Copilot AI commented Jul 22, 2025

Summary

This PR addresses the security suppressions review requested in the issue by systematically removing unnecessary Checkov suppressions and providing comprehensive documentation for the remaining ones. The changes improve the security posture while maintaining the template's evaluation-friendly design.

Changes Made

✅ Suppressions Removed (7 total)

  • 6 NSG suppressions (CKV2_AZURE_31): Removed from all subnet resources in main.network.tf as NSG associations are properly configured
  • 1 Storage suppression (CKV_AZURE_190): Removed unnecessary suppression from main storage account

📝 Enhanced Documentation (29 remaining suppressions)

All remaining suppressions now include:

  • Clear explanation of why the suppression is required
  • Specific guidance on how to harden for production use
  • Reference to the comprehensive security considerations document

📋 New Security Documentation

Created docs/security_considerations.md with:

  • Detailed rationale for each category of suppressions
  • Production hardening recommendations with code examples
  • Network security, identity management, and data protection guidance
  • Compliance and governance recommendations
  • Incident response and maintenance procedures

Results

Security Improvements

  • Passed checks increased: 42 → 48 (+6)
  • Failed checks: 0 (maintained)
  • Skipped checks reduced: 36 → 30 (-6)
  • All remaining suppressions documented with security considerations

Example of Enhanced Documentation

Before:

# checkov:skip=CKV2_AZURE_22: Customer-managed keys should be added in production usage but are not included here for simplicity.

After:

# checkov:skip=CKV2_AZURE_22: This template uses default encryption for evaluation purposes. For production, implement customer-managed encryption keys. See docs/security_considerations.md for hardening guidance.

Categories of Remaining Suppressions

  1. Azure AI Search (2): SLA requirements for evaluation vs production
  2. Storage Accounts (16): Azure Deployment Scripts service requirements and AVM module configurations
  3. AI/Cognitive Services (3): Power Platform connector requirements and evaluation setup
  4. Container Registry (6): GitHub runner module requirements and cost optimization
  5. Module Versioning (2): Terraform module version pinning for maintainability

Validation

  • ✅ Checkov scan passes with 48 passed checks, 0 failed checks
  • ✅ All suppressions properly documented with security considerations
  • ✅ Security considerations document provides clear production hardening paths
  • ✅ Template maintains evaluation-friendly design while improving security posture

Security Considerations

The remaining suppressions are all justified by specific technical requirements:

  • Azure Deployment Scripts: Requires specific storage configurations that conflict with some security best practices
  • Power Platform Integration: Requires specific authentication methods
  • Evaluation Template Design: Optimized for cost and simplicity rather than maximum security

For production deployments, the security considerations document provides detailed guidance on hardening each area.

Fixes #229.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api0.prismacloud.io
    • Triggering command: /usr/bin/python3 /home/REDACTED/.local/bin/checkov -d ./infra --quiet --framework terraform -o sarif --output-file ./checkov-results.sarif --soft-fail (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


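The PR description above sets a documentation policy for inline Checkov suppressions (a justification, production hardening guidance, and a pointer to docs/security_considerations.md). The following is an added example, not code from the PR or the template repository, of a small audit script that enforces that policy over Terraform source; the sample HCL, the word-count threshold and the check names are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Checkov inline suppression syntax: "# checkov:skip=<CHECK_ID>[:<justification>]"
SKIP_RE = re.compile(r"checkov:skip=\s*([A-Za-z0-9_]+)(?::\s*(.*))?$")
HARDENING_DOC = "docs/security_considerations.md"   # reference every suppression must carry
MIN_JUSTIFICATION_WORDS = 8                          # assumed threshold, tune per repo

@dataclass
class Suppression:
    file: str
    line: int
    check_id: str
    justification: str
    problems: list = field(default_factory=list)

def audit_suppressions(file_name, text):
    """Return every checkov:skip found in `text`, each annotated with policy violations."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = SKIP_RE.search(raw.rstrip())
        if not m:
            continue
        check_id, justification = m.group(1), (m.group(2) or "").strip()
        problems = []
        if not justification:
            problems.append("no justification")
        elif len(justification.split()) < MIN_JUSTIFICATION_WORDS:
            problems.append("justification too short")
        if HARDENING_DOC not in justification:
            problems.append(f"no reference to {HARDENING_DOC}")
        found.append(Suppression(file_name, lineno, check_id, justification, problems))
    return found

def summarize(suppressions):
    """Count suppressions per check ID and list the ones that violate the policy."""
    per_check = {}
    for s in suppressions:
        per_check[s.check_id] = per_check.get(s.check_id, 0) + 1
    return per_check, [s for s in suppressions if s.problems]

# Constructed sample: the PR's "before" comment, a bare skip, and the PR's "after" comment.
SAMPLE_TF = """
resource "azurerm_storage_account" "main" {
  # checkov:skip=CKV2_AZURE_22: Customer-managed keys should be added in production usage but are not included here for simplicity.
  # checkov:skip=CKV_AZURE_190
  name = "evalstorage"
}
resource "azurerm_storage_account" "scripts" {
  # checkov:skip=CKV2_AZURE_22: This template uses default encryption for evaluation purposes. For production, implement customer-managed encryption keys. See docs/security_considerations.md for hardening guidance.
  name = "scriptstorage"
}
"""
```

Running `summarize(audit_suppressions("main.storage.tf", SAMPLE_TF))` flags the first two suppressions and accepts the rewritten one, which is the check a CI job could run before a Checkov scan.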

Copilot AI and others added 2 commits July 22, 2025 17:27
Copilot AI changed the title [WIP] [Task] Remove unnecessary Checkov suppressions and document remaining ones Remove unnecessary Checkov suppressions and document remaining ones with comprehensive security guidance Jul 22, 2025
Copilot AI requested a review from mattdot July 22, 2025 17:34
Copilot finished work on behalf of mattdot July 22, 2025 17:34

mattdot commented Aug 14, 2025

@copilot resolve conflicts from main


Copilot AI commented Aug 14, 2025

@copilot resolve conflicts from main

I'm unable to fetch the latest main branch due to authentication limitations in the current environment. I don't see any merge conflict markers in the current files, but conflicts may exist with recent changes to main that I can't access.

Could you either:

  1. Provide the specific files/areas where conflicts exist, or
  2. Merge main into this branch yourself, or
  3. Let me know what specific changes from main are conflicting?

Without access to the latest main branch, I can't identify or resolve the conflicts directly.

Copilot finished work on behalf of mattdot August 14, 2025 04:15
mattdot closed this Sep 8, 2025