turbot/steampipe-mod-azure-compliance

Control: Vulnerability assessment should be enabled on your Synapse workspaces

Description

Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.synapse_workspace_vulnerability_assessment_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.synapse_workspace_vulnerability_assessment_enabled --share

SQL

This control uses a named query:

with synapse_workspace as (
  select
    id,
    name,
    subscription_id,
    resource_group
  from
    azure_synapse_workspace,
    jsonb_array_elements(workspace_managed_sql_server_vulnerability_assessments) as w
  where
    w -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'true'
)
select
  a.id as resource,
  case
    when s.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when s.id is not null then a.name || ' vulnerability assessment enabled.'
    else a.name || ' vulnerability assessment disabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_synapse_workspace as a
  left join synapse_workspace as s on s.id = a.id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
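The query above only marks a workspace "ok" when at least one element of workspace_managed_sql_server_vulnerability_assessments has properties.recurringScans.isEnabled equal to true; a missing or empty array yields no rows from jsonb_array_elements, so the left join produces NULL and the workspace alarms. The following is an added Python re-implementation of that rule (not code from the steampipe-mod-azure-compliance repository) so the pass/fail logic can be exercised offline against constructed workspace records; the ids and names are placeholders.

```python
import json


def vulnerability_assessment_enabled(workspace: dict) -> bool:
    """Mirror the CTE: true if any assessment element has recurringScans.isEnabled = true."""
    # jsonb_array_elements() over a NULL column yields no rows, so treat None as empty.
    assessments = workspace.get("workspace_managed_sql_server_vulnerability_assessments") or []
    for w in assessments:
        scans = ((w.get("properties") or {}).get("recurringScans")) or {}
        flag = scans.get("isEnabled")
        # ->> renders a JSON boolean true as the text 'true'; the SQL compares that text
        # to 'true' exactly, so a JSON string "True" would NOT pass. Keep that behaviour.
        if flag is True or flag == "true":
            return True
    return False


def evaluate(workspace: dict) -> dict:
    """Produce the same resource/status/reason row the control emits."""
    enabled = vulnerability_assessment_enabled(workspace)
    verdict = "enabled" if enabled else "disabled"
    return {
        "resource": workspace["id"],
        "status": "ok" if enabled else "alarm",
        "reason": f"{workspace['name']} vulnerability assessment {verdict}.",
        "resource_group": workspace["resource_group"],
    }


def _ws(name: str, assessments):
    # Constructed sample row; the id is a placeholder, not a real Azure resource id.
    return {
        "id": f"/subscriptions/<sub-id>/resourceGroups/rg-demo/providers/Microsoft.Synapse/workspaces/{name}",
        "name": name,
        "resource_group": "rg-demo",
        "workspace_managed_sql_server_vulnerability_assessments": assessments,
    }


# Constructed inputs covering the cases the SQL distinguishes.
SAMPLE_WORKSPACES = [
    _ws("ws-enabled", [{"properties": {"recurringScans": {"isEnabled": True}}}]),
    _ws("ws-disabled", [{"properties": {"recurringScans": {"isEnabled": False}}}]),
    _ws("ws-no-assessment", None),
    _ws("ws-second-enabled", [{"properties": {}}, {"properties": {"recurringScans": {"isEnabled": "true"}}}]),
]


def run_control(workspaces=SAMPLE_WORKSPACES) -> list:
    return [evaluate(w) for w in workspaces]


if __name__ == "__main__":
    for row in run_control():
        print(json.dumps(row))
```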

Tags