Terraform Insecure TLS Version Linux
Description
Detects Azure App Service resources configured with outdated and insecure TLS versions (1.0 or 1.1). Using deprecated TLS versions exposes applications to known vulnerabilities and may violate security compliance requirements.
Detection Strategy
• Scan Terraform configuration files for Azure App Service resource blocks (like 'azurerm_app_service' or 'azurerm_linux_web_app')
• Look for the 'site_config' block within these resources
• Check if 'minimum_tls_version' is set to '1.0' or '1.1'
• Report a security issue if an insecure TLS version is found
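The detection strategy above, sketched as a small Python scanner. This is an added example, not Fluid Attacks' own detection code; the function names, the regex-based brace matching (used here instead of a full HCL parser) and the sample Terraform are assumptions made for illustration.

```python
import re

# Resource types and insecure values are the ones the rule text names.
APP_SERVICE_TYPES = ("azurerm_app_service", "azurerm_linux_web_app")
INSECURE_TLS = {"1.0", "1.1"}
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
SITE_CONFIG_RE = re.compile(r'\bsite_config\s*\{')
# Anchored to line start so commented-out settings are not reported.
TLS_RE = re.compile(r'^\s*minimum_tls_version\s*=\s*"([^"]*)"', re.M)

def block_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}' (naive: ignores braces in strings)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unbalanced input: scan to end of file

def find_insecure_tls(hcl):
    """Return (resource_type, resource_name, version) for each insecure setting."""
    findings = []
    for res in RESOURCE_RE.finditer(hcl):
        rtype, rname = res.groups()
        if rtype not in APP_SERVICE_TYPES:
            continue  # only App Service resources are in scope
        body = block_body(hcl, res.end() - 1)
        for sc in SITE_CONFIG_RE.finditer(body):
            cfg = block_body(body, sc.end() - 1)
            for ver in TLS_RE.findall(cfg):
                if ver in INSECURE_TLS:
                    findings.append((rtype, rname, ver))
    return findings
# Constructed sample input (not from the page).
SAMPLE = '''
resource "azurerm_linux_web_app" "legacy" {
  site_config { minimum_tls_version = "1.1" }
}
resource "azurerm_linux_web_app" "current" {
  site_config {
    minimum_tls_version = "1.2"
    # minimum_tls_version = "1.0"
  }
}
'''
if __name__ == "__main__": print(find_insecure_tls(SAMPLE))
```

Only the `legacy` resource is reported: the `1.2` setting passes and the commented-out `1.0` line is ignored.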
Vulnerable code example
resource "azurerm_linux_web_app" "example" {
  name                = "myapp"
  resource_group_name = "my-rg"
  service_plan_id     = "plan-id"
  location            = "westus"

  site_config {
    minimum_tls_version = "1.0" # Vulnerable: Using obsolete TLS 1.0 which has known security weaknesses...
  }
}
Secure code example
resource "azurerm_linux_web_app" "example" {
  name                = "myapp"
  resource_group_name = "my-rg"
  service_plan_id     = "plan-id"
  location            = "westus"
  https_only          = true # Enforce HTTPS-only communication

  site_config {...