feat(arm): add CKV_AZURE_163 Enable vulnerability scanning for container images

checkov/arm/checks/resource/ACRContainerScanEnabled.py

@@ -0,0 +1,28 @@
+
+from __future__ import annotations
+from typing import Any, Dict
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.arm.base_resource_check import BaseResourceCheck
+
+
+class ACRContainerScanEnabled(BaseResourceCheck):
+    SKUS = {"Standard", "Premium"}  # noqa: CCE003  # a static attribute
+
+    def __init__(self) -> None:
+        name = "Enable vulnerability scanning for container images."
+        id = "CKV_AZURE_163"
+        supported_resources = ("Microsoft.ContainerRegistry/registries",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
+        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
+
+    def scan_resource_conf(self, conf: Dict[str, Any]) -> CheckResult:
+        sku = conf.get("sku", {})
+        sku_name = sku.get("name")
+
+        if isinstance(sku_name, str) and sku_name in ACRContainerScanEnabled.SKUS:
+            return CheckResult.PASSED
+
+        return CheckResult.FAILED
+
+
+check = ACRContainerScanEnabled()

tests/arm/checks/resource/example_ACRContainerScanEnabled/fail.json

@@ -0,0 +1,37 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.1",
+  "resources": [
+    {
+      "apiVersion": "2019-05-01",
+      "type": "Microsoft.ContainerRegistry/registries",
+      "name": "failed",
+      "location": "[resourceGroup().location]",
+      "sku": {
+        "name": "Basic"
+      },
+      "properties": {
+        "adminUserEnabled": true,
+        "anonymousPullEnabled": true,
+        "dataEndpointEnabled": true,
+        "encryption": {
+          "keyVaultProperties": {
+            "identity": "someIdentity",
+            "keyIdentifier": "someKeyIdentifier"
+          },
+          "status": "enabled"
+        },
+        "networkRuleBypassOptions": "AzureServices",
+        "networkRuleSet": {
+          "defaultAction": "Deny",
+          "ipRules": [
+            {
+              "action": "Allow",
+              "value": "127.0.0.1"
+            }
+          ]
+        }
+      }
+    }
+  ]
+}

tests/arm/checks/resource/example_ACRContainerScanEnabled/pass.json

@@ -0,0 +1,37 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.1",
+  "resources": [
+    {
+      "apiVersion": "2019-05-01",
+      "type": "Microsoft.ContainerRegistry/registries",
+      "name": "pass",
+      "location": "[resourceGroup().location]",
+      "sku": {
+        "name": "Standard"
+      },
+      "properties": {
+        "adminUserEnabled": true,
+        "anonymousPullEnabled": true,
+        "dataEndpointEnabled": true,
+        "encryption": {
+          "keyVaultProperties": {
+            "identity": "someIdentity",
+            "keyIdentifier": "someKeyIdentifier"
+          },
+          "status": "enabled"
+        },
+        "networkRuleBypassOptions": "AzureServices",
+        "networkRuleSet": {
+          "defaultAction": "Deny",
+          "ipRules": [
+            {
+              "action": "Allow",
+              "value": "127.0.0.1"
+            }
+          ]
+        }
+      }
+    }
+  ]
+}

tests/arm/checks/resource/test_ACRContainerScanEnabled.py

@@ -0,0 +1,43 @@
+import os
+import unittest
+
+from checkov.arm.checks.resource.ACRContainerScanEnabled import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestACRContainerScanEnabled(unittest.TestCase):
+
+    def test_summary(self):
+        runner = Runner()
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+
+        test_files_dir = current_dir + "/example_ACRContainerScanEnabled"
+        report = runner.run(root_folder=test_files_dir,
+                            runner_filter=RunnerFilter(checks=[check.id]))
+        summary = report.get_summary()
+
+        passing_resources = {
+            'Microsoft.ContainerRegistry/registries.pass',
+        }
+        failing_resources = {
+            'Microsoft.ContainerRegistry/registries.fail'
+        }
+        skipped_resources = {}
+
+        passed_check_resources = set([c.resource for c in report.passed_checks])
+        failed_check_resources = set([c.resource for c in report.failed_checks])
+
+
+
+        self.assertEqual(summary['passed'], len(passing_resources))
+        self.assertEqual(summary['failed'], len(failing_resources))
+        self.assertEqual(summary['skipped'], len(skipped_resources))
+        self.assertEqual(summary['parsing_errors'], 0)
+
+        self.assertEqual(passing_resources, passed_check_resources)
+        self.assertEqual(failing_resources, failed_check_resources)
+
+
+if __name__ == '__main__':
+    unittest.main()