_AZURE_122: "Ensure that Application Gateway uses WAF in "Detection" or "Prevention" modes"
PASSED for resource: azurerm_web_application_firewall_policy.main
File: \main.tf:1-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-secur...
Check: CKV_AZURE_135: "Ensure Application Gateway WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
FAILED for resource: azurerm_web_application_firewall_policy.main
File: \main.tf:1-65
Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-secur...
Code lines for this resource are too many. Please use IDE of your choice to review the file.
The Log4j check (CKV_AZURE_135) fails for `azurerm_web_application_firewall_policy.main` even though the WAF-mode check (CKV_AZURE_122) passes on the same resource. The resource being scanned is:
# Azure Application Gateway WAF policy. Every setting is driven by an input
# variable; nothing is hard-coded in this resource.
#
# NOTE(review): that is why the static Log4j check fails. Checkov's
# CKV_AZURE_135 (CVE-2021-44228) passes only when it can see a managed rule
# set of type "OWASP" at version "3.1" or "3.2" whose
# REQUEST-944-APPLICATION-ATTACK-JAVA group does not disable rule 944240.
# Because `type`, `version` and the overrides all arrive through variables,
# the scanner cannot resolve them at scan time unless the variable defaults
# (in variables.tf, not shown here) already hold those literal values — so it
# reports FAILED no matter what is passed at plan/apply. Either pin the
# managed rule set to OWASP 3.2 (or 3.1) and keep 944240 enabled, or give the
# variables those defaults, and re-run the scan to confirm.
resource "azurerm_web_application_firewall_policy" "main" {
  name                = var.name
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.tags

  # Policy-wide switches. `enabled = false` turns the WAF off entirely, and
  # `mode` chooses Detection vs Prevention (the value CKV_AZURE_122 inspects).
  policy_settings {
    enabled                     = var.waf_enabled
    mode                        = var.firewall_mode
    file_upload_limit_in_mb     = var.file_upload_limit_mb
    max_request_body_size_in_kb = var.max_request_body_size_kb
  }

  # Custom rules, one per entry in var.custom_policies. Note that the nested
  # match_conditions / match_variables iterate over module-level variables,
  # not over per-rule data, so every custom rule gets the same conditions.
  dynamic "custom_rules" {
    for_each = var.custom_policies
    iterator = rule
    content {
      name      = rule.value.name
      priority  = rule.value.priority
      rule_type = rule.value.rule_type
      action    = rule.value.action

      dynamic "match_conditions" {
        for_each = var.match_conditions
        iterator = cond
        content {
          operator           = cond.value.operator
          negation_condition = cond.value.negation_condition
          match_values       = cond.value.match_values

          dynamic "match_variables" {
            for_each = var.match_variables
            iterator = mv
            content {
              variable_name = mv.value.match_variable
              selector      = mv.value.selector
            }
          }
        }
      }
    }
  }

  # Managed (Microsoft-maintained) rule set plus any per-group rule disables
  # and request-part exclusions.
  managed_rules {
    managed_rule_set {
      type    = var.rule_set_type    # e.g. "OWASP"
      version = var.rule_set_version # e.g. "3.2"

      # Disabling rules in a group weakens coverage; keep this list minimal and
      # in particular do not disable 944240 (Java/JNDI payload detection).
      dynamic "rule_group_override" {
        for_each = var.managed_policies_override
        iterator = override
        content {
          rule_group_name = override.value.rule_group_name
          disabled_rules  = override.value.disabled_rules
        }
      }
    }

    # Exclusions remove matching request parts (headers, cookies, args) from
    # inspection for the whole rule set, so scope selectors as narrowly as
    # possible.
    dynamic "exclusion" {
      for_each = var.managed_policies_exclusions
      iterator = excl
      content {
        match_variable          = excl.value.match_variable
        selector                = excl.value.selector
        selector_match_operator = excl.value.selector_match_operator
      }
    }
  }
}