Checkmarx · cx-antero-silva · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
@@ -0,0 +1,14 @@
+{
+  "id": "721c26ff-776f-4d7a-b151-45447712343b",
+  "queryName": "Beta - App Service Application Insights Not Configured",
+  "severity": "MEDIUM",
+  "category": "Observability",
+  "descriptionText": "Ensures that Azure App Services and Function Apps are linked to Application Insights for performance monitoring and error tracking.",
+  "descriptionUrl": "https://learn.microsoft.com/en-us/azure/azure-functions/configure-monitoring?tabs=v2#enable-application-insights-integration",
+  "platform": "Terraform",
+  "descriptionID": "721c26ff",
+  "cloudProvider": "azure",
+  "cwe": "778",
+  "riskScore": "3.0",
+  "experimental": "true"
+}
@@ -0,0 +1,58 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+targets := {
+    "azurerm_linux_web_app",
+    "azurerm_windows_web_app",
+    "azurerm_linux_function_app",
+    "azurerm_windows_function_app"
+}
+
+application_insights_keys := [
+    "APPLICATIONINSIGHTS_CONNECTION_STRING",
+    "APPINSIGHTS_INSTRUMENTATIONKEY",
+]
+
+# RULE 1: The 'app_settings' block is missing entirely.
+CxPolicy[result] {
+    doc := input.document[i]
+    resource_type := targets[_]
+    app := doc.resource[resource_type][name]
+
+    not app.app_settings
+
+    result := {
+        "documentId": doc.id,
+        "resourceType": resource_type,
+        "resourceName": tf_lib.get_resource_name(app, name),
+        "searchKey": sprintf("%s[%s]", [resource_type, name]),
+        "searchLine": common_lib.build_search_line(["resource", resource_type, name], []),
+        "issueType": "MissingAttribute",
+        "keyExpectedValue": sprintf("'%s.%s' should have 'app_settings' with an Application Insights key configured", [resource_type, name]),
+        "keyActualValue": sprintf("'%s.%s' is missing 'app_settings'", [resource_type, name]),
+    }
+}
+
+# RULE 2: 'app_settings' exists but neither Application Insights key is configured.
+# Iterates application_insights_keys and counts how many are present; fires when none are found.
+CxPolicy[result] {
+    doc := input.document[i]
+    resource_type := targets[_]
+    app := doc.resource[resource_type][name]
+
+    app.app_settings
+    count({k | k := application_insights_keys[_]; app.app_settings[k]}) == 0
+
+    result := {
+        "documentId": doc.id,
+        "resourceType": resource_type,
+        "resourceName": tf_lib.get_resource_name(app, name),
+        "searchKey": sprintf("%s[%s].app_settings", [resource_type, name]),
+        "searchLine": common_lib.build_search_line(["resource", resource_type, name, "app_settings"], []),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": sprintf("'app_settings' should contain '%s' or '%s'", [application_insights_keys[0], application_insights_keys[1]]),
+        "keyActualValue": "'app_settings' does not contain any Application Insights configuration key",
+    }
+}
@@ -0,0 +1,11 @@
+# Case: Connection String (Recommended)
+resource "azurerm_linux_web_app" "pass_connection_string" {
+  name                = "pass-app-1"
+  resource_group_name = "rg"
+  location            = "West Europe"
+  service_plan_id     = "plan-id"
+
+  app_settings = {
+    "APPLICATIONINSIGHTS_CONNECTION_STRING" = "InstrumentationKey=0000;IngestionEndpoint=https://..."
+  }
+}
@@ -0,0 +1,11 @@
+# Case: Instrumentation Key (Legacy)
+resource "azurerm_windows_web_app" "pass_instrumentation_key" {
+  name                = "pass-app-2"
+  resource_group_name = "rg"
+  location            = "West Europe"
+  service_plan_id     = "plan-id"
+
+  app_settings = {
+    "APPINSIGHTS_INSTRUMENTATIONKEY" = "0000-0000-0000-0000"
+  }
+}
@@ -0,0 +1,6 @@
+resource "azurerm_linux_web_app" "fail_no_settings" {
+  name                = "fail-app-no-settings"
+  resource_group_name = "rg"
+  location            = "West Europe"
+  service_plan_id     = "plan-id"
+}
@@ -0,0 +1,10 @@
+resource "azurerm_windows_web_app" "fail_incomplete_settings" {
+  name                = "fail-app-incomplete"
+  resource_group_name = "rg"
+  location            = "West Europe"
+  service_plan_id     = "plan-id"
+
+  app_settings = {
+    "WEBSITE_NODE_DEFAULT_VERSION" = "14.15.0"
+  }
+}
@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "Beta - App Service Application Insights Not Configured",
+    "severity": "MEDIUM",
+    "line": 1,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Beta - App Service Application Insights Not Configured",
+    "severity": "MEDIUM",
+    "line": 7,
+    "fileName": "positive2.tf"
+  }
+]
@@ -0,0 +1,14 @@
+{
+  "id": "0117fb32-4265-444d-8030-a0a034958489",
+  "queryName": "Beta - Backup Vault Cross Region Restore Disabled",
+  "severity": "MEDIUM",
+  "category": "Backup",
+  "descriptionText": "Ensures that 'Cross Region Restore' is enabled for Azure Backup Vaults. This allows backup data to be restored in a secondary region, which is critical for disaster recovery scenarios.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_protection_backup_vault#cross_region_restore_enabled",
+  "platform": "Terraform",
+  "descriptionID": "0117fb32",
+  "cloudProvider": "azure",
+  "cwe": "668",
+  "riskScore": "3.0",
+  "experimental": "true"
+}
@@ -0,0 +1,45 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+# RULE 1: Vault redundancy is GeoRedundant but 'cross_region_restore_enabled' is not defined.
+# The attribute defaults to false when absent; it is only applicable to GeoRedundant vaults.
+CxPolicy[result] {
+    doc := input.document[i]
+    vault := doc.resource.azurerm_data_protection_backup_vault[name]
+
+    vault.redundancy == "GeoRedundant"
+    object.get(vault, "cross_region_restore_enabled", null) == null
+
+    result := {
+        "documentId": doc.id,
+        "resourceType": "azurerm_data_protection_backup_vault",
+        "resourceName": tf_lib.get_resource_name(vault, name),
+        "searchKey": sprintf("azurerm_data_protection_backup_vault[%s]", [name]),
+        "searchLine": common_lib.build_search_line(["resource", "azurerm_data_protection_backup_vault", name], []),
+        "issueType": "MissingAttribute",
+        "keyExpectedValue": sprintf("'azurerm_data_protection_backup_vault.%s' should have 'cross_region_restore_enabled' set to true when 'redundancy' is 'GeoRedundant'", [name]),
+        "keyActualValue": sprintf("'azurerm_data_protection_backup_vault.%s' is missing 'cross_region_restore_enabled' (defaults to false)", [name]),
+    }
+}
+
+# RULE 2: Vault redundancy is GeoRedundant but 'cross_region_restore_enabled' is explicitly false.
+CxPolicy[result] {
+    doc := input.document[i]
+    vault := doc.resource.azurerm_data_protection_backup_vault[name]
+
+    vault.redundancy == "GeoRedundant"
+    vault.cross_region_restore_enabled == false
+
+    result := {
+        "documentId": doc.id,
+        "resourceType": "azurerm_data_protection_backup_vault",
+        "resourceName": tf_lib.get_resource_name(vault, name),
+        "searchKey": sprintf("azurerm_data_protection_backup_vault[%s].cross_region_restore_enabled", [name]),
+        "searchLine": common_lib.build_search_line(["resource", "azurerm_data_protection_backup_vault", name, "cross_region_restore_enabled"], []),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": "'cross_region_restore_enabled' should be set to true when 'redundancy' is 'GeoRedundant'",
+        "keyActualValue": "'cross_region_restore_enabled' is explicitly set to false",
+    }
+}
@@ -0,0 +1,9 @@
+resource "azurerm_data_protection_backup_vault" "pass" {
+  name                         = "vault-ok"
+  resource_group_name          = "rg-test"
+  location                     = "West Europe"
+  datastore_type               = "VaultStore"
+  redundancy                   = "GeoRedundant"
+
+  cross_region_restore_enabled = true
+}
@@ -0,0 +1,8 @@
+# PASS: LocallyRedundant vault — cross_region_restore_enabled is not applicable
+resource "azurerm_data_protection_backup_vault" "pass_local_redundant" {
+  name                = "vault-local-redundant"
+  resource_group_name = "rg-test"
+  location            = "West Europe"
+  datastore_type      = "VaultStore"
+  redundancy          = "LocallyRedundant"
+}
@@ -0,0 +1,8 @@
+resource "azurerm_data_protection_backup_vault" "fail_missing" {
+  name                = "vault-missing-crr"
+  resource_group_name = "rg-test"
+  location            = "West Europe"
+  datastore_type      = "VaultStore"
+  redundancy          = "GeoRedundant"
+  # FAIL: Missing cross_region_restore_enabled
+}
@@ -0,0 +1,9 @@
+resource "azurerm_data_protection_backup_vault" "fail_explicit" {
+  name                         = "vault-disabled-crr"
+  resource_group_name          = "rg-test"
+  location                     = "West Europe"
+  datastore_type               = "VaultStore"
+  redundancy                   = "GeoRedundant"
+
+  cross_region_restore_enabled = false # FAIL
+}
@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "Beta - Backup Vault Cross Region Restore Disabled",
+    "severity": "MEDIUM",
+    "line": 1,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "Beta - Backup Vault Cross Region Restore Disabled",
+    "severity": "MEDIUM",
+    "line": 8,
+    "fileName": "positive2.tf"
+  }
+]
@@ -0,0 +1,14 @@
+{
+  "id": "f7bf03d5-ae0e-4b36-aab3-f8d2346a8843",
+  "queryName": "Beta - Backup Vault Managed Identity Not Configured",
+  "severity": "MEDIUM",
+  "category": "Encryption",
+  "descriptionText": "Ensures that Azure Backup Vaults have a managed identity configured. The 'identity' block is required to enable Customer-Managed Keys (CMK) for vault encryption. Without it, the vault relies solely on Microsoft-managed platform encryption, removing customer control over key lifecycle and rotation.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_protection_backup_vault#identity",
+  "platform": "Terraform",
+  "descriptionID": "f7bf03d5",
+  "cloudProvider": "azure",
+  "cwe": "312",
+  "riskScore": "3.0",
+  "experimental": "true"
+}
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+# RULE 1: The 'identity' block is absent, preventing Customer-Managed Key (CMK) encryption.
+# Without a managed identity the vault is limited to Microsoft-managed platform encryption,
+# removing customer control over key lifecycle and rotation.
+CxPolicy[result] {
+    doc := input.document[i]
+    vault := doc.resource.azurerm_data_protection_backup_vault[name]
+
+    not vault.identity
+
+    result := {
+        "documentId": doc.id,
+        "resourceType": "azurerm_data_protection_backup_vault",
+        "resourceName": tf_lib.get_resource_name(vault, name),
+        "searchKey": sprintf("azurerm_data_protection_backup_vault[%s]", [name]),
+        "searchLine": common_lib.build_search_line(["resource", "azurerm_data_protection_backup_vault", name], []),
+        "issueType": "MissingAttribute",
+        "keyExpectedValue": sprintf("'azurerm_data_protection_backup_vault.%s' should have an 'identity' block to enable Customer-Managed Key (CMK) encryption", [name]),
+        "keyActualValue": sprintf("'azurerm_data_protection_backup_vault.%s' is missing the 'identity' block; vault uses Microsoft-managed platform encryption only", [name]),
+    }
+}
@@ -0,0 +1,11 @@
+resource "azurerm_data_protection_backup_vault" "pass" {
+  name                = "vault-with-identity"
+  resource_group_name = "rg"
+  location            = "West Europe"
+  datastore_type      = "VaultStore"
+  redundancy          = "LocallyRedundant"
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
@@ -0,0 +1,8 @@
+resource "azurerm_data_protection_backup_vault" "fail" {
+  name                = "vault-no-identity"
+  resource_group_name = "rg"
+  location            = "West Europe"
+  datastore_type      = "VaultStore"
+  redundancy          = "LocallyRedundant"
+  # FAIL: Missing identity block
+}
@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "Beta - Backup Vault Managed Identity Not Configured",
+    "severity": "MEDIUM",
+    "line": 1,
+    "fileName": "positive1.tf"
+  }
+]
@@ -0,0 +1,14 @@
+{
+  "id": "a3e941c5-7708-40d1-943b-7093446ef5e6",
+  "queryName": "Beta - Azure Bastion Host Missing",
+  "severity": "MEDIUM",
+  "category": "Networking and Firewall",
+  "descriptionText": "Ensures Azure Virtual Networks are protected by a Bastion Host with a valid ip_configuration block. Azure Bastion provides secure RDP/SSH access to VMs without public internet exposure. A complete setup requires an azurerm_bastion_host with ip_configuration referencing AzureBastionSubnet and a Standard-tier public IP. Note: subnet-level VNet association is not verified.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/bastion_host",
+  "platform": "Terraform",
+  "descriptionID": "a3e941c5",
+  "cloudProvider": "azure",
+  "cwe": "284",
+  "riskScore": "3.0",
+  "experimental": "true"
+}
@@ -0,0 +1,47 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+# RULE 1: A VNet exists but no azurerm_bastion_host is declared in the same document.
+# Note: this is a document-level check; Bastion association to a specific VNet subnet
+# cannot be verified without cross-resource reference resolution.
+CxPolicy[result] {
+    doc := input.document[i]
+
+    vnet := doc.resource.azurerm_virtual_network[name]
+
+    count([b | b := doc.resource.azurerm_bastion_host[_]]) == 0
+
+    result := {
+        "documentId": doc.id,
+        "resourceType": "azurerm_virtual_network",
+        "resourceName": tf_lib.get_resource_name(vnet, name),
+        "searchKey": sprintf("azurerm_virtual_network[%s]", [name]),
+        "searchLine": common_lib.build_search_line(["resource", "azurerm_virtual_network", name], []),
+        "issueType": "MissingAttribute",
+        "keyExpectedValue": sprintf("An 'azurerm_bastion_host' resource should be defined to protect Virtual Network '%s'", [name]),
+        "keyActualValue": "No 'azurerm_bastion_host' resource was found in the configuration",
+    }
+}
+
+# RULE 2: An azurerm_bastion_host is declared but missing the required ip_configuration block.
+# ip_configuration is mandatory in the Terraform schema and must reference a dedicated
+# subnet named 'AzureBastionSubnet' and a Standard-tier public IP address.
+CxPolicy[result] {
+    doc := input.document[i]
+
+    bastion := doc.resource.azurerm_bastion_host[name]
+    not bastion.ip_configuration
+
+    result := {
+        "documentId": doc.id,
+        "resourceType": "azurerm_bastion_host",
+        "resourceName": tf_lib.get_resource_name(bastion, name),
+        "searchKey": sprintf("azurerm_bastion_host[%s]", [name]),
+        "searchLine": common_lib.build_search_line(["resource", "azurerm_bastion_host", name], []),
+        "issueType": "MissingAttribute",
+        "keyExpectedValue": sprintf("'azurerm_bastion_host.%s' should have an 'ip_configuration' block referencing an 'AzureBastionSubnet' subnet", [name]),
+        "keyActualValue": sprintf("'azurerm_bastion_host.%s' is missing the required 'ip_configuration' block", [name]),
+    }
+}