Checkmarx · cx-andre-pereira · Oct 13, 2025 · Sep 29, 2025 · Sep 29, 2025 · Sep 29, 2025
@@ -17,7 +17,6 @@ CxPolicy[result] {
 
 	common_lib.is_allow_effect(statement)
 	ilegal_action := is_ilegal(statement.Action)
-	ilegal_action != "none"
 
 	result := {
 		"documentId": input.document[i].id,
@@ -42,7 +41,6 @@ CxPolicy[result] {
 
 	common_lib.is_allow_effect(statement)
 	ilegal_action := is_ilegal(statement.Action)
-	ilegal_action != "none"
 
 	result := {
 		"documentId": input.document[i].id,
@@ -67,4 +65,4 @@ is_ilegal(Action) = Action {
 	]
 	res := concat(", ", illegal_actions_list)
 	res != ""
-} else = "none"
+}
@@ -26,7 +26,6 @@ get_results(resource,doc,name) = results {
 	results := does_not_have_valid_stage_name(resource,doc,name)
 } else = results {
 	r2 := does_not_have_valid_stage_name(resource,doc,name)
-	r2 != ""
 	results := does_not_have_valid_destination_arn(resource,doc,name)
 }
 

@@ -5,7 +5,6 @@ import data.generic.terraform as tf_lib
 
 CxPolicy[result] {
     load_balancer := get_load_balancer(input.document[i].resource)
-    load_balancer != ""
     resource := input.document[i].resource[load_balancer][name]
 
     not common_lib.valid_key(resource, "access_logs")

@@ -14,7 +14,6 @@ CxPolicy[result] { # resources
 	statement := st[st_index]
 	common_lib.is_allow_effect(statement)
     illegal_action := is_illegal(statement.Action)
-	illegal_action != "none"
 
 	result := {
 		"documentId": input.document[i].id,
@@ -38,7 +37,6 @@ CxPolicy[result] { # modules
 	statement := st[st_index]
 	common_lib.is_allow_effect(statement)
 	illegal_action := is_illegal(statement.Action)
-	illegal_action != "none"
 
 	result := {
 		"documentId": input.document[i].id,
@@ -76,7 +74,6 @@ prepare_issue_data_source(statement, name, index, is_unique_element) = res {
 	not is_unique_element
 	common_lib.is_allow_effect(statement)
     illegal_action := is_illegal(statement.actions)
-	illegal_action != "none"
 
 	res := {
 		"sk": sprintf("aws_iam_policy_document[%s].statement[%d].actions", [name, index]),
@@ -89,7 +86,6 @@ prepare_issue_data_source(statement, name, index, is_unique_element) = res {
 	is_unique_element
 	common_lib.is_allow_effect(statement)
 	illegal_action := is_illegal(statement.actions)
-	illegal_action != "none"
 
 	res := {
 		"sk": sprintf("aws_iam_policy_document[%s].statement.actions", [name]),
@@ -124,4 +120,4 @@ is_illegal(Action) = Action {
 	]
 	res := concat(", ", illegal_actions_list)
 	res != ""
-} else = "none"
+}
@@ -8,7 +8,6 @@ CxPolicy[result] {
 	resource := input.document[i].resource.aws_db_parameter_group[name]
 
     undefined_parameters_message = get_undefined_parameters(resource)
-    undefined_parameters_message != "none"
 
 	result := {
 		"documentId": input.document[i].id,
@@ -70,7 +69,7 @@ get_undefined_parameters(resource) = "log_statement and log_min_duration_stateme
     not log_statement_defined(resource.parameter) 
 } else = "log_min_duration_statement is" {
     not log_min_duration_statement_defined(resource.parameter)
-} else = "none"
+}
 
 log_statement_defined(parameters) {
     parameters[_].name == "log_statement"
@@ -92,7 +91,7 @@ get_wrong_values(parameters) = "both"{
 } else = "log_min_duration_statement has" {
     parameters[i2].name == "log_min_duration_statement"
     parameters[i2].value != "1"
-} else = "none"
+}
 
 
 get_extra_path(statement,parameters) = path {

@@ -31,7 +31,6 @@ CxPolicy[result] { # 1.3 is the latest tls
 	app := input.document[i].resource[types[t]][name]
 
 	results := minimum_tls_undefined_or_not_latest(app,types[t],name)
-	results != ""
 
 	result := {
 		"documentId": input.document[i].id,
@@ -87,4 +86,4 @@ minimum_tls_undefined_or_not_latest(app,type,name) = results {
 		}),
 		"remediationType" : "replacement",
 	}
-} else = ""
+}
@@ -10,7 +10,6 @@ CxPolicy[result] {
 
 	not resource.site_config.http2_enabled  
 	results := client_certificate_is_undefined_or_false(resource,name,types[t])
-	results != ""
 
 	result := {
 		"documentId": input.document[i].id,
@@ -74,7 +73,7 @@ client_certificate_is_undefined_or_false(resource,name,type) = results { # case
 		}),
 		"remediationType": "replacement",
 	}
-} else = ""
+}
 
 get_field("azurerm_app_service")     = "client_cert_enabled" 
 get_field("azurerm_linux_web_app")   = "client_certificate_enabled"

@@ -3,43 +3,94 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
+types := {"azurerm_function_app", "azurerm_linux_function_app", "azurerm_windows_function_app"}
+
 CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
+	doc := input.document[i]
+	resource := doc.resource[types[t]][name]
 
-	not common_lib.valid_key(function, "auth_settings")
+	res := prepare_issues(resource, types[t], name)
 
 	result := {
-		"documentId": input.document[i].id,
-		"resourceType": "azurerm_function_app",
-		"resourceName": tf_lib.get_resource_name(function, name),
-		"searchKey": sprintf("azurerm_function_app[%s]", [name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].auth_settings' should be defined and not null", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].auth_settings' is undefined or null", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name], []),
-		"remediation": "\nauth_settings {\n\t\tenabled = true\n\t}\n",
-		"remediationType": "addition",
+		"documentId": doc.id,
+		"resourceType": types[t],
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": res["sk"],
+		"searchLine": res["sl"],
+		"issueType": res["it"],
+		"keyExpectedValue": res["kev"],
+		"keyActualValue": res["kav"],
+		"remediation": res["rem"],
+		"remediationType": res["rt"],
 	}
 }
 
-CxPolicy[result] {
-	function := input.document[i].resource.azurerm_function_app[name]
-
-	function.auth_settings.enabled != true
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": "azurerm_function_app",
-		"resourceName": tf_lib.get_resource_name(function, name),
-		"searchKey": sprintf("azurerm_function_app[%s].auth_settings.enabled", [name]),
-		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("'azurerm_function_app[%s].auth_settings.enabled' should be set to true", [name]),
-		"keyActualValue": sprintf("'azurerm_function_app[%s].auth_settings.enabled' is not set to true", [name]),
-		"searchLine": common_lib.build_search_line(["resource", "azurerm_function_app", name, "auth_settings", "enabled"], []),
-		"remediation": json.marshal({
+prepare_issues(resource, type, name) = res { # auth_settings not defined for azurerm_function_app (legacy)
+	not common_lib.valid_key(resource, "auth_settings")
+	type == "azurerm_function_app"
+	res := {
+		"sk": sprintf("%s[%s]", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name], []),
+		"it": "MissingAttribute",
+		"kev": sprintf("'%s[%s].auth_settings' should be defined", [type, name]),
+		"kav": sprintf("'%s[%s].auth_settings' is not defined", [type, name]),
+		"rem": "auth_settings {\n\t\tenabled = true\n\t}",
+		"rt": "addition", 
+	}
+} else = res{ # auth_settings and auth_settings_v2 not defined
+	not common_lib.valid_key(resource, "auth_settings")
+	not common_lib.valid_key(resource, "auth_settings_v2")
+	res := {
+		"sk": sprintf("%s[%s]", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name], []),
+		"it": "MissingAttribute",
+		"kev": sprintf("'%s[%s].auth_settings' or '%s[%s].auth_settings_v2' should be defined", [type, name, type, name]),
+		"kav": sprintf("'%s[%s].auth_settings' and '%s[%s].auth_settings_v2' are not defined", [type, name, type, name]),
+		"rem": "auth_settings {\n\t\tenabled = true\n\t}",
+		"rt": "addition", 
+	}
+} else = res { # auth_settings field defined and auth_settings.enabled defined to false
+	not common_lib.valid_key(resource, "auth_settings_v2")
+	common_lib.valid_key(resource, "auth_settings")
+	resource.auth_settings.enabled == false
+	res := {
+		"sk": sprintf("'%s[%s].auth_settings.enabled'", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name, "auth_settings", "enabled"], []),
+		"it": "IncorrectValue",
+		"kev": sprintf("'%s[%s].auth_settings.enabled' should be defined to 'true'", [type, name]),
+		"kav": sprintf("'%s[%s].auth_settings.enabled' is defined to 'false'", [type, name]),
+		"rem": json.marshal({
 			"before": "false",
 			"after": "true"
 		}),
-		"remediationType": "replacement",
+		"rt": "replacement",
 	}
-}
+}  else = res { # auth_settings_v2 field defined with the field auth_enabled defined to false
+	common_lib.valid_key(resource, "auth_settings_v2")
+	common_lib.valid_key(resource.auth_settings_v2, "auth_enabled")
+	resource.auth_settings_v2.auth_enabled == false 
+	res := {
+		"sk": sprintf("%s[%s].auth_settings_v2.auth_enabled", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name, "auth_settings_v2", "auth_enabled"], []),
+		"it": "IncorrectValue",
+		"kev": sprintf("'%s[%s].auth_settings_v2.auth_enabled' should be defined to 'true'", [type, name]),
+		"kav": sprintf("'%s[%s].auth_settings_v2.auth_enabled' is defined to 'false'", [type, name]),
+		"rem": json.marshal({
+			"before": "false",
+			"after": "true"
+		}),
+		"rt": "replacement",
+	}
+} else = res { # auth_settings_v2 field defined but without the field auth_enabled defined
+	common_lib.valid_key(resource, "auth_settings_v2")
+	not common_lib.valid_key(resource.auth_settings_v2, "auth_enabled")
+	res := {
+		"sk": sprintf("%s[%s].auth_settings_v2", [type, name]),
+		"sl": common_lib.build_search_line(["resource", type, name, "auth_settings_v2"], []),
+		"it": "MissingAttribute",
+		"kev": sprintf("'%s[%s].auth_settings_v2.auth_enabled' should be defined (default value is 'false')", [type, name]),
+		"kav": sprintf("'%s[%s].auth_settings_v2.auth_enabled' is not defined", [type, name]),
+		"rem": "auth_enabled = true",
+		"rt": "addition",
+	}
+} 
@@ -0,0 +1,11 @@
+resource "azurerm_function_app" "negative1" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  auth_settings {
+    enabled = true
+  }
+}
+
@@ -0,0 +1,37 @@
+resource "azurerm_linux_function_app" "negative2-1" {
+  name                = "example-app-service"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  auth_settings {
+    enabled = true
+  }
+  site_config {}
+}
+
+resource "azurerm_linux_function_app" "negative2-2" {
+  name                = "example-app-service"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  auth_settings_v2 {
+    login {}
+    auth_enabled = true
+  }
+  site_config {}
+}
+
+resource "azurerm_linux_function_app" "negative2-3" {
+  name                = "example-app-service"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  auth_settings {
+    enabled = false
+  }
+  auth_settings_v2 {
+    login {}
+    auth_enabled = true
+  }
+  site_config {}
+}
@@ -0,0 +1,37 @@
+resource "azurerm_windows_function_app" "negative3-1" {
+  name                = "example-app-service"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  auth_settings {
+    enabled = true
+  }
+  site_config {}
+}
+
+resource "azurerm_windows_function_app" "negative3-2" {
+  name                = "example-app-service"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  auth_settings_v2 {
+    login {}
+    auth_enabled = true
+  }
+  site_config {}
+}
+
+resource "azurerm_windows_function_app" "negative3-3" {
+  name                = "example-app-service"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_service_plan.example.location
+  service_plan_id     = azurerm_service_plan.example.id
+  auth_settings {
+    enabled = false
+  }
+  auth_settings_v2 {
+    login {}
+    auth_enabled = true
+  }
+  site_config {}
+}
@@ -1,8 +1,27 @@
-resource "azurerm_function_app" "positive1" {
-  name                       = "test-azure-functions"
-  location                   = azurerm_resource_group.example.location
-  resource_group_name        = azurerm_resource_group.example.name
-  app_service_plan_id        = azurerm_app_service_plan.example.id
-  storage_account_name       = azurerm_storage_account.example.name
-  storage_account_access_key = azurerm_storage_account.example.primary_access_key
+resource "azurerm_function_app" "positive1-1" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+  }
+}
+
+resource "azurerm_function_app" "positive1-2" {
+  name                = "example-app-service"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  app_service_plan_id = azurerm_app_service_plan.example.id
+
+  site_config {
+    dotnet_framework_version = "v4.0"
+    scm_type                 = "LocalGit"
+  }
+
+  auth_settings {
+    enabled = false
+  }
 }