Merge pull request #9 from GitHubSecurityLab/container-reg-updates

feat: Container class updates

Author: GeekMasher

ql/lib/codeql/bicep/frameworks/Microsoft/Containers.qll

@@ -2,7 +2,7 @@ private import bicep
 
 module Containers {
   /**
-   * Represents a Microsoft.ContainerApp/containerApps resource.
+   * Represents a Microsoft.ContainerApp/containerApps resource (2025-02-02-preview).
    * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.app/containerapps
    */
   class ContainerResource extends Resource {
@@ -11,6 +11,31 @@ module Containers {
      */
     ContainerResource() { this.getResourceType().regexpMatch("^Microsoft.App/containerApps@.*") }
 
+    /**
+     * Returns the extendedLocation property.
+     */
+    Expr getExtendedLocation() { result = this.getProperty("extendedLocation") }
+
+    /**
+     * Returns the identity property.
+     */
+    Expr getIdentity() { result = this.getProperty("identity") }
+
+    /**
+     * Returns the kind property.
+     */
+    StringLiteral getKind() { result = this.getProperty("kind") }
+
+    /**
+     * Returns the managedBy property.
+     */
+    StringLiteral getManagedBy() { result = this.getProperty("managedBy") }
+
+    /**
+     * Returns the name property (overrides base Resource).
+     */
+    override string getName() { result = super.getName() }
+
     /**
      * Returns the properties object for the container app resource.
      */
@@ -44,23 +69,44 @@ module Containers {
       result = this.getTemplate().getContainer(index)
     }
 
-    Network::Ingress getNetworkIngress() {
-      result = this.getConfiguration().getNetworkIngress()
-    }
+    Network::Ingress getNetworkIngress() { result = this.getConfiguration().getNetworkIngress() }
 
-    Network::CorsPolicy getCorsPolicy() {
-      result = this.getNetworkIngress().getCorsPolicy()
-    }
+    Network::CorsPolicy getCorsPolicy() { result = this.getNetworkIngress().getCorsPolicy() }
+
+    /**
+     * Returns the SKU object for the container registry resource.
+     */
+    Sku getSku() { result = this.getProperty("sku") }
+
+    Tags getTags() { result = this.getProperty("tags") }
 
     /**
      * Returns a string representation of the container app resource.
      */
     override string toString() { result = "ContainerResource" }
   }
 
+  class ContainerRegistry extends Resource {
+    /**
+     * Constructs a ContainerRegistry for Microsoft.ContainerRegistry/containerRegistries resources (2025-02-02-preview).
+     */
+    ContainerRegistry() {
+      this.getResourceType().regexpMatch("^Microsoft.ContainerRegistry/registries@.*$")
+    }
+
+    /**
+     * Returns the SKU object for the container registry resource.
+     */
+    Sku getSku() { result = this.getProperty("sku") }
+
+    Tags getTags() { result = this.getProperty("tags") }
+
+    override string toString() { result = "ContainerRegistry" }
+  }
+
   module ContainerProperties {
     /**
-     * Represents the properties object for a container app resource.
+     * Represents the properties object for a container app resource (2025-02-02-preview).
      */
     class Properties extends Object {
       private ContainerResource containerResource;
@@ -80,11 +126,31 @@ module Containers {
        */
       ContainerConfiguration getConfiguration() { result = this.getProperty("configuration") }
 
+      /**
+       * Returns the environmentId property.
+       */
+      StringLiteral getEnvironmentId() { result = this.getProperty("environmentId") }
+
+      /**
+       * Returns the managedEnvironmentId property.
+       */
+      StringLiteral getManagedEnvironmentId() { result = this.getProperty("managedEnvironmentId") }
+
+      /**
+       * Returns the patchingConfiguration property.
+       */
+      Expr getPatchingConfiguration() { result = this.getProperty("patchingConfiguration") }
+
       /**
        * Returns the template property.
        */
       ContainerTemplate getTemplate() { result = this.getProperty("template") }
 
+      /**
+       * Returns the workloadProfileName property.
+       */
+      StringLiteral getWorkloadProfileName() { result = this.getProperty("workloadProfileName") }
+
       string toString() { result = "ContainerProperties" }
     }
 
@@ -109,6 +175,15 @@ module Containers {
        */
       ContainerSecret getSecrets() { result = this.getProperty("secrets").(Array).getElements() }
 
+      ContainerSecret getSecret(string name) {
+        exists(ContainerSecret secret |
+          secret = this.getSecrets() and
+          secret.getName().getValue() = name
+        |
+          result = secret
+        )
+      }
+
       /**
        * Returns the active revisions mode as a StringLiteral.
        */
@@ -124,6 +199,67 @@ module Containers {
        */
       Expr getTemplate() { result = this.getProperty("template") }
 
+      /**
+       * Returns the Dapr configuration object, if present.
+       *
+       * @return The Dapr configuration expression.
+       */
+      Expr getDapr() { result = this.getProperty("dapr") }
+
+      /**
+       * Returns the identity settings object, if present.
+       *
+       * @return The identity settings expression.
+       */
+      Expr getIdentitySettings() { result = this.getProperty("identitySettings") }
+
+      /**
+       * Returns the ingress configuration object, if present.
+       *
+       * @return The ingress configuration expression.
+       */
+      Expr getIngress() { result = this.getProperty("ingress") }
+
+      /**
+       * Returns all container registries defined in the configuration.
+       *
+       * @return The container registry objects as an array.
+       */
+      ContainerRegistry getRegistries() {
+        result = this.getProperty("registries").(Array).getElements()
+      }
+
+      /**
+       * Returns a specific container registry by index.
+       *
+       * @param index The index of the registry.
+       * @return The container registry at the specified index.
+       */
+      ContainerRegistry getRegistry(int index) {
+        result = this.getProperty("registries").(Array).getElement(index)
+      }
+
+      /**
+       * Returns the runtime configuration object, if present.
+       *
+       * @return The runtime configuration expression.
+       */
+      Expr getRuntime() { result = this.getProperty("runtime") }
+
+      /**
+       * Returns the service configuration object, if present.
+       *
+       * @return The service configuration expression.
+       */
+      Expr getService() { result = this.getProperty("service") }
+
+      /**
+       * Returns the target label property, if present.
+       *
+       * @return The target label string literal.
+       */
+      StringLiteral getTargetLabel() { result = this.getProperty("targetLabel") }
+
       string toString() { result = "ContainerConfiguration" }
     }
 
@@ -172,6 +308,38 @@ module Containers {
        */
       ContainerApp getContainers() { result = this.getProperty("containers").(Array).getElements() }
 
+      /**
+       * Returns the initContainers defined in the template.
+       */
+      Expr getInitContainers() { result = this.getProperty("initContainers") }
+
+      /**
+       * Returns the revisionSuffix property.
+       */
+      StringLiteral getRevisionSuffix() { result = this.getProperty("revisionSuffix") }
+
+      /**
+       * Returns the scale property.
+       */
+      Expr getScale() { result = this.getProperty("scale") }
+
+      /**
+       * Returns the serviceBinds property.
+       */
+      Expr getServiceBinds() { result = this.getProperty("serviceBinds") }
+
+      /**
+       * Returns the terminationGracePeriodSeconds property.
+       */
+      Expr getTerminationGracePeriodSeconds() {
+        result = this.getProperty("terminationGracePeriodSeconds")
+      }
+
+      /**
+       * Returns the volumes property.
+       */
+      Expr getVolumes() { result = this.getProperty("volumes") }
+
       /**
        * Returns a specific container by index from the template.
        */
@@ -292,5 +460,37 @@ module Containers {
 
       string toString() { result = "ContainerEnv" }
     }
+
+    class ContainerRegistry extends Object {
+      private ContainerConfiguration configuration;
+
+      /**
+       * Constructs a ContainerRegistry for the given configuration.
+       */
+      ContainerRegistry() { this = configuration.getProperty("registries").(Array).getElements() }
+
+      /**
+       * Returns the registry server URL.
+       */
+      StringLiteral getServer() { result = this.getProperty("server") }
+
+      /**
+       * Returns the username for the registry.
+       */
+      StringLiteral getUsername() { result = this.getProperty("username") }
+
+      /**
+       * Returns the password for the registry.
+       */
+      StringLiteral getPassword() {
+        exists(StringLiteral ref | ref = this.getProperty("passwordSecretRef") |
+          result = configuration.getSecret(ref.getValue()).getValue()
+        )
+        or
+        result = this.getProperty("password")
+      }
+
+      string toString() { result = "ContainerRegistry" }
+    }
   }
 }

ql/lib/codeql/bicep/frameworks/Microsoft/General.qll

@@ -11,18 +11,28 @@ class Sku extends Object {
   /**
    * Returns the SKU name (e.g., Basic, Standard, Premium).
    */
-  string getName() {
-    result = this.getProperty("name").(StringLiteral).getValue()
-  }
+  string getName() { result = this.getProperty("name").(StringLiteral).getValue() }
 
   /**
    * Returns the SKU tier (e.g., Basic, Standard, Premium).
    */
-  string getTier() {
-    result = this.getProperty("tier").(StringLiteral).getValue()
-  }
+  string getTier() { result = this.getProperty("tier").(StringLiteral).getValue() }
 
-  string toString() {
-    result = "SKU"
-  }
+  string toString() { result = "SKU" }
+}
+
+class Tags extends Object {
+  private Resource resource;
+
+  /**
+   * Constructs a Tags object for the given resource.
+   */
+  Tags() { this = resource.getProperty("tags") }
+
+  /**
+   * Returns the value of a tag by its key.
+   */
+  Literals getTag(string key) { result = this.getProperty(key) }
+
+  string toString() { result = "Tags" }
 }

ql/test/library-tests/frameworks/containers/Containers.expected

@@ -1 +1,11 @@
-| app.bicep:2:1:78:1 | ContainerResource |
+containers
+| app.bicep:14:1:101:1 | ContainerResource |
+containerConfig
+| app.bicep:14:1:101:1 | ContainerResource | app.bicep:19:20:63:5 | ContainerConfiguration |
+containerIngress
+| app.bicep:14:1:101:1 | ContainerResource | app.bicep:20:16:44:7 | NetworkIngress |
+containerSecrets
+| app.bicep:14:1:101:1 | ContainerResource | app.bicep:46:9:49:9 | ContainerSecret |
+| app.bicep:14:1:101:1 | ContainerResource | app.bicep:50:9:53:9 | ContainerSecret |
+containerReg
+| app.bicep:14:1:101:1 | ContainerResource | app.bicep:56:9:60:9 | ContainerRegistry |

ql/test/library-tests/frameworks/containers/Containers.ql

@@ -1,3 +1,26 @@
 import bicep
 
 query predicate containers(Containers::ContainerResource container) { any() }
+
+query predicate containerConfig(
+  Containers::ContainerResource container,
+  Containers::ContainerProperties::ContainerConfiguration config
+) {
+  container.getConfiguration() = config
+}
+
+query predicate containerIngress(Containers::ContainerResource container, Network::Ingress ingress) {
+  container.getNetworkIngress() = ingress
+}
+
+query predicate containerSecrets(
+  Containers::ContainerResource container, Containers::ContainerProperties::ContainerSecret secrets
+) {
+  container.getConfiguration().getSecrets() = secrets
+}
+
+query predicate containerReg(
+  Containers::ContainerResource container, Containers::ContainerProperties::ContainerRegistry reg
+) {
+  reg = container.getConfiguration().getRegistries()
+}

ql/test/library-tests/frameworks/containers/app.bicep

@@ -1,3 +1,15 @@
+resource myRegistry 'Microsoft.ContainerRegistry/registries@2025-04-01' = {
+  name: 'myregistry'
+  location: 'eastus'
+  sku: {
+    name: 'Standard'
+  }
+  adminUserEnabled: true
+  tags: {
+    environment: 'dev'
+  }
+}
+
 // Example Bicep file for a Container App with various settings
 resource myContainerApp 'Microsoft.App/containerApps@2022-03-01' = {
   name: 'my-container-app'
@@ -35,6 +47,17 @@ resource myContainerApp 'Microsoft.App/containerApps@2022-03-01' = {
           name: 'my-secret'
           value: 'supersecretvalue'
         }
+        {
+          name: 'acr-password'
+          value: 'myacrpassword'
+        }
+      ]
+      registries: [
+        {
+          server: 'myregistry.azurecr.io'
+          username: 'myacrusername'
+          passwordSecretRef: 'acr-password'
+        }
       ]
       activeRevisionsMode: 'Multiple'
     }