Framework/Core/SVT/Services/ContainerRegistry.ps1

Set-StrictMode -Version Latest 
class ContainerRegistry: AzSVTBase
{       
    hidden [PSObject] $ResourceObject;
    hidden [PSObject] $AccessList;

    ContainerRegistry([string] $subscriptionId, [SVTResource] $svtResource): 
        Base($subscriptionId, $svtResource) 
    { 
        $this.GetResourceObject();
    }

    hidden [PSObject] GetResourceObject()
    {
        if (-not $this.ResourceObject) 
        {
            $this.ResourceObject = Get-AzContainerRegistry -Name $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName

            if(-not $this.ResourceObject)
            {
                throw ([SuppressedException]::new(("Resource '{0}' not found under Resource Group '{1}'" -f ($this.ResourceContext.ResourceName), ($this.ResourceContext.ResourceGroupName)), [SuppressedExceptionType]::InvalidOperation))
            }

            # Get RBAC data to avoid multiple calls
            $this.AccessList = [RoleAssignmentHelper]::GetAzSKRoleAssignmentByScope($this.ResourceId, $false, $true);
        }
        return $this.ResourceObject;
    }

    hidden [ControlResult] CheckAdminUserStatus([ControlResult] $controlResult)
    {
        $isAdminUserEnabled = $this.ResourceObject.AdminUserEnabled
        
        if($isAdminUserEnabled)
        {
            $controlResult.EnableFixControl = $true;
            $controlResult.VerificationResult = [VerificationResult]::Failed
        }
        else
        {
            $controlResult.VerificationResult = [VerificationResult]::Passed
        }
    
        return $controlResult;
    }

    hidden [ControlResult] CheckResourceRBACAccess([ControlResult] $controlResult)
    {
        return $this.CheckRBACAccess($controlResult, $this.AccessList)
    }

    hidden [ControlResult] CheckResourceAccess([ControlResult] $controlResult)
    {
        $nonSPIdentities = $this.AccessList | Where-Object { $_.Scope -eq $this.ResourceId -and $_.ObjectType -ne 'ServicePrincipal' };
        
        if(($nonSPIdentities | Measure-Object).Count -ne 0)
        {
            $controlResult.SetStateData("Non Service Principal identities having RBAC access at resource level", ($nonSPIdentities | Select-Object -Property ObjectId,RoleDefinitionId,RoleDefinitionName,Scope));
            
            $controlResult.AddMessage([VerificationResult]::Failed, 
                            [MessageData]::new("Validate that the following non Service Principal identities have explicitly provided with RBAC access to resource - ["+ $this.ResourceContext.ResourceName +"]"));

            $controlResult.AddMessage([MessageData]::new($nonSPIdentities));
        }
        else 
        {
            $controlResult.AddMessage([VerificationResult]::Verify, 
                            [MessageData]::new("Validate that the inherited non Service Principal identities should not be used to access the resource - ["+ $this.ResourceContext.ResourceName +"]"));
        }
  
        return $controlResult;
    }

    hidden [ControlResult] CheckContainerWebhooks([ControlResult] $controlResult)
    {

        $webhooks = Get-AzContainerRegistryWebhook -RegistryName $this.ResourceContext.ResourceName -ResourceGroupName $this.ResourceContext.ResourceGroupName -ErrorAction SilentlyContinue

        if(($webhooks | Measure-Object).Count -gt 0)
        {
            $controlResult.VerificationResult = [VerificationResult]::Verify; 
            $controlResult.SetStateData("Webhook configured to the Container Registry", ($webhooks | Select-Object -Property Actions, Config, Id, Scope, Status));
            $controlResult.AddMessage([MessageData]::new("Review that image vulnerability scan is configured for all the repositories through following webhook(s) to the Container Registry - ["+ $this.ResourceContext.ResourceName +"]", 
                                                $webhooks));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed, 
                            [MessageData]::new("Webhooks for image vulnerability scan is not configured for the Container Registry - ["+ $this.ResourceContext.ResourceName +"]"));
        }
  
        return $controlResult;
    }

    hidden [ControlResult] CheckContentTrust([ControlResult] $controlResult)
    {
        $result = $null;
        $ResourceAppIdURI = [WebRequestHelper]::GetResourceManagerUrl()
        $uri = [System.String]::Format("{0}subscriptions/{1}/resourceGroups/{2}/providers/Microsoft.ContainerRegistry/registries/{3}/listPolicies?api-version=2017-10-01", $ResourceAppIdURI, $this.SubscriptionContext.SubscriptionId, $this.ResourceContext.ResourceGroupName, $this.ResourceContext.ResourceName)
            
        try 
        {     
            $result = [WebRequestHelper]::InvokeGetWebRequest($uri) 
        } 
        catch
        { 
            return $controlResult;
        }
  
        $isPolicyEnabled = $false
        if($null -ne $result)
        {
            if([Helpers]::CheckMember($result,"trustPolicy.status"))
            {
                if($result.trustPolicy.status -eq "enabled")
                {
                    $isPolicyEnabled = $true
                }
            }
        }

        if($isPolicyEnabled -eq $true)
        {
            $controlResult.AddMessage([VerificationResult]::Verify, 
                            [MessageData]::new("Verify that all the images in the repository must be signed."));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed, 
                            [MessageData]::new("Content Trust is not enabled for the Container Registry - ["+ $this.ResourceContext.ResourceName +"]"));
        }
        
        return $controlResult;
    }
}