Skip to content

feat(misconf): Add Azure Network checks #507

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
yagreut wants to merge 6 commits into
base: main
Choose a base branch
from
Open

feat(misconf): Add Azure Network checks #507

yagreut wants to merge 6 commits into from

Conversation

@yagreut
Copy link
Contributor

@yagreut yagreut commented Nov 26, 2025

Add Azure Network checks AVD-AZU-0073 - AVD-AZU-0076

@yagreut yagreut requested a review from simar7 as a code owner November 26, 2025 11:44
@nikpivkin
Copy link
Contributor

nikpivkin commented Nov 26, 2025
edited
Loading

I created a PR to fix an issue with the AVD-AZU-0066 check

nikpivkin
nikpivkin requested changes Nov 27, 2025
View reviewed changes
checks/cloud/azure/network/network_interface_public_ip.rego Outdated

import data.lib.cloud.metadata

networkinterfaces := input.azure.network.networkinterfaces
Copy link
Contributor

@nikpivkin nikpivkin Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

input.azure.network.networkinterfaces is used only once, does it make sense to make it a variable?

checks/cloud/azure/network/network_ip_forwarding_enabled.rego Outdated

import data.lib.cloud.metadata

networkinterfaces := input.azure.network.networkinterfaces
Copy link
Contributor

@nikpivkin nikpivkin Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

checks/cloud/azure/network/network_watcher_flow_disabled.rego Outdated

import data.lib.cloud.metadata

flowlogs := input.azure.network.networkwatcherflowlogs
Copy link
Contributor

@nikpivkin nikpivkin Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

checks/cloud/azure/network/network_watcher_flow_disabled.rego Outdated

deny contains res if {
some flowlog in flowlogs
not flowlog.enabled.value
Copy link
Contributor

@nikpivkin nikpivkin Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you need to use the helper function value.is_false, as the value may be unknown.

checks/cloud/azure/network/sensitive_port_exposed_to_network.rego
import data.lib.net

# Sensitive ports that should not be exposed to broad networks
sensitive_ports := {20, 21, 23, 25, 53, 110, 135, 139, 143, 161, 389, 636, 993, 995, 1433, 1521, 3306, 5432, 6379}
Copy link
Contributor

@nikpivkin nikpivkin Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment to each port to understand which protocol or service uses them?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nikpivkin nikpivkin nikpivkin requested changes

@simar7 simar7 Awaiting requested review from simar7 simar7 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yagreut @nikpivkin