SAST & IaC Scan Workflow #46
Annotations
2 errors and 8 warnings
Orca Scan
Orca IaC scan failed with exit code 3
|
[HIGH] default network access rule for Storage Accounts is not set to deny:
main.tf#L171
Details:
Access to Storage Account can be granted to traffic from specific Azure Virtual
networks, allowing a secure network boundary for specific applications to be
built. Access can also be granted to public internet IP address ranges, to enable
connections from specific internet or on-premises clients. When network rules are
configured, only applications from allowed networks can access a storage account.
When calling from an allowed network, applications continue to require proper
authorization (a valid access key or SAS token) to access the storage account.
Recommendation:
azurerm_storage_account.public_network_access_enabled should be set to 'false'
|
[INFO] Name Is Not Snake Case:
.github/terraform/main.tf#L48
Details:
All names should follow snake case pattern.
Recommendation:
All names should follow the snake case pattern
|
[INFO] Azure Key vault diagnostic settings are not configured properly:
main.tf#L33
Details:
Ensure that logging for Azure KeyVault is 'Enabled'
Recommendation:
'azurerm_key_vault' should be associated with
'azurerm_monitor_diagnostic_setting'
|
[INFO] Key Vault secret without expiration time:
main.tf#L76
Details:
Make sure that for all secrets the expiration date is set
Recommendation:
'expiration_date' should exist
|
[INFO] Key Vault secret without expiration time:
main.tf#L87
Details:
Make sure that for all secrets the expiration date is set
Recommendation:
'expiration_date' should exist
|
[LOW] Microsoft Services not excluded from Firewall:
main.tf#L152
Details:
Some Azure services interact with storage accounts from networks that cannot be
granted access through network rules. It was detected that the setting 'Allow
Azure services on the trusted services list to access this storage account' is
not enabled. Enabling this setting allows trusted Azure services to bypass the
network rules and use strong authentication to access the storage account.
Allowing it to bypass the firewall can help avoid networking compatibility
issues. For more information, see **[Grant access to trusted Azure
services](https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#exceptions)**.
Recommendation:
'network_rules' should be defined and not null
|
[MEDIUM] Key Vault Secrets Content Type Undefined:
main.tf#L87
Details:
Key Vault Secrets should have a Content Type set
Recommendation:
'azurerm_key_vault_secret[observe_password].content_type' should be defined and
not null
|
[MEDIUM] Key Vault Secrets Content Type Undefined:
main.tf#L76
Details:
Key Vault Secrets should have a Content Type set
Recommendation:
'azurerm_key_vault_secret[observe_token].content_type' should be defined and not
null
|
[MEDIUM] Missing timeout in requests module can cause DoS:
ithub/scripts/query_observe.py#L96
Details:
The application uses the `requests` module without a configured timeout, which
may lead to excessive resource consumption and potential Denial of Service (DoS)
due to exhaustion of socket descriptors. To mitigate this risk, be sure to include
a `timeout=` argument in each `requests` call. For more details on the `requests`
module, refer to the official documentation:
https://requests.readthedocs.io/en/latest/api/.
Recommendation:
Always configure a timeout for requests to prevent uncontrolled resource
consumption. For example, use `requests.get('https://example.com', timeout=10)`
to set a 10-second timeout for HTTP GET requests.
|