diff --git a/test/rego/azure_monitor_test.go b/test/rego/azure_monitor_test.go
new file mode 100644
index 00000000..f650a49b
--- /dev/null
+++ b/test/rego/azure_monitor_test.go
@@ -0,0 +1,190 @@
+package test
+
+import (
+ "github.com/aquasecurity/trivy/pkg/iac/providers/azure"
+ "github.com/aquasecurity/trivy/pkg/iac/providers/azure/monitor"
+ "github.com/aquasecurity/trivy/pkg/iac/state"
+ trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+var azureMonitorTestCases = testCases{
+ "AVD-AZU-0031": {
+ {
+ name: "Log retention policy disabled",
+ input: state.State{Azure: azure.Azure{Monitor: monitor.Monitor{
+ LogProfiles: []monitor.LogProfile{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ RetentionPolicy: monitor.RetentionPolicy{
+ Metadata: trivyTypes.NewTestMetadata(),
+ Enabled: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ Days: trivyTypes.Int(365, trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Log retention policy enabled for 90 days",
+ input: state.State{Azure: azure.Azure{Monitor: monitor.Monitor{
+ LogProfiles: []monitor.LogProfile{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ RetentionPolicy: monitor.RetentionPolicy{
+ Metadata: trivyTypes.NewTestMetadata(),
+ Enabled: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Days: trivyTypes.Int(90, trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Log retention policy enabled for 365 days",
+ input: state.State{Azure: azure.Azure{Monitor: monitor.Monitor{
+ LogProfiles: []monitor.LogProfile{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ RetentionPolicy: monitor.RetentionPolicy{
+ Metadata: trivyTypes.NewTestMetadata(),
+ Enabled: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Days: trivyTypes.Int(365, trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+ "AVD-AZU-0033": {
+ {
+ name: "Log profile captures only write activities",
+ input: state.State{Azure: azure.Azure{Monitor: monitor.Monitor{
+ LogProfiles: []monitor.LogProfile{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Categories: []trivyTypes.StringValue{
+ trivyTypes.String("Write", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Log profile captures action, write, delete activities",
+ input: state.State{Azure: azure.Azure{Monitor: monitor.Monitor{
+ LogProfiles: []monitor.LogProfile{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Categories: []trivyTypes.StringValue{
+ trivyTypes.String("Action", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("Write", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("Delete", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+ "AVD-AZU-0032": {
+ {
+ name: "Log profile captures only eastern US region",
+ input: state.State{Azure: azure.Azure{Monitor: monitor.Monitor{
+ LogProfiles: []monitor.LogProfile{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Locations: []trivyTypes.StringValue{
+ trivyTypes.String("eastus", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Log profile captures all regions",
+ input: state.State{Azure: azure.Azure{Monitor: monitor.Monitor{
+ LogProfiles: []monitor.LogProfile{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Locations: []trivyTypes.StringValue{
+ trivyTypes.String("eastus", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("eastus2", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("southcentralus", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("westus2", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("westus3", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("australiaeast", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("southeastasia", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("northeurope", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("swedencentral", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("uksouth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("westeurope", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("centralus", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("northcentralus", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("westus", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("southafricanorth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("centralindia", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("eastasia", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("japaneast", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("jioindiawest", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("koreacentral", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("canadacentral", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("francecentral", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("germanywestcentral", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("norwayeast", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("switzerlandnorth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("uaenorth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("brazilsouth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("centralusstage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("eastusstage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("eastus2stage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("northcentralusstage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("southcentralusstage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("westusstage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("westus2stage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("asia", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("asiapacific", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("australia", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("brazil", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("canada", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("europe", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("global", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("india", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("japan", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("uk", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("unitedstates", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("eastasiastage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("southeastasiastage", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("centraluseuap", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("eastus2euap", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("westcentralus", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("southafricawest", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("australiacentral", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("australiacentral2", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("australiasoutheast", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("japanwest", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("jioindiacentral", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("koreasouth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("southindia", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("westindia", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("canadaeast", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("francesouth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("germanynorth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("norwaywest", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("swedensouth", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("switzerlandwest", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("ukwest", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("uaecentral", trivyTypes.NewTestMetadata()),
+ trivyTypes.String("brazilsoutheast", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+}
diff --git a/test/rego/azure_network_test.go b/test/rego/azure_network_test.go
new file mode 100644
index 00000000..85bb6aef
--- /dev/null
+++ b/test/rego/azure_network_test.go
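Review bot: The AVD-AZU-0031 cases in this hunk (90 days expected true, 365 days expected false) leave the boundaries of the retention threshold untested: there is no case for a value just below 365, none for `Days` of 0, and none for an empty `LogProfiles` slice. Azure treats a retention of 0 days as keep-forever, so a check that simply compares the day count against 365 would flag a correctly configured profile; I cannot see the Rego check from here, which is exactly why a case with `Days: trivyTypes.Int(0, trivyTypes.NewTestMetadata()),` is needed to pin down the intended behaviour. The "Log profile captures all regions" case for AVD-AZU-0032 also hard-codes a long region list with no indication of whether the check needs every region or only the `global` entry; a one-line comment above that case stating which it is would let the next maintainer shrink the list safely.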
@@ -0,0 +1,331 @@
+package test
+
+import (
+ "github.com/aquasecurity/trivy/pkg/iac/providers/azure"
+ "github.com/aquasecurity/trivy/pkg/iac/providers/azure/network"
+ "github.com/aquasecurity/trivy/pkg/iac/state"
+ trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+var azureNetworkTestCases = testCases{
+ "AVD-AZU-0048": {
+ {
+ name: "Security group inbound rule allowing RDP access from the Internet",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+ },
+ SourcePorts: nil,
+ DestinationAddresses: nil,
+ DestinationPorts: []network.PortRange{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Start: 3310,
+ End: 3390,
+ },
+ },
+ Protocol: trivyTypes.String("Tcp", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Security group inbound rule allowing RDP access from a specific address",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ DestinationPorts: []network.PortRange{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Start: 3310,
+ End: 3390,
+ },
+ },
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("4.53.160.75", trivyTypes.NewTestMetadata()),
+ },
+ Protocol: trivyTypes.String("Tcp", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ {
+ name: "Security group inbound rule allowing only ICMP",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+ },
+ SourcePorts: nil,
+ DestinationAddresses: nil,
+ DestinationPorts: []network.PortRange{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Start: 3310,
+ End: 3390,
+ },
+ },
+ Protocol: trivyTypes.String("Icmp", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+ "AVD-AZU-0051": {
+ {
+ name: "Security group outbound rule with wildcard destination address",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ DestinationAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Security group outbound rule with private destination address",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ DestinationAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+ "AVD-AZU-0047": {
+ {
+ name: "Security group inbound rule with wildcard source address",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Security group inbound rule with private source address",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("10.0.0.0/16", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+ "AVD-AZU-0049": {
+ {
+ name: "Network watcher flow log retention policy disabled",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ NetworkWatcherFlowLogs: []network.NetworkWatcherFlowLog{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ RetentionPolicy: network.RetentionPolicy{
+ Metadata: trivyTypes.NewTestMetadata(),
+ Enabled: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ Days: trivyTypes.Int(100, trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Network watcher flow log retention policy enabled for 30 days",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ NetworkWatcherFlowLogs: []network.NetworkWatcherFlowLog{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ RetentionPolicy: network.RetentionPolicy{
+ Metadata: trivyTypes.NewTestMetadata(),
+ Enabled: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Days: trivyTypes.Int(30, trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Network watcher flow log retention policy enabled for 100 days",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ NetworkWatcherFlowLogs: []network.NetworkWatcherFlowLog{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ RetentionPolicy: network.RetentionPolicy{
+ Metadata: trivyTypes.NewTestMetadata(),
+ Enabled: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Days: trivyTypes.Int(100, trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+ "AVD-AZU-0050": {
+ {
+ name: "Security group rule allowing SSH access from the public internet",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ DestinationPorts: []network.PortRange{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Start: 22,
+ End: 22,
+ },
+ },
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+ },
+ Protocol: trivyTypes.String("Tcp", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Security group rule allowing SSH only ICMP",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ DestinationPorts: []network.PortRange{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Start: 22,
+ End: 22,
+ },
+ },
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("*", trivyTypes.NewTestMetadata()),
+ },
+ Protocol: trivyTypes.String("Icmp", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ {
+ name: "Security group rule allowing SSH access from a specific address",
+ input: state.State{Azure: azure.Azure{Network: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ DestinationPorts: []network.PortRange{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Start: 22,
+ End: 22,
+ },
+ },
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("82.102.23.23", trivyTypes.NewTestMetadata()),
+ },
+ Protocol: trivyTypes.String("Tcp", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+}
diff --git a/test/rego/azure_securitycenter_test.go b/test/rego/azure_securitycenter_test.go
new file mode 100644
index 00000000..277fb22a
--- /dev/null
+++ b/test/rego/azure_securitycenter_test.go
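Review bot: Every expected-true case for AVD-AZU-0048, AVD-AZU-0047 and AVD-AZU-0050 spells "from anywhere" as the single source `"*"`, and every such rule uses `Protocol` `"Tcp"`; real NSG rules that expose the same ports also use `0.0.0.0/0`, a `/0` CIDR or the `Internet` service tag as source, and a protocol of `"*"` (any) also carries TCP, yet none of these shapes is exercised. Whether the Rego check matches them I cannot tell from this hunk, which is precisely why a case built from `trivyTypes.String("0.0.0.0/0", trivyTypes.NewTestMetadata())` as the source and `Protocol: trivyTypes.String("*", trivyTypes.NewTestMetadata()),` expected true belongs here — an unmatched spelling is a silent false negative for the check. The negative cases also vary one attribute each (source or protocol), so a deny rule (`Allow: trivyTypes.Bool(false, ...)`) on port 22 from `"*"`, which should not be flagged, is never tested either. Separately, the name `"Security group rule allowing SSH only ICMP"` is garbled; `name: "Security group rule on SSH port allowing only ICMP",` says what the case does.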
@@ -0,0 +1,89 @@
+package test
+
+import (
+ "github.com/aquasecurity/trivy/pkg/iac/providers/azure"
+ "github.com/aquasecurity/trivy/pkg/iac/providers/azure/securitycenter"
+ "github.com/aquasecurity/trivy/pkg/iac/state"
+ trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+var azureSecurityCenterTestCases = testCases{
+ "AVD-AZU-0044": {
+ {
+ name: "Security center alert nofifications disabled",
+ input: state.State{Azure: azure.Azure{SecurityCenter: securitycenter.SecurityCenter{
+ Contacts: []securitycenter.Contact{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ EnableAlertNotifications: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Security center alert nofifications enabled",
+ input: state.State{Azure: azure.Azure{SecurityCenter: securitycenter.SecurityCenter{
+ Contacts: []securitycenter.Contact{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ EnableAlertNotifications: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+ "AVD-AZU-0045": {
+ {
+ name: "Security center set with free subscription",
+ input: state.State{Azure: azure.Azure{SecurityCenter: securitycenter.SecurityCenter{
+ Subscriptions: []securitycenter.SubscriptionPricing{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Tier: trivyTypes.String(securitycenter.TierFree, trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Security center set with standard subscription",
+ input: state.State{Azure: azure.Azure{SecurityCenter: securitycenter.SecurityCenter{
+ Subscriptions: []securitycenter.SubscriptionPricing{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Tier: trivyTypes.String(securitycenter.TierStandard, trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+ "AVD-AZU-0046": {
+ {
+ name: "Contact's phone number missing",
+ input: state.State{Azure: azure.Azure{SecurityCenter: securitycenter.SecurityCenter{
+ Contacts: []securitycenter.Contact{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Phone: trivyTypes.String("", trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Contact's phone number provided",
+ input: state.State{Azure: azure.Azure{SecurityCenter: securitycenter.SecurityCenter{
+ Contacts: []securitycenter.Contact{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Phone: trivyTypes.String("+1-555-555-5555", trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+}
diff --git a/test/rego/azure_synapse_test.go b/test/rego/azure_synapse_test.go
new file mode 100644
index 00000000..9e50650b
--- /dev/null
+++ b/test/rego/azure_synapse_test.go
@@ -0,0 +1,37 @@
+package test
+
+import (
+ "github.com/aquasecurity/trivy/pkg/iac/providers/azure"
+ "github.com/aquasecurity/trivy/pkg/iac/providers/azure/synapse"
+ "github.com/aquasecurity/trivy/pkg/iac/state"
+ trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+var azureSynapseTestCases = testCases{
+ "AVD-AZU-0034": {
+ {
+ name: "Synapse workspace managed VN disabled",
+ input: state.State{Azure: azure.Azure{Synapse: synapse.Synapse{
+ Workspaces: []synapse.Workspace{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ EnableManagedVirtualNetwork: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: true,
+ },
+ {
+ name: "Synapse workspace managed VN enabled",
+ input: state.State{Azure: azure.Azure{Synapse: synapse.Synapse{
+ Workspaces: []synapse.Workspace{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ EnableManagedVirtualNetwork: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ },
+ },
+ }}},
+ expected: false,
+ },
+ },
+}
diff --git a/test/rego/rego_checks_test.go b/test/rego/rego_checks_test.go
index d1eb3a27..7a85620f 100644
--- a/test/rego/rego_checks_test.go
+++ b/test/rego/rego_checks_test.go
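Review bot: Both AVD-AZU-0044 case names in azure_securitycenter_test.go misspell "notifications" as "nofifications"; since these names are what shows up in `go test` output when a case fails, `name: "Security center alert notifications disabled",` and `name: "Security center alert notifications enabled",` are the corrected lines. The AVD-AZU-0046 "missing" case only covers an explicit empty string; a `Contact` with no `Phone` field set at all (zero-value `trivyTypes.StringValue`) is the other likely shape of an absent number and is not exercised, and whether the check treats it the same way I cannot tell from this hunk. Adding that second case would document the intended behaviour for the unset form.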
@@ -53,6 +53,11 @@ func TestRegoChecks(t *testing.T) {
 awsConfigTestCases,
 awsDocumentDBTestCases,
 awsDynamodbTestCases,
+
+ azureMonitorTestCases,
+ azureNetworkTestCases,
+ azureSynapseTestCases,
+ azureSecurityCenterTestCases,
 )
 
 regoScanner := rego.NewScanner(trivyTypes.SourceCloud)
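Review bot: The four new entries are not in alphabetical order, while the aws entries visible just above them (`awsConfigTestCases`, `awsDocumentDBTestCases`, `awsDynamodbTestCases`) appear to be; if the list is meant to stay sorted, `azureSecurityCenterTestCases,` should come before `azureSynapseTestCases,` so that later additions have an obvious place. `TestRegoChecks` starts and ends outside this hunk.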