Add initial deployment configuration files for Azure web app #23

Merged

Commit 5b940ef: Add initial deployment configuration files for Azure web app
GitHub Advanced Security / templateanalyzer failed Apr 21, 2025 in 5s

1 configuration not found

Warning: Code scanning may not have found all the alerts introduced by this pull request, because 1 configuration present on refs/heads/main was not found:

Actions workflow (MSDO-Microsoft-Security-DevOps.yml)

  • ❓  .github/workflows/MSDO-Microsoft-Security-DevOps.yml:MSDO

New alerts in code changed by this pull request

  • 37 errors

See annotations below for details.

Annotations

Check failure on line 27 in infra/resources.bicep

Code scanning / templateanalyzer

Disable ACR admin user. Error

Azure Container Registry (ACR) includes a built-in local admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries.
Instead of using the admin user account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits, including:

  • Strong account protection controls with conditional access, identity governance, and privileged identity management.
  • Auditing and reporting of account activity.
  • Granular access control with role-based access control (RBAC).
  • Separation of account types for users and applications.

Check failure on line 54 in infra/resources.bicep

Code scanning / templateanalyzer

Web apps should only be accessible over HTTPS. Error

Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Check failure on line 56 in infra/resources.bicep

Code scanning / templateanalyzer

FTPS only should be required in your web app. Error

Enable FTPS enforcement for enhanced security.

Check failure on line 56 in infra/resources.bicep

Code scanning / templateanalyzer

Latest TLS version should be used in your web app. Error

Web apps should require the latest TLS version.

Check failure on line 29 in samples/insecure_arm.json

Code scanning / templateanalyzer

API app should only be accessible over HTTPS. Error

API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Check failure on line 44 in samples/insecure_arm.json

Code scanning / templateanalyzer

API app should only be accessible over HTTPS. Error

API apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Check failure on line 70 in samples/insecure_arm.json

Code scanning / templateanalyzer

Function app should only be accessible over HTTPS. Error

Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Check failure on line 85 in samples/insecure_arm.json

Code scanning / templateanalyzer

Function app should only be accessible over HTTPS. Error

Function apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Check failure on line 111 in samples/insecure_arm.json

Code scanning / templateanalyzer

Web apps should only be accessible over HTTPS. Error

Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Check failure on line 125 in samples/insecure_arm.json

Code scanning / templateanalyzer

Web apps should only be accessible over HTTPS. Error

Web apps should require HTTPS to ensure connections are made to the expected server and data in transit is protected from network layer eavesdropping attacks.

Check failure on line 165 in samples/insecure_arm.json

Code scanning / templateanalyzer

FTPS only should be required in your API app. Error

Enable FTPS enforcement for enhanced security.

Check failure on line 165 in samples/insecure_arm.json

Code scanning / templateanalyzer

Latest TLS version should be used in your API app. Error

API apps should require the latest TLS version.

Check failure on line 179 in samples/insecure_arm.json

Code scanning / templateanalyzer

Diagnostic logs in App Service should be enabled. Error

Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

Check failure on line 179 in samples/insecure_arm.json

Code scanning / templateanalyzer

FTPS only should be required in your function app. Error

Enable FTPS enforcement for enhanced security.

Check failure on line 179 in samples/insecure_arm.json

Code scanning / templateanalyzer

Latest TLS version should be used in your function app. Error

Function apps should require the latest TLS version.

Check failure on line 179 in samples/insecure_arm.json

Code scanning / templateanalyzer

FTPS only should be required in your web app. Error

Enable FTPS enforcement for enhanced security.

Check failure on line 179 in samples/insecure_arm.json

Code scanning / templateanalyzer

Latest TLS version should be used in your web app. Error

Web apps should require the latest TLS version.

Check failure on line 187 in samples/insecure_arm.json

Code scanning / templateanalyzer

Managed identity should be used in your API app. Error

For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

Check failure on line 195 in samples/insecure_arm.json

Code scanning / templateanalyzer

FTPS only should be required in your API app. Error

Enable FTPS enforcement for enhanced security.

Check failure on line 195 in samples/insecure_arm.json

Code scanning / templateanalyzer

Latest TLS version should be used in your API app. Error

API apps should require the latest TLS version.

Check failure on line 199 in samples/insecure_arm.json

Code scanning / templateanalyzer

CORS should not allow every resource to access your API app. Error

Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app.