
I have the following Bicep file:

param webAppName string = uniqueString(resourceGroup().id) // Generate unique String for web app name
param sku string = 'F1' // The SKU of App Service Plan
param linuxFxVersion string = 'node|14-lts' // The runtime stack of web app
param location string = resourceGroup().location // Location for all resources
param repositoryUrl string = 'https://github.com/Azure-Samples/nodejs-docs-hello-world'
param branch string = 'main'
var appServicePlanName = toLower('AppServicePlan-${webAppName}')
var webSiteName = toLower('wapp-${webAppName}')

resource appServicePlan 'Microsoft.Web/serverfarms@2020-06-01' = {
  name: appServicePlanName
  location: location
  properties: {
    reserved: true
  }
  sku: {
    name: sku
  }
  kind: 'linux'
}

resource appService 'Microsoft.Web/sites@2020-06-01' = {
  name: webSiteName
  location: location
  properties: {
    serverFarmId: appServicePlan.id
    siteConfig: {
      linuxFxVersion: linuxFxVersion
    }
    httpsOnly: false
  }
}

This is my Azure pipeline:

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: UseDotNet@2
  inputs:
    version: '6.x'
    packageType: 'sdk'

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      # Install Checkov
      pip install checkov

      # Verify installation
      checkov --version

- task: PowerShell@2
  inputs:
    targetType: 'inline'
    script: |
      # Scan main.bicep using Checkov
      $output = checkov -f $(System.DefaultWorkingDirectory)/main.bicep --quiet --no-guide

      
    metadata:
      name: "check to ensure HTTPS flag exists and is true"
      id: "chk_https_is_present"
      category: "secrets"
      definition:
      and:
          cond_type: "attribute"
          resource_types: "all"
          attribute: "httpsOnly"
          operator: "exists"

So what am I trying to do? Well, within my Azure pipeline I'm installing Checkov (this part works as expected), and I'm then scanning main.bicep (even though this does nothing, it does work up to this point).

In the next step I'm trying to create a Checkov custom policy which checks to make sure the attribute httpsOnly exists, otherwise throw an error. Yet when I deploy, it errors saying invalid character at line 19 (which is checkov --version); this works if I remove the metadata Checkov policy.

I'm new to Bicep / Azure Pipelines, and Checkov for that matter, so I'm currently going through the learning curve, and was wondering if someone could give me a hand to get me started.

Code Ratchet

0 Answers
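A working layout for what the question is attempting, as an added example that is not from the original post, from Checkov's documentation, or from Azure: a Checkov custom policy is a YAML document of its own (with `metadata` and `definition` as top-level keys), loaded from a directory passed with `--external-checks-dir`; it cannot be nested under a pipeline task's `inputs`, which is why the pipeline YAML above fails to parse. The pipeline step below writes the policy file at scan time so the whole thing is visible in one place. The policy ID `CKV2_CUSTOM_1`, the file name `checkov-policies/https_only.yaml`, the `NETWORKING` category, and the attribute path `properties.httpsOnly` for Checkov's Bicep graph are assumptions made for this example.

```yaml
# azure-pipelines.yml (added example, not the original post's pipeline)
trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: UseDotNet@2
  inputs:
    version: '6.x'
    packageType: 'sdk'

- bash: |
    set -euo pipefail
    pip install checkov
    checkov --version
  displayName: 'Install Checkov'

- bash: |
    set -euo pipefail
    # The custom policy is its own YAML file in a directory handed to
    # --external-checks-dir; it is not part of the pipeline YAML.
    # Assumptions for this example: policy id, file name, category, and the
    # attribute path used for the Bicep resource graph.
    mkdir -p checkov-policies
    cat > checkov-policies/https_only.yaml <<'EOF'
    metadata:
      name: "Ensure App Service web apps set httpsOnly to true"
      id: "CKV2_CUSTOM_1"
      category: "NETWORKING"
    definition:
      cond_type: "attribute"
      resource_types:
        - "Microsoft.Web/sites"
      attribute: "properties.httpsOnly"
      operator: "equals"
      value: "true"
    EOF

    # Scan only main.bicep with the Bicep framework plus the custom policy.
    # Checkov exits non-zero when a check fails, which fails this step.
    checkov -f "$(System.DefaultWorkingDirectory)/main.bicep" \
      --framework bicep \
      --external-checks-dir checkov-policies
  displayName: 'Scan main.bicep with Checkov (built-in + custom policy)'
```

Against the main.bicep in the question, which sets `httpsOnly: false`, this step is expected to fail, which is the point of the gate; changing the resource to `httpsOnly: true` should make it pass. The question asked for `operator: "exists"`, but an `exists` check alone would accept `httpsOnly: false`, so `equals` against `"true"` is the check a reviewer would actually want; `exists` can be substituted in the `definition` block if attribute presence is really all that matters. The `$output = ...` assignment in the original PowerShell step is also why the scan appeared to "do nothing": with `--quiet`, captured output is never printed, so only the exit code is visible.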