feat(queries): Add initial queries for Bicep

Author: GeekMasher

ql/src/security/Storage/PublicAccess.md

@@ -0,0 +1,27 @@
+# Azure Blob Container Public Access
+
+When using a Bicep template to create a storage account, you can specify the public access level for the blob container. The default value is set to `None` which means that the container is private and can only be accessed by the storage account owner. The other options are `Blob` and `Container` which allow anonymous read access to the blob or container respectively.
+
+## Examples
+
+### Bad Example
+
+```bicep
+resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
+  name: 'insecure'
+  properties: {
+    publicAccess: 'Blob'
+  }
+}
+```
+
+### Good Example
+
+```bicep
+resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
+  name: 'secure'
+  properties: {
+    publicAccess: 'None'
+  }
+}
+```

ql/src/security/Storage/PublicAccess.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Azure Blob Container Public Access
+ * @description Azure Blob Container Public Access
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 10.0
+ * @precision high
+ * @id bicep/azure/storage-publicly-accessible
+ * @tags security
+ *       bicep
+ *       azure
+ *       storage
+ */
+
+import bicep
+
+from Storage::BlobServiceContainers container
+where container.getPublicAccess() = ["Blob", "Container"]
+select container, "Public Blob Container resource."

ql/src/security/Storage/SupportHttpTraffic.md

@@ -0,0 +1,19 @@
+# Support for HTTP traffic
+
+## Overview
+
+Using HTTP for Azure Storage Accounts is insecure because HTTP transmits data in plaintext, making it vulnerable to interception and eavesdropping by malicious actors. This lack of encryption can expose sensitive information, such as authentication tokens, account keys, or data being transferred, to potential attacks like man-in-the-middle (MITM). Enforcing HTTPS ensures that data is encrypted in transit, providing a secure communication channel and protecting against unauthorized access or data breaches.
+
+## Enforcing HTTPS
+
+To enforce HTTPS for Azure Storage Accounts, you can either set the `supportsHttpsTrafficOnly` property to `true` in the Bicep template.
+
+```bicep
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
+  // ...
+  properties: {
+    supportsHttpsTrafficOnly: true
+    // ...
+  }
+}
+```

ql/src/security/Storage/SupportHttpTraffic.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Supports non-HTTPS traffic for storage accounts
+ * @description Supports non-HTTPS traffic for storage accounts
+ * @kind problem
+ * @severity warning
+ * @security-severity 9.0
+ * @precision very-high
+ * @id bicep/azure/storage-tls-disabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       storage
+ */
+
+import bicep
+
+from Storage::StorageAccountsProperties properties
+where properties.getSupportsHttpsTrafficOnly() = false
+select properties.getProperty("supportsHttpsTrafficOnly"),
+  "Supports non-HTTPS traffic for storage accounts."

ql/test/queries-tests/security/Storage/PublicBucket/PublicBucket.expected

@@ -0,0 +1 @@
+| storage.bicep:11:1:16:1 | ResourceDeclaration | Public Blob Container resource. |

ql/test/queries-tests/security/Storage/PublicBucket/PublicBucket.qlref

@@ -0,0 +1 @@
+security/Storage/PublicAccess.ql

ql/test/queries-tests/security/Storage/PublicBucket/storage.bicep

@@ -0,0 +1,16 @@
+
+// Secure
+resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
+  name: 'secure'
+  properties: {
+    publicAccess: 'None'
+  }
+}
+
+// Insecure
+resource containers 'Microsoft.Storage/storageAccounts/blobServices/containers@2019-06-01' = {
+  name: 'insecure'
+  properties: {
+    publicAccess: 'Blob'
+  }
+}

ql/test/queries-tests/security/Storage/SupportHttpTraffic/SupportHttpTraffic.expected

@@ -0,0 +1 @@
+| http-traffic.bicep:35:31:35:35 | false | Supports non-HTTPS traffic for storage accounts. |

ql/test/queries-tests/security/Storage/SupportHttpTraffic/SupportHttpTraffic.qlref

@@ -0,0 +1 @@
+security/Storage/SupportHttpTraffic.ql

ql/test/queries-tests/security/Storage/SupportHttpTraffic/http-traffic.bicep

@@ -0,0 +1,46 @@
+
+param location string = resourceGroup().location
+param storageAccountName string = 'httpEnabledStorage'
+
+// Secure
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
+  name: storageAccountName
+  location: location
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: 'Allow'
+      ipRules: [
+        {
+          ipAddressOrRange: '0.0.0.0/0'
+        }
+      ]
+    }
+  }
+}
+
+// In-Secure
+resource storageAccount2 'Microsoft.Storage/storageAccounts@2021-06-01' = {
+  name: storageAccountName
+  location: location
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'StorageV2'
+  properties: {
+    supportsHttpsTrafficOnly: false
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: 'Allow'
+      ipRules: [
+        {
+          ipAddressOrRange: '0.0.0.0/0'
+        }
+      ]
+    }
+  }
+}