From 7faa2ba731f9ed606b52f2c55501af16a25fd8c3 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Tue, 20 Jan 2026 16:08:51 +0000 Subject: [PATCH 1/9] fixed %s on website azure active directory disabled --- .../query.rego | 56 ++++++++----------- .../test/positive7.bicep | 12 ++++ .../test/positive7.json | 27 +++++++++ .../test/positive_expected_result.json | 12 ++++ 4 files changed, 73 insertions(+), 34 deletions(-) create mode 100644 assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep create mode 100644 assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego index e2be8902dee..6517e2b149e 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego @@ -8,7 +8,7 @@ CxPolicy[result] { value.type == "Microsoft.Web/sites" - not common_lib.valid_key(value, "identity") + get_res(value, path) result := { "documentId": input.document[i].id, 
@@ -21,43 +21,31 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(path, ["name"]), } } - -CxPolicy[result] { - doc := input.document[i] - [path, value] = walk(doc) - - value.type == "Microsoft.Web/sites" +get_res(value, path) = res { + not common_lib.valid_key(value, "identity") + res := { + "sk": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]), + "it": "MissingAttribute", + "kev": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", + "kav": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", + "sl": common_lib.build_search_line(path, ["name"]) + } +} else = res { not common_lib.valid_key(value.identity, "type") - - result := { - "documentId": input.document[i].id, - "resourceType": value.type, - "resourceName": value.name, - "searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]), - "issueType": "MissingAttribute", - "keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "searchLine": common_lib.build_search_line(path, ["identity"]), + res := { + "sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]), + "it": "MissingAttribute", + "kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" } -} - -CxPolicy[result] { - doc := input.document[i] - [path, value] = walk(doc) - - value.type == "Microsoft.Web/sites" +} else = res { 
common_lib.valid_key(value.identity, "type") not is_valid_identity(value.identity) - - result := { - "documentId": input.document[i].id, - "resourceType": value.type, - "resourceName": value.name, - "searchKey": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]), - "issueType": "IncorrectValue", - "keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the identity type set to %s", - "keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to %s", - "searchLine": common_lib.build_search_line(path, ["identity"]), + res := { + "sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]), + "it": "IncorrectValue", + "kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to '%s'" } } diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep new file mode 100644 index 00000000000..42fb8b522e0 --- /dev/null +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.bicep @@ -0,0 +1,12 @@ +resource webSitePositive7 'Microsoft.Web/sites@2020-12-01' = { + name: 'webSitePositive7' + location: 'location1' + tags: {} + identity: { + type: 'UserAssigned' + } + properties: { + enabled: true + httpsOnly: true + } +} diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json new file mode 100644 index 00000000000..8433fd94106 --- /dev/null +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive7.json 
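Review bot: get_res returns its fields under abbreviated keys (`sk`, `it`, `kev`, `kav`, `sl`) with no comment saying what they stand for, so a reader has to match them against the CxPolicy result object by hand. A one-line header above the rule would be enough, for example `# get_res returns the finding fields for the first matching case: sk=searchKey, it=issueType, kev=keyExpectedValue, kav=keyActualValue, sl=searchLine`. The same helper shape is introduced in api_gateway_with_invalid_compression (PATCH 5/9) and serverless_api_without_content_encoding (PATCH 7/9), which would benefit from the same comment.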
@@ -0,0 +1,27 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.39.26.7824", + "templateHash": "623030832249271008" + } + }, + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "name": "webSitePositive7", + "location": "location1", + "tags": {}, + "identity": { + "type": "UserAssigned" + }, + "properties": { + "enabled": true, + "httpsOnly": true + } + } + ] +} \ No newline at end of file diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json index 294c2c55972..a9ace49214f 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json @@ -35,6 +35,12 @@ "line": 17, "fileName": "positive6.json" }, + { + "queryName": "Website Azure Active Directory Disabled", + "severity": "LOW", + "line": 15, + "fileName": "positive7.json" + }, { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", @@ -70,5 +76,11 @@ "severity": "LOW", "line": 5, "fileName": "positive6.bicep" + }, + { + "queryName": "Website Azure Active Directory Disabled", + "severity": "LOW", + "line": 2, + "fileName": "positive7.bicep" } ] From e1f91ec82d48406ff9552a800f869000d8f91ea8 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 21 Jan 2026 11:35:05 +0000 Subject: [PATCH 2/9] removing %s --- .../website_azure_active_directory_disabled/query.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego index 6517e2b149e..42fd1c6dbb7 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego @@ -45,7 +45,7 @@ get_res(value, path) = res { "sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]), "it": "IncorrectValue", "kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to '%s'" + "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" } } From fcf384f6b0e59b23ecf223893423197494fa1918 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 21 Jan 2026 11:42:58 +0000 Subject: [PATCH 3/9] added sprintf to handle %s --- .../aws/api_gateway_with_invalid_compression/query.rego | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego index 1552a1b43ac..0bd371a0f04 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego 
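Review bot: The replacement `kav` text is not true for every resource that reaches this branch. test/positive7 declares `type: 'UserAssigned'` and is still expected to be reported, yet the message says the type is not set to 'SystemAssigned' or 'UserAssigned'. The branch is gated by `not is_valid_identity(value.identity)`, which is defined outside this hunk, so the exact condition is inferred; it presumably also requires 'userAssignedIdentities'. Reporting the observed value keeps the finding accurate, e.g. `"kav": sprintf("resource with type 'Microsoft.Web/sites' has the identity type set to '%s'", [value.identity.type])`, with `kev` naming 'userAssignedIdentities' for the 'UserAssigned' case.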
@@ -18,8 +18,8 @@ CxPolicy[result] {
 "resourceName": cf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
- "keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+ "keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0", [name]),
 "searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
 }
 }
@@ -39,8 +39,8 @@ CxPolicy[result] {
 "resourceName": cf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760",
- "keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759",
+ "keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]),
+ "keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759", [name]),
 "searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]),
 }
 }
From 71fc7973aceb29e66053aa409de5cfed9daaf7da Mon Sep 17 00:00:00 2001
From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com>
Date: Wed, 21 Jan 2026 11:50:17 +0000
Subject: [PATCH 4/9] added sprintf to handle %s on alb_listening_on_http alicloud query
---
 .../terraform/alicloud/alb_listening_on_http/query.rego | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
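Review bot: Nothing in the visible test fixtures would have caught the unformatted `%s` that this hunk and the next one fix. The positive_expected_result.json shown elsewhere in this series pins only queryName, severity, line and fileName, so the `keyExpectedValue`/`keyActualValue` text is never asserted. If the fixtures for this query have the same shape (they are not shown here), the placeholder can reappear unnoticed, as it did in alb_listening_on_http (PATCH 4/9) and api_gateway_access_logging_disabled (PATCH 6/9). A repository-level check that fails on a literal `%s` in a `keyExpectedValue` or `keyActualValue` not wrapped in `sprintf` would cover all of them.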
diff --git a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego
index e68cad6f295..76ae001ba1d 100644
--- a/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego
+++ b/assets/queries/terraform/alicloud/alb_listening_on_http/query.rego
@@ -13,8 +13,8 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("alicloud_alb_listener[%s].listener_protocol", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'",
- "keyActualValue": "'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'",
+ "keyExpectedValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' should not be 'HTTP'", [name]),
+ "keyActualValue": sprintf("'alicloud_alb_listener[%s].listener_protocol' is 'HTTP'", [name]),
 "searchLine": common_lib.build_search_line(["resource", "alicloud_alb_listener", name, "listener_protocol"], []),
 "remediation": json.marshal({
 "before": "HTTP",
From d5576cd66c820249249143f8e97d2b88c6cc4f30 Mon Sep 17 00:00:00 2001
From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com>
Date: Wed, 21 Jan 2026 12:04:09 +0000
Subject: [PATCH 5/9] simplified api_gateway_with_invalid_compression query
---
 .../query.rego | 73 ++++++++-----------
 1 file changed, 30 insertions(+), 43 deletions(-)
diff --git a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
index 0bd371a0f04..a1f49a92fbc 100644
--- a/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
+++ b/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression/query.rego
@@ -10,58 +10,45 @@ CxPolicy[result] { resource.Type == "AWS::ApiGateway::RestApi" properties := resource.Properties - properties.MinimumCompressionSize < 0 + res := get_res(properties, name, path) result := { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0", [name]), - "searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]), + "searchKey": res.sk, + "issueType": res.it, + "keyExpectedValue": res.kev, + "keyActualValue": res.kav, + "searchLine": res.sl, } } -CxPolicy[result] { - docs := input.document[i] - [path, Resources] := walk(docs) - resource := Resources[name] - resource.Type == "AWS::ApiGateway::RestApi" - properties := resource.Properties - +get_res(properties, name, path) = res { + properties.MinimumCompressionSize < 0 + res := { + "sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]), + "it": "IncorrectValue", + "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]), + "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to smaller than 0", [name]), + "sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]), + } +} else = res { properties.MinimumCompressionSize > 10485759 - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]), - "issueType": 
"IncorrectValue", - "keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759", [name]), - "searchLine": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]), + res := { + "sk": sprintf("%s%s.Properties.MinimumCompressionSize", [cf_lib.getPath(path), name]), + "it": "IncorrectValue", + "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]), + "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set to greater than 10485759", [name]), + "sl": common_lib.build_search_line(path, [name, "Properties", "MinimumCompressionSize"]), } -} - -CxPolicy[result] { - docs := input.document[i] - [path, Resources] := walk(docs) - resource := Resources[name] - resource.Type == "AWS::ApiGateway::RestApi" - properties := resource.Properties - +} else = res { not common_lib.valid_key(properties, "MinimumCompressionSize") - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]), - "searchLine": common_lib.build_search_line(path, [name, "Properties"]), + res := { + "sk": sprintf("%s%s.Properties", [cf_lib.getPath(path), name]), + "it": "MissingAttribute", + "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined", [name]), + "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined", [name]), + "sl": common_lib.build_search_line(path, [name, 
"Properties"]), } -} +} \ No newline at end of file From 36ad7acef7da8c51105a12d009930285c3ad8a5a Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 21 Jan 2026 12:12:14 +0000 Subject: [PATCH 6/9] added sprintf to handle %s on api_gateway_access_logging_disabled --- .../aws/api_gateway_access_logging_disabled/query.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego index b57520d3242..f6d3042c8f9 100644 --- a/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego +++ b/assets/queries/terraform/aws/api_gateway_access_logging_disabled/query.rego @@ -90,7 +90,7 @@ CxPolicy[result] { "searchKey": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level", [name]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level should not be set to OFF", [name]), - "keyActualValue": "aws_apigatewayv2_stage[%s].default_route_settings.logging_level is set to OFF", + "keyActualValue": sprintf("aws_apigatewayv2_stage[%s].default_route_settings.logging_level is set to OFF", [name]), "searchLine": common_lib.build_search_line(["resource", "aws_apigatewayv2_stage", name], ["default_route_settings", "logging_level"]), } } 
@@ -224,7 +224,7 @@ CxPolicy[result] {
 "searchKey": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level", [settingsId]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level should not be set to OFF", [settingsId]),
- "keyActualValue": "aws_api_gateway_method_settings[%s].settings.logging_level is set to OFF",
+ "keyActualValue": sprintf("aws_api_gateway_method_settings[%s].settings.logging_level is set to OFF", [settingsId]),
 "searchLine": common_lib.build_search_line(["resource", "aws_api_gateway_method_settings", settingsId], ["settings", "logging_level"]),
 }
 }
From 4b22db478e855a2e227780a9b1eae68c24c07dfc Mon Sep 17 00:00:00 2001
From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com>
Date: Wed, 21 Jan 2026 12:35:16 +0000
Subject: [PATCH 7/9] simplified query + added sprintf on unhandled %s
---
 .../query.rego | 47 +++++++++----------
 1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
index 7365b716973..81c44b1f1e6 100644
--- a/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
+++ b/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding/query.rego
@@ -9,43 +9,42 @@ CxPolicy[result] { resource.Type == "AWS::Serverless::Api" properties := resource.Properties - unrecommended_minimum_compression_size(properties.MinimumCompressionSize) + res := get_res(properties, name) result := { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]), - "issueType": "IncorrectValue", - "keyExpectedValue": "Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", - "keyActualValue": "Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", - "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []), + "searchKey": res.sk, + "issueType": res.it, + "keyExpectedValue": res.kev, + "keyActualValue": res.kav, + "searchLine": res.sl, } } -CxPolicy[result] { - document := input.document - resource = document[i].Resources[name] - resource.Type == "AWS::Serverless::Api" - properties := resource.Properties - +get_res(properties, name) = res { + unrecommended_minimum_compression_size(properties.MinimumCompressionSize) + res := { + "sk": sprintf("Resources.%s.Properties.MinimumCompressionSize", [name]), + "it": "IncorrectValue", + "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be greater than -1 and smaller than 10485760", [name]), + "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is set but smaller than 0 or greater than 10485759", [name]), + "sl": common_lib.build_search_line(["Resources", name, "Properties", "MinimumCompressionSize"], []), + } +} else = res { not common_lib.valid_key(properties, "MinimumCompressionSize") - - result := { - "documentId": input.document[i].id, - "resourceType": resource.Type, - "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties", 
[name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]), - "searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []), + res := { + "sk": sprintf("Resources.%s.Properties", [name]), + "it": "MissingAttribute", + "kev": sprintf("Resources.%s.Properties.MinimumCompressionSize should be defined and not null", [name]), + "kav": sprintf("Resources.%s.Properties.MinimumCompressionSize is not defined or null", [name]), + "sl": common_lib.build_search_line(["Resources", name, "Properties"], []), } } - unrecommended_minimum_compression_size(value) { value < 0 } else { value > 10485759 -} +} \ No newline at end of file From 1372e2d5d4e9f095a606eeca037b3cdce8827cb1 Mon Sep 17 00:00:00 2001 From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 21 Jan 2026 13:03:53 +0000 Subject: [PATCH 8/9] fixed positive_expected_result --- .../test/positive_expected_result.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json index a9ace49214f..4f01a67feb6 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json @@ -44,7 +44,7 @@ { "queryName": "Website Azure Active Directory Disabled", "severity": "LOW", - "line": 2, + "line": 5, "fileName": "positive1.bicep" }, { From 9db87c974b630481d63ef39c1c64f0985232bbe3 Mon Sep 17 00:00:00 2001 
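Review bot: The hunk removes the blank line that separated the previous rule from `unrecommended_minimum_compression_size` and leaves the file without a trailing newline (`\ No newline at end of file`), so get_res now runs straight into the next rule. Keeping one empty line between rule definitions and ending the file with a newline matches the layout the file had before the change. PATCH 5/9 drops the trailing newline of api_gateway_with_invalid_compression/query.rego in the same way.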
From: Ricardo Jesus <219317970+cx-ricardo-jesus@users.noreply.github.com> Date: Wed, 21 Jan 2026 14:15:17 +0000 Subject: [PATCH 9/9] fixes results + positive_expected_result --- .../query.rego | 19 +++++++++++-------- .../test/positive_expected_result.json | 6 +++--- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego index 42fd1c6dbb7..e82d266e471 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/query.rego @@ -8,19 +8,20 @@ CxPolicy[result] { value.type == "Microsoft.Web/sites" - get_res(value, path) + res := get_res(value, path) result := { "documentId": input.document[i].id, "resourceType": value.type, "resourceName": value.name, - "searchKey": sprintf("%s.name={{%s}}", [common_lib.concat_path(path), value.name]), - "issueType": "MissingAttribute", - "keyExpectedValue": "resource with type 'Microsoft.Web/sites' should have the 'identity' property defined", - "keyActualValue": "resource with type 'Microsoft.Web/sites' doesn't have 'identity' property defined", - "searchLine": common_lib.build_search_line(path, ["name"]), + "searchKey": res.sk, + "issueType": res.it, + "keyExpectedValue": res.kev, + "keyActualValue": res.kav, + "searchLine": res.sl, } } + get_res(value, path) = res { not common_lib.valid_key(value, "identity") res := { 
@@ -36,7 +37,8 @@ get_res(value, path) = res { "sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]), "it": "MissingAttribute", "kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", - "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined" + "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned' and 'userAssignedIdentities' defined", + "sl": common_lib.build_search_line(path, ["identity"]) } } else = res { common_lib.valid_key(value.identity, "type") @@ -45,7 +47,8 @@ get_res(value, path) = res { "sk": sprintf("%s.name={{%s}}.identity", [common_lib.concat_path(path), value.name]), "it": "IncorrectValue", "kev": "resource with type 'Microsoft.Web/sites' should have the identity type set to 'SystemAssigned' or 'UserAssigned'", - "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'" + "kav": "resource with type 'Microsoft.Web/sites' doesn't have the identity type set to 'SystemAssigned' or 'UserAssigned'", + "sl": common_lib.build_search_line(path, ["identity"]) } } diff --git a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json index 4f01a67feb6..a4f6d28793d 100644 --- a/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json +++ b/assets/queries/azureResourceManager/website_azure_active_directory_disabled/test/positive_expected_result.json 
@@ -38,13 +38,13 @@
 {
 "queryName": "Website Azure Active Directory Disabled",
 "severity": "LOW",
- "line": 15,
+ "line": 18,
 "fileName": "positive7.json"
 },
 {
 "queryName": "Website Azure Active Directory Disabled",
 "severity": "LOW",
- "line": 5,
+ "line": 2,
 "fileName": "positive1.bicep"
 },
 {
@@ -80,7 +80,7 @@
 {
 "queryName": "Website Azure Active Directory Disabled",
 "severity": "LOW",
- "line": 2,
+ "line": 5,
 "fileName": "positive7.bicep"
 }
 ]