Behavior change to Azure app tests

[khesterproton]

Hi folks,

I've some questions about Azure app tests that arose when updating my Prowler version.

In v4.2.4 the following tests were running against my Python function apps:

app_client_certificates_on
app_ensure_auth_is_set_up
app_ensure_http_is_redirected_to_https
app_ensure_python_version_is_latest
app_ensure_using_http20
app_ftp_deployment_disabled
app_minimum_tls_version_12
app_register_with_identity

In v4.3.0 (continuing through v5.5.1) there was a change that made a distinction between web vs function apps. The tests above no longer run, and are instead replaced with:

app_function_access_keys_configured 
app_function_app_insights_is_configured
app_function_identity_without_admin_privileges 
app_function_identity_is_configured
app_function_not_publicly_accessible
app_function_runtime_is_the_latest
app_function_vnet_integration_enabled
app_function_ftps_deployment_disabled

Some of these look like duplicates/equivalents to the first list of tests. But also, some coverage seems to be lost, e.g. Prowler no longer runs app_ensure_python_version_is_latest to report that my apps are an older version of Python.

• Q1. Was it intended-and-desired to stop running all the previous tests on function apps?

Additionally, none of the new tests run on locked apps. For locked tests I now see this error rather than get any results: ERROR: Subscription name: ... -- ResourceExistsError[87]: (ScopeLocked) The scope ... cannot perform write operation because following scope(s) are locked: ... Please remove the lock and try again.

• Q2. Have I missed a permission change, or does this look like a bug?

I'm more than happy to convert either of these questions to a bug report, I just didn't know if that was polite or appropriate!

Thanks very much for your time (and fantastic software)!

[puchy22]

Hi @khesterproton,
The change was intentional at the time in order to separate WebApps from Functions, as there are certain configurations that apply specifically to WebApps and not to Functions. Treating both the same way was causing issues during the audit process.
I don’t recall the exact checks that were producing false negatives, but in some cases, the API would return None for WebApps, while returning the expected value for Functions. That’s why the distinction was made.

For those specific checks, some additional permissions are now required as part of the Prowler Role, you can check all that information in our documentation. Please verify if whether those permissions resolve the issue. In the case that the problem persists, feel free to share the error messages with me here so I can investigate whether it’s a bug.

Here are the relevant references:

Prowler Role for Azure: https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-azure-custom-role.json

Checks requiring special permissions: https://docs.prowler.com/projects/prowler-open-source/en/latest/getting-started/requirements/#checks-that-require-prowlerrole

Let me know if I can assist further!

[khesterproton]

Hi @puchy22,

Thanks very much for your response and explanation!

Unfortunately, I am still having trouble with locked apps, i.e. where I have a Read-only lock to prevent accidental overwrite or deletion.

I have the "Prowler Role" added.

• When I have a "Delete" lock, or no lock at all, all the app_function_* tests run.
• When I have a "Read-only" lock none of the app_function_* tests run. Instead, I see this error:

2025-04-26 03:27:55,073 [File: app_service.py:176] [Module: app_service] ERROR: Subscription name: xxxxxxxxx -- ResourceExistsError[127]: (ScopeLocked) The scope '/subscriptions/xxxxxxxxxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/sites/xxxxxx/host/default' cannot perform write operation because following scope(s) are locked: '/subscriptions/xxxxxxxxxxxx/resourceGroups/xxxxxx/providers/Microsoft.Web/sites/xxxxxx'. Please remove the lock and try again.
Code: ScopeLocked

The "cannot perform write operation" message is a little worrying since I'd expect Prowler to operate as read-only.

The v4.2.4 set of tests ran successfully on locked function apps, so I assume this is not a fundamental problem. I.e. I hope there's a change where the new tests can run on locked apps too?

Unfortunately, I can't work around the problem by unlocking all apps because we run Prowler on third-parties.

If you're able to investigate that would be most appreciated. Thanks again!

[puchy22]

Hi @khesterproton,

You’re right, that’s not expected behavior. I’ve gone ahead and opened an issue (#7651) so we can properly track this. If you don’t mind, we’ll continue the conversation there so we can close this discussion. Thanks so much for reporting it! I’ll start working on it as soon as possible.

[khesterproton]

Thanks very much! I'll keep an eye on the new issue.