Azure / Azure-Verified-Modules

Azure Verified Modules (AVM) is an initiative to consolidate and set the standards for what a good Infrastructure-as-Code module looks like. Modules will then align to these standards, across languages (Bicep, Terraform, etc.), will then be classified as AVMs and will be available from their respective language-specific registries.

Home Page: https://aka.ms/AVM

[Feedback]: Security reports based on Bicep template security scans

johnlokerse opened this issue · comments

commented

Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Description

Hi AVM team,

Currently, I am working within an organisation that has some high-security standards and I am trying to let them adopt Azure Verified Modules from the container registry (mcr.microsoft.com). The problem I am running into is that there are security concerns regarding using externally loaded modules on runtime to deploy their critical infrastructure. There is no control, or any security overview regarding this. The external source, in this case, a domain from *.microsoft.com is trusted and allowed to be used.

I know I am not the only one not being able to use AVM via the MCR due to security concerns, and this can cause other problems like using outdated AVM modules or having to clone AVM and having to figure out security scans and update mechanisms.

A solution could be automated security scans of the Bicep modules, which in the end will result in a security report. It might be a "simple" page on which the security status can be seen or a SARIF-formatted file... This can help answer security-based questions and elevate trust in using AVM using the container registry, and it will help with the adoption of AVM for larger organisations.

Is this something that's already on the radar?

commented

I do not have experience with Defender for Resource Manager (yet) but this could also be useful: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-resource-manager-introduction

@Azure/avm-core-team-technical-bicep, can you please take a look at this? Thanks!

commented

@matebarabas Do you have any updates on this?

@johnlokerse, I just flagged it internally too for @Azure/avm-core-team-technical-bicep. Thank you for your patience!

Question for you @johnlokerse, would a report from say PSRule for Azure or the Microsoft Defender for Cloud for DevOps be sufficient to "unblock" your customers? Or is their concern actually more to do with the MCR and the module publishing process?

I suppose what I'm trying to work out is, is this a trust issue with the modules themselves and what they can deploy and how they configure resources, OR is it more to do with SBOM (Software Bill of Materials) types of concerns and the security of the MCR itself?

Let us know

#RR

commented

Hey @jtracey93, results from PSRule and/or Defender for DevOps would be great to have! For the customer(s) I am working for, the MCR is not the problem, since this is coming from a microsoft.com domain. I do not have experience with SBOM so I don't know about that.

What I think is important is that having these "security reports" makes it easier to get the conversation going on using the BCR modules from a public source. These modules are an abstraction and you are not sure what the module contains. So having a public report of the results from Defender for DevOps (and ARM?) and/or PSRule for Azure would be great to have.

I think you are right when you say that it is a trust issue and what the modules deploy to Azure environments. So, the combination of being open source, coming from a Microsoft domain and having "security reports" is a big plus and gets the conversation going.

Are there more requests like these? I cannot imagine I am the only one with this question. 😄

Thanks @johnlokerse for the response 👍

We are getting some similar asks on this, but mainly around MCR and how they can clone it internally as they don't want to pull from a public source, which you and I have chatted about before as being not a great idea unless you have the resources to maintain it properly.

The PSRule outputs are already displayed in all GH Actions workflows; as an example, here's a VM one: https://github.com/Azure/bicep-registry-modules/actions/runs/9756800804#summary-26927920866

Could you ask your customer if these are sufficient and do they just need to be exposed more easily? Also would love your opinion too.

Let us know

#RR

commented

@jtracey93 The bot sends out great reminders... 😄️ Forgot to reply.

Building something that pulls AVM, scans the templates and then stores it in a private ACR would be okay, but how to deal with greenfield scenarios? Still in my opinion if you do this, why not just trust Microsoft if they can give us the "proof" that the templates are secure... Having to clone a public repository that is then stored in a private container is literally the same.

My question is not yet answered due to people being busy or being on holiday. I will come back on this! If you ask me, a dedicated status page, like a status badges page on the AVM site, would be nice. This page could help me support my case to security decision-makers (with mostly on-premises experience) to use AVM.

It can be simple: a brief explanation of what is being scanned by DfD/DfARM or being held against PSRule, including a table with all statuses like this:

image

This is just my current brain dump... might think different later 😉
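The SARIF-formatted report proposed earlier in the thread and the per-module status table sketched above can be joined up with a small script. The following Python is an added example, not AVM, BRM or PSRule code: it folds a SARIF 2.1.0 report (the shape PSRule emits) into one pass/fail row per module and renders it as Markdown. The module id derivation (first four path segments, i.e. avm/&lt;class&gt;/&lt;namespace&gt;/&lt;name&gt;, following the bicep-registry-modules layout) is an assumption, and the embedded SARIF document is constructed sample data, not real scan output.

```python
"""Added example: turn a PSRule SARIF report into a per-module status table."""
from collections import defaultdict

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF 2.1.0 levels

def module_id(uri: str, depth: int = 4) -> str:
    """Assumed mapping: first `depth` path segments, e.g. avm/res/storage/storage-account."""
    return "/".join(uri.replace("\\", "/").lstrip("./").split("/")[:depth])

def summarise(sarif: dict) -> dict:
    """Return {module: {"pass": n, "fail": n, "worst": level, "rules": [failed rule ids]}}."""
    table = defaultdict(lambda: {"pass": 0, "fail": 0, "worst": "none", "rules": []})
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            kind = res.get("kind", "fail")        # SARIF default kind is "fail"
            level = res.get("level", "warning")   # SARIF default level is "warning"
            for loc in res.get("locations") or [{}]:
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "<unknown>")
                row = table[module_id(uri)]
                if kind == "pass":
                    row["pass"] += 1
                    continue
                row["fail"] += 1
                if res.get("ruleId", "?") not in row["rules"]:
                    row["rules"].append(res.get("ruleId", "?"))
                if LEVEL_RANK.get(level, 0) > LEVEL_RANK[row["worst"]]:
                    row["worst"] = level          # keep the most severe failing level
    return dict(table)

def render_markdown(table: dict) -> str:
    """Render the status table as Markdown, one row per module, sorted by id."""
    out = ["| Module | Status | Passed | Failed | Failing rules |", "|---|---|---|---|---|"]
    for mod in sorted(table):
        r = table[mod]
        state = "Pass" if r["fail"] == 0 else f"Fail ({r['worst']})"
        out.append(f"| {mod} | {state} | {r['pass']} | {r['fail']} | {', '.join(r['rules']) or '-'} |")
    return "\n".join(out)
def _result(rule, kind, level, uri):  # builds one SARIF result object
    return {"ruleId": rule, "kind": kind, "level": level,
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}

# Constructed sample in the shape PSRule writes as SARIF; not real scan output.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "PSRule"}}, "results": [
    _result("Azure.Storage.MinTLS", "fail", "error", "avm/res/storage/storage-account/main.bicep"),
    _result("Azure.Storage.SecureTransfer", "pass", "none", "avm/res/storage/storage-account/main.bicep"),
    _result("Azure.KeyVault.SoftDelete", "pass", "none", "avm/res/key-vault/vault/main.bicep")]}]}

if __name__ == "__main__":
    print(render_markdown(summarise(SAMPLE_SARIF)))
```

Pointing `summarise` at a real report only requires `json.load`-ing the SARIF file PSRule produced in the workflow; failing rule ids link straight back to the PSRule for Azure rule documentation.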

Thanks @johnlokerse, love the sketch up as well here 👍

Keep me posted on the outcome of the reply to the question.