azure-vm-unapproved-image: Azure VM Not Using Approved Image

id: azure-vm-unapproved-image
info:
  name: Azure VM Not Using Approved Image
  author: princechaddha
  severity: medium
  description: |
    Ensure that all the Azure virtual machine (VM) instances necessary for your application stack are launched from an approved base Azure machine image, known as golden machine image, in order to enforce application security best practices, consistency, and save time when scaling your application.
  impact: |
    Using unapproved machine images can lead to inconsistencies and potential security vulnerabilities in your application stack.
  remediation: |
    Ensure all Azure VM instances are launched from approved machine images. Update any instances that are not using the approved images.
  reference:
    - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview
  tags: cloud,devops,azure,microsoft,virtual-machine,azure-cloud-config

flow: |
  code(1);
  for (let VMData of iterate(template.vmList)) {
    VMData = JSON.parse(VMData);
    set("name", VMData.Name);
    set("resourceGroup", VMData.ResourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az vm list --output json --query '[*].{"Name":name,"ResourceGroup":resourceGroup}'

    extractors:
      - type: json
        name: vmList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az vm show --name "$name" --resource-group "$resourceGroup" --query '{"ImageId": storageProfile.imageReference.id}'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"ImageId": null'

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " is using an unapproved Azure machine image"'
# digest: 4a0a00473045022100a3fc1be6cd987d15f2b11480c2a5e5a9c97468035d43410e82b47bf0ec03bff102203036568b7b68a6eeeff07a587cb937f6482bb18bf0ea7c8e52314c21471803ba:922c64590222798bb761d5b6d8e72950