fix(bicep): Add bicep specific for CKV_AZURE_25 since ARM implementat…

…ion fails (#6996)

* added test resources for CKV_AZURE_25

* added graph check for CKV_AZURE_25

* added main.bicep test file

* added expected file for graph checks

* added new tests for CKV_AZURE_25 if no security policy is provided

checkov/bicep/checks/graph_checks/SQLServerThreatDetectionTypes.yaml

@@ -0,0 +1,61 @@
+metadata:
+  id: "CKV_AZURE_25"
+  name: "Azure SQL Server threat detection alerts are enabled for all threat types"
+  category: "LOGGING"
+definition:
+  and:
+    - cond_type: filter
+      attribute: resource_type
+      operator: within
+      value:
+        - Microsoft.Sql/servers
+        - Microsoft.Sql/servers/databases
+    - or:
+        - and:
+            - cond_type: connection
+              resource_types:
+                - Microsoft.Sql/servers
+              connected_resource_types:
+                - Microsoft.Sql/servers/securityAlertPolicies
+              operator: exists
+            - cond_type: attribute
+              resource_types:
+                - Microsoft.Sql/servers/securityAlertPolicies
+              attribute: properties.state
+              operator: equals
+              value: Enabled
+            - or:
+              - cond_type: attribute
+                resource_types:
+                  - Microsoft.Sql/servers/securityAlertPolicies
+                attribute: properties.disabledAlerts
+                operator: is_empty
+              - cond_type: attribute
+                resource_types:
+                  - Microsoft.Sql/servers/securityAlertPolicies
+                attribute: properties.disabledAlerts
+                operator: not_exists
+        - and:
+            - cond_type: connection
+              resource_types:
+                - Microsoft.Sql/servers/databases
+              connected_resource_types:
+                - Microsoft.Sql/servers/databases/securityAlertPolicies
+              operator: exists
+            - cond_type: attribute
+              resource_types:
+                - Microsoft.Sql/servers/databases/securityAlertPolicies
+              attribute: properties.state
+              operator: equals
+              value: Enabled
+            - or:
+                - cond_type: attribute
+                  resource_types:
+                    - Microsoft.Sql/servers/databases/securityAlertPolicies
+                  attribute: properties.disabledAlerts
+                  operator: is_empty
+                - cond_type: attribute
+                  resource_types:
+                    - Microsoft.Sql/servers/databases/securityAlertPolicies
+                  attribute: properties.disabledAlerts
+                  operator: not_exists

tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/expected.yaml

@@ -0,0 +1,18 @@
+pass:
+  - 'Microsoft.Sql/servers.serverEnabled'
+  - 'Microsoft.Sql/servers.serverEnabledWithoutAlertsAttribute'
+  - 'Microsoft.Sql/servers/databases.databaseEnabled'
+  - 'Microsoft.Sql/servers/databases.databaseEnabledWithoutAlertsAttribute'
+fail:
+  - 'Microsoft.Sql/servers.serverWithoutSecurityPolicy'
+  - 'Microsoft.Sql/servers.serverDisabledState'
+  - 'Microsoft.Sql/servers.serverDisabledAlerts'
+  - 'Microsoft.Sql/servers.serverDisabled'
+  - 'Microsoft.Sql/servers/databases.databaseWithoutSecurityPolicy'
+  - 'Microsoft.Sql/servers/databases.databaseDisabledState'
+  - 'Microsoft.Sql/servers/databases.databaseDisabledAlerts'
+  - 'Microsoft.Sql/servers/databases.databaseDisabled'
+evaluated_keys:
+  - 'resource_type'
+  - 'properties/state'
+  - 'properties/disabledAlerts'

tests/bicep/graph/checks/resources/SQLServerThreatDetectionTypes/main.bicep

@@ -0,0 +1,224 @@
+// pass
+resource serverEnabled 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'default'
+  location: location
+
+  properties: {
+    administratorLogin: sqlLogicalServer.userName
+    administratorLoginPassword: password
+    version: '12.0'
+    minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+    publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+  }
+
+  resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Enabled'
+      disabledAlerts: [
+      ]
+    }
+  }
+}
+
+resource serverEnabledWithoutAlertsAttribute 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'default'
+  location: location
+
+  properties: {
+    administratorLogin: sqlLogicalServer.userName
+    administratorLoginPassword: password
+    version: '12.0'
+    minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+    publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+  }
+
+  resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Enabled'
+    }
+  }
+}
+
+resource databaseEnabled 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+  name: '${server.name}/${sqlDBName}'
+  location: location
+  sku: {
+    name: 'GP_S_Gen5_2'
+    tier: 'GeneralPurpose'
+  }
+
+  resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Enabled'
+      disabledAlerts: [
+      ]
+    }
+  }
+}
+
+resource databaseEnabledWithoutAlertsAttribute 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+  name: '${server.name}/${sqlDBName}'
+  location: location
+  sku: {
+    name: 'GP_S_Gen5_2'
+    tier: 'GeneralPurpose'
+  }
+
+  resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Enabled'
+    }
+  }
+}
+
+// fail
+resource serverWithoutSecurityPolicy 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'default'
+  location: location
+
+  properties: {
+    administratorLogin: sqlLogicalServer.userName
+    administratorLoginPassword: password
+    version: '12.0'
+    minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+    publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+  }
+}
+
+resource serverDisabledState 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'default'
+  location: location
+
+  properties: {
+    administratorLogin: sqlLogicalServer.userName
+    administratorLoginPassword: password
+    version: '12.0'
+    minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+    publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+  }
+
+  resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Disabled'
+      disabledAlerts: [
+      ]
+    }
+  }
+}
+
+resource serverDisabledAlerts 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'default'
+  location: location
+
+  properties: {
+    administratorLogin: sqlLogicalServer.userName
+    administratorLoginPassword: password
+    version: '12.0'
+    minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+    publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+  }
+
+  resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Enabled'
+      disabledAlerts: [
+        'disabledAlert'
+      ]
+    }
+  }
+}
+
+resource serverDisabled 'Microsoft.Sql/servers@2021-02-01-preview' = {
+  name: 'default'
+  location: location
+
+  properties: {
+    administratorLogin: sqlLogicalServer.userName
+    administratorLoginPassword: password
+    version: '12.0'
+    minimalTlsVersion: sqlLogicalServer.minimalTlsVersion
+    publicNetworkAccess: sqlLogicalServer.publicNetworkAccess
+  }
+
+  resource securityAlertPolicyEnabled 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Disabled'
+      disabledAlerts: [
+        'disabledAlert'
+      ]
+    }
+  }
+}
+
+resource databaseWithoutSecurityPolicy 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+  name: '${server.name}/${sqlDBName}'
+  location: location
+  sku: {
+    name: 'GP_S_Gen5_2'
+    tier: 'GeneralPurpose'
+  }
+}
+
+resource databaseDisabledState 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+  name: '${server.name}/${sqlDBName}'
+  location: location
+  sku: {
+    name: 'GP_S_Gen5_2'
+    tier: 'GeneralPurpose'
+  }
+
+  resource securityAlertPolicyDisabledAlerts 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Disabled'
+      disabledAlerts: [
+      ]
+    }
+  }
+}
+
+resource databaseDisabledAlerts 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+  name: '${server.name}/${sqlDBName}'
+  location: location
+  sku: {
+    name: 'GP_S_Gen5_2'
+    tier: 'GeneralPurpose'
+  }
+
+  resource securityAlertPolicyDisabledAlerts 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Enabled'
+      disabledAlerts: [
+        'disabledAlert'
+      ]
+    }
+  }
+}
+
+resource databaseDisabled 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
+  name: '${server.name}/${sqlDBName}'
+  location: location
+  sku: {
+    name: 'GP_S_Gen5_2'
+    tier: 'GeneralPurpose'
+  }
+
+  resource securityAlertPolicy 'securityAlertPolicies' = {
+    name: 'default'
+    properties: {
+      state: 'Disabled'
+      disabledAlerts: [
+        'disabledAlert'
+      ]
+    }
+  }
+}
+

tests/bicep/graph/checks/test_yaml_policies.py

@@ -39,6 +39,9 @@ def test_SQLServerAuditingEnabled(self):
     def test_SQLServerAuditingRetention90Days(self):
         self.go("SQLServerAuditingRetention90Days")
 
+    def test_SQLServerThreatDetectionTypes(self):
+        self.go("SQLServerThreatDetectionTypes")
+
     def test_registry_load(self):
         registry = self.get_checks_registry()
         self.assertGreater(len(registry.checks), 0)