mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-01-25 02:08:11 +00:00
chore(azure): enhance metadata for app service (#9613)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
committed by GitHub
parent 799826758e
commit 3bb326133a
@@ -2,6 +2,14 @@
All notable changes to the **Prowler SDK** are documented in this file.
## [5.18.0] (Prowler UNRELEASED)
### Changed
- Update Azure App Service service metadata to new format [(#9613)](https://github.com/prowler-cloud/prowler/pull/9613)
---
## [5.17.0] (Prowler v5.17.0)
### Added
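Review bot: the single "metadata to new format" bullet under Changed hides two behavioural changes made in the same PR: app_ensure_http_is_redirected_to_https goes from Severity "medium" to "high", and its ResourceType moves from Microsoft.Web/sites/config to microsoft.web/sites. Both alter existing findings for users, so each deserves its own bullet here rather than being folded into a format note.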
@@ -1,30 +1,36 @@
{
"Provider": "azure",
"CheckID": "app_client_certificates_on",
"CheckTitle": "Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'",
"CheckTitle": "Web app requires incoming client certificates",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Microsoft.Web/sites/config",
"ResourceType": "microsoft.web/sites/config",
"ResourceGroup": "serverless",
"Description": "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.",
"Risk": "The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, then only an authenticated client who has valid certificates can access the app.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth?tabs=azurecli",
"Description": "**Azure App Service apps** enforce **mutual TLS** when `client certificate mode` is set to `Required`, meaning every inbound request must present a valid client certificate that the app can validate.",
"Risk": "Without **mTLS**, clients aren't cryptographically authenticated at the transport layer. Adversaries can reach endpoints using spoofed sources or stolen tokens, leading to unauthorized data access (confidentiality), request tampering (integrity), and automated abuse that degrades service (availability).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-authenticate-server-and-services",
"https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth"
],
"Remediation": {
"Code": {
"CLI": "az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set clientCertEnabled=true",
"NativeIaC": "",
"Other": "",
"Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_7#terraform"
"CLI": "az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set clientCertEnabled=true clientCertMode=Required",
"NativeIaC": "```bicep\n// Require client certificates for the web app\nresource appService 'Microsoft.Web/sites@2022-03-01' = {\n name: '<example_resource_name>'\n location: '<example_location>'\n properties: {\n serverFarmId: '<example_resource_id>'\n clientCertEnabled: true // Critical: enables mutual TLS\n clientCertMode: 'Required' // Critical: enforces client certs (passes the check)\n }\n}\n```",
"Other": "1. Open Azure Portal and go to App Services\n2. Select your web app\n3. Go to Configuration > General settings\n4. Under Client certificate mode, select Required\n5. Click Save",
"Terraform": "```hcl\n# Require client certificates for the App Service (use azurerm_linux_web_app or azurerm_windows_web_app)\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<example_location>\"\n resource_group_name = \"<example_resource_name>\"\n service_plan_id = \"<example_resource_id>\"\n\n client_certificate_enabled = true # Critical: enables mutual TLS\n client_certificate_mode = \"Required\" # Critical: enforces client certs (passes the check)\n\n site_config {}\n}\n```"
},
"Recommendation": {
"Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under the Settings section, Click on Configuration, then General settings 5. Set the option Client certificate mode located under Incoming client certificates to Require",
"Url": "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-4-authenticate-server-and-services"
"Text": "Set `client certificate mode` to `Required` and validate client certs in application logic (issuer, validity, revocation).\n\nEnforce HTTPS only, avoid broad exclusion paths, and manage certs via a trusted CA with rotation and revocation. Apply **least privilege** and **zero trust**, layering with private access or IP restrictions *as needed*.",
"Url": "https://hub.prowler.com/check/app_client_certificates_on"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Utilizing and maintaining client certificates will require additional work to obtain and manage replacement and key rotation."
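Review bot: ResourceType is kept as microsoft.web/sites/config, but clientCertEnabled and clientCertMode are properties of the site resource itself; the CLI (`az webapp update --set clientCertEnabled=true clientCertMode=Required`) and the Bicep block in this hunk both set them on Microsoft.Web/sites, so this should be microsoft.web/sites, as was done for the HTTPS-only check in the same PR. Two smaller things: `resource_group_name = "<example_resource_name>"` in the Terraform block reuses the app-name placeholder and should be something like `<example_resource_group>` (the other Terraform blocks in this PR repeat the slip); and the Description's "a valid client certificate that the app can validate" undersells the caveat that with clientCertMode Required App Service only requires that a certificate be presented and forwards it to the app in the X-ARR-ClientCert header without validating the chain, so the "validate client certs in application logic" line in Recommendation is a requirement, not optional hardening.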
@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "app_ensure_auth_is_set_up",
"CheckTitle": "Ensure App Service Authentication is set up for apps in Azure App Service",
"CheckTitle": "App Service app has App Service Authentication enabled",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Microsoft.Web/sites",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.",
"Risk": "By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization",
"Description": "**Azure App Service** can enforce built-in **Authentication/Authorization** (Easy Auth) so requests are authenticated by a provider before reaching app code.\n\nThis evaluates whether platform auth is enabled for the app and an identity provider is configured.",
"Risk": "Without platform **authentication**, apps may accept **anonymous requests**, enabling unauthorized access to APIs and data. Attackers can enumerate endpoints and bypass weak app checks, risking data exposure (C), unauthorized changes (I), and automated abuse impacting availability (A).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-app-service-authentication.html",
"https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service",
"https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization"
],
"Remediation": {
"Code": {
"CLI": "az webapp auth update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --enabled true",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-app-service-authentication.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/bc_azr_general_2#terraform"
"NativeIaC": "```bicep\n// Enable App Service Authentication (Easy Auth) for an existing Web App\nresource auth 'Microsoft.Web/sites/config@2022-03-01' = {\n name: '<example_resource_name>/authsettingsV2'\n properties: {\n platformEnabled: true // CRITICAL: Turns on built-in authentication for the app\n }\n}\n```",
"Other": "1. Sign in to the Azure Portal and go to App Services\n2. Select <APP_NAME> and open Authentication\n3. Click Add identity provider, choose Microsoft, and click Add\n4. Save changes\n\nThis enables App Service Authentication for the app",
"Terraform": "```hcl\n# Enable App Service Authentication for an App Service (use azurerm_linux_web_app or azurerm_windows_web_app)\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n service_plan_id = \"<example_resource_id>\"\n\n site_config {}\n\n auth_settings_v2 {\n auth_enabled = true # CRITICAL: Enables built-in authentication (Easy Auth)\n }\n}\n```"
},
"Recommendation": {
"Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, click on Authentication 5. If no identity providers are set up, then click Add identity provider 6. Choose other parameters as per your requirements and click on Add",
"Url": "https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#website-contributor"
"Text": "Enable App Service **Authentication/Authorization** and set `Require authentication` for unauthenticated requests. Use **Microsoft Entra** or a trusted IdP, restrict tenants/audiences, enforce HTTPS, and apply **least privilege** with role/claim checks and Conditional Access for defense-in-depth. Avoid `Allow anonymous requests`.",
"Url": "https://hub.prowler.com/check/app_ensure_auth_is_set_up"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable. Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication"
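Review bot: the Bicep snippet sets `platformEnabled: true` on the `authsettingsV2` config resource, but that resource has no such property; the enable flag is `properties.platform.enabled` (a flat `enabled` property only exists on the older `authsettings` config), so the template as written does not turn authentication on. The Terraform block has a parallel problem: `auth_settings_v2` requires a `login {}` block, so `auth_settings_v2 { auth_enabled = true }` alone will not plan. Neither snippet configures an identity provider even though the Description says the check evaluates that one is configured; the portal steps do (they add Microsoft), so the IaC examples should match. Also `location = "<example_resource_name>"` should be `<example_location>`.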
@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "app_ensure_http_is_redirected_to_https",
"CheckTitle": "Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service",
"CheckTitle": "App Service web app redirects HTTP to HTTPS",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Microsoft.Web/sites/config",
"Severity": "high",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.",
"Risk": "Enabling HTTPS-only traffic will redirect all non-secure HTTP requests to HTTPS ports. HTTPS uses the TLS/SSL protocol to provide a secure connection which is both encrypted and authenticated. It is therefore important to support HTTPS for the security benefits.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https",
"Description": "**Azure App Service web apps** redirect `HTTP` traffic to `HTTPS` when the `HTTPS Only` setting is enabled. This evaluation identifies apps that do not force secure transport by checking whether plaintext requests are automatically redirected to encrypted endpoints.",
"Risk": "Leaving **HTTP accessible** enables **man-in-the-middle** interception, credential and cookie theft, and response tampering. This undermines **confidentiality** and **integrity**, and can lead to session hijacking or downgrade attacks that bypass TLS.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-https-only-traffic.html#",
"https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit"
],
"Remediation": {
"Code": {
"CLI": "az webapp update --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --set httpsOnly=true",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-https-only-traffic.html#",
"Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_5#terraform"
"NativeIaC": "```bicep\n// Enable HTTPS-only redirect on an existing App Service\nresource app 'Microsoft.Web/sites@2022-09-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n properties: {\n httpsOnly: true // Critical: forces redirect from HTTP to HTTPS\n }\n}\n```",
"Other": "1. Sign in to the Azure portal and go to App Services\n2. Select your web app\n3. Go to TLS/SSL settings and set HTTPS Only to On\n4. Click Save",
"Terraform": "```hcl\n# Enforce HTTPS-only on an App Service\nresource \"azurerm_windows_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_location>\"\n service_plan_id = \"<example_resource_id>\"\n\n https_only = true # Critical: redirects HTTP to HTTPS\n}\n```"
},
"Recommendation": {
"Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on Configuration 5. In the General Settings section, set the HTTPS Only to On 6. Click Save",
"Url": "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit"
"Text": "Enforce **HTTPS-only** for all apps.\n- Use trusted certificates and require `TLS 1.2` or later\n- Enable **HSTS** to prevent downgrade/mixed-content\n- Redirect legacy `http` links to `https`\n- Minimize HTTP exposure via WAF/CDN or private access\nApply **defense in depth** to protect data in transit.",
"Url": "https://hub.prowler.com/check/app_ensure_http_is_redirected_to_https"
}
},
"Categories": [],
"Categories": [
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "When it is enabled, every incoming HTTP request is redirected to the HTTPS port. This means an extra level of security will be added to the HTTP requests made to the app."
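Review bot: the Terraform snippet omits the `site_config {}` block, which is required on `azurerm_windows_web_app` (every other Terraform example in this PR includes it), so it fails validation as written. The Severity bump from medium to high is reasonable for plaintext HTTP exposure but is not mentioned in the changelog. And the portal steps send the user to "TLS/SSL settings", while the previous Recommendation text placed HTTPS Only under Configuration > General settings, which is where the setting lives today; the old wording was more accurate.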
@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "app_ensure_java_version_is_latest",
"CheckTitle": "Ensure that 'Java version' is the latest, if used to run the Web App",
"CheckTitle": "App Service web app uses the latest supported Java version or 17 by default",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "Microsoft.Web/sites",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
"Risk": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#general-settings",
"Description": "**Azure App Service web apps** that run **Java** are assessed to ensure their configured runtime uses the **latest supported major version** (LTS) for the environment, across Linux and Windows.\n\n*Only apps with Java enabled are considered.*",
"Risk": "Using an **outdated Java runtime** enables known exploits like **remote code execution**, unsafe **deserialization**, and **cryptographic flaws**, risking data theft and tampering (**confidentiality, integrity**) and outages or takeover (**availability**). Unsupported versions also delay critical security patches.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-java.html",
"https://learn.microsoft.com/en-us/azure/app-service/configure-language-java?pivots=platform-linux#choosing-a-java-runtime-version",
"https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#general-settings"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-java.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-java-version-is-the-latest-if-used-to-run-the-web-app#terraform"
"CLI": "az webapp config set --resource-group <RESOURCE_GROUP> --name <APP_NAME> --linux-fx-version \"JAVA|17-java17\"",
"NativeIaC": "```bicep\n// Set Java 17 for a Linux App Service\nresource app 'Microsoft.Web/sites@2022-09-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource appConfig 'Microsoft.Web/sites/config@2022-09-01' = {\n name: '${app.name}/web'\n properties: {\n linuxFxVersion: 'JAVA|17-java17' // Critical: ensures runtime includes 'java17' so the check passes\n }\n}\n```",
"Other": "1. In the Azure portal, go to App Services and open your web app\n2. Select Settings > Configuration > General settings\n3. For Linux apps: under Stack settings, choose Java and set Java version to 17 (or choose Tomcat/JBoss with Java version 17)\n4. For Windows apps: under Stack settings, set Java version to 17\n5. Click Save and restart if prompted",
"Terraform": "```hcl\n# Linux Web App configured to use Java 17\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n service_plan_id = \"<example_resource_id>\"\n\n site_config {\n application_stack {\n java_version = \"17\" # Critical: sets Java to 17 to pass the check\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane and ensure that for a Stack of Java the Major Version and Minor Version reflect the latest stable and supported release, and that the Java web server version is set to the auto-update option. NOTE: No action is required if Java version is set to Off, as Java is not used by your web app.",
"Url": "https://learn.microsoft.com/en-us/azure/app-service/configure-language-java?pivots=platform-linux#choosing-a-java-runtime-version"
"Text": "Adopt the **latest supported LTS Java** (`java <latest LTS>`) and standardize on that major line.\n- Enable automatic minor/patch updates\n- Validate upgrades in a staging environment before production\n- Retire deprecated runtimes and track vendor EOL\n\nApply **change management** and **defense in depth** to reduce exposure.",
"Url": "https://hub.prowler.com/check/app_ensure_java_version_is_latest"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime."
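Review bot: the remediation hardcodes Java 17 in the CLI, Bicep and Terraform snippets while the title promises the "latest supported" version; App Service already offers Java 21 (also an LTS), so these examples will pass the check only as long as the project's baseline stays at 17 and will contradict the Recommendation's "latest supported LTS" wording once it moves. Either use a placeholder such as `<LATEST_LTS>` or tie the value to the check's constant. The CLI line also only covers Linux (`--linux-fx-version`); a Windows app needs `az webapp config set --java-version ... --java-container ...`, which the portal steps acknowledge but the CLI does not. And `location = "<example_resource_name>"` in the Terraform block should be `<example_location>`.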
@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "app_ensure_php_version_is_latest",
"CheckTitle": "Ensure That 'PHP version' is the Latest, If Used to Run the Web App",
"CheckTitle": "App Service web app uses the latest supported PHP version or 8.2 by default",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "Microsoft.Web/sites",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.",
"Risk": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#general-settings",
"Description": "**Azure App Service web apps** running **PHP** are evaluated to ensure the runtime is configured to the **latest supported** release. The finding compares the app's PHP stack (from `linuxFxVersion` or `php_version`) with the newest available version.",
"Risk": "Using **outdated PHP** enables exploitation of known flaws, including **remote code execution**, causing secret disclosure (confidentiality), unauthorized changes (integrity), and crashes or downtime (availability). Deprecated versions lack patches, widening exposure and instability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-php.html",
"https://learn.microsoft.com/en-us/azure/app-service/configure-language-php?pivots=platform-linux#set-php-version",
"https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#general-settings"
],
"Remediation": {
"Code": {
"CLI": "az webapp config set --resource-group <resource group name> --name <app name> [--linux-fx-version <php runtime version>][--php-version <php version>]",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-php.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-php-version-is-the-latest-if-used-to-run-the-web-app#terraform"
"CLI": "az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --linux-fx-version \"PHP|8.2\"",
"NativeIaC": "```bicep\n// Update App Service runtime to latest PHP\nresource appConfig 'Microsoft.Web/sites/config@2022-09-01' = {\n name: '<example_resource_name>/web'\n properties: {\n linuxFxVersion: 'PHP|8.2' // Critical: sets the app runtime to PHP 8.2 (latest) to pass the check\n }\n}\n```",
"Other": "1. In Azure Portal, go to App Services and select your app\n2. Navigate to Settings > Configuration > General settings\n3. Under Stack settings, select PHP and set Version to 8.2\n4. Click Save and confirm the restart",
"Terraform": "```hcl\n# Set latest PHP version on Linux Web App\nresource \"azurerm_linux_web_app\" \"app\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_location>\"\n service_plan_id = \"<example_resource_id>\"\n\n site_config {\n application_stack {\n php_version = \"8.2\" # Critical: sets PHP to latest to pass the check\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "1. From Azure Home open the Portal Menu in the top left 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane, ensure that for a Stack of PHP the Major Version and Minor Version reflect the latest stable and supported release. NOTE: No action is required If PHP version is set to Off or is set with an empty value as PHP is not used by your web app",
"Url": "https://learn.microsoft.com/en-us/azure/app-service/configure-language-php?pivots=platform-linux#set-php-version"
"Text": "Standardize on the **latest supported PHP** and avoid EoL releases. Update promptly after security advisories, validate in staging, and automate version governance across apps. Prefer supported Linux runtimes, limit optional extensions, and apply **defense in depth** and **least privilege** to reduce blast radius.",
"Url": "https://hub.prowler.com/check/app_ensure_php_version_is_latest"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime"
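Review bot: PHP 8.2 is hardcoded in all three remediation snippets and the portal steps, yet the title and Recommendation say "latest supported"; App Service on Linux already offers PHP 8.3, so the remediation will drift from the check as soon as the baseline is bumped, and a placeholder or a reference to the check's constant would age better. Two consistency nits in the Terraform block: the resource is named `"app"` where every other example in this PR uses `"<example_resource_name>"`, and `resource_group_name` again reuses the resource-name placeholder.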
@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "app_ensure_python_version_is_latest",
"CheckTitle": "Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App",
"CheckTitle": "App Service web app uses the latest supported Python version or 3.12 by default",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "Microsoft.Web/sites",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.",
"Risk": "Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected. Using the latest full version will keep your stack secure to vulnerabilities and exploits.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#general-settings",
"Description": "**Azure App Service web apps** using **Python** are assessed to confirm the runtime is the **latest supported version** (e.g., `3.12`). The evaluation reads the app's stack configuration to detect Python usage and compares the configured runtime against the defined latest baseline.",
"Risk": "Outdated **Python runtimes** weaken security and reliability:\n- Compromise confidentiality via known interpreter/SSL flaws\n- Undermine integrity through RCE and package exploitation\n- Reduce availability when deprecated versions lose patches and break under load",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-python.html",
"https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#general-settings",
"https://learn.microsoft.com/en-us/azure/app-service/configure-language-python#configure-python-version"
],
"Remediation": {
"Code": {
"CLI": "az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> [--linux-fx-version 'PYTHON|3.12']",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-python.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-python-version-is-the-latest-if-used-to-run-the-web-app"
"CLI": "az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --linux-fx-version \"PYTHON|3.12\"",
"NativeIaC": "```bicep\n// Set the Web App runtime to the latest Python version\nresource app 'Microsoft.Web/sites@2022-03-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource config 'Microsoft.Web/sites/config@2022-03-01' = {\n name: '${app.name}/web'\n properties: {\n linuxFxVersion: 'PYTHON|3.12' // Critical: sets Python runtime to 3.12 to pass the check\n }\n}\n```",
"Other": "1. In the Azure portal, go to App Services and select your app\n2. Go to Settings > Configuration > General settings\n3. Under Stack settings, set Python version to 3.12\n4. Click Save and confirm the restart",
"Terraform": "```hcl\n# Configure the Web App to use the latest Python version\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_location>\"\n service_plan_id = \"<example_resource_id>\"\n\n site_config {\n application_stack {\n python_version = \"3.12\" # Critical: sets Python runtime to 3.12 to pass the check\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "From Azure Portal 1. From Azure Home open the Portal Menu in the top left 2. Go to App Services 3. Click on each App 4. Under Settings section, click on Configuration 5. Click on the General settings pane and ensure that the Major Version and the Minor Version is set to the latest stable version available (Python 3.11, at the time of writing) NOTE: No action is required if Python version is set to Off, as Python is not used by your web app.",
"Url": "https://learn.microsoft.com/en-us/azure/app-service/configure-language-python#configure-python-version"
"Text": "Adopt the **latest supported Python minor** for App Service and maintain a consistent upgrade policy. Track vendor EOL, test in staging, and roll out via CI/CD.\n\nApply **defense in depth**: minimize privileges and enforce strong TLS to reduce exposure during updates.",
|
||||
"Url": "https://hub.prowler.com/check/app_ensure_python_version_is_latest"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime."
|
||||
|
||||
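Review bot: the remediation hard-codes `PYTHON|3.12` in the CLI, Bicep, portal steps and Terraform while the new Recommendation text asks for the "latest supported Python minor"; the text being removed at least qualified its version with "at the time of writing". Carry that qualifier into the snippet comments (e.g. `// 3.12 is the latest supported version at the time of writing`) or point readers at the App Service supported-runtime list, otherwise these snippets go stale silently. Minor: `resource_group_name = "<example_resource_name>"` in the Terraform block reuses the resource-name placeholder; `<example_resource_group>`, as used in the http20 file of this same change, would be clearer.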
@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "app_ensure_using_http20",
"CheckTitle": "Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App",
"CheckTitle": "App Service web app has HTTP/2.0 enabled",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "low",
"ResourceType": "Microsoft.Web/sites",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.",
"Risk": "Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected. HTTP 2.0 has additional performance improvements on the head-of-line blocking problem of old HTTP version, header compression, and prioritization of requests. HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#general-settings",
"Description": "**Azure App Service web apps** are evaluated for **HTTP/2 support** via the `http20_enabled` configuration, indicating whether the site serves traffic using the HTTP/2 protocol",
"Risk": "Without **HTTP/2**, apps remain on **HTTP/1.1**, increasing connection overhead and head-of-line blocking, which can reduce **availability** under load. Inefficient use of TLS sessions raises **DoS susceptibility** and degrades user experience, impacting service reliability",
"RelatedUrl": "",
"AdditionalURLs": [
"https://azure.microsoft.com/en-us/blog/announcing-http-2-support-in-azure-app-service/",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-http-2-for-app-service-web-applications.html",
"https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#general-settings"
],
"Remediation": {
"Code": {
"CLI": "az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --http20-enabled true",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-http-2-for-app-service-web-applications.html",
"Terraform": ""
"NativeIaC": "```bicep\n// Enable HTTP/2.0 on an existing App Service web app\nresource webConfig 'Microsoft.Web/sites/config@2022-09-01' = {\n name: '<example_resource_name>/web'\n properties: {\n http20Enabled: true // Critical: enables HTTP/2.0 for the app\n }\n}\n```",
"Other": "1. Sign in to the Azure portal and go to App Services\n2. Select your web app\n3. Navigate to Settings > Configuration > General settings\n4. Set HTTP version to 2.0\n5. Click Save",
"Terraform": "```hcl\n# Enable HTTP/2.0 for an App Service (use azurerm_linux_web_app or azurerm_windows_web_app)\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n resource_group_name = \"<example_resource_group>\"\n service_plan_id = \"<example_resource_id>\"\n\n site_config {\n http2_enabled = true # Critical: enables HTTP/2.0\n }\n}\n```"
},
"Recommendation": {
"Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on Configuration 5. Set HTTP version to 2.0 under General settings",
"Url": "https://azure.microsoft.com/en-us/blog/announcing-http-2-support-in-azure-app-service/"
"Text": "Enable **HTTP/2** (`http20_enabled=true`) to use a modern, efficient transport.\n\n- Enforce `HTTPS Only` and a strong minimum `TLS` version for defense-in-depth\n- Validate app/library compatibility before rollout\n- Monitor performance and errors post-change; deploy gradually",
"Url": "https://hub.prowler.com/check/app_ensure_using_http20"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities"

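Review bot: the new `Description` and `Risk` strings end without a period ("...using the HTTP/2 protocol", "...impacting service reliability"), unlike the other files in this change. The `Notes` field still carries a bare benchmark URL instead of a note; now that `AdditionalURLs` exists, move the link there and leave `Notes` empty or descriptive. The Description also names `http20_enabled` (the Terraform attribute) while the Bicep sets `http20Enabled` and the CLI `--http20-enabled`; naming the ARM property `http20Enabled` in the Description would match the Bicep snippet that readers are told to apply. The `2022-09-01` api version here differs from the `2022-03-01` used in the Python-version file; pick one for the whole service.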
@@ -1,30 +1,38 @@
{
"Provider": "azure",
"CheckID": "app_ftp_deployment_disabled",
"CheckTitle": "Ensure FTP deployments are Disabled",
"CheckTitle": "App Service web app has FTP disabled or FTPS-only enforced",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Microsoft.Web/sites/config",
"Severity": "high",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.",
"Risk": "Azure FTP deployment endpoints are public. An attacker listening to traffic on a wifi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if User Credentials for deployment are set at the subscription level rather than using the default Application Credentials which are unique per App.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/deploy-ftp?tabs=portal",
"Description": "**Azure App Service web apps** are evaluated for **FTP exposure** via the `ftpsState` setting. Values `FtpsOnly` or `Disabled` indicate FTP is not allowed; `AllAllowed` means both FTP and FTPS are accepted.",
"Risk": "Allowing **FTP (unencrypted)** exposes credentials on public endpoints, enabling **credential theft** and **session hijacking**.\n\nCompromise grants write access to code and content, enabling **malicious deployments**, backdoors, and data leakage, degrading **integrity** and **confidentiality**-with greater blast radius if shared, user-scope publishing credentials are used.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/app-service/deploy-ftp?tabs=portal",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/ftp-access-disabled.html",
"https://learn.microsoft.com/en-gb/answers/questions/1323820/can-i-create-an-azure-policy-that-disables-both-ft",
"https://icompaas.freshdesk.com/support/solutions/articles/62000234759-ensure-ftp-state-is-set-to-ftps-only-or-disabled-"
],
"Remediation": {
"Code": {
"CLI": "az webapp config set --resource-group <resource group name> --name <app name> --ftps-state [disabled|FtpsOnly]",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/ftp-access-disabled.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-ftp-deployments-are-disabled#terraform"
"CLI": "az webapp config set --resource-group <RESOURCE_GROUP> --name <APP_NAME> --ftps-state FtpsOnly",
"NativeIaC": "```bicep\n// Configure an existing App Service to enforce FTPS-only\nresource webConfig 'Microsoft.Web/sites/config@2022-03-01' = {\n name: '<example_resource_name>/web'\n properties: {\n ftpsState: 'FtpsOnly' // CRITICAL: Sets FTP state to FTPS-only, avoiding insecure 'AllAllowed'\n }\n}\n```",
"Other": "1. In Azure Portal, go to App Services and select your app\n2. Go to Settings > Configuration > General settings\n3. Set FTP state to FTPS only (or Disabled)\n4. Click Save",
"Terraform": "```hcl\n# Enforce FTPS-only on an App Service\nresource \"azurerm_windows_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n service_plan_id = \"<example_resource_id>\"\n\n site_config {\n ftps_state = \"FtpsOnly\" # CRITICAL: Enforces FTPS-only (not AllAllowed)\n }\n}\n```"
},
"Recommendation": {
"Text": "1. Go to the Azure Portal 2. Select App Services 3. Click on an app 4. Select Settings and then Configuration 5. Under General Settings, for the Platform Settings, the FTP state should be set to Disabled or FTPS Only",
"Url": ""
"Text": "Disable FTP or enforce **FTPS** (`ftpsState: FtpsOnly` or `Disabled`).\n\nPrefer **CI/CD** over manual FTP and apply **least privilege** with app-scoped credentials. Rotate publishing secrets, enforce modern TLS, and restrict access via private networking. *If FTP is unavoidable*, require FTPS and monitor publishing logs.",
"Url": "https://hub.prowler.com/check/app_ftp_deployment_disabled"
}
},
"Categories": [],
"Categories": [
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Any deployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected."

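Review bot: the CLI line was narrowed from `--ftps-state [disabled|FtpsOnly]` to `FtpsOnly` only, while the title, Description and Recommendation all present `Disabled` as the stronger option; keep `Disabled` reachable, e.g. `--ftps-state Disabled` with a comment that `FtpsOnly` is the fallback when an FTP deployment workflow must stay. In the Risk text "**confidentiality**-with greater blast radius" reads as a hyphenated word; a comma is meant. The Terraform block sets `location = "<example_resource_name>"`; the placeholder should be a location (`<example_location>`, as in the Python-version file). Severity moves from medium to high without a corresponding changelog entry; worth a line in the PR description.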
@@ -1,30 +1,38 @@
{
"Provider": "azure",
"CheckID": "app_function_access_keys_configured",
"CheckTitle": "Ensure that Azure Functions are using access keys for enhanced security",
"CheckTitle": "Function app has function keys configured",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "function",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Microsoft.Web/sites",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Azure Functions provide a way to secure HTTP function endpoints during development and production. Using access keys adds an extra layer of protection, ensuring that only authorized users or systems can access the functions. This is particularly important when dealing with public apps or sensitive data.",
"Risk": "Unprotected function endpoints may be vulnerable to unauthorized access, leading to potential data breaches or malicious activity.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#authorization-keys",
"Description": "**Azure Function apps** are evaluated for configured **function access keys** on HTTP endpoints.\n\nThe finding distinguishes functions with at least one access key defined from those without any keys configured.",
"Risk": "Missing **access keys** weakens authentication, enabling unsolicited calls to function endpoints. This risks:\n- loss of **confidentiality** via data exposure\n- compromised **integrity** by triggering unintended actions\n- reduced **availability** from abuse, throttling, and cost spikes",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4#function-access-keys",
"https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-anonymous-access.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "az functionapp function keys set --resource-group <RESOURCE_GROUP> --name <FUNCTION_APP_NAME> --function-name <FUNCTION_NAME> --key-name default --key-value <KEY_VALUE>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-anonymous-access.html",
"Other": "1. Sign in to the Azure portal and go to your Function App\n2. Select Functions, then click the specific function\n3. Open Function keys (or API keys)\n4. Click Add (New function key), set Name (e.g., default) and value (or generate)\n5. Save to create the key",
"Terraform": ""
},
"Recommendation": {
"Text": "Use access keys to secure Azure Functions. You can create and manage keys in the Azure portal or using the Azure CLI. For more information, see the official documentation.",
"Url": "https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4#function-access-keys"
"Text": "Enforce **function keys** for non-public endpoints and apply **least privilege**:\n- avoid `anonymous` when not required\n- rotate keys; don't share the `admin` key\n- enable **App Service Authentication** or **API Management** for identity-aware access\n- restrict inbound networks and monitor logs\n- store and rotate secrets in **Key Vault**",
"Url": "https://hub.prowler.com/check/app_function_access_keys_configured"
}
},
"Categories": [],
"Categories": [
"identity-access",
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "For additional security, consider using managed identities and key vaults along with access keys. This provides granular control over resource access and improves auditability."

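Review bot: the new CLI line passes the secret on the command line (`--key-value <KEY_VALUE>`), which lands it in shell history and process listings; `--key-value` is optional for `az functionapp function keys set` and Azure generates a value when it is omitted, which also matches the "(or generate)" wording in portal step 4. Drop the flag, or at least note that `default` is only the example key name from step 4 and not a required value. Also, this file and the other function checks in the change clear `SubServiceName` from `function` to `""`; if that is the new format, the changelog entry should say so, since consumers may filter on it.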
@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "app_function_application_insights_enabled",
"CheckTitle": "Ensure Function App has Application Insights configured",
"CheckTitle": "Function App has Application Insights configured",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "function",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Microsoft.Web/sites",
"Severity": "medium",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Application Insights is a powerful tool for monitoring the performance and health of Azure Function Apps. It provides valuable insights into exceptions, performance issues, and usage patterns, enabling timely detection and resolution of issues.",
"Risk": "Without Application Insights, you may miss critical errors, performance degradation, or abnormal behavior in your Function App, potentially impacting availability and user experience.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
"Description": "**Azure Function apps** are configured to send telemetry to **Application Insights** when application settings include `APPLICATIONINSIGHTS_CONNECTION_STRING` or `APPINSIGHTS_INSTRUMENTATIONKEY`.",
"Risk": "Without this telemetry, **visibility** into exceptions, dependencies, and performance is lost, reducing **availability** and delaying response. Gaps in traces mask anomalous traffic and failures, enabling prolonged outages and undermining **integrity** of processing (e.g., undetected retries or timeouts).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/azure-monitor/app/monitor-functions",
"https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/function-app-insights-on.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/function-app-insights-on.html",
"Terraform": ""
"CLI": "az functionapp config appsettings set --resource-group <RESOURCE_GROUP> --name <FUNCTION_APP_NAME> --settings APPLICATIONINSIGHTS_CONNECTION_STRING=<CONNECTION_STRING>",
"NativeIaC": "```bicep\n// Add Application Insights connection string to an existing Function App\nresource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {\n name: '${functionApp.name}/appsettings'\n properties: {\n APPLICATIONINSIGHTS_CONNECTION_STRING: '<CONNECTION_STRING>' // Critical: setting this enables Application Insights for the Function App\n }\n}\n```",
"Other": "1. In Azure Portal, go to Function App > Configuration > Application settings\n2. Click + New application setting\n3. Name: APPLICATIONINSIGHTS_CONNECTION_STRING\n4. Value: paste the connection string from your Application Insights resource (Overview > Connection string)\n5. Click OK, then Save\n6. If prompted, click Continue to apply the changes",
"Terraform": "```hcl\n# Add Application Insights connection string to an existing Function App via ARM deployment\nresource \"azurerm_resource_group_template_deployment\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<RESOURCE_GROUP>\"\n deployment_mode = \"Incremental\"\n\n template_content = jsonencode({\n \"$schema\" = \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n \"contentVersion\" = \"1.0.0.0\",\n \"resources\" = [\n {\n \"type\" = \"Microsoft.Web/sites/config\",\n \"apiVersion\" = \"2022-09-01\",\n \"name\" = \"<FUNCTION_APP_NAME>/appsettings\",\n \"properties\" = {\n \"APPLICATIONINSIGHTS_CONNECTION_STRING\" = \"<CONNECTION_STRING>\" // Critical: setting this enables Application Insights for the Function App\n }\n }\n ]\n })\n}\n```"
},
"Recommendation": {
"Text": "Enable Application Insights for your Azure Function App to monitor its performance and health.",
"Url": "https://learn.microsoft.com/en-us/azure/azure-monitor/app/monitor-functions"
"Text": "Enable **Application Insights** for each Function App using a `APPLICATIONINSIGHTS_CONNECTION_STRING` and standardize telemetry. Apply **defense in depth**: use distributed tracing, alert on errors/latency, and enforce least-privilege access and retention on logs to prevent blind spots and speed recovery.",
"Url": "https://hub.prowler.com/check/app_function_application_insights_enabled"
}
},
"Categories": [],
"Categories": [
"logging"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""

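Review bot: both the Bicep and the Terraform ARM deployment write `Microsoft.Web/sites/config` with name `appsettings`, and a deployment of that resource replaces the whole application-settings collection rather than merging one key; applied as written to an existing Function App it would drop `AzureWebJobsStorage`, `FUNCTIONS_WORKER_RUNTIME` and every other setting, which is an outage, not a remediation. Either carry the existing settings through (e.g. `union()` the current values obtained via `list(...)` with the new key) or, since the CLI line already merges via `az functionapp config appsettings set`, recommend that path and state the caveat in the snippet comments. Nit: Recommendation "using a `APPLICATIONINSIGHTS_CONNECTION_STRING`" should read "an".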
@@ -1,31 +1,36 @@
{
"Provider": "azure",
"CheckID": "app_function_ftps_deployment_disabled",
"CheckTitle": "Ensure that FTP and FTPS deployments are disabled for Azure Functions to prevent unauthorized access and data breaches.",
"CheckTitle": "Function app has FTP and FTPS deployments disabled",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "function",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Microsoft.Web/sites",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Azure FTP deployment endpoints are unencrypted and public, making them vulnerable to attacks. Disabling FTP and FTPS deployments enhances security by preventing unauthorized access to login credentials and sensitive codebases.",
"Risk": "If left enabled, attackers can intercept network traffic and gain full control of the app or service, leading to potential data breaches and unauthorized modifications.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp",
"Description": "**Azure Function apps** are evaluated for the `ftps_state` setting that controls **FTP/FTPS deployment endpoints**. Values `AllAllowed` or `FtpsOnly` indicate deployment over FTP/FTPS is enabled, while `Disabled` indicates both endpoints are turned off.",
"Risk": "Enabled **FTP/FTPS deployment** undermines confidentiality and integrity. FTP exposes credentials in cleartext; FTPS still presents a public basic-auth endpoint susceptible to brute force and credential reuse. Compromise enables **unauthorized code pushes**, leading to RCE, data leakage, and service disruption.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies?tabs=windows#trigger-syncing",
"https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp"
],
"Remediation": {
"Code": {
"CLI": "az webapp config set --resource-group <resource-group> --name <app-name> --ftps-state Disabled",
"NativeIaC": "",
"Other": "",
"Terraform": "",
"Arm": ""
"NativeIaC": "```bicep\n// Disable FTP and FTPS on an existing Function App\nresource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource webConfig 'Microsoft.Web/sites/config@2022-09-01' = {\n name: 'web'\n parent: functionApp\n properties: {\n ftpsState: 'Disabled' // CRITICAL: Disables both FTP and FTPS deployments\n }\n}\n```",
"Other": "1. In the Azure portal, go to your Function App\n2. Select Configuration > General settings\n3. Under Platform settings, set FTP state to Disabled\n4. Click Save",
"Terraform": "```hcl\n# Disable FTP and FTPS on a Function App\nresource \"azurerm_linux_function_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_location>\"\n service_plan_id = \"<example_resource_id>\"\n storage_account_name = \"<example_resource_name>\"\n storage_account_access_key = \"<example_secret_value>\"\n functions_extension_version = \"~4\"\n\n site_config {\n ftps_state = \"Disabled\" # CRITICAL: Disables both FTP and FTPS deployments\n }\n}\n```"
},
"Recommendation": {
"Text": "It is recommended to disable FTP and FTPS deployments for Azure Functions to mitigate security risks. Instead, consider using more secure deployment methods such as Docker contianer or enabling continuous deployment with GitHub Actions.",
"Url": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-deployment-technologies?tabs=windows#trigger-syncing"
"Text": "Disable **FTP and FTPS deployment** on Function apps (`ftps_state: Disabled`). Adopt **defense in depth**: deploy via **CI/CD** with packaged artifacts (zip or containers), enforce **least privilege** publishing access, and limit exposure of build and deployment endpoints. *If unavoidable, use FTPS-only with TLS 1.2 and rotate credentials promptly.*",
"Url": "https://hub.prowler.com/check/app_function_ftps_deployment_disabled"
}
},
"Categories": [],
"Categories": [
"internet-exposed"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "This check ensures that Azure Functions are deployed securely, reducing the attack surface and protecting sensitive information."

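Review bot: the CLI line, kept unchanged here, targets a Function App with `az webapp config set` while every other function check in this change uses `az functionapp ...`; `az functionapp config set --ftps-state Disabled` does the same and keeps the remediation consistent. The Terraform example puts a storage key placeholder in `storage_account_access_key`; in a file whose whole point is removing credential-based deployment paths, `storage_uses_managed_identity = true` is the better example and pairs with the identity check in this same PR. The Bicep uses api version `2022-09-01` whereas the sibling `app_ftp_deployment_disabled` file uses `2022-03-01`; align them. Dropping the empty `"Arm": ""` key is fine, but the changelog line should mention the schema change.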
@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "app_function_identity_is_configured",
"CheckTitle": "Ensure Azure function has system or user assigned managed identity configured",
"CheckTitle": "Function app has a system-assigned or user-assigned managed identity enabled",
"CheckType": [],
"ServiceName": "app",
"SubServiceName": "function",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Microsoft.Web/sites",
"ResourceType": "microsoft.web/sites",
"ResourceGroup": "serverless",
"Description": "Azure Functions should have managed identities configured for enhanced security and access control.",
"Risk": "Not using managed identities can lead to less secure authentication and authorization practices, potentially exposing sensitive data.",
"RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview",
"Description": "**Azure Function Apps** are evaluated for an enabled **managed identity** (`SystemAssigned` or `UserAssigned`) configured on the app.\n\nThe finding indicates whether an identity is present to support token-based access to other Azure resources.",
"Risk": "Without **managed identities**, apps rely on stored secrets/keys, risking:\n- Confidentiality loss from leaked credentials\n- Integrity tampering via unauthorized writes\n- Availability outages from secret expiry/rotation\n\nCompromised keys enable unauthorized access and lateral movement.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-system-assigned-identity.html",
"https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity",
"https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview"
],
"Remediation": {
"Code": {
"CLI": "az functionapp identity assign --name <function_name> --resource-group <resource_group> --identities [system]",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-system-assigned-identity.html",
"Terraform": ""
"CLI": "az functionapp identity assign --resource-group <resource_group> --name <function_name>",
"NativeIaC": "```bicep\n// Enable managed identity on an existing Function App\nparam location string = resourceGroup().location\n\nresource functionApp 'Microsoft.Web/sites@2022-03-01' = {\n name: '<example_resource_name>'\n location: location\n identity: {\n type: 'SystemAssigned' // CRITICAL: Enables a system-assigned managed identity so the check passes\n }\n}\n```",
"Other": "1. In Azure Portal, go to your Function App\n2. Under Settings, select Identity\n3. On the System assigned tab, set Status to On\n4. Click Save",
"Terraform": "```hcl\n# Enable managed identity on an existing Function App via PATCH\nresource \"azapi_update_resource\" \"<example_resource_name>\" {\n type = \"Microsoft.Web/sites@2022-03-01\"\n resource_id = \"<example_resource_id>\"\n body = jsonencode({\n identity = {\n type = \"SystemAssigned\" # CRITICAL: Enables a system-assigned managed identity so the check passes\n }\n })\n}\n```"
},
"Recommendation": {
"Text": "It is recommended to enable managed identities for Azure Functions to enhance security and access control. This allows the function app to easily access other Azure resources securely and with the appropriate permissions.",
"Url": "https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity"
"Text": "Enable a **managed identity** on each Function App (`SystemAssigned` per app, `UserAssigned` for shared/long-lived needs). Replace secrets with token-based access and grant only required RBAC roles (**least privilege**). Remove keys from settings, apply **separation of duties**, and monitor access as part of **defense in depth**.",
"Url": "https://hub.prowler.com/check/app_function_identity_is_configured"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""

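Review bot: the Bicep comment says "Enable managed identity on an existing Function App", but the snippet declares `Microsoft.Web/sites` as a new resource (no `existing` keyword) with only `name`, `location` and `identity`; deploying that is a full definition of the site rather than a patch, which is exactly what the Terraform block avoids by using `azapi_update_resource`. Either present the Bicep as the identity block to merge into the app's full definition (`kind`, `serverFarmId` and so on) or rewrite it to match the PATCH semantics described in the Terraform comment. The CLI simplification is fine: the removed `--identities [system]` was the default, so `az functionapp identity assign` still yields `SystemAssigned`, consistent with the IaC snippets.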
@@ -1,30 +1,37 @@
|
||||
{
|
||||
"Provider": "azure",
|
||||
"CheckID": "app_function_identity_without_admin_privileges",
|
||||
"CheckTitle": "Ensure that your Azure functions are not configured with an identity with admin privileges",
|
||||
"CheckTitle": "Function app managed identity is not assigned Owner, Contributor, User Access Administrator, or Role Based Access Control Administrator roles",
|
||||
"CheckType": [],
|
||||
"ServiceName": "app",
|
||||
"SubServiceName": "function",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Microsoft.Web/sites",
|
||||
"ResourceType": "microsoft.web/sites",
|
||||
"ResourceGroup": "serverless",
|
||||
"Description": "It is important to ensure that Azure functions are not configured with administrative privileges to maintain the principle of least privilege and reduce the attack surface. By limiting the privileges of Azure functions, potential security risks and data leaks can be mitigated.",
|
||||
"Risk": "If Azure functions are configured with administrative privileges, it increases the risk of unauthorized access, privilege escalation, and data breaches. Attackers can exploit these privileges to gain access to sensitive data and compromise the entire system.",
|
||||
"RelatedUrl": "https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview",
|
||||
"Description": "**Azure Function apps** with managed identities are evaluated for assignments to broad **administrative roles**: **Owner**, **Contributor**, **User Access Administrator**, **RBAC Administrator**.\n\nThe finding highlights functions whose identity carries elevated permissions beyond normal runtime needs.",
|
||||
"Risk": "Admin rights on a function's identity expose the control plane.\n- Confidentiality: read secrets and data\n- Integrity: alter configs, grant roles, deploy changes\n- Availability: stop or delete resources\nA runtime compromise can enable **lateral movement** and **privilege escalation** across the environment.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-admin-permissions.html",
|
||||
"https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-identity-authorization#use-the-principle-of-least-privilege",
|
||||
"https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"CLI": "az role assignment delete --assignee <MANAGED_IDENTITY_PRINCIPAL_ID> --scope <SCOPE_ID>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-admin-permissions.html",
|
||||
"Other": "1. In the Azure portal, open the scope where the role is assigned (e.g., Subscription, Resource group, or the Function App resource)\n2. Go to Access control (IAM) > Role assignments\n3. In the Principal filter, search for the Function App's managed identity (<function-app-name>)\n4. For each assignment with role Owner, Contributor, User Access Administrator, or Role Based Access Control Administrator, click Remove\n5. Repeat steps 1-4 at all relevant scopes (subscription, resource group, and Function App) until no such admin roles remain for this identity",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "To remediate this issue, ensure that Azure functions are not configured with an identity that has administrative privileges. Instead, use the principle of least privilege to grant only the necessary permissions to Azure functions. For more information, refer to the official documentation: Use the principle of least privilege.",
|
||||
"Url": "https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-identity-authorization#use-the-principle-of-least-privilege"
|
||||
"Text": "Apply **least privilege**: grant only narrowly scoped, data-plane permissions needed by the function; avoid broad roles like `Owner` or `Contributor`.\nUse **separation of duties** and **just-in-time** elevation for rare admin tasks.\nRegularly review role assignments and restrict scope to the smallest necessary boundary.",
|
||||
"Url": "https://hub.prowler.com/check/app_function_identity_without_admin_privileges"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "This check helps prevent privilege escalation attacks and ensures that Azure functions operate with the necessary permissions, reducing the impact of potential security breaches."
|
||||
|
||||
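Review bot: the new `CLI` remediation `az role assignment delete --assignee <MANAGED_IDENTITY_PRINCIPAL_ID> --scope <SCOPE_ID>` omits `--role`, so it removes every role assignment the identity holds at that scope, including the narrowly scoped data-plane roles the `Recommendation` text tells users to keep; add `--role <ROLE_NAME>` (one invocation per admin role found) so only the Owner, Contributor, User Access Administrator or RBAC Administrator assignment is deleted. A smaller consistency point: the `Other` steps call the last role "Role Based Access Control Administrator" while `Description` calls it "RBAC Administrator"; use one spelling in both fields.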
@@ -1,30 +1,37 @@
|
||||
{
|
||||
"Provider": "azure",
|
||||
"CheckID": "app_function_latest_runtime_version",
|
||||
"CheckTitle": "Ensure Azure Functions are using the latest supported runtime",
|
||||
"CheckTitle": "Function app uses the latest supported runtime version (~4)",
|
||||
"CheckType": [],
|
||||
"ServiceName": "app",
|
||||
"SubServiceName": "function",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Microsoft.Web/sites",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "microsoft.web/sites",
|
||||
"ResourceGroup": "serverless",
|
||||
"Description": "Keeping Azure Functions up to date with the latest supported runtime version is crucial for security and performance. Updates often include security patches and enhancements, helping to protect against known vulnerabilities and potential exploits. Additionally, newer runtime versions may offer improved functionality and optimized resource utilization.",
|
||||
"Risk": "Using outdated runtime versions may introduce security risks and performance degradation. Outdated runtimes may have unpatched vulnerabilities, making them susceptible to attacks.",
|
||||
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-versions",
|
||||
"Description": "**Azure Function apps** are assessed for the **runtime version** set via `FUNCTIONS_EXTENSION_VERSION`. The finding identifies apps not configured to use the current supported major version `~4`.",
|
||||
"Risk": "Outdated Functions runtimes erode CIA:\n- **Confidentiality**: known flaws enable unauthorized data access.\n- **Integrity**: RCE or binding bugs allow code tampering.\n- **Availability**: missing fixes cause crashes and scale faults.\n\nEnd-of-support versions (e.g., 2.x/3.x) lack security patches, increasing exploitability.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://docs.microsoft.com/en-us/azure/azure-functions/functions-versions",
|
||||
"https://learn.microsoft.com/en-us/azure/azure-functions/migrate-version-3-version-4?tabs=net8%2Cazure-cli%2Cwindows&pivots=programming-language-python",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-runtime-version.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "az functionapp config appsettings set --name <function_app_name> --resource-group <resource_group_name> --settings FUNCTIONS_EXTENSION_VERSION=~4",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-runtime-version.html",
|
||||
"Terraform": ""
|
||||
"NativeIaC": "```bicep\n// Set Azure Functions runtime to v4 for an existing Function App\nresource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource appSettings 'Microsoft.Web/sites/config@2022-09-01' = {\n name: '${functionApp.name}/appsettings'\n properties: {\n FUNCTIONS_EXTENSION_VERSION: '~4' // Critical: ensures the Function App uses runtime ~4\n }\n}\n```",
|
||||
"Other": "1. In the Azure portal, go to Function App <example_resource_name>\n2. Select Configuration > Application settings\n3. Add or edit the setting:\n - Name: FUNCTIONS_EXTENSION_VERSION\n - Value: ~4\n4. Click Save and confirm the restart\n5. Verify the setting shows FUNCTIONS_EXTENSION_VERSION = ~4",
|
||||
"Terraform": "```hcl\n# Minimal Function App with runtime set to v4 (~4) - use azurerm_linux_function_app or azurerm_windows_function_app\nresource \"azurerm_resource_group\" \"example\" {\n name = \"<example_resource_name>\"\n location = \"eastus\"\n}\n\nresource \"azurerm_storage_account\" \"example\" {\n name = \"<example_resource_name>\"\n resource_group_name = azurerm_resource_group.example.name\n location = azurerm_resource_group.example.location\n account_tier = \"Standard\"\n account_replication_type = \"LRS\"\n}\n\nresource \"azurerm_service_plan\" \"example\" {\n name = \"<example_resource_name>\"\n resource_group_name = azurerm_resource_group.example.name\n location = azurerm_resource_group.example.location\n os_type = \"Linux\"\n sku_name = \"Y1\"\n}\n\nresource \"azurerm_linux_function_app\" \"example\" {\n name = \"<example_resource_name>\"\n location = azurerm_resource_group.example.location\n resource_group_name = azurerm_resource_group.example.name\n service_plan_id = azurerm_service_plan.example.id\n storage_account_name = azurerm_storage_account.example.name\n storage_account_access_key = azurerm_storage_account.example.primary_access_key\n\n site_config {}\n\n app_settings = {\n FUNCTIONS_EXTENSION_VERSION = \"~4\" # Critical: ensures the Function App uses runtime ~4\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "",
|
||||
"Url": "https://learn.microsoft.com/en-us/azure/azure-functions/migrate-version-3-version-4?tabs=net8%2Cazure-cli%2Cwindows&pivots=programming-language-python"
|
||||
"Text": "Standardize on supported runtime `~4` and align language/extension versions.\n- Enforce upgrades in CI/CD and use staging to validate before rollout.\n- Apply **least privilege** for app identities and secrets.\n- Prefer automated patching and periodic reviews to avoid drift; avoid downgrades or indefinite minor pinning.",
|
||||
"Url": "https://hub.prowler.com/check/app_function_latest_runtime_version"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"vulnerabilities"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "Stay informed about the latest security updates and patch releases for Azure Functions to maintain a secure and up-to-date environment."
|
||||
|
||||
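Review bot: `Severity` drops from `high` to `medium` in this hunk while the rewritten `Risk` text argues the other way ("RCE or binding bugs allow code tampering", end-of-support versions "lack security patches, increasing exploitability"); either justify the downgrade in the PR or keep `high`, since the new risk statement supports the stronger rating. Also, the new `CheckTitle` hard-codes "(~4)", so the title goes stale as soon as a newer major runtime ships; "Function app uses the latest supported runtime version" stays correct on its own, with the concrete `~4` value already carried by `Description` and the remediation snippets.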
@@ -1,30 +1,37 @@
|
||||
{
|
||||
"Provider": "azure",
|
||||
"CheckID": "app_function_not_publicly_accessible",
|
||||
"CheckTitle": "Ensure Azure Functions are not publicly accessible",
|
||||
"CheckTitle": "Function app is not publicly accessible",
|
||||
"CheckType": [],
|
||||
"ServiceName": "app",
|
||||
"SubServiceName": "function",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Microsoft.Web/sites",
|
||||
"ResourceType": "microsoft.web/sites",
|
||||
"ResourceGroup": "serverless",
|
||||
"Description": "Azure Functions should not be exposed to the public internet. Restricting access helps protect applications from potential threats and reduces the attack surface.",
|
||||
"Risk": "Exposing Azure Functions to the public internet increases the risk of unauthorized access, data breaches, and other security threats.",
|
||||
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options",
|
||||
"Description": "**Azure Function apps** are assessed for whether they are reachable from the public Internet. The evaluation considers the app's `publicNetworkAccess` state and the presence of access restrictions or private endpoints to limit inbound traffic.",
|
||||
"Risk": "Public exposure allows unauthorized invocation, risking data disclosure and tampering (**confidentiality** and **integrity**). Attackers can brute-force tokens or abuse misconfigurations for remote execution. Unrestricted calls also enable abuse and DoS, driving cost and harming **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-exposed.html",
|
||||
"https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-exposed.html",
|
||||
"Terraform": ""
|
||||
"CLI": "az functionapp update --resource-group <RESOURCE_GROUP> --name <FUNCTION_APP_NAME> --set publicNetworkAccess=Disabled",
|
||||
"NativeIaC": "```bicep\n// Disable public access by denying all unmatched traffic\nresource functionApp 'Microsoft.Web/sites@2022-09-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource siteConfig 'Microsoft.Web/sites/config@2022-09-01' = {\n name: '${functionApp.name}/web'\n properties: {\n ipSecurityRestrictionsDefaultAction: 'Deny' // Critical: blocks public access via default endpoint\n }\n}\n```",
|
||||
"Other": "1. In the Azure portal, go to your Function App\n2. Select Networking\n3. Under Public access, set Public network access to Disabled\n4. Click Save",
|
||||
"Terraform": "```hcl\n# Disable public network access for the Function App\nresource \"azurerm_linux_function_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = azurerm_resource_group.main.location\n resource_group_name = azurerm_resource_group.main.name\n service_plan_id = azurerm_service_plan.main.id\n storage_account_name = azurerm_storage_account.main.name\n storage_account_access_key = azurerm_storage_account.main.primary_access_key\n\n public_network_access_enabled = false # Critical: disables public endpoint access\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Review the Azure Functions security guidelines and ensure that access restrictions are in place. Use Azure Private Link and Key Vault for enhanced security.",
|
||||
"Url": "https://learn.microsoft.com/en-us/azure/app-service/overview-access-restrictions"
|
||||
"Text": "Apply network isolation and least privilege:\n- Set `publicNetworkAccess=Disabled`\n- Use access restrictions for trusted IPs/VNets or **Private Endpoints**\n- Require strong auth (e.g., **Microsoft Entra ID**) over shared keys\n- Front with **API Management/WAF**\n- Keep secrets in **Key Vault** and monitor access logs",
|
||||
"Url": "https://hub.prowler.com/check/app_function_not_publicly_accessible"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"internet-exposed"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
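Review bot: the three remediation paths in this hunk do not set the same control: `CLI` uses `--set publicNetworkAccess=Disabled` and `Terraform` uses `public_network_access_enabled = false`, but the `NativeIaC` Bicep sets `ipSecurityRestrictionsDefaultAction: 'Deny'` on `sites/config/web`, which is an access-restriction default action rather than the `publicNetworkAccess` state the new `Description` says the check evaluates first. Align the Bicep with the other two (set `publicNetworkAccess` to `Disabled` in the site's properties) or state in `Description` that a default-deny access restriction alone also passes, so a user applying any one of the three remediations gets a passing result.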
@@ -1,30 +1,37 @@
|
||||
{
|
||||
"Provider": "azure",
|
||||
"CheckID": "app_function_vnet_integration_enabled",
|
||||
"CheckTitle": "Ensure Virtual Network Integration is Enabled for Azure Functions",
|
||||
"CheckTitle": "Function app has Virtual Network integration enabled",
|
||||
"CheckType": [],
|
||||
"ServiceName": "app",
|
||||
"SubServiceName": "function",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Microsoft.Web/sites",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "microsoft.web/sites",
|
||||
"ResourceGroup": "serverless",
|
||||
"Description": "Enabling Virtual Network Integration for Azure Functions provides an additional layer of security by restricting access to selected virtual network subnets. This helps to protect your Function Apps from unauthorized access and potential threats.",
|
||||
"Risk": "Without Virtual Network Integration, your Function Apps may be exposed to the public internet, increasing the risk of unauthorized access and potential security breaches.",
|
||||
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#virtual-network-integration",
|
||||
"Description": "**Azure Function apps** configured with **Virtual Network integration** uses a chosen subnet so outbound traffic is routed via the VNet and can reach private or service-endpoint-secured resources.\n\nThe finding reflects whether a function app is associated with a subnet resource ID.",
|
||||
"Risk": "Without VNet integration, function apps send egress directly to the public Internet and cannot reach private endpoints.\n\nThis weakens confidentiality and integrity by bypassing NSG/UDR controls, enables data exfiltration from compromised code, and may force exposing backends publicly, increasing attack surface.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-vnet-integration-on.html",
|
||||
"https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#enable-virtual-network-integration",
|
||||
"https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#virtual-network-integration"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "az functionapp vnet-integration update --name <function_app_name> --resource-group <resource_group_name> --vnet <vnet_name> --subnet <subnet_name>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/Functions/azure-function-vnet-integration-on.html",
|
||||
"Terraform": ""
|
||||
"CLI": "az functionapp vnet-integration add --name <function_app_name> --resource-group <resource_group_name> --vnet <vnet_name> --subnet <subnet_name>",
|
||||
"NativeIaC": "```bicep\n// Enable VNet integration for an existing Function App\nresource vnetConn 'Microsoft.Web/sites/virtualNetworkConnections@2022-03-01' = {\n name: '<example_resource_name>/<example_resource_name>' // <function_app_name>/<vnet_name>\n properties: {\n subnetResourceId: '/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>/providers/Microsoft.Network/virtualNetworks/<example_resource_name>/subnets/<example_resource_name>' // CRITICAL: attaches the Function App to this subnet\n isSwift: true // CRITICAL: enables regional VNet (Swift) integration\n }\n}\n```",
|
||||
"Other": "1. In the Azure portal, go to your Function App\n2. Select Networking > VNet Integration\n3. Click Add VNet\n4. Choose the target Virtual network and Subnet\n5. Click OK/Save to apply\n",
|
||||
"Terraform": "```hcl\n# Enable VNet integration for an existing Function App\nresource \"azurerm_app_service_virtual_network_swift_connection\" \"<example_resource_name>\" {\n app_service_id = \"/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>/providers/Microsoft.Web/sites/<example_resource_name>\" # CRITICAL: target Function App resource ID\n subnet_id = \"/subscriptions/<example_resource_id>/resourceGroups/<example_resource_name>/providers/Microsoft.Network/virtualNetworks/<example_resource_name>/subnets/<example_resource_name>\" # CRITICAL: subnet to integrate with\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "It is recommended to enable Virtual Network Integration for Azure Functions to enhance security and protect against unauthorized access.",
|
||||
"Url": "https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options#enable-virtual-network-integration"
|
||||
"Text": "Enable **Virtual Network integration** and attach function apps to a dedicated subnet to enforce **least privilege network access**.\n\nRoute egress through the VNet (e.g., `Route All`), apply **NSGs/UDRs**, and use **private endpoints** or service endpoints for dependencies. Restrict outbound traffic by default as part of **defense in depth**.",
|
||||
"Url": "https://hub.prowler.com/check/app_function_vnet_integration_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"trust-boundaries"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": ""
|
||||
|
||||
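Review bot: the new `Description` has a subject/verb agreement error: "**Azure Function apps** configured with **Virtual Network integration** uses a chosen subnet" should read "use a chosen subnet". The `Other` value also ends with a trailing `\n` ("5. Click OK/Save to apply\n"), unlike the other metadata files in this PR; drop it so the rendered steps do not end in a blank line. The `CLI` change from `vnet-integration update` to `vnet-integration add` reads correctly, since `add` is the subcommand that creates the integration.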
@@ -1,30 +1,36 @@
|
||||
{
|
||||
"Provider": "azure",
|
||||
"CheckID": "app_http_logs_enabled",
|
||||
"CheckTitle": "Ensure that logging for Azure AppService 'HTTP logs' is enabled",
|
||||
"CheckTitle": "App Service web app has HTTP logs enabled in diagnostic settings",
|
||||
"CheckType": [],
|
||||
"ServiceName": "app",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "low",
|
||||
"ResourceType": "Microsoft.Web/sites/config",
|
||||
"ResourceType": "microsoft.web/sites",
|
||||
"ResourceGroup": "serverless",
|
||||
"Description": "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged.",
|
||||
"Risk": "Capturing web requests can be important supporting information for security analysts performing monitoring and incident response activities. Once logging, these logs can be ingested into SIEM or other central aggregation point for the organization.",
|
||||
"RelatedUrl": "https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
|
||||
"Description": "**Azure App Service web apps** diagnostic settings include **HTTP request logging** when the `AppServiceHTTPLogs` category (or the `allLogs` group) is enabled to capture web access events.",
|
||||
"Risk": "Without **HTTP access logs**, visibility into requests is lost, hindering **detection** of brute force, probing, and injection attempts. This weakens **forensics** and reduces **confidentiality** and **integrity** by masking data access paths and blocking reliable incident timelines.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-logging-threat-detection#lt-3-enable-logging-for-security-investigation",
|
||||
"https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": "https://docs.prowler.com/checks/azure/azure-logging-policies/ensure-that-app-service-enables-http-logging#terraform"
|
||||
"CLI": "az monitor diagnostic-settings create --name <example_resource_name> --resource /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<APP_NAME> --workspace <LOG_ANALYTICS_WORKSPACE_RESOURCE_ID> --logs '[{\"category\":\"AppServiceHTTPLogs\",\"enabled\":true}]'",
|
||||
"NativeIaC": "```bicep\n// Enable HTTP Logs for an existing App Service via Azure Monitor diagnostic setting\nresource app 'Microsoft.Web/sites@2022-03-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n name: '<example_resource_name>'\n scope: app\n properties: {\n workspaceId: '<example_resource_id>' // Destination Log Analytics workspace\n logs: [\n {\n category: 'AppServiceHTTPLogs' // Critical: enable the HTTP Logs category\n enabled: true // Critical: turns HTTP Logs on\n }\n ]\n }\n}\n```",
|
||||
"Other": "1. In Azure Portal, go to your App Service > Monitoring > Diagnostic settings\n2. Click + Add diagnostic setting\n3. Under Logs, check AppServiceHTTPLogs (or select the allLogs category group)\n4. Choose a destination (Log Analytics workspace, Storage account, or Event Hub)\n5. Click Save",
|
||||
"Terraform": "```hcl\n# Enable HTTP Logs for App Service via Azure Monitor diagnostic setting\nresource \"azurerm_monitor_diagnostic_setting\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n target_resource_id = \"/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Web/sites/<example_resource_name>\"\n log_analytics_workspace_id = \"<example_resource_id>\" # Destination Log Analytics workspace\n\n log { # Critical: enables the HTTP Logs category\n category = \"AppServiceHTTPLogs\"\n enabled = true\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "1. Go to App Services For each App Service: 2. Go to Diagnostic Settings 3. Click Add Diagnostic Setting 4. Check the checkbox next to 'HTTP logs' 5. Configure a destination based on your specific logging consumption capability (for example Stream to an event hub and then consuming with SIEM integration for Event Hub logging).",
|
||||
"Url": "https://docs.microsoft.com/en-us/azure/app-service/troubleshoot-diagnostic-logs"
|
||||
"Text": "Enable **diagnostic settings** with `AppServiceHTTPLogs` (or `allLogs`) and route logs to a centralized store. Enforce **least privilege**, retention, and tamper-resistant storage. Integrate with a **SIEM** for analytics and alerting, and periodically verify logging coverage across all apps and regions.",
|
||||
"Url": "https://hub.prowler.com/check/app_http_logs_enabled"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"logging"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "Log consumption and processing will incur additional cost."
|
||||
|
||||
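Review bot: the `Terraform` example uses the `log { category = "AppServiceHTTPLogs" enabled = true }` block of `azurerm_monitor_diagnostic_setting`, which is the deprecated form in azurerm 3.x and was removed in provider 4.x; use `enabled_log { category = "AppServiceHTTPLogs" }` so the snippet works on current providers. Placeholder style is also mixed inside the `CLI` line: the diagnostic-setting name uses `<example_resource_name>` while the resource ID uses `<SUBSCRIPTION_ID>`, `<RESOURCE_GROUP>` and `<APP_NAME>`; pick one convention per file.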
@@ -1,30 +1,38 @@
|
||||
{
|
||||
"Provider": "azure",
|
||||
"CheckID": "app_minimum_tls_version_12",
|
||||
"CheckTitle": "Ensure Web App is using the latest version of TLS encryption",
|
||||
"CheckTitle": "App Service web app has minimum TLS version set to 1.2 or 1.3",
|
||||
"CheckType": [],
|
||||
"ServiceName": "app",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "high",
|
||||
"ResourceType": "Microsoft.Web/sites/config",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "microsoft.web/sites/config",
|
||||
"ResourceGroup": "serverless",
|
||||
"Description": "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.",
|
||||
"Risk": "App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.",
|
||||
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
|
||||
"Description": "**Azure App Service web apps** are assessed for the configured minimum TLS version for HTTPS. The expected baseline is `1.2` or `1.3`; settings that permit lower versions indicate acceptance of legacy TLS during client negotiation.",
|
||||
"Risk": "Allowing `TLS 1.0/1.1` enables protocol downgrades and weak cipher negotiation, exposing HTTPS traffic to **MITM** interception, credential theft, and tampering. This undermines the **confidentiality** and **integrity** of sessions and data in transit, and can enable account takeover via stolen tokens.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://learn.microsoft.com/en-us/+azure/app-service/overview-tls",
|
||||
"https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-tls-encryption-in-use.html",
|
||||
"https://icompaas.freshdesk.com/support/solutions/articles/62000234773-ensure-that-minimum-tls-version-is-set-to-tls-v1-2-or-higher"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --min-tls-version 1.2",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/latest-version-of-tls-encryption-in-use.html",
|
||||
"Terraform": "https://docs.prowler.com/checks/azure/azure-networking-policies/bc_azr_networking_6#terraform"
|
||||
"NativeIaC": "```bicep\n// Update existing App Service to enforce minimum TLS 1.2\nresource app 'Microsoft.Web/sites@2023-01-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource appConfig 'Microsoft.Web/sites/config@2023-01-01' = {\n name: '${app.name}/web'\n properties: {\n minTlsVersion: '1.2' // CRITICAL: Enforces minimum TLS version 1.2 to pass the check\n }\n}\n```",
|
||||
"Other": "1. Sign in to Azure Portal and go to App Services\n2. Select your app\n3. Go to Settings > Configuration > General settings\n4. Set Minimum TLS Version to 1.2 (or 1.3 if available)\n5. Click Save",
|
||||
"Terraform": "```hcl\n# Enforce minimum TLS 1.2 on an Azure Linux Web App\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<example_resource_name>\"\n service_plan_id = \"<example_resource_id>\"\n\n site_config {\n minimum_tls_version = \"1.2\" # CRITICAL: Enforces minimum TLS 1.2 to pass the check\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on TLS/SSL settings 5. Under the Bindings pane, ensure that Minimum TLS Version set to 1.2 under Protocol Settings",
|
||||
"Url": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-3-encrypt-sensitive-data-in-transit"
|
||||
"Text": "Enforce a minimum of `TLS 1.2` (prefer `1.3`) and disable `1.0/1.1`. Require **HTTPS-only**, enable HSTS, and align with modern cipher suites. Test client compatibility and phase out legacy agents. Document narrow exceptions with compensating controls to uphold **defense in depth** and prevent downgrades.",
|
||||
"Url": "https://hub.prowler.com/check/app_minimum_tls_version_12"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"encryption"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "By default, TLS Version feature will be set to 1.2 when a new app is created using the command-line tool or Azure Portal console."
|
||||
|
||||
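Review bot: the first `AdditionalURLs` entry is broken: `https://learn.microsoft.com/en-us/+azure/app-service/overview-tls` has a stray `+` before `azure` and should be `https://learn.microsoft.com/en-us/azure/app-service/overview-tls`. The `icompaas.freshdesk.com` support article is a weaker reference than the Microsoft and Trend Micro links beside it; consider dropping it. The rest of the hunk is consistent: `CLI` (`--min-tls-version 1.2`), Bicep (`minTlsVersion: '1.2'`) and Terraform (`minimum_tls_version = "1.2"`) all enforce the value the new `CheckTitle` names.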
@@ -1,30 +1,37 @@
|
||||
{
|
||||
"Provider": "azure",
|
||||
"CheckID": "app_register_with_identity",
|
||||
"CheckTitle": "Ensure that Register with Azure Active Directory is enabled on App Service",
|
||||
"CheckTitle": "App Service web app has a managed identity configured",
|
||||
"CheckType": [],
|
||||
"ServiceName": "app",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "",
|
||||
"Severity": "medium",
|
||||
"ResourceType": "Microsoft.Web/sites",
|
||||
"ResourceType": "microsoft.web/sites",
|
||||
"ResourceGroup": "serverless",
|
||||
"Description": "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.",
|
||||
"Risk": "App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.",
|
||||
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-tenant",
|
||||
"Description": "**Azure App Service web apps** are configured with a **managed identity** (`identity`: `SystemAssigned` or `UserAssigned`) for token-based access to Azure resources without embedded credentials",
|
||||
"Risk": "**Missing managed identity** drives reliance on stored secrets. Leaked credentials enable **unauthorized access** to SQL, Storage, or Key Vault, leading to **data exfiltration**, tampering, and lateral movement. Secret expiry or revocation can break connectivity, degrading **availability**.",
|
||||
"RelatedUrl": "",
|
||||
"AdditionalURLs": [
|
||||
"https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity",
|
||||
"https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad?tabs=workforce-tenant",
|
||||
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-registration-with-microsoft-entra-id.html"
|
||||
],
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "az webapp identity assign --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>",
|
||||
"NativeIaC": "",
|
||||
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AppService/enable-registration-with-microsoft-entra-id.html",
|
||||
"Terraform": "https://docs.prowler.com/checks/azure/azure-iam-policies/bc_azr_iam_1#terraform"
|
||||
"NativeIaC": "```bicep\n// Enable system-assigned managed identity on an existing App Service app\nresource app 'Microsoft.Web/sites@2022-09-01' = {\n name: '<example_resource_name>'\n location: resourceGroup().location\n identity: {\n type: 'SystemAssigned' // Critical: enables a managed identity for the app\n }\n}\n```",
|
||||
"Other": "1. Sign in to the Azure portal\n2. Go to App Services and select your app\n3. Under Settings, select Identity\n4. On the System assigned tab, set Status to On\n5. Click Save and confirm",
|
||||
"Terraform": "```hcl\n# Enable system-assigned managed identity on the App Service app (use azurerm_linux_web_app or azurerm_windows_web_app)\nresource \"azurerm_linux_web_app\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = azurerm_resource_group.<example_resource_name>.location\n resource_group_name = azurerm_resource_group.<example_resource_name>.name\n service_plan_id = azurerm_service_plan.<example_resource_name>.id\n\n site_config {}\n\n identity { # Critical: enables managed identity\n type = \"SystemAssigned\" # Creates a system-assigned identity for the app\n }\n}\n```"
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "1. Login to Azure Portal using https://portal.azure.com 2. Go to App Services 3. Click on each App 4. Under Setting section, Click on Identity 5. Under the System assigned pane, set Status to On",
|
||||
"Url": "https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service"
|
||||
"Text": "Enable a **managed identity** and use it for all service-to-service access. Apply **least privilege** on target resources and eliminate secrets from code and app settings. Remove legacy credentials, rotate residual keys, and monitor usage for **defense in depth**. *Use system-assigned per app; user-assigned for reuse or separation.*",
|
||||
"Url": "https://hub.prowler.com/check/app_register_with_identity"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Categories": [
|
||||
"identity-access"
|
||||
],
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "By default, Managed service identity via Azure AD is disabled."
|
||||
|
||||
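Review bot: the `NativeIaC` Bicep comment says "Enable system-assigned managed identity on an existing App Service app", but the resource is declared as a full `Microsoft.Web/sites@2022-09-01` definition (no `existing` keyword) carrying only `name`, `location` and `identity`; deployed as written it is a full PUT of the site with none of its other properties, not an in-place identity change. State that the `identity` block must be merged into the app's complete declaration, or point users at the `CLI` line (`az webapp identity assign`) for the in-place case. Two smaller points: the new `Description` lacks a terminating period ("...without embedded credentials"), and `Notes` still says "Managed service identity via Azure AD is disabled" while the title and links now use Microsoft Entra ID; rename for consistency.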