feat: Add Network ACL support

GeekMasher · GeekMasher · commit 23eafa125464 · 2025-06-11T12:25:50.000+01:00
diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/KeyVault.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/KeyVault.qll
@@ -1,5 +1,6 @@
 private import bicep
 private import codeql.bicep.Concepts
+private import Network
 
 module KeyVault {
   class VaultResource extends Resource {
@@ -16,6 +17,10 @@ module KeyVault {
       result = this.getProperties().getAccessPolicies()
     }
 
+    Network::NetworkAcl getNetworkAcls() {
+      result = this.getProperties().getNetworkAcls()
+    }
+
     override string toString() { result = "Key Vault Resource" }
   }
 
@@ -93,6 +98,10 @@ module KeyVault {
 
       string publicNetworkAccess() { result = this.getPublicNetworkAccess().getValue() }
 
+      Network::NetworkAcl getNetworkAcls() {
+        result = this.getProperty("networkAcls")
+      }
+
       AccessPolicy getAccessPolicies() {
         result = this.getProperty("accessPolicies").(Array).getElements()
       }
diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Network.qll
@@ -112,6 +112,62 @@ module Network {
     }
   }
 
+
+  class NetworkAcl extends Object {
+    private Resource resource;
+
+    NetworkAcl() {
+      exists(Object props |
+        props = resource.getProperty("properties") and
+        this = props.getProperty(["networkAcl", "networkAcls"])
+      )
+    }
+
+    Resource getResource() { result = resource }
+
+    StringLiteral getBypass() {
+      result = this.getProperty("bypass")
+    }
+
+    string bypass() {
+      result = this.getBypass().getValue()
+    }
+
+    StringLiteral getDefaultAction() {
+      result = this.getProperty("defaultAction")
+    }
+
+    string defaultAction() {
+      result = this.getDefaultAction().getValue()
+    }
+
+    IpRule getIpRules() {
+      result = this.getProperty("ipRules").(Array).getElements()
+    }
+
+    string toString() {
+      result = "Network ACL"
+    }
+  }
+
+  class IpRule extends Object {
+    private NetworkAcl acl;
+
+    IpRule() {
+      this = acl.getProperty("ipRules").(Array).getElements()
+    }
+
+    NetworkAcl getNetworkAcl() { result = acl }
+
+    StringLiteral getValue() {
+      result = this.getProperty("value")
+    }
+
+    string toString() {
+      result = "IP Rule"
+    }
+  }
+
   module VirtualNetworkProperties {
     /**
      * The properties object for the Microsoft.Network/virtualNetworks/subnets type.
diff --git a/ql/test/library-tests/frameworks/vaults/Vaults.expected b/ql/test/library-tests/frameworks/vaults/Vaults.expected
@@ -1,5 +1,7 @@
 keyvault
-| app.bicep:1:1:37:1 | Key Vault Resource |
+| app.bicep:1:1:51:1 | Key Vault Resource |
 keyvaultPolicies
-| app.bicep:1:1:37:1 | Key Vault Resource | app.bicep:11:7:19:7 | AccessPolicy |
-| app.bicep:1:1:37:1 | Key Vault Resource | app.bicep:20:7:28:7 | AccessPolicy |
+| app.bicep:1:1:51:1 | Key Vault Resource | app.bicep:11:7:19:7 | AccessPolicy |
+| app.bicep:1:1:51:1 | Key Vault Resource | app.bicep:20:7:28:7 | AccessPolicy |
+keyvaultNetworkAcls
+| app.bicep:1:1:51:1 | Key Vault Resource | app.bicep:36:18:49:5 | Network ACL |
diff --git a/ql/test/library-tests/frameworks/vaults/Vaults.ql b/ql/test/library-tests/frameworks/vaults/Vaults.ql
@@ -1,10 +1,15 @@
 import bicep
 
-query predicate keyvault(KeyVault::VaultResource vault) {
-  any()
-}
+query predicate keyvault(KeyVault::VaultResource vault) { any() }
 
-query predicate keyvaultPolicies(KeyVault::VaultResource vault, KeyVault::KeyVaultProperties::AccessPolicy policy) {
+query predicate keyvaultPolicies(
+  KeyVault::VaultResource vault, KeyVault::KeyVaultProperties::AccessPolicy policy
+) {
   policy = vault.getAccessPolicies()
-  
+}
+
+query predicate keyvaultNetworkAcls(
+  KeyVault::VaultResource vault, Network::NetworkAcl networkAcl
+) {
+  networkAcl = vault.getNetworkAcls()
 }
diff --git a/ql/test/library-tests/frameworks/vaults/app.bicep b/ql/test/library-tests/frameworks/vaults/app.bicep
@@ -33,5 +33,19 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
     enableSoftDelete: true
     enablePurgeProtection: true
     publicNetworkAccess: 'Disabled' // Recommended: restrict public access
+    networkAcls: {
+      bypass: 'AzureServices'
+      defaultAction: 'Deny'
+      ipRules: [
+        {
+          value: '203.0.113.0/24'
+        }
+      ]
+      virtualNetworkRules: [
+        {
+          id: '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet'
+        }
+      ]
+    }
   }
 }
