From 8e6141bb04b59fee7c1111199244528cfef21752 Mon Sep 17 00:00:00 2001
From: Eitan Shteinberg
Date: Fri, 1 Aug 2025 14:47:57 -0700
Subject: [PATCH 1/5] Docs: Update built-in rule help links

Updates the helpUri for several built-in rules to point to the correct documentation file.
---
 src/Analyzer.Core/Rules/BuiltInRules.json | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/Analyzer.Core/Rules/BuiltInRules.json b/src/Analyzer.Core/Rules/BuiltInRules.json
index 4ac1b61b..a42ced7e 100644
--- a/src/Analyzer.Core/Rules/BuiltInRules.json
+++ b/src/Analyzer.Core/Rules/BuiltInRules.json
@@ -807,7 +807,7 @@
 },
 {
 "path": "properties.retentionDays",
- "equals": 0 // 0 == unlimited retention
+ "equals": 0
 },
 {
 "path": "properties.retentionDays",
@@ -882,7 +882,7 @@
 "shortDescription": "API Management calls to API backends should not bypass certificate thumbprint or name validation",
 "fullDescription": "API Management calls to API backends should not bypass certificate thumbprint or name validation",
 "recommendation": "To improve security, API Management should validate the backend server certificate for all API calls. Enable SSL certificate thumbprint and name validation by setting the tls.validateCertificateName and tls.validateCertificateChain properties to true.",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000032-api-management-calls-to-api-backends-should-not-bypass-certificate-thumbprint-or-name-validation",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000032-api-management-calls-to-api-backends-should-not-bypass-certificate-thumbprint-or-name-validation",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/backends",
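Review bot: Dropping `// 0 == unlimited retention` is the right fix for strict JSON, since a comment breaks any RFC 8259 parser, but the only statement of why `0` is matched specially on the `equals` line now lives in git history. The rule this branch belongs to starts before the hunk, so its `fullDescription` or `recommendation` should carry that meaning instead, e.g. `A retentionDays value of 0 means logs are retained without limit`; the page linked from the rule's `helpUri` is the other natural home for it. Without that, the next maintainer has no way to tell from the file why `0` is singled out alongside the other `retentionDays` branch visible in the hunk.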
@@ -904,7 +904,7 @@
 "shortDescription": "API Management direct management endpoint should not be enabled",
 "fullDescription": "The direct management REST API in Azure API Management bypasses Azure Resource Manager (ARM) Role-Based Access Control (RBAC), authorization, and throttling mechanisms, thus increasing the vulnerability of your service.",
 "recommendation": "Set the properties.enabled field to false to ensure that direct access to the management REST API is disabled.",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000033-api-management-direct-management-endpoint-should-not-be-enabled",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000033-api-management-direct-management-endpoint-should-not-be-enabled",
 "severity": 3,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/tenant",
@@ -927,7 +927,7 @@
 "shortDescription": "API Management minimum API version should be set to 2019-12-01 or higher",
 "fullDescription": "To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.",
 "recommendation": "Set the apiVersionContstraint.minAPIversion property to 2019-12-01 or higher to prevent service secrets from being shared with read-only users.",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000034-api-management-minimum-api-version-should-be-set-to-2019-12-01-or-higher",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000034-api-management-minimum-api-version-should-be-set-to-2019-12-01-or-higher",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service",
@@ -961,7 +961,7 @@
 "shortDescription": "API Management Named Values secrets should be stored in Azure Key Vault",
 "fullDescription": "Named Values are a collection of name and value pairs in each API Management service. Secret values can be stored either as encrypted text in API Management (custom secrets) or by referencing secrets in Azure Key Vault. To improve security of API Management and secrets, reference secret Named Values from Azure Key Vault. Azure Key Vault supports granular access management and secret rotation policies.",
 "recommendation": "To utilize secrets stored in Key Vault for Azure API Management, learn more here: https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal#key-vault-secrets",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000035-api-management-named-value-secrets-should-be-stored-in-azure-key-vault",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000035-api-management-named-value-secrets-should-be-stored-in-azure-key-vault",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/namedValues",
@@ -991,7 +991,7 @@
 "shortDescription": "API Management services should use a virtual network",
 "fullDescription": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.",
 "recommendation": "To learn more about virtual networks for Azure API Management, please visit here: https://aka.ms/apim-vnet. To see an example of how to configure a VNet via Azure Policy, please visit here: https://learn.microsoft.com/samples/azure/azure-quickstart-templates/api-management-create-with-internal-vnet-application-gateway/",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000036-api-management-services-should-use-a-virtual-network",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000036-api-management-services-should-use-a-virtual-network",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service",
@@ -1025,7 +1025,7 @@
 "shortDescription": "API Management subscriptions should not be scoped at the all API scope",
 "fullDescription": "API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure.",
 "recommendation": "To ensure the API Management service is not configured at the all API scope, please set the properties.scope property to a value other than /apis. For example, /product/{productId}, or /apis/{apiId}",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000037-api-management-subscriptions-should-not-be-scoped-at-the-all-api-scope",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000037-api-management-subscriptions-should-not-be-scoped-at-the-all-api-scope",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/subscriptions",
@@ -1049,7 +1049,7 @@
 "shortDescription": "API Management calls to API backends should be authenticated",
 "fullDescription": "Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.",
 "recommendation": "To enable API backend authentication, configure authentication credentials in the query parameters, client certificate, or authorization header. To learn more about configuring Authentication in Azure API Management, please visit here: https://learn.microsoft.com/azure/api-management/authentication-authorization-overview",
- "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md/#ta-000038-api-management-calls-to-api-backends-should-be-authenticated",
+ "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000038-api-management-calls-to-api-backends-should-be-authenticated",
 "severity": 2,
 "evaluation": {
 "resourceType": "Microsoft.ApiManagement/service/backends",
@@ -1097,4 +1097,4 @@
 ]
 }
 }
-]
\ No newline at end of file
+]

From 53f89bd9f4950a025d145ed09fa6c8bac5840ea9 Mon Sep 17 00:00:00 2001
From: Eitan Shteinberg
Date: Fri, 1 Aug 2025 16:26:52 -0700
Subject: [PATCH 2/5] Docs: Update rule descriptions and recommendations

Updates the descriptions and recommendations for several built-in rules to be more accurate and up-to-date.
---
 src/Analyzer.Core/Rules/BuiltInRules.json | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/Analyzer.Core/Rules/BuiltInRules.json b/src/Analyzer.Core/Rules/BuiltInRules.json
index a42ced7e..43e39614 100644
--- a/src/Analyzer.Core/Rules/BuiltInRules.json
+++ b/src/Analyzer.Core/Rules/BuiltInRules.json
@@ -712,8 +712,8 @@
 "id": "TA-000025",
 "name": "AKS.UpgradeToNonVulnerableVersion",
 "shortDescription": "Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
- "fullDescription": "Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+. Running on older versions could mean you are not using latest security classes. Usage of such old classes and types can make your application vulnerable.",
- "recommendation": "Upgrade to a non-vulnerable Kubernetes version (1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+)",
+ "fullDescription": "Upgrade your Kubernetes service cluster to the latest stable version to protect against known vulnerabilities.",
+ "recommendation": "Upgrade to the latest stable Kubernetes version.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000025-kubernetes-services-should-be-upgraded-to-a-non-vulnerable-kubernetes-version",
 "severity": 1,
 "evaluation": {
@@ -851,9 +851,9 @@
 {
 "id": "TA-000030",
 "name": "ClassicCompute.MigrateToARM",
- "shortDescription": "Migrate your Classic Compute VM to ARM",
- "fullDescription": "Azure supports two deployment models: Classic and Azure Resource Manager (ARM). ARM provides several security enhancements to the Classic model.",
- "recommendation": "Use ARM for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",
+ "shortDescription": "Migrate Classic Compute VMs to ARM",
+ "fullDescription": "Azure Resource Manager (ARM) provides several security enhancements over the Classic deployment model.",
+ "recommendation": "Use Azure Resource Manager for your virtual machines for improved security and access to features like RBAC, better auditing, managed identities, and Key Vault integration.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000030-migrate-your-classic-compute-vm-to-arm",
 "severity": 1,
 "evaluation": {
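Review bot: The unchanged `helpUri` anchor `#ta-000030-migrate-your-classic-compute-vm-to-arm` is a slug of the old `shortDescription`, and this hunk rewrites that description to `Migrate Classic Compute VMs to ARM` without touching the link. If the headings in docs/built-in-rules.md are generated from the short descriptions, the link will land on a heading that no longer exists; either keep the doc heading as it was or update the anchor to match the new wording (e.g. `#ta-000030-migrate-classic-compute-vms-to-arm`). The same mismatch is introduced for TA-000031 in the next hunk, whose anchor still reads `...migrate-your-classic-storage-account-to-arm`. Worth checking the docs page in the same change so the two do not drift.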
@@ -865,9 +865,9 @@
 {
 "id": "TA-000031",
 "name": "ClassicStorage.MigrateToARM",
- "shortDescription": "Migrate your Classic Storage Account to ARM",
- "fullDescription": "Azure supports two deployment models: Classic and Azure Resource Manager (ARM). ARM provides several security enhancements to the Classic model.",
- "recommendation": "Use ARM for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, ARM-based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management",
+ "shortDescription": "Migrate Classic Storage Accounts to ARM",
+ "fullDescription": "Azure Resource Manager (ARM) provides several security enhancements over the Classic deployment model.",
+ "recommendation": "Use Azure Resource Manager for your storage accounts for improved security and access to features like RBAC, better auditing, managed identities, and Key Vault integration.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000031-migrate-your-classic-storage-account-to-arm",
 "severity": 1,
 "evaluation": {
@@ -924,9 +924,9 @@
 {
 "id": "TA-000034",
 "name": "APIM.DisabletServiceSecretsSharingWithReadOnlyUsers",
- "shortDescription": "API Management minimum API version should be set to 2019-12-01 or higher",
- "fullDescription": "To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher.",
- "recommendation": "Set the apiVersionContstraint.minAPIversion property to 2019-12-01 or higher to prevent service secrets from being shared with read-only users.",
+ "shortDescription": "API Management minimum API version should be recent",
+ "fullDescription": "To prevent service secrets from being shared with read-only users, the minimum API version should be set to a recent date.",
+ "recommendation": "Set the apiVersionConstraint.minApiVersion property to a recent date to prevent service secrets from being shared with read-only users.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000034-api-management-minimum-api-version-should-be-set-to-2019-12-01-or-higher",
 "severity": 2,
 "evaluation": {

From 56cd97d50b2a049f44046f920a0fb5be7e4a4f00 Mon Sep 17 00:00:00 2001
From: Eitan Shteinberg
Date: Fri, 1 Aug 2025 16:27:45 -0700
Subject: [PATCH 3/5] Fix: Correct typo in TA-000020

Corrects the spelling of 'Contributor' in the description and recommendation for rule TA-000020.
---
 src/Analyzer.Core/Rules/BuiltInRules.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Analyzer.Core/Rules/BuiltInRules.json b/src/Analyzer.Core/Rules/BuiltInRules.json
index 43e39614..725f3ca2 100644
--- a/src/Analyzer.Core/Rules/BuiltInRules.json
+++ b/src/Analyzer.Core/Rules/BuiltInRules.json
@@ -626,8 +626,8 @@
 "id": "TA-000020",
 "name": "Authorization.UseBuiltInRBAC",
 "shortDescription": "Audit usage of custom RBAC roles",
- "fullDescription": "Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.",
- "recommendation": "Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",
+ "fullDescription": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling.",
+ "recommendation": "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000020-audit-usage-of-custom-rbac-roles",
 "severity": 3,
 "evaluation": {

From 0f83cffa2935b4b9fc26dfc3f1d385537a2ec779 Mon Sep 17 00:00:00 2001
From: Eitan Shteinberg
Date: Fri, 1 Aug 2025 16:32:19 -0700
Subject: [PATCH 4/5] Feat: Update TA-000025 with specific AKS versions

Updates the recommendation and evaluation logic for rule TA-000025 to recommend specific, supported AKS versions based on the current release calendar.
---
 src/Analyzer.Core/Rules/BuiltInRules.json | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)

diff --git a/src/Analyzer.Core/Rules/BuiltInRules.json b/src/Analyzer.Core/Rules/BuiltInRules.json
index 725f3ca2..c65601cf 100644
--- a/src/Analyzer.Core/Rules/BuiltInRules.json
+++ b/src/Analyzer.Core/Rules/BuiltInRules.json
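Review bot: The corrected `recommendation` is still a verbatim copy of `fullDescription` (minus the final period), so it restates the problem rather than telling the template author what to change, and "Audit built-in roles ... instead of custom RBAC roles" reads as if built-in roles were the thing to audit. Since both strings are rewritten in this hunk anyway, the recommendation could become the action: `Assign built-in roles such as Owner, Contributor or Reader instead of defining custom RBAC roles; where a custom role is unavoidable, document the justification and subject it to review and threat modeling.` Ending both strings with a period would also make them consistent with each other.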
@@ -712,26 +712,16 @@
 "id": "TA-000025",
 "name": "AKS.UpgradeToNonVulnerableVersion",
 "shortDescription": "Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version",
- "fullDescription": "Upgrade your Kubernetes service cluster to the latest stable version to protect against known vulnerabilities.",
- "recommendation": "Upgrade to the latest stable Kubernetes version.",
+ "fullDescription": "Upgrade your Kubernetes service cluster to a supported version to protect against known vulnerabilities. Older versions of Kubernetes are not supported and do not receive security patches.",
+ "recommendation": "Upgrade to a supported Kubernetes version. According to the AKS release calendar, supported versions are 1.31, 1.32, 1.33, and newer.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000025-kubernetes-services-should-be-upgraded-to-a-non-vulnerable-kubernetes-version",
 "severity": 1,
 "evaluation": {
 "resourceType": "Microsoft.ContainerService/managedClusters",
- "allOf": [
- {
- "not": {
- "path": "properties.kubernetesVersion",
- "regex": "^1\\.((11\\.[0-8])|(12\\.[0-6])|(13\\.[0-4]))"
- }
- },
- {
- "not": {
- "path": "properties.kubernetesVersion",
- "regex": "^1\\.(([0-9]|10)\\.\\d+)"
- }
- }
- ]
+ "not": {
+ "path": "properties.kubernetesVersion",
+ "regex": "^1\\.(3[1-9]|[4-9][0-9])\\.\\d+"
+ }
 }
 },
 {

From ec9755b910aaeb74bc762a9124863e4d846d9c77 Mon Sep 17 00:00:00 2001
From: Eitan Shteinberg
Date: Fri, 1 Aug 2025 16:33:23 -0700
Subject: [PATCH 5/5] Refactor: Revert TA-000034 to specific API version

Reverts the recommendation for TA-000034 to use the specific API version '2019-12-01' and clarifies the security reasoning in the description.
---
 src/Analyzer.Core/Rules/BuiltInRules.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Analyzer.Core/Rules/BuiltInRules.json b/src/Analyzer.Core/Rules/BuiltInRules.json
index c65601cf..37c3bc9b 100644
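Review bot: The new `"regex": "^1\\.(3[1-9]|[4-9][0-9])\\.\\d+"` requires a patch component, so a template that sets `kubernetesVersion` to a minor-only value such as `1.31` (a form AKS accepts, choosing the patch itself) fails to match and the enclosing `not` reports the cluster as vulnerable. `"regex": "^1\\.(3[1-9]|[4-9][0-9])(\\.|$)"` accepts both forms while still rejecting `1.30.x` and older, assuming the analyzer's regex engine honours `$` as it already does `^` and `\\d`. The list in the recommendation rotates every few months, so the string should record when it was taken, e.g. `... supported versions as of August 2025 are 1.31, 1.32, 1.33, and newer.`, and it is worth noting that a future `2.x` release would also be flagged by this pattern. How the `not` evaluates when `properties.kubernetesVersion` is absent from the template is not visible here and should be confirmed, since the old `allOf` form and the new single `not` may differ on that case. The `evaluation` object is complete within the hunk.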
--- a/src/Analyzer.Core/Rules/BuiltInRules.json
+++ b/src/Analyzer.Core/Rules/BuiltInRules.json
@@ -914,9 +914,9 @@
 {
 "id": "TA-000034",
 "name": "APIM.DisabletServiceSecretsSharingWithReadOnlyUsers",
- "shortDescription": "API Management minimum API version should be recent",
- "fullDescription": "To prevent service secrets from being shared with read-only users, the minimum API version should be set to a recent date.",
- "recommendation": "Set the apiVersionConstraint.minApiVersion property to a recent date to prevent service secrets from being shared with read-only users.",
+ "shortDescription": "API Management minimum API version should be set to 2019-12-01 or higher",
+ "fullDescription": "To prevent service secrets from being shared with read-only users, the minimum API version should be set to 2019-12-01 or higher. This opts in to a breaking change that enhances security by not returning secrets for users with read-only permissions.",
+ "recommendation": "Set the properties.apiVersionConstraint.minApiVersion property to '2019-12-01' or a later date to prevent service secrets from being shared with read-only users.",
 "helpUri": "https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md/#ta-000034-api-management-minimum-api-version-should-be-set-to-2019-12-01-or-higher",
 "severity": 2,
 "evaluation": {
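Review bot: The rewritten `recommendation` promises that `'2019-12-01' or a later date` satisfies the rule, but the `evaluation` object that enforces it begins on the hunk's last line and continues outside it, so this review cannot confirm that the check accepts later dates rather than only the exact string; if it is an `equals` on `properties.apiVersionConstraint.minApiVersion`, a template that follows the recommendation with a newer date would still be reported. It is also worth confirming that the path quoted in the recommendation is the same path the evaluation reads, since the earlier wording used the shorter `apiVersionConstraint.minApiVersion`. The context line `"name": "APIM.DisabletServiceSecretsSharingWithReadOnlyUsers"` carries a typo, but because rule names may be referenced by external configuration, renaming it is a compatibility decision rather than a text fix and should be done separately if at all.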