ARMChecker/ARMChecker.ps1

# Fail fast on uninitialized variables, missing properties and similar sloppy constructs for this
# script scope and its child scopes (the function below included).
Set-StrictMode -Version Latest

function Get-AzSKARMTemplateSecurityStatus
{
    <#
    .SYNOPSIS
    Evaluates ARM Templates for security issues.
    .DESCRIPTION
    Builds an [ARMCheckerStatus] for the current invocation and delegates the scan to its
    EvaluateStatus method, forwarding every parameter below. A "command started" event is
    published through [AIOrgTelemetryHelper] before processing and an error event on failure.
     
    .PARAMETER ARMTemplatePath
        Path to ARM Template file or folder
 
    .PARAMETER ParameterFilePath
        Path to Template parameter file or folder
 
    .PARAMETER Recurse
        Gets the ARM Templates in the specified locations and in all child folders of the locations
 
    .PARAMETER DoNotOpenOutputFolder
        Switch to specify whether to open output folder containing all security evaluation report or not
 
    .PARAMETER ExcludeFiles
        Comma-separated list of JSON files to be excluded from scan
 
    .PARAMETER ExcludeControlIds
        Comma-separated list of control ids to be excluded from scan
 
    .PARAMETER ControlIds
        Comma-separated list of control ids used to filter the security controls that are scanned
 
    .PARAMETER UseBaselineControls
        Switch forwarded to EvaluateStatus. No HelpMessage is declared for it; presumably it restricts
        the scan to the baseline control set — confirm against ARMCheckerStatus.
 
    .PARAMETER UsePreviewBaselineControls
        Switch forwarded to EvaluateStatus. No HelpMessage is declared for it; presumably it restricts
        the scan to the preview baseline control set — confirm against ARMCheckerStatus.
 
    .PARAMETER Severity
        Comma-separated severities of the controls to be scanned, e.g. "High, Medium"
 
    .PARAMETER SkipControlsFromFile
        Path to file containing list of controls to skip
 
    .OUTPUTS
        Whatever [ARMCheckerStatus]::EvaluateStatus returns. When construction or evaluation throws,
        nothing is returned: the error is written to the host and to telemetry, not to the error stream.
 
    .LINK
    https://aka.ms/azskossdocs
 
    #>

    Param(
        [Parameter(Mandatory = $true, HelpMessage = "Path to ARM Template file or folder")]
        [string]        
        [Alias("atp")]
        $ARMTemplatePath,

        [Parameter(Mandatory = $false, HelpMessage = "Path to Template paramter file or folder")]
        [string]        
        [Alias("pfp")]
        $ParameterFilePath,

        [Parameter(Mandatory = $false, HelpMessage = "Gets the ARM Temaplates in the specified locations and in all child folders of the locations")]
        [switch]  
        [Alias("rcs")]
        $Recurse,

        [switch]
        [Parameter(Mandatory = $false, HelpMessage = "Switch to specify whether to open output folder containing all security evaluation report or not")]
        [Alias("dnof")]
        $DoNotOpenOutputFolder,

        [Parameter(Mandatory = $false, HelpMessage = "Comma-separated list of JSON files to be excluded from scan")]
        [string]  
        [Alias("ef")]
        $ExcludeFiles,
        
        # Empty string is explicitly allowed so callers can pass "" to mean "exclude nothing".
        [string] 
        [Parameter(Mandatory = $false, HelpMessage = "Comma-separated list of control ids to be excluded from scan")]        
        [Alias("xcids")]
        [AllowEmptyString()]
        $ExcludeControlIds,

        # Empty string is explicitly allowed so callers can pass "" to mean "no control filter".
        [string] 
        [Parameter(Mandatory = $false, HelpMessage="Comma separated control ids to filter the security controls. e.g.: Azure_Subscription_AuthZ_Limit_Admin_Owner_Count, Azure_Storage_DP_Encrypt_At_Rest_Blob etc.")]
        [Alias("cids")]
        [AllowEmptyString()]
        $ControlIds,
        
        [switch]
        [Parameter(Mandatory = $false)]
        [Alias("ubc")]
        $UseBaselineControls,

        [switch]
        [Parameter(Mandatory = $false)]
        [Alias("upbc")]
        $UsePreviewBaselineControls,

        [string] 
        [Parameter(Mandatory = $false, HelpMessage="Specify the severity of controls to be scanned. Example `"High, Medium`"")]
        [Alias("ControlSeverity")]
        $Severity,


        [Parameter(Mandatory = $false, HelpMessage = "Path to file containing list of controls to skip")]
        [string]  
        [Alias("scf")]
        $SkipControlsFromFile
    )

    Begin
    {
        # Telemetry: record that the command was invoked (empty property set, null third argument).
        [AIOrgTelemetryHelper]::PublishARMCheckerEvent("ARMChecker Command Started",@{}, $null)
    }

    Process
    {
        try 
        {
            # The checker is handed this invocation so it can inspect how the command was called.
            $armStatus = [ARMCheckerStatus]::new($PSCmdlet.MyInvocation);
            if ($armStatus) 
            {
                # All parameters are forwarded positionally in this order; `return` ends the Process
                # block for the current pipeline input and emits the evaluation result.
                return $armStatus.EvaluateStatus($ARMTemplatePath,$ParameterFilePath,$Recurse,$SkipControlsFromFile,$ExcludeFiles,$ExcludeControlIds,$ControlIds,$UseBaselineControls,$UsePreviewBaselineControls, $Severity);                
            }    
        }
        catch 
        {
            # Failure path: the error record is rendered for the console and published to telemetry.
            # NOTE(review): the message goes out via Write-Host, not Write-Error, so a failed scan never
            # reaches the error stream and cannot be detected by callers through -ErrorAction or $?.
            # NOTE(review): the entire error record is sent as the "Exception" property; it may carry
            # local paths or fragments of the scanned template — confirm this is acceptable for telemetry.
            $formattedMessage = [Helpers]::ConvertObjectToString($_, $false);        
            Write-Host $formattedMessage -ForegroundColor Red
            [AIOrgTelemetryHelper]::PublishARMCheckerEvent("ARMChecker Command Error",@{"Exception"=$_}, $null)
        }  
    }
    End
    {
        # Nothing to do once the pipeline has drained.
    }
}