Checkov Documentation

arm resource scans (auto generated)

|  | Id | Type | Entity | Policy | IaC | Resource Link |
|---|---|---|---|---|---|---|
| 0 | CKV_AZURE_1 | resource | Microsoft.Compute/virtualMachines | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | arm | AzureInstancePassword.py |
| 1 | CKV_AZURE_2 | resource | Microsoft.Compute/disks | Ensure Azure managed disk have encryption enabled | arm | AzureManagedDiscEncryption.py |
| 2 | CKV_AZURE_3 | resource | Microsoft.Storage/storageAccounts | Ensure that ‘supportsHttpsTrafficOnly’ is set to ‘true’ | arm | StorageAccountsTransportEncryption.py |
| 3 | CKV_AZURE_4 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS logging to Azure Monitoring is Configured | arm | AKSLoggingEnabled.py |
| 4 | CKV_AZURE_5 | resource | Microsoft.ContainerService/managedClusters | Ensure RBAC is enabled on AKS clusters | arm | AKSRbacEnabled.py |
| 5 | CKV_AZURE_6 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS has an API Server Authorized IP Ranges enabled | arm | AKSApiServerAuthorizedIpRanges.py |
| 6 | CKV_AZURE_7 | resource | Microsoft.ContainerService/managedClusters | Ensure AKS cluster has Network Policy configured | arm | AKSNetworkPolicy.py |
| 7 | CKV_AZURE_8 | resource | Microsoft.ContainerService/managedClusters | Ensure Kubernetes Dashboard is disabled | arm | AKSDashboardDisabled.py |
| 8 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups | Ensure that RDP access is restricted from the internet | arm | NSGRuleRDPAccessRestricted.py |
| 9 | CKV_AZURE_9 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that RDP access is restricted from the internet | arm | NSGRuleRDPAccessRestricted.py |
| 10 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups | Ensure that SSH access is restricted from the internet | arm | NSGRuleSSHAccessRestricted.py |
| 11 | CKV_AZURE_10 | resource | Microsoft.Network/networkSecurityGroups/securityRules | Ensure that SSH access is restricted from the internet | arm | NSGRuleSSHAccessRestricted.py |
| 12 | CKV_AZURE_11 | resource | Microsoft.Sql/servers | Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) | arm | SQLServerNoPublicAccess.py |
| 13 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs | Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ | arm | NetworkWatcherFlowLogPeriod.py |
| 14 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/FlowLogs/ | Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ | arm | NetworkWatcherFlowLogPeriod.py |
| 15 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs | Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ | arm | NetworkWatcherFlowLogPeriod.py |
| 16 | CKV_AZURE_12 | resource | Microsoft.Network/networkWatchers/flowLogs/ | Ensure that Network Security Group Flow Log retention period is ‘greater than 90 days’ | arm | NetworkWatcherFlowLogPeriod.py |
| 17 | CKV_AZURE_13 | resource | Microsoft.Web/sites/config | Ensure App Service Authentication is set on Azure App Service | arm | AppServiceAuthentication.py |
| 18 | CKV_AZURE_13 | resource | config | Ensure App Service Authentication is set on Azure App Service | arm | AppServiceAuthentication.py |
| 19 | CKV_AZURE_14 | resource | Microsoft.Web/sites | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | arm | AppServiceHTTPSOnly.py |
| 20 | CKV_AZURE_15 | resource | Microsoft.Web/sites | Ensure web app is using the latest version of TLS encryption | arm | AppServiceMinTLSVersion.py |
| 21 | CKV_AZURE_16 | resource | Microsoft.Web/sites | Ensure that Register with Azure Active Directory is enabled on App Service | arm | AppServiceIdentity.py |
| 22 | CKV_AZURE_17 | resource | Microsoft.Web/sites | Ensure the web app has ‘Client Certificates (Incoming client certificates)’ set | arm | AppServiceClientCertificate.py |
| 23 | CKV_AZURE_18 | resource | Microsoft.Web/sites | Ensure that ‘HTTP Version’ is the latest if used to run the web app | arm | AppServiceHttps20Enabled.py |
| 24 | CKV_AZURE_19 | resource | Microsoft.Security/pricings | Ensure that standard pricing tier is selected | arm | SecurityCenterStandardPricing.py |
| 25 | CKV_AZURE_20 | resource | Microsoft.Security/securityContacts | Ensure that security contact ‘Phone number’ is set | arm | SecurityCenterContactPhone.py |
| 26 | CKV_AZURE_21 | resource | Microsoft.Security/securityContacts | Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ | arm | SecurityCenterContactEmailAlert.py |
| 27 | CKV_AZURE_22 | resource | Microsoft.Security/securityContacts | Ensure that ‘Send email notification for high severity alerts’ is set to ‘On’ | arm | SecurityCenterContactEmailAlertAdmins.py |
| 28 | CKV_AZURE_23 | resource | Microsoft.Sql/servers | Ensure that ‘Auditing’ is set to ‘Enabled’ for SQL servers | arm | SQLServerAuditingEnabled.py |
| 29 | CKV_AZURE_23 | resource | Microsoft.Sql/servers/databases | Ensure that ‘Auditing’ is set to ‘Enabled’ for SQL servers | arm | SQLServerAuditingEnabled.py |
| 30 | CKV_AZURE_24 | resource | Microsoft.Sql/servers | Ensure that ‘Auditing’ Retention is ‘greater than 90 days’ for SQL servers | arm | SQLServerAuditingRetention90Days.py |
| 31 | CKV_AZURE_25 | resource | Microsoft.Sql/servers/databases | Ensure that ‘Threat Detection types’ is set to ‘All’ | arm | SQLServerThreatDetectionTypes.py |
| 32 | CKV_AZURE_26 | resource | Microsoft.Sql/servers/databases | Ensure that ‘Send Alerts To’ is enabled for MSSQL servers | arm | SQLServerEmailAlertsEnabled.py |
| 33 | CKV_AZURE_27 | resource | Microsoft.Sql/servers/databases | Ensure that ‘Email service and co-administrators’ is ‘Enabled’ for MSSQL servers | arm | SQLServerEmailAlertsToAdminsEnabled.py |
| 34 | CKV_AZURE_28 | resource | Microsoft.DBforMySQL/servers | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MySQL Database Server | arm | MySQLServerSSLEnforcementEnabled.py |
| 35 | CKV_AZURE_29 | resource | Microsoft.DBforPostgreSQL/servers | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for PostgreSQL Database Server | arm | PostgreSQLServerSSLEnforcementEnabled.py |
| 36 | CKV_AZURE_30 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server | arm | PostgreSQLServerLogCheckpointsEnabled.py |
| 37 | CKV_AZURE_30 | resource | configurations | Ensure server parameter ‘log_checkpoints’ is set to ‘ON’ for PostgreSQL Database Server | arm | PostgreSQLServerLogCheckpointsEnabled.py |
| 38 | CKV_AZURE_31 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server | arm | PostgreSQLServerLogConnectionsEnabled.py |
| 39 | CKV_AZURE_31 | resource | configurations | Ensure configuration ‘log_connections’ is set to ‘ON’ for PostgreSQL Database Server | arm | PostgreSQLServerLogConnectionsEnabled.py |
| 40 | CKV_AZURE_32 | resource | Microsoft.DBforPostgreSQL/servers/configurations | Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server | arm | PostgreSQLServerConnectionThrottlingEnabled.py |
| 41 | CKV_AZURE_32 | resource | configurations | Ensure server parameter ‘connection_throttling’ is set to ‘ON’ for PostgreSQL Database Server | arm | PostgreSQLServerConnectionThrottlingEnabled.py |
| 42 | CKV_AZURE_33 | resource | Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings | Ensure Storage logging is enabled for Queue service for read, write and delete requests | arm | StorageAccountLoggingQueueServiceEnabled.py |
| 43 | CKV_AZURE_34 | resource | Microsoft.Storage/storageAccounts/blobServices/containers | Ensure that ‘Public access level’ is set to Private for blob containers | arm | StorageBlobServiceContainerPrivateAccess.py |
| 44 | CKV_AZURE_34 | resource | blobServices/containers | Ensure that ‘Public access level’ is set to Private for blob containers | arm | StorageBlobServiceContainerPrivateAccess.py |
| 45 | CKV_AZURE_34 | resource | containers | Ensure that ‘Public access level’ is set to Private for blob containers | arm | StorageBlobServiceContainerPrivateAccess.py |
| 46 | CKV_AZURE_35 | resource | Microsoft.Storage/storageAccounts | Ensure default network access rule for Storage Accounts is set to deny | arm | StorageAccountDefaultNetworkAccessDeny.py |
| 47 | CKV_AZURE_36 | resource | Microsoft.Storage/storageAccounts | Ensure ‘Trusted Microsoft Services’ is enabled for Storage Account access | arm | StorageAccountAzureServicesAccessEnabled.py |
| 48 | CKV_AZURE_37 | resource | Microsoft.Insights/logprofiles | Ensure that Activity Log Retention is set 365 days or greater | arm | MonitorLogProfileRetentionDays.py |
| 49 | CKV_AZURE_38 | resource | Microsoft.Insights/logprofiles | Ensure audit profile captures all the activities | arm | MonitorLogProfileCategories.py |
| 50 | CKV_AZURE_39 | resource | Microsoft.Authorization/roleDefinitions | Ensure that no custom subscription owner roles are created | arm | CustomRoleDefinitionSubscriptionOwner.py |
| 51 | CKV_AZURE_41 | resource | Microsoft.KeyVault/vaults/secrets | Ensure that the expiration date is set on all secrets | arm | SecretExpirationDate.py |
| 52 | CKV_AZURE_42 | resource | Microsoft.KeyVault/vaults | Ensure the key vault is recoverable | arm | KeyvaultRecoveryEnabled.py |
| 53 | CKV_AZURE_47 | resource | Microsoft.DBforMariaDB/servers | Ensure ‘Enforce SSL connection’ is set to ‘ENABLED’ for MariaDB servers | arm | MariaDBSSLEnforcementEnabled.py |
| 54 | CKV_AZURE_49 | resource | Microsoft.Compute/virtualMachineScaleSets | Ensure Azure linux scale set does not use basic authentication(Use SSH Key Instead) | arm | AzureScaleSetPassword.py |
| 55 | CKV_AZURE_131 | parameter | secureString | SecureString parameter should not have hardcoded default values | arm | SecureStringParameterNoHardcodedValue.py |
| 56 | CKV_AZURE_132 | resource | Microsoft.DocumentDB/databaseAccounts | Ensure cosmosdb does not allow privileged escalation by restricting management plane changes | arm | CosmosDBDisableAccessKeyWrite.py |
| 57 | CKV2_AZURE_23 | resource | Microsoft.AppPlatform/Spring | Ensure Azure spring cloud is configured with Virtual network (Vnet) | arm | AzureSpringCloudConfigWithVnet.yaml |
