feat(tf): Add initial StorageAccount support #158
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
- Doesn't break compatibility
Pull Request Overview
This PR adds initial support for Azure Storage Account resources to the codeql-hcl library, expanding beyond the existing managed disk and storage container coverage. The changes enable security analysis of Azure Storage Accounts by detecting public access configurations across different provider versions.
Key changes:
- Added Azure Storage Account support with comprehensive property parsing for v2 and v3 provider versions
- Refactored existing Azure resource definitions into modular, domain-specific files
- Enhanced the PublicStorage security query to detect insecure storage account configurations
Reviewed Changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| ql/lib/codeql/hcl/providers/azure/Storage.qll | New dedicated module containing all Azure storage-related resources including StorageAccount, StorageContainer, and ManagedDisk |
| ql/lib/codeql/hcl/security/PublicStorage.qll | New security library defining AzurePublicStorage class to detect public storage configurations |
| ql/src/security/Terraform/Azure/ManagedDisk/PublicAccess.ql | Updated query to use the new PublicStorage library for broader Azure storage security coverage |
| ql/lib/codeql/hcl/providers/Azure.qll | Refactored to import modular Azure service definitions instead of containing all classes directly |
| ql/lib/codeql/hcl/Terraform.qll | Added semantic version support for provider version comparison |
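As an added illustration of the version split described in the overview above (example code, not the PR's CodeQL or the codeql-hcl library): a small Python checker over constructed Terraform text that picks the attribute governing public blob access by azurerm major version. The attribute names and defaults (`allow_blob_public_access`, default false in v2; `allow_nested_items_to_be_public`, default true in v3) are assumed from the azurerm provider documentation, and the regex parsing stands in for a real HCL parser.

```python
import re

# Added example, not codeql-hcl code: azurerm major version -> (attribute that exposes
# blob data publicly, its provider default). Only the v3 attribute defaults to public.
PUBLIC_ATTR = {
    2: ("allow_blob_public_access", False),
    3: ("allow_nested_items_to_be_public", True),
}

PROVIDER_RE = re.compile(r'azurerm\s*=\s*{[^}]*version\s*=\s*"[^0-9]*(\d+)\.', re.S)
ACCOUNT_RE = re.compile(r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*{(.*?)^}', re.S | re.M)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(\S+)', re.M)

# Constructed Terraform input: one account leaves the attribute unset, one disables it.
SAMPLE_V3 = '''
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}
resource "azurerm_storage_account" "unset" {
  name                = "unsetpublic"
  resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_storage_account" "locked" {
  name                            = "locked"
  allow_nested_items_to_be_public = false
}
'''

def provider_major(tf: str) -> int:
    """Major version from the azurerm constraint in required_providers; assume 3 if absent."""
    m = PROVIDER_RE.search(tf)
    return int(m.group(1)) if m else 3

def public_storage_accounts(tf: str) -> list:
    """Return (resource name, attribute, reason) for each account whose blobs may be public."""
    attr, default = PUBLIC_ATTR.get(provider_major(tf), PUBLIC_ATTR[3])  # v3 naming for later majors
    findings = []
    for name, body in ACCOUNT_RE.findall(tf):
        attrs = {k: v.rstrip(",") for k, v in ATTR_RE.findall(body)}
        if attr not in attrs:
            if default:  # nothing set and the provider default is public
                findings.append((name, attr, "unset, provider default is true"))
        elif attrs[attr] == "true":
            findings.append((name, attr, "explicitly true"))
    return findings

if __name__ == "__main__":
    print(public_storage_accounts(SAMPLE_V3))
    print(public_storage_accounts(SAMPLE_V3.replace('"~> 3.0"', '"~> 2.99"')))  # same file under v2
```

Under the v2 constraint the same unset account produces no finding, which is the behaviour a version-aware query has to reproduce.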
| account_kind = "BlobStorage" | ||
| account_tier = "Standard" | ||
| account_replication_type = "GRS" | ||
| resource_group_name = azurerm_resource_group.example |
Copilot (AI), Sep 8, 2025:
The resource_group_name attribute should reference azurerm_resource_group.example.name instead of the resource object itself.
| account_kind = "BlobStorage" | ||
| account_tier = "Standard" | ||
| account_replication_type = "GRS" | ||
| resource_group_name = azurerm_resource_group.example |
Copilot (AI), Sep 8, 2025:
The resource_group_name attribute should reference azurerm_resource_group.example.name instead of the resource object itself.
| account_kind = "BlobStorage" | ||
| account_tier = "Standard" | ||
| account_replication_type = "GRS" | ||
| resource_group_name = azurerm_resource_group.example |
Copilot (AI), Sep 8, 2025:
The resource_group_name attribute should reference azurerm_resource_group.example.name instead of the resource object itself.
allow_nested_items_to_be_public should be disabled #156