Azure SQL Server ADS Vulnerability Assessment (VA) 'Send scan reports to' is not configured

Description

Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers. Vulnerability Assessment (VA) scan reports and alerts will be sent to email ids configured at Send scan reports to. This may help in reducing time required for identifying risks and taking corrective measures.

Code Example

{
 "resource "azurerm_resource_group" "okExample" {
  name     = "okExample-resources"
  location = "West Europe"
}


resource "azurerm_sql_server" "okExample" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.okExample.name
  location                     = azurerm_resource_group.okExample.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}


resource "azurerm_storage_account" "okExample" {
  name                     = "accteststorageaccount"
  resource_group_name      = azurerm_resource_group.okExample.name
  location                 = azurerm_resource_group.okExample.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
}


resource "azurerm_storage_container" "okExample" {
  name                  = "accteststoragecontainer"
  storage_account_name  = azurerm_storage_account.okExample.name
  container_access_type = "private"
}


resource "azurerm_mssql_server_security_alert_policy" "okExample" {
  resource_group_name = azurerm_resource_group.okExample.name
  server_name         = azurerm_sql_server.okExample.name
  state               = "Enabled"
}


resource "azurerm_mssql_server_vulnerability_assessment" "okExample" {
  server_security_alert_policy_id = azurerm_mssql_server_security_alert_policy.okExample.id
  storage_container_path          = "${azurerm_storage_account.okExample.primary_blob_endpoint}${azurerm_storage_container.okExample.name}/"
  storage_account_access_key      = azurerm_storage_account.okExample.primary_access_key

  recurring_scans {
    enabled                   = true
    email_subscription_admins = true
    emails = [
      "[email protected]",
      "[email protected]"
    ]
  }

}
",
}

Remediation

Terraform

Resource: azurerm_resource_group, azurerm_sql_server, azurerm_storage_account, azurerm_storage_container, azurerm_mssql_server_security_alert_policy, azurerm_mssql_server_vulnerability_assessment

Rule Details

Field	Value
ID	IAC-0762
Severity	LOW
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV2_AZURE_4

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Azure SQL Server ADS Vulnerability Assessment (VA) 'Send scan reports to' is not configured

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Azure SQL Server ADS Vulnerability Assessment (VA) 'Send scan reports to' is not configured ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

Azure SQL Server ADS Vulnerability Assessment (VA) 'Send scan reports to' is not configured

Description

Code Example

Remediation

Rule Details

References