Scanning Azure Resource Manager (ARM) Templates with Bridgecrew

Bridgecrew for Azure Resource Manager (ARM) templates

When managing cloud resources at scale, declarative frameworks help consolidate scripts, improve resource visibility, and control access. Azure Resource Manager (ARM) is the built-in service for teams looking to more efficiently manage and deploy Azure resources at scale. Another benefit of utilizing declarative templates such as ARM is that they provide an opportunity to implement security controls earlier, eradicating the need to find and remediate misconfigurations down the line in production.

To help teams automate that process, Bridgecrew now supports ARM template misconfiguration scanning in addition to monitoring of deployed Azure resources.


Getting started with Bridgecrew for ARM templates

Bridgecrew is designed both to find cloud misconfigurations at run-time and to prevent them at build-time. The simplest way to integrate ARM template scanning is by connecting a code repository. Bridgecrew supports GitHub (Cloud & Enterprise) as well as Bitbucket and GitLab. Create a new account on Bridgecrew to get started. After you successfully log in, go to Integrations, select your source control provider, authorize the Bridgecrew app, and select which repositories you’d like to cover.

From that point, Bridgecrew will automatically identify any infrastructure-as-code template files and analyze them using built-in security and compliance policies.

To get end-to-end coverage for your Azure cloud managed with ARM templates, we recommend connecting Bridgecrew with both your Microsoft Azure environment and your ARM templates. Connecting Bridgecrew to an Azure subscription enables Bridgecrew to read configurations from Azure Resource Manager and identify misconfigurations.

You can also include a Bridgecrew ARM template scan as part of a build job or run it locally on a Windows workstation. For that, you’ll need an API token. It’s located in the Integrations tab under the Continuous Integration category. Simply copy the API token and you are ready to go.

Installing Bridgecrew CLI

Let’s start by walking you through using Bridgecrew CLI to scan an ARM template to identify security configuration issues within the code. In the Microsoft Azure spirit, this blog uses Bridgecrew on Windows, but it can easily be adapted to a Linux or Mac setup.

There are two approaches to using Bridgecrew on Windows: Python or Docker.

To get started with Bridgecrew for ARM template scanning on your Windows machine, you’ll need git installed, plus either Python 3.7 or 3.8, or Docker for Windows.

If you’re using Python, take the following steps:

Install Bridgecrew CLI:

pip install bridgecrew

Now install a helper script somewhere on your PATH so that the bridgecrew command can run. First list the directories on your PATH:

echo %PATH%

For my deployment I used the following directory on my PATH for the install:

cd C:\Users\<my_username>\AppData\Local\Microsoft\WindowsApps
curl -o bridgecrew.cmd https://raw.githubusercontent.com/bridgecrewio/bridgecrew/master/bin/bridgecrew.cmd

Verify that Bridgecrew CLI runs:

bridgecrew -v

This should return a version (1.0.458 at the time of writing).

If you’re using Docker, take the following steps:

Pull the Bridgecrew Docker image and verify it runs:

docker pull bridgecrew/bridgecrew
docker run -it bridgecrew/bridgecrew -v

This should return a version (1.0.458 at the time of writing).

Identifying misconfigurations in ARM templates

Now that we have Bridgecrew CLI installed, we’ll walk through using it to scan an ARM template. For the remainder of this tutorial, I’ll use Bridgecrew directly in Python. However, if you are using the Docker approach, just replace “bridgecrew” in each command with “docker run -it bridgecrew/bridgecrew” and use the same flags after it.

First, look at all the checks provided for ARM templates today. We have an initial 42 checks, but this number will grow as we continue to add additional coverage.

bridgecrew -l --framework arm

Next, get an ARM template to scan. We will use a WordPress example from the Azure quickstart templates:

git clone https://github.com/Azure/azure-quickstart-templates.git

cd azure-quickstart-templates\wordpress-mysql-replication

Run Bridgecrew, replacing <key>, <repo_id> and <branch> with your API token, an identifier for the repository and the branch name (the --branch flag takes the branch name as its value):

bridgecrew -d . --bc-api-key <key> --repo-id <repo_id> --branch <branch>

If using Docker, the same command with the local directory volume-mounted into the container (and passed to -d as the directory to scan) is:

docker run -t -v %cd%:/arm bridgecrew/bridgecrew -d /arm --bc-api-key <key> --repo-id <repo_id> --branch <branch>

Look through the results for the various security misconfigurations that were identified:

    _            _           
    __         _     __                                 
   / /_  _____(_)___/ /___ ____  _____________ _      __
  / __ \/ ___/ / __  / __ `/ _ \/ ___/ ___/ _ \ | /| / /
 / /_/ / /  / / /_/ / /_/ /  __/ /__/ /  /  __/ |/ |/ / 
/_.___/_/  /_/\__,_/\__, /\___/\___/_/   \___/|__/|__/  
                   /____/    

by bridgecrew.io | version: 1.0.455

arm scan results:

Passed checks: 0, Failed checks: 6, Skipped checks: 0

Check: CKV_AZURE_15: "Ensure web app is using the latest version of TLS encryption"
     FAILED for resource: Microsoft.Web/sites.[parameters('siteName')]
     Guide: https://docs.bridgecrew.io/docs/bc_azr_networking_6
     File: /nested/website.json:70-128

...

Bridgecrew then identifies all passing and failing resources, including the file and lines of the template that need fixing. This allows you to catch issues before deploying a template into your environment.

Suppressing checks

As with the other infrastructure-as-code frameworks we support, such as Terraform and CloudFormation, Bridgecrew allows you to suppress a failed check in an ARM template. Because JSON has no comment syntax, we use the resource’s metadata object instead of inline comments. Resource Manager ignores the metadata object, so the suppression does not affect deployment and other tools that read the JSON are not confused by it.

For this example, we are going to skip the minimum TLS version check shown above. This would be useful if our application still needed to support legacy clients.

Using a text editor, open the file indicated by Bridgecrew CLI, in this case nested/website.json. Go to the lines indicated in the check (70-128) and add a metadata suppression, including your justification, as shown below:

...
   {
      "apiVersion": "2016-08-01",
      "name": "[parameters('siteName')]",
      "type": "Microsoft.Web/sites",
      "metadata": {
        "bridgecrew": "CKV_AZURE_15:Need earlier version of TLS to support legacy clients"
      },
      "location": "[parameters('location')]",
      "tags": {
        "[concat('hidden-related:', '/subscriptions/', subscription().subscriptionId,'/resourcegroups/', resourceGroup().name, '/providers/Microsoft.Web/serverfarms/', variables('hostingPlanName'))]": "empty"
      },
      "dependsOn": [
        "[concat('Microsoft.Web/serverfarms/', variables('hostingPlanName'))]"
      ],
      "properties": {
        "name": "[parameters('siteName')]",
        "serverFarmId": "[concat('/subscriptions/', subscription().subscriptionId,'/resourcegroups/', resourceGroup().name, '/providers/Microsoft.Web/serverfarms/', variables('hostingPlanName'))]",
        "hostingEnvironment": ""
      },
      "resources": [
        {
          "apiVersion": "2016-08-01",
          "name": "connectionstrings",
          "type": "config",
          "dependsOn": [
            "[concat('Microsoft.Web/Sites/', parameters('siteName'))]"
          ],
          "properties": {
            "defaultConnection": {
              "value": "[variables('connectionString')]",
              "type": "MySql"
            }
          }
        },
        {
          "apiVersion": "2016-08-01",
          "name": "web",
          "type": "config",
          "dependsOn": [
            "[concat('Microsoft.Web/Sites/', parameters('siteName'))]"
          ],
          "properties": {
            "phpVersion": "5.6"
          }
        },
        {
          "apiVersion": "2016-08-01",
          "name": "web",
          "type": "sourcecontrols",
          "dependsOn": [
            "[resourceId('Microsoft.Web/Sites', parameters('siteName'))]",
            "[concat('Microsoft.Web/Sites/', parameters('siteName'), '/config/connectionstrings')]",
            "[concat('Microsoft.Web/Sites/', parameters('siteName'), '/config/web')]"
          ],
          "properties": {
            "RepoUrl": "[variables('repoUrl')]",
            "branch": "[variables('branch')]",
            "IsManualIntegration": true
          }
        }
      ]
    }
...

Now rerun the check against this file and you will see that the resource is suppressed.

bridgecrew -f nested\website.json
    _            _          
    __         _     __                                 
   / /_  _____(_)___/ /___ ____  _____________ _      __
  / __ \/ ___/ / __  / __ `/ _ \/ ___/ ___/ _ \ | /| / /
 / /_/ / /  / / /_/ / /_/ /  __/ /__/ /  /  __/ |/ |/ / 
/_.___/_/  /_/\__,_/\__, /\___/\___/_/   \___/|__/|__/  
                   /____/    


by bridgecrew.io | version: 1.0.455

arm scan results:

Passed checks: 0, Failed checks: 4, Skipped checks: 1

… 

Check: CKV_AZURE_15: "Ensure web app is using the latest version of TLS encryption"
     SKIPPED for resource: Microsoft.Web/sites.[parameters('siteName')]
     Guide: https://docs.bridgecrew.io/docs/bc_azr_networking_6
     Suppress comment: Need earlier version of TLS to support legacy clients
     File: /Users/jjozwiak/Documents/azure-quickstart-templates/wordpress-mysql-replication/nested/website.json:70-131

If you need to suppress multiple checks on one resource, use an array instead, as shown below (each entry is a check ID, optionally followed by a colon and a justification):

"metadata": {
 "bridgecrew": [
   "CKV_AZURE_2",
   "CKV_AZURE_3:We don't care about this check."
 ]
}
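The suppression syntax above, a single CHECK_ID:justification string or an array of them under the resource’s metadata.bridgecrew key, is easy to audit across a repository once templates start carrying it. The following script is an added example and not Bridgecrew’s own code: it walks every resource in a template, including nested "resources" arrays, lists each suppressed check with its justification, and flags suppressions that give no justification at all, which is what a reviewer usually wants to catch. The sample template is constructed for the example and modelled on the website.json fragment above; the type.name resource identifier mirrors the form seen in the CLI output, while the parent-type prefix used for nested resources is this example’s own convention.

```python
"""Audit Bridgecrew suppressions declared in ARM template metadata.

Added example, not Bridgecrew's own code. Handles both the string form
("CKV_AZURE_15:justification") and the array form, recurses into nested
"resources" arrays, and flags suppressions without a justification.
"""
import json

# Constructed sample template, modelled on the website.json fragment.
SAMPLE_TEMPLATE = '''
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "apiVersion": "2016-08-01",
      "name": "[parameters('siteName')]",
      "type": "Microsoft.Web/sites",
      "metadata": {
        "bridgecrew": "CKV_AZURE_15:Need earlier version of TLS to support legacy clients"
      },
      "resources": [
        {
          "apiVersion": "2016-08-01",
          "name": "web",
          "type": "config",
          "metadata": {
            "bridgecrew": ["CKV_AZURE_2", "CKV_AZURE_3:We don't care about this check."]
          }
        }
      ]
    },
    {
      "apiVersion": "2019-06-01",
      "name": "[variables('storageName')]",
      "type": "Microsoft.Storage/storageAccounts"
    }
  ]
}
'''


def parse_suppression(entry):
    """Split 'CKV_AZURE_15:justification' into (check_id, justification).

    A bare check ID with no colon yields an empty justification.
    """
    check_id, _sep, justification = entry.partition(":")
    return check_id.strip(), justification.strip()


def iter_resources(resources, parent_type=None):
    """Yield (resource_id, resource) for every resource, recursing into
    nested 'resources' arrays.

    The id uses the '<type>.<name>' form seen in the CLI output; prefixing
    a nested resource's short type (e.g. 'config') with its parent's type is
    this example's own convention so that ids stay unambiguous.
    """
    for res in resources:
        rtype = res.get("type", "")
        if parent_type and "/" not in rtype:
            full_type = f"{parent_type}/{rtype}"
        else:
            full_type = rtype
        yield f"{full_type}.{res.get('name', '')}", res
        yield from iter_resources(res.get("resources", []), full_type)


def collect_suppressions(template_text):
    """Return one dict per suppression found in the template."""
    template = json.loads(template_text)
    found = []
    for resource_id, res in iter_resources(template.get("resources", [])):
        raw = res.get("metadata", {}).get("bridgecrew")
        if raw is None:
            continue
        # Normalise the string form and the array form to a list of entries.
        entries = [raw] if isinstance(raw, str) else list(raw)
        for entry in entries:
            check_id, justification = parse_suppression(entry)
            found.append({
                "resource": resource_id,
                "check": check_id,
                "justification": justification,
                "justified": bool(justification),
            })
    return found


def unjustified(suppressions):
    """(resource, check) pairs suppressed without a stated reason."""
    return [(s["resource"], s["check"]) for s in suppressions if not s["justified"]]


if __name__ == "__main__":
    results = collect_suppressions(SAMPLE_TEMPLATE)
    for s in results:
        flag = "" if s["justified"] else "  <-- no justification"
        print(f"{s['resource']}: {s['check']} ({s['justification'] or '-'}){flag}")
    print(f"{len(unjustified(results))} suppression(s) lack a justification")
```

Running it on the constructed template reports three suppressions and flags CKV_AZURE_2 on the nested web config resource as unjustified. Pointing collect_suppressions at each template file in a repository gives a quick inventory of which checks have been waived and why, which is worth reviewing alongside the scan results themselves.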

Automating ARM template scanning

To ensure that your ARM templates aren’t misconfigured before deployment, it’s best practice to integrate Bridgecrew with your code review processes. With Bridgecrew’s source control and CI/CD integrations, you can get continuous scanning and automated remediation of misconfigurations. You can run Bridgecrew CLI as a GitHub Action, a CircleCI orb, or a Jenkins job.

Then, when your scans run, the results will be reported back in the Bridgecrew platform where misconfigurations are tracked, grouped by category, and prioritized with all context inline. To save time manually implementing fixes, Bridgecrew also enables teams to open pull requests containing all the necessary code.

ARM template misconfiguration in Bridgecrew

In our goal to provide more preventative cloud governance, we’re thrilled to take our platform a step beyond what traditional cloud security solutions offer when it comes to Azure security. Bridgecrew prevents ARM security issues from being deployed in the first place and automates the remediation of misconfigurations at the source to keep them from resurfacing down the road.

To get started with Bridgecrew and take your Azure security to the next level, sign up for a free account.