aquasecurity · nikpivkin · Nov 19, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
@@ -2,6 +2,7 @@ package compute
 
 import (
 	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/compute"
+	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/network"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
@@ -93,25 +94,6 @@ func adaptLinuxVirtualMachine(resource azure.Resource) compute.LinuxVirtualMachi
 
 }
 
-func extractNetworkInterfaces(networkProfile azure.Value, metadata iacTypes.Metadata) []compute.NetworkInterface {
-	var networkInterfaces []compute.NetworkInterface
-
-	nicsArray := networkProfile.GetMapValue("networkInterfaces").AsList()
-	for _, nic := range nicsArray {
-		nicID := nic.GetMapValue("id").AsStringValue("", metadata)
-		if nicID.Value() != "" {
-			// Create a minimal NetworkInterface object with the ID information
-			// In ARM templates, we don't have direct access to subnet details like in Terraform
-			networkInterface := compute.NetworkInterface{
-				Metadata:        nicID.GetMetadata(),
-				SubnetID:        iacTypes.StringDefault("", nicID.GetMetadata()),
-				SecurityGroups:  nil,
-				HasPublicIP:     iacTypes.BoolDefault(false, nicID.GetMetadata()),
-				PublicIPAddress: iacTypes.StringDefault("", nicID.GetMetadata()),
-			}
-			networkInterfaces = append(networkInterfaces, networkInterface)
-		}
-	}
-
-	return networkInterfaces
+func extractNetworkInterfaces(_ azure.Value, _ iacTypes.Metadata) []network.NetworkInterface {
+	return nil
 }
@@ -116,22 +116,6 @@ func TestAdapt(t *testing.T) {
 				LinuxVirtualMachines: []compute.LinuxVirtualMachine{{
 					VirtualMachine: compute.VirtualMachine{
 						CustomData: types.StringTest("test"),
-						NetworkInterfaces: []compute.NetworkInterface{
-							{
-								Metadata:        types.NewTestMetadata(),
-								SubnetID:        types.StringTest(""),
-								SecurityGroups:  nil,
-								HasPublicIP:     types.BoolTest(false),
-								PublicIPAddress: types.StringTest(""),
-							},
-							{
-								Metadata:        types.NewTestMetadata(),
-								SubnetID:        types.StringTest(""),
-								SecurityGroups:  nil,
-								HasPublicIP:     types.BoolTest(false),
-								PublicIPAddress: types.StringTest(""),
-							},
-						},
 					},
 					OSProfileLinuxConfig: compute.OSProfileLinuxConfig{
 						DisablePasswordAuthentication: types.BoolTest(false),
@@ -140,22 +124,6 @@ func TestAdapt(t *testing.T) {
 				WindowsVirtualMachines: []compute.WindowsVirtualMachine{{
 					VirtualMachine: compute.VirtualMachine{
 						CustomData: types.StringTest("test"),
-						NetworkInterfaces: []compute.NetworkInterface{
-							{
-								Metadata:        types.NewTestMetadata(),
-								SubnetID:        types.StringTest(""),
-								SecurityGroups:  nil,
-								HasPublicIP:     types.BoolTest(false),
-								PublicIPAddress: types.StringTest(""),
-							},
-							{
-								Metadata:        types.NewTestMetadata(),
-								SubnetID:        types.StringTest(""),
-								SecurityGroups:  nil,
-								HasPublicIP:     types.BoolTest(false),
-								PublicIPAddress: types.StringTest(""),
-							},
-						},
 					},
 				}},
 			},

@@ -15,6 +15,7 @@ func Adapt(deployment azure.Deployment) network.Network {
 	return network.Network{
 		SecurityGroups:         adaptSecurityGroups(deployment),
 		NetworkWatcherFlowLogs: adaptNetworkWatcherFlowLogs(deployment),
+		NetworkInterfaces:      adaptNetworkInterfaces(deployment),
 	}
 }
 
@@ -42,7 +43,9 @@ func adaptSecurityGroupRules(deployment azure.Deployment) (rules []network.Secur
 
 func adaptSecurityGroupRule(resource azure.Resource) network.SecurityGroupRule {
 	sourceAddressPrefixes := resource.Properties.GetMapValue("sourceAddressPrefixes").AsStringValuesList("")
-	sourceAddressPrefixes = append(sourceAddressPrefixes, resource.Properties.GetMapValue("sourceAddressPrefix").AsStringValue("", resource.Metadata))
+	if prefix := resource.Properties.GetMapValue("sourceAddressPrefix").AsStringValue("", resource.Metadata); prefix.IsNotEmpty() {
+		sourceAddressPrefixes = append(sourceAddressPrefixes, prefix)
+	}
 
 	var sourcePortRanges []common.PortRange
 	for _, portRange := range resource.Properties.GetMapValue("sourcePortRanges").AsList() {
@@ -56,7 +59,9 @@ func adaptSecurityGroupRule(resource azure.Resource) network.SecurityGroupRule {
 	}
 
 	destinationAddressPrefixes := resource.Properties.GetMapValue("destinationAddressPrefixes").AsStringValuesList("")
-	destinationAddressPrefixes = append(destinationAddressPrefixes, resource.Properties.GetMapValue("destinationAddressPrefix").AsStringValue("", resource.Metadata))
+	if prefix := resource.Properties.GetMapValue("destinationAddressPrefix").AsStringValue("", resource.Metadata); prefix.IsNotEmpty() {
+		destinationAddressPrefixes = append(destinationAddressPrefixes, prefix)
+	}
 
 	var destinationPortRanges []common.PortRange
 	for _, portRange := range resource.Properties.GetMapValue("destinationPortRanges").AsList() {
@@ -99,12 +104,57 @@ func adaptNetworkWatcherFlowLogs(deployment azure.Deployment) (flowLogs []networ
 }
 
 func adaptNetworkWatcherFlowLog(resource azure.Resource) network.NetworkWatcherFlowLog {
+	enabled := resource.Properties.GetMapValue("enabled").AsBoolValue(false, resource.Metadata)
+	retentionPolicy := resource.Properties.GetMapValue("retentionPolicy")
+
 	return network.NetworkWatcherFlowLog{
 		Metadata: resource.Metadata,
+		Enabled:  enabled,
 		RetentionPolicy: network.RetentionPolicy{
 			Metadata: resource.Metadata,
-			Enabled:  resource.Properties.GetMapValue("retentionPolicy").GetMapValue("enabled").AsBoolValue(false, resource.Metadata),
-			Days:     resource.Properties.GetMapValue("retentionPolicy").GetMapValue("days").AsIntValue(0, resource.Metadata),
+			Enabled:  retentionPolicy.GetMapValue("enabled").AsBoolValue(false, resource.Metadata),
+			Days:     retentionPolicy.GetMapValue("days").AsIntValue(0, resource.Metadata),
 		},
 	}
 }
+
+func adaptNetworkInterfaces(deployment azure.Deployment) []network.NetworkInterface {
+	var networkInterfaces []network.NetworkInterface
+	for _, resource := range deployment.GetResourcesByType("Microsoft.Network/networkInterfaces") {
+		networkInterfaces = append(networkInterfaces, adaptNetworkInterface(resource, deployment))
+	}
+	return networkInterfaces
+}
+
+func adaptNetworkInterface(resource azure.Resource, _ azure.Deployment) network.NetworkInterface {
+	ni := network.NetworkInterface{
+		Metadata:           resource.Metadata,
+		EnableIPForwarding: resource.Properties.GetMapValue("enableIPForwarding").AsBoolValue(false, resource.Metadata),
+		HasPublicIP:        iacTypes.BoolDefault(false, resource.Metadata),
+		PublicIPAddress:    iacTypes.StringDefault("", resource.Metadata),
+		SubnetID:           iacTypes.StringDefault("", resource.Metadata),
+	}
+
+	ipConfigs := resource.Properties.GetMapValue("ipConfigurations").AsList()
+	ni.IPConfigurations = make([]network.IPConfiguration, 0, len(ipConfigs))
+
+	for _, ipConfig := range ipConfigs {
+		if ipConfig.IsNull() {
+			continue
+		}
+		ipConfigProps := ipConfig.GetMapValue("properties")
+		ni.IPConfigurations = append(ni.IPConfigurations, network.IPConfiguration{
+			Metadata: resource.Metadata,
+			PublicIPAddress: ipConfigProps.GetMapValue("publicIPAddress").
+				GetMapValue("id").AsStringValue("", resource.Metadata),
+			SubnetID: ipConfigProps.GetMapValue("subnet").
+				GetMapValue("id").AsStringValue("", resource.Metadata),
+			Primary: ipConfigProps.GetMapValue("primary").AsBoolValue(false, resource.Metadata),
+		})
+	}
+	ni.Setup()
+
+	// Note: SecurityGroups are not resolved for ARM templates as related resource search
+	// is not yet implemented for ARM (parser cannot evaluate expressions/references)
+	return ni
+}
@@ -35,16 +35,10 @@ func TestAdapt(t *testing.T) {
 }`,
 			expected: network.Network{
 				NetworkWatcherFlowLogs: []network.NetworkWatcherFlowLog{{
-					RetentionPolicy: network.RetentionPolicy{
-						Days:    types.IntTest(0),
-						Enabled: types.BoolTest(false),
-					},
+					RetentionPolicy: network.RetentionPolicy{},
 				}},
 				SecurityGroups: []network.SecurityGroup{{
-					Rules: []network.SecurityGroupRule{{
-						DestinationAddresses: []types.StringValue{types.StringTest("")},
-						SourceAddresses:      []types.StringValue{types.StringTest("")},
-					}},
+					Rules: []network.SecurityGroupRule{{}},
 				}},
 			},
 		},
@@ -147,6 +141,71 @@ func TestAdapt(t *testing.T) {
 				}},
 			},
 		},
+		{
+			name: "network interface with ip configurations",
+			source: `{
+			"resources": [
+				{
+					"type": "Microsoft.Network/networkInterfaces",
+					"properties": {
+						"enableIPForwarding": true,
+						"ipConfigurations": [
+							{
+								"name": "primary-ip",
+								"properties": {
+									"primary": true,
+									"subnet": {
+										"id": "/subscriptions/abc/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/subnet-primary"
+									},
+									"publicIPAddress": {
+										"id": "/subscriptions/abc/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/pip-primary"
+									}
+								}
+							},
+							{
+								"name": "secondary-ip",
+								"properties": {
+									"primary": false,
+									"subnet": {
+										"id": "/subscriptions/abc/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/subnet-secondary"
+									}
+								}
+							}
+						]
+					}
+				}
+			]
+		}`,
+			expected: network.Network{
+				NetworkInterfaces: []network.NetworkInterface{
+					{
+						EnableIPForwarding: types.BoolTest(true),
+
+						// backward compatibility — filled from primary config
+						SubnetID:        types.StringTest("/subscriptions/abc/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/subnet-primary"),
+						HasPublicIP:     types.BoolTest(true),
+						PublicIPAddress: types.StringTest("/subscriptions/abc/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/pip-primary"),
+
+						IPConfigurations: []network.IPConfiguration{
+							{
+								Primary: types.BoolTest(true),
+								SubnetID: types.StringTest(
+									"/subscriptions/abc/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/subnet-primary",
+								),
+								HasPublicIP:     types.BoolTest(true),
+								PublicIPAddress: types.StringTest("/subscriptions/abc/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/pip-primary"),
+							},
+							{
+								Primary:         types.BoolTest(false),
+								SubnetID:        types.StringTest("/subscriptions/abc/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/subnet-secondary"),
+								HasPublicIP:     types.BoolTest(false),
+								PublicIPAddress: types.StringTest(""),
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for _, tt := range tests {

@@ -1,10 +1,9 @@
 package appservice
 
 import (
-	"github.com/samber/lo"
-
 	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/appservice"
 	"github.com/aquasecurity/trivy/pkg/iac/terraform"
+	"github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
 func Adapt(modules terraform.Modules) appservice.AppService {
@@ -31,30 +30,42 @@ func adaptFunctionApps(modules terraform.Modules) []appservice.FunctionApp {
 }
 
 func adaptService(resource *terraform.Block) appservice.Service {
-	siteBlock := resource.GetBlock("site_config")
-	identityBlock := resource.GetBlock("identity")
-	authBlock := resource.GetBlock("auth_settings")
-	return appservice.Service{
+	service := appservice.Service{
 		Metadata:         resource.GetMetadata(),
 		EnableClientCert: resource.GetAttribute("client_cert_enabled").AsBoolValueOrDefault(false, resource),
 		HTTPSOnly:        resource.GetAttribute("https_only").AsBoolValueOrDefault(false, resource),
-		Identity: appservice.Identity{
-			Metadata: lo.TernaryF(identityBlock.IsNil(), resource.GetMetadata, identityBlock.GetMetadata),
-			Type:     identityBlock.GetAttribute("type").AsStringValueOrDefault("", identityBlock),
+		Site: appservice.Site{
+			Metadata:          resource.GetMetadata(),
+			MinimumTLSVersion: types.StringDefault("1.2", resource.GetMetadata()),
 		},
-		Authentication: appservice.Authentication{
-			Metadata: lo.TernaryF(identityBlock.IsNil(), resource.GetMetadata, authBlock.GetMetadata),
+	}
+
+	if identityBlock := resource.GetBlock("identity"); identityBlock.IsNotNil() {
+		service.Identity = appservice.Identity{
+			Metadata: identityBlock.GetMetadata(),
+			Type:     identityBlock.GetAttribute("type").AsStringValueOrDefault("", identityBlock),
+		}
+	}
+
+	if authBlock := resource.GetBlock("auth_settings"); authBlock.IsNotNil() {
+		service.Authentication = appservice.Authentication{
+			Metadata: authBlock.GetMetadata(),
 			Enabled:  authBlock.GetAttribute("enabled").AsBoolValueOrDefault(false, authBlock),
-		},
-		Site: appservice.Site{
-			Metadata:          lo.TernaryF(identityBlock.IsNil(), resource.GetMetadata, siteBlock.GetMetadata),
+		}
+	}
+
+	if siteBlock := resource.GetBlock("site_config"); siteBlock.IsNotNil() {
+		service.Site = appservice.Site{
+			Metadata:          siteBlock.GetMetadata(),
 			EnableHTTP2:       siteBlock.GetAttribute("http2_enabled").AsBoolValueOrDefault(false, siteBlock),
 			MinimumTLSVersion: siteBlock.GetAttribute("min_tls_version").AsStringValueOrDefault("1.2", siteBlock),
 			PHPVersion:        siteBlock.GetAttribute("php_version").AsStringValueOrDefault("", siteBlock),
 			PythonVersion:     siteBlock.GetAttribute("python_version").AsStringValueOrDefault("", siteBlock),
 			FTPSState:         siteBlock.GetAttribute("ftps_state").AsStringValueOrDefault("", siteBlock),
-		},
+		}
 	}
+
+	return service
 }
 
 func adaptFunctionApp(resource *terraform.Block) appservice.FunctionApp {