Skip to content

feat(misconf): Update Azure network schema for new checks #9791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 25 commits into from
Nov 19, 2025
Merged

feat(misconf): Update Azure network schema for new checks #9791

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
0bf9dc9
update network schema for new checks
yagreut Nov 12, 2025
9210c10
Removed related resource resolution from the ARM adapter
yagreut Nov 12, 2025
5ee7a00
lint fix
yagreut Nov 12, 2025
b5d68da
lint fix
yagreut Nov 12, 2025
4e10dfd
lint fix
yagreut Nov 12, 2025
e0d2efa
use network. NetworkInterface
yagreut Nov 13, 2025
960e332
add support for ip_forwarding_enabled
yagreut Nov 13, 2025
045b842
require enabled
yagreut Nov 13, 2025
ddca880
require enabled in arm
yagreut Nov 13, 2025
e784086
create metadata via NewUnmanagedMetadata()
yagreut Nov 17, 2025
1bfd206
Removed explicit empty/default value initializations from the test
yagreut Nov 17, 2025
fd83746
check all IP configurations
yagreut Nov 17, 2025
5389c7e
Update pkg/iac/adapters/terraform/azure/network/adapt.go
yagreut Nov 17, 2025
2b908fa
expect false when not set
yagreut Nov 17, 2025
ae5bb25
lint fix
yagreut Nov 17, 2025
bff9bac
return an empty slice instead of nil
yagreut Nov 17, 2025
9be4468
Changed the Terraform to use a literal string
yagreut Nov 17, 2025
bb8d408
lint fix
yagreut Nov 17, 2025
6f86175
return an empty slice
yagreut Nov 17, 2025
3149828
lint fix
yagreut Nov 17, 2025
47cfe0e
use var and return empty slice
yagreut Nov 17, 2025
9cb856a
refactor: simplify az network parsing
nikpivkin Nov 19, 2025
98fb9a1
refactor: skip network interface parsing for arm
nikpivkin Nov 19, 2025
2750501
Merge remote-tracking branch 'origin' into reut-update-azure-network
nikpivkin Nov 19, 2025
2a4ceb6
refactor network and fix app service parsing
nikpivkin Nov 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 11 additions & 8 deletions pkg/iac/adapters/arm/compute/adapt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package compute

import (
"github.com/aquasecurity/trivy/pkg/iac/providers/azure/compute"
"github.com/aquasecurity/trivy/pkg/iac/providers/azure/network"
"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
)
Expand Down Expand Up @@ -93,21 +94,23 @@ func adaptLinuxVirtualMachine(resource azure.Resource) compute.LinuxVirtualMachi

}

func extractNetworkInterfaces(networkProfile azure.Value, metadata iacTypes.Metadata) []compute.NetworkInterface {
var networkInterfaces []compute.NetworkInterface
func extractNetworkInterfaces(networkProfile azure.Value, metadata iacTypes.Metadata) []network.NetworkInterface {
var networkInterfaces []network.NetworkInterface

nicsArray := networkProfile.GetMapValue("networkInterfaces").AsList()
for _, nic := range nicsArray {
nicID := nic.GetMapValue("id").AsStringValue("", metadata)
if nicID.Value() != "" {
// Create a minimal NetworkInterface object with the ID information
// In ARM templates, we don't have direct access to subnet details like in Terraform
networkInterface := compute.NetworkInterface{
Metadata: nicID.GetMetadata(),
SubnetID: iacTypes.StringDefault("", nicID.GetMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.BoolDefault(false, nicID.GetMetadata()),
PublicIPAddress: iacTypes.StringDefault("", nicID.GetMetadata()),
// EnableIPForwarding is not available from the VM's networkProfile, so it defaults to false
networkInterface := network.NetworkInterface{
Metadata: nicID.GetMetadata(),
Copy link
Contributor

@nikpivkin nikpivkin Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have two options for handling the network interface in ARM:

  • Option 1:
    If you do not plan to add checks that require the presence of a network interface, for example:

    count(compute.networkinterfaces) == 0
result.new("Compute instance must have at least one network interface", ...)

    we can simply skip adding them during parsing.

  • Option 2: Otherwise, we should create metadata via NewUnmanagedMetadata(), so that we can skip unmanaged networks in checks, for example:

    some ni in compute.networkinterfaces
isManaged(ni)

Personally, I prefer Option 1, but I’m not sure how these interfaces will be used.

EnableIPForwarding: iacTypes.BoolDefault(false, nicID.GetMetadata()),
SubnetID: iacTypes.StringDefault("", nicID.GetMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.BoolDefault(false, nicID.GetMetadata()),
PublicIPAddress: iacTypes.StringDefault("", nicID.GetMetadata()),
}
networkInterfaces = append(networkInterfaces, networkInterface)
}
Expand Down
49 changes: 27 additions & 22 deletions pkg/iac/adapters/arm/compute/adapt_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (

"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/adaptertest"
"github.com/aquasecurity/trivy/pkg/iac/providers/azure/compute"
"github.com/aquasecurity/trivy/pkg/iac/providers/azure/network"
"github.com/aquasecurity/trivy/pkg/iac/types"
)

Expand Down Expand Up @@ -116,20 +117,22 @@ func TestAdapt(t *testing.T) {
LinuxVirtualMachines: []compute.LinuxVirtualMachine{{
VirtualMachine: compute.VirtualMachine{
CustomData: types.StringTest("test"),
NetworkInterfaces: []compute.NetworkInterface{
NetworkInterfaces: []network.NetworkInterface{
{
Metadata: types.NewTestMetadata(),
SubnetID: types.StringTest(""),
SecurityGroups: nil,
HasPublicIP: types.BoolTest(false),
PublicIPAddress: types.StringTest(""),
Metadata: types.NewTestMetadata(),
EnableIPForwarding: types.BoolTest(false),
SubnetID: types.StringTest(""),
SecurityGroups: nil,
HasPublicIP: types.BoolTest(false),
PublicIPAddress: types.StringTest(""),
},
{
Metadata: types.NewTestMetadata(),
SubnetID: types.StringTest(""),
SecurityGroups: nil,
HasPublicIP: types.BoolTest(false),
PublicIPAddress: types.StringTest(""),
Metadata: types.NewTestMetadata(),
EnableIPForwarding: types.BoolTest(false),
SubnetID: types.StringTest(""),
SecurityGroups: nil,
HasPublicIP: types.BoolTest(false),
PublicIPAddress: types.StringTest(""),
},
},
},
Expand All @@ -140,20 +143,22 @@ func TestAdapt(t *testing.T) {
WindowsVirtualMachines: []compute.WindowsVirtualMachine{{
VirtualMachine: compute.VirtualMachine{
CustomData: types.StringTest("test"),
NetworkInterfaces: []compute.NetworkInterface{
NetworkInterfaces: []network.NetworkInterface{
{
Metadata: types.NewTestMetadata(),
SubnetID: types.StringTest(""),
SecurityGroups: nil,
HasPublicIP: types.BoolTest(false),
PublicIPAddress: types.StringTest(""),
Metadata: types.NewTestMetadata(),
EnableIPForwarding: types.BoolTest(false),
SubnetID: types.StringTest(""),
SecurityGroups: nil,
HasPublicIP: types.BoolTest(false),
PublicIPAddress: types.StringTest(""),
},
{
Metadata: types.NewTestMetadata(),
SubnetID: types.StringTest(""),
SecurityGroups: nil,
HasPublicIP: types.BoolTest(false),
PublicIPAddress: types.StringTest(""),
Metadata: types.NewTestMetadata(),
EnableIPForwarding: types.BoolTest(false),
SubnetID: types.StringTest(""),
SecurityGroups: nil,
HasPublicIP: types.BoolTest(false),
PublicIPAddress: types.StringTest(""),
},
},
},
Expand Down
51 changes: 49 additions & 2 deletions pkg/iac/adapters/arm/network/adapt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
return network.Network{
SecurityGroups: adaptSecurityGroups(deployment),
NetworkWatcherFlowLogs: adaptNetworkWatcherFlowLogs(deployment),
NetworkInterfaces: adaptNetworkInterfaces(deployment),
}
}

Expand Down Expand Up @@ -99,12 +100,58 @@
}

func adaptNetworkWatcherFlowLog(resource azure.Resource) network.NetworkWatcherFlowLog {
enabled := resource.Properties.GetMapValue("enabled").AsBoolValue(false, resource.Metadata)
retentionPolicy := resource.Properties.GetMapValue("retentionPolicy")

return network.NetworkWatcherFlowLog{
Metadata: resource.Metadata,
Enabled: enabled,
RetentionPolicy: network.RetentionPolicy{
Metadata: resource.Metadata,
Enabled: resource.Properties.GetMapValue("retentionPolicy").GetMapValue("enabled").AsBoolValue(false, resource.Metadata),
Days: resource.Properties.GetMapValue("retentionPolicy").GetMapValue("days").AsIntValue(0, resource.Metadata),
Enabled: retentionPolicy.GetMapValue("enabled").AsBoolValue(false, resource.Metadata),
Days: retentionPolicy.GetMapValue("days").AsIntValue(0, resource.Metadata),
},
}
}

func adaptNetworkInterfaces(deployment azure.Deployment) []network.NetworkInterface {
var networkInterfaces []network.NetworkInterface

Check failure on line 119 in pkg/iac/adapters/arm/network/adapt.go

View workflow job for this annotation

GitHub Actions / Test (ubuntu-latest) 

File is not properly formatted (gci)
for _, resource := range deployment.GetResourcesByType("Microsoft.Network/networkInterfaces") {
networkInterfaces = append(networkInterfaces, adaptNetworkInterface(resource, deployment))
}

return networkInterfaces
}

func adaptNetworkInterface(resource azure.Resource, _ azure.Deployment) network.NetworkInterface {
ni := network.NetworkInterface{
Metadata: resource.Metadata,
EnableIPForwarding: resource.Properties.GetMapValue("enableIPForwarding").AsBoolValue(false, resource.Metadata),
HasPublicIP: iacTypes.BoolDefault(false, resource.Metadata),
PublicIPAddress: iacTypes.StringDefault("", resource.Metadata),
SecurityGroups: nil,
SubnetID: iacTypes.StringDefault("", resource.Metadata),
}

ipConfigs := resource.Properties.GetMapValue("ipConfigurations").AsList()
if len(ipConfigs) > 0 {
ipConfig := ipConfigs[0]
if !ipConfig.IsNull() {
if subnetID := ipConfig.GetMapValue("subnet").GetMapValue("id").AsStringValue("", resource.Metadata); subnetID.Value() != "" {
ni.SubnetID = subnetID
}
if publicIP := ipConfig.GetMapValue("publicIPAddress"); !publicIP.IsNull() {
ni.HasPublicIP = iacTypes.Bool(true, resource.Metadata)
if publicIPID := publicIP.GetMapValue("id").AsStringValue("", resource.Metadata); publicIPID.Value() != "" {
ni.PublicIPAddress = publicIPID
}
}
}
}

// Note: SecurityGroups are not resolved for ARM templates as related resource search
// is not yet implemented for ARM (parser cannot evaluate expressions/references)

return ni
}
4 changes: 4 additions & 0 deletions pkg/iac/adapters/arm/network/adapt_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ func TestAdapt(t *testing.T) {
}`,
expected: network.Network{
NetworkWatcherFlowLogs: []network.NetworkWatcherFlowLog{{
Enabled: types.BoolTest(false),
RetentionPolicy: network.RetentionPolicy{
Days: types.IntTest(0),
Enabled: types.BoolTest(false),
Expand All @@ -46,6 +47,7 @@ func TestAdapt(t *testing.T) {
SourceAddresses: []types.StringValue{types.StringTest("")},
}},
}},
NetworkInterfaces: []network.NetworkInterface{},
},
},
{
Expand Down Expand Up @@ -96,6 +98,7 @@ func TestAdapt(t *testing.T) {
}`,
expected: network.Network{
NetworkWatcherFlowLogs: []network.NetworkWatcherFlowLog{{
Enabled: types.BoolTest(false),
RetentionPolicy: network.RetentionPolicy{
Days: types.IntTest(100),
Enabled: types.BoolTest(true),
Expand Down Expand Up @@ -145,6 +148,7 @@ func TestAdapt(t *testing.T) {
},
}},
}},
NetworkInterfaces: []network.NetworkInterface{},
},
},
}
Expand Down
49 changes: 10 additions & 39 deletions pkg/iac/adapters/terraform/azure/compute/adapt.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,8 +142,8 @@
}
}

func resolveNetworkInterfaces(resource *terraform.Block, modules terraform.Modules) []compute.NetworkInterface {
var networkInterfaces []compute.NetworkInterface
func resolveNetworkInterfaces(resource *terraform.Block, modules terraform.Modules) []network.NetworkInterface {
var networkInterfaces []network.NetworkInterface

nicIDsAttr := resource.GetAttribute("network_interface_ids")
if nicIDsAttr.IsNil() {
Expand All @@ -152,54 +152,25 @@

for _, nicIDVal := range nicIDsAttr.AsStringValues() {
if referencedNIC, err := modules.GetReferencedBlock(nicIDsAttr, resource); err == nil {
ni := adaptNetworkInterface(referencedNIC, modules)
ni := anetwork.AdaptNetworkInterface(referencedNIC, modules)
networkInterfaces = append(networkInterfaces, ni)
continue
}

networkInterfaces = append(networkInterfaces, compute.NetworkInterface{
Metadata: iacTypes.NewUnmanagedMetadata(),
SubnetID: iacTypes.StringDefault("", nicIDVal.GetMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.BoolDefault(false, nicIDVal.GetMetadata()),
PublicIPAddress: iacTypes.StringDefault("", nicIDVal.GetMetadata()),
networkInterfaces = append(networkInterfaces, network.NetworkInterface{
Metadata: iacTypes.NewUnmanagedMetadata(),
EnableIPForwarding: iacTypes.BoolDefault(false, nicIDVal.GetMetadata()),
SubnetID: iacTypes.StringDefault("", nicIDVal.GetMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.BoolDefault(false, nicIDVal.GetMetadata()),
PublicIPAddress: iacTypes.StringDefault("", nicIDVal.GetMetadata()),
})
}

return networkInterfaces
}

func adaptNetworkInterface(resource *terraform.Block, modules terraform.Modules) compute.NetworkInterface {
ni := compute.NetworkInterface{
Metadata: resource.GetMetadata(),
SubnetID: iacTypes.StringDefault("", resource.GetMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.BoolDefault(false, resource.GetMetadata()),
PublicIPAddress: iacTypes.StringDefault("", resource.GetMetadata()),
}

if nsgAttr := resource.GetAttribute("network_security_group_id"); nsgAttr.IsNotNil() {
if referencedNSG, err := modules.GetReferencedBlock(nsgAttr, resource); err == nil {
ni.SecurityGroups = []network.SecurityGroup{adaptSecurityGroupFromBlock(referencedNSG)}
}
}

ipConfigs := resource.GetBlocks("ip_configuration")
if len(ipConfigs) > 0 {
ipConfig := ipConfigs[0]
if subnetAttr := ipConfig.GetAttribute("subnet_id"); subnetAttr.IsNotNil() {
ni.SubnetID = subnetAttr.AsStringValueOrDefault("", ipConfig)
}

if publicIPAttr := ipConfig.GetAttribute("public_ip_address_id"); publicIPAttr.IsNotNil() {
ni.HasPublicIP = iacTypes.Bool(true, publicIPAttr.GetMetadata())
}
}

return ni
}

func adaptSecurityGroupFromBlock(resource *terraform.Block) network.SecurityGroup {

Check failure on line 173 in pkg/iac/adapters/terraform/azure/compute/adapt.go

View workflow job for this annotation

GitHub Actions / Test (ubuntu-latest) 

func adaptSecurityGroupFromBlock is unused (unused)
var rules []network.SecurityGroupRule
for _, ruleBlock := range resource.GetBlocks("security_rule") {
rules = append(rules, anetwork.AdaptSGRule(ruleBlock))
Expand Down
33 changes: 18 additions & 15 deletions pkg/iac/adapters/terraform/azure/compute/adapt_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,11 +192,12 @@ resource "azurerm_network_security_group" "example" {
VirtualMachine: compute.VirtualMachine{
Metadata: iacTypes.NewTestMetadata(),
CustomData: iacTypes.String("", iacTypes.NewTestMetadata()),
NetworkInterfaces: []compute.NetworkInterface{
NetworkInterfaces: []network.NetworkInterface{
{
Metadata: iacTypes.NewTestMetadata(),
HasPublicIP: iacTypes.BoolTest(true),
PublicIPAddress: iacTypes.String("", iacTypes.NewTestMetadata()),
Metadata: iacTypes.NewTestMetadata(),
EnableIPForwarding: iacTypes.BoolDefault(false, iacTypes.NewTestMetadata()),
HasPublicIP: iacTypes.BoolTest(true),
PublicIPAddress: iacTypes.String("", iacTypes.NewTestMetadata()),
SecurityGroups: []network.SecurityGroup{
{
Rules: []network.SecurityGroupRule{
Expand Down Expand Up @@ -329,20 +330,22 @@ resource "azurerm_windows_virtual_machine" "example" {
VirtualMachine: compute.VirtualMachine{
Metadata: iacTypes.NewTestMetadata(),
CustomData: iacTypes.String("", iacTypes.NewTestMetadata()),
NetworkInterfaces: []compute.NetworkInterface{
NetworkInterfaces: []network.NetworkInterface{
{
Metadata: iacTypes.NewTestMetadata(),
SubnetID: iacTypes.String("", iacTypes.NewTestMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
PublicIPAddress: iacTypes.String("", iacTypes.NewTestMetadata()),
Metadata: iacTypes.NewTestMetadata(),
EnableIPForwarding: iacTypes.BoolDefault(false, iacTypes.NewTestMetadata()),
SubnetID: iacTypes.String("", iacTypes.NewTestMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
PublicIPAddress: iacTypes.String("", iacTypes.NewTestMetadata()),
},
{
Metadata: iacTypes.NewTestMetadata(),
SubnetID: iacTypes.String("", iacTypes.NewTestMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
PublicIPAddress: iacTypes.String("", iacTypes.NewTestMetadata()),
Metadata: iacTypes.NewTestMetadata(),
EnableIPForwarding: iacTypes.BoolDefault(false, iacTypes.NewTestMetadata()),
SubnetID: iacTypes.String("", iacTypes.NewTestMetadata()),
SecurityGroups: nil,
HasPublicIP: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
PublicIPAddress: iacTypes.String("", iacTypes.NewTestMetadata()),
},
},
},
Expand Down
Loading
Loading