Audit Azure Web App against NotLegit vulnerability

Have you seen the research NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories from Wiz? In short, according to their research, if your Azure App Service uses Local Git, your source code may have been compromised.

As a SecOps analyst, you are responsible for auditing your Azure cloud environment to check whether any App Service is using Local Git. This article provides a script and an Azure Policy template to help you with that audit.

[Updated 12/25/2021] Added Azure Policy to deny Azure App service that is created or updated using Local Git.

[Updated 12/23/2021] Microsoft just released an article for this vulnerability here.

The audit script is uploaded here. Provide the name of the report file and the location where it should be stored.

The script exports a CSV report to the given location:
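As an added example (not the script linked above), here is a Python version of the same audit: it flags every app whose siteConfig.scmType is LocalGit and writes the CSV report. It also walks deployment slots, which the audit policy below (scoped to Microsoft.Web/sites) does not evaluate; the azure-mgmt-web and azure-identity calls in collect_from_azure() are assumptions about those SDKs, and SAMPLE is constructed data.

```python
import csv
import io

LOCAL_GIT = "LocalGit"
FIELDS = ["subscription", "resourceGroup", "app", "slot", "scmType"]

def classify(records):
    """Keep only records whose siteConfig.scmType is Local Git. A missing or null
    scmType is treated as "None", which is compliant under the policy's
    `notEquals LocalGit` existence condition."""
    return [dict(r, scmType=r.get("scmType") or "None") for r in records
            if (r.get("scmType") or "None") == LOCAL_GIT]

def to_csv(findings):
    """Serialise the findings as the CSV report, one row per affected app or slot."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(findings)
    return out.getvalue()

def collect_from_azure(subscription_id):
    """Yield one record per web app and per deployment slot (assumes the
    azure-identity and azure-mgmt-web packages; imports are deferred so the
    functions above run offline). Slot resource names arrive as "app/slot"."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.web import WebSiteManagementClient
    client = WebSiteManagementClient(DefaultAzureCredential(), subscription_id)
    for site in client.web_apps.list():
        rg = site.resource_group
        cfg = client.web_apps.get_configuration(rg, site.name)
        yield {"subscription": subscription_id, "resourceGroup": rg,
               "app": site.name, "slot": "", "scmType": cfg.scm_type}
        for slot in client.web_apps.list_slots(rg, site.name):
            slot_name = slot.name.split("/")[-1]
            scfg = client.web_apps.get_configuration_slot(rg, site.name, slot_name)
            yield {"subscription": subscription_id, "resourceGroup": rg,
                   "app": site.name, "slot": slot_name, "scmType": scfg.scm_type}

SAMPLE = [  # constructed sample records (not real resources), standing in for collect_from_azure()
    {"subscription": "sub-0000", "resourceGroup": "rg-web", "app": "web-portal", "slot": "", "scmType": "None"},
    {"subscription": "sub-0000", "resourceGroup": "rg-web", "app": "web-legacy", "slot": "", "scmType": "LocalGit"},
    {"subscription": "sub-0000", "resourceGroup": "rg-api", "app": "web-api", "slot": "", "scmType": "GitHub"},
    {"subscription": "sub-0000", "resourceGroup": "rg-api", "app": "web-api", "slot": "staging", "scmType": "LocalGit"},
]

if __name__ == "__main__":
    print(to_csv(classify(SAMPLE)), end="")
```

To audit a real subscription, replace SAMPLE with `list(collect_from_azure("<subscription id>"))` and write the returned CSV text to the report path.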

Azure Policy

If you don’t like running the script manually, Azure Policy is a good approach for periodic audits. The sample policy below audits the Scm type.

{
  "properties": {
    "displayName": "Audit Web App Scm Type",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "This policy is used to audit if an Azure App Service is configured with Local Git",
    "parameters": {
      "policyEffect": {
        "type": "String",
        "metadata": {
          "displayName": "The policy effect mode",
          "description": "The policy effect mode"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ]
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      "then": {
        "effect": "[parameters('policyEffect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/scmType",
            "notEquals": "LocalGit"
          }
        }
      }
    }
  }
}

You can use the sample Azure Policy template here to test.

Prevention

If you want to prevent people from creating or updating an Azure web app with Local Git, you can use the following Azure Policy with the deny effect. Below is a sample:

{
  "properties": {
    "displayName": "Deny Azure App Service that uses Local Git",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {},
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Web/sites/config"
              },
              {
                "field": "Microsoft.Web/sites/config/scmType",
                "equals": "LocalGit"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

Sample ARM template to deploy Azure Policy with Deny mode can be found here.

If you have any feedback, please feel free to leave a comment in the Comment box or create a new GitHub issue.

This entry was posted in Governance & Compliance.

3 Responses to Audit Azure Web App against NotLegit vulnerability

  1. ZhangZ says:

    This is a great article. It saved me a bunch of time, to be honest. Thanks a lot!

    Is it possible to prevent someone from creating or updating to use LocalGit?

  2. Alexmsft says:

    Another great article that helps me save a lot of time.

    Thanks a lot for writing it. Merry Christmas and Happy New Year.
