fix(bicep): ignore unresolvable properties for Bicep storage account …

…checks (#3946) ignore unresolvable properties for Bicep storage account checks
bridgecrewio · Nov 27, 2022 · fdb39aa · fdb39aa
1 parent 21f3bf0
commit fdb39aa
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 4 deletions.
diff --git a/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py b/checkov/bicep/checks/resource/azure/StorageAccountAzureServicesAccessEnabled.py
@@ -18,6 +18,9 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         self.evaluated_keys = ["properties/networkAcls/defaultAction"]
         properties = conf.get("properties")
         if properties:
+            if not isinstance(properties, dict):
+                return CheckResult.UNKNOWN
+
             nacls = properties.get("networkAcls")
             if nacls:
                 default_action = nacls.get("defaultAction")

diff --git a/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py b/checkov/bicep/checks/resource/azure/StorageAccountsTransportEncryption.py
@@ -19,6 +19,9 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         self.evaluated_keys = ["properties/supportsHttpsTrafficOnly"]
         properties = conf.get("properties")
         if properties:
+            if not isinstance(properties, dict):
+                return CheckResult.UNKNOWN
+
             https_only = properties.get("supportsHttpsTrafficOnly")
             if https_only is True:
                 return CheckResult.PASSED

diff --git a/...s/bicep/checks/resource/azure/example_StorageAccountAzureServicesAccessEnabled/main.bicep b/...s/bicep/checks/resource/azure/example_StorageAccountAzureServicesAccessEnabled/main.bicep
@@ -72,3 +72,16 @@ resource denyAndBypassNone 'Microsoft.Storage/storageAccounts@2019-06-01' = {
     }
   }
 }
+
+// unknown
+
+resource unknown 'Microsoft.Storage/storageAccounts@2019-06-01' = {
+  name: diagStorageAccountName
+  location: location
+  sku: {
+    name: storageAccountType
+  }
+  kind: 'StorageV2'
+
+  properties: storageAccountProperties
+}
diff --git a/tests/bicep/checks/resource/azure/example_StorageAccountsTransportEncryption/main.bicep b/tests/bicep/checks/resource/azure/example_StorageAccountsTransportEncryption/main.bicep
@@ -45,3 +45,17 @@ resource disabled 'Microsoft.Storage/storageAccounts@2019-06-01' = {
     supportsHttpsTrafficOnly: false
   }
 }
+
+// unknown
+
+resource unknown 'Microsoft.Storage/storageAccounts@2019-06-01' = {
+  name: diagStorageAccountName
+  location: location
+  sku: {
+    name: storageAccountType
+  }
+  kind: 'StorageV2'
+
+  properties: storageAccountProperties
+}
+
diff --git a/tests/bicep/checks/resource/azure/test_StorageAccountAzureServicesAccessEnabled.py b/tests/bicep/checks/resource/azure/test_StorageAccountAzureServicesAccessEnabled.py
@@ -29,10 +29,11 @@ def test_examples():
     passed_check_resources = {c.resource for c in report.passed_checks}
     failed_check_resources = {c.resource for c in report.failed_checks}
 
-    assert summary["passed"] == 3
-    assert summary["failed"] == 2
+    assert summary["passed"] == len(passing_resources)
+    assert summary["failed"] == len(failing_resources)
     assert summary["skipped"] == 0
     assert summary["parsing_errors"] == 0
+    assert summary["resource_count"] == len(passing_resources) + len(failing_resources) + 1  # unknown
 
     assert passed_check_resources == passing_resources
     assert failed_check_resources == failing_resources
diff --git a/tests/bicep/checks/resource/azure/test_StorageAccountsTransportEncryption.py b/tests/bicep/checks/resource/azure/test_StorageAccountsTransportEncryption.py
@@ -28,10 +28,11 @@ def test_examples():
     passed_check_resources = {c.resource for c in report.passed_checks}
     failed_check_resources = {c.resource for c in report.failed_checks}
 
-    assert summary["passed"] == 2
-    assert summary["failed"] == 2
+    assert summary["passed"] == len(passing_resources)
+    assert summary["failed"] == len(failing_resources)
     assert summary["skipped"] == 0
     assert summary["parsing_errors"] == 0
+    assert summary["resource_count"] == len(passing_resources) + len(failing_resources) + 1  # unknown
 
     assert passed_check_resources == passing_resources
     assert failed_check_resources == failing_resources