aquasecurity · alphadev4 · Nov 11, 2024 · Nov 6, 2024 · Nov 7, 2024 · Nov 8, 2024
diff --git a/plugins/azure/keyvaults/keyVaultSecretExpiry.js b/plugins/azure/keyvaults/keyVaultSecretExpiry.js
@@ -2,7 +2,7 @@ var async = require('async');
 var helpers = require('../../../helpers/azure');
 
 module.exports = {
-    title: 'Key Vault Secret Expiry',
+    title: 'Key Vault Secret Expiry RBAC',
     category: 'Key Vaults',
     domain: 'Application Integration',
     severity: 'High',
@@ -46,6 +46,13 @@ module.exports = {
             }
 
             vaults.data.forEach(function(vault) {
+                // Check if vault is RBAC-enabled
+                if (!vault.properties || !vault.properties.enableRbacAuthorization) {
+                    helpers.addResult(results, 0,
+                        'Key Vault is not RBAC-enabled', location, vault.id);
+                    return;
+                }
+
                 var secrets = helpers.addSource(cache, source,
                     ['vaults', 'getSecrets', location, vault.id]);
 

diff --git a/plugins/azure/keyvaults/keyVaultSecretExpiry.spec.js b/plugins/azure/keyvaults/keyVaultSecretExpiry.spec.js
@@ -20,6 +20,9 @@ const listKeyVaults = [
         "sku": {
             "family": "A",
             "name": "Standard"
+        },
+        "properties": {
+            "enableRbacAuthorization": true
         }
     },
     {
@@ -31,6 +34,9 @@ const listKeyVaults = [
         "sku": {
             "family": "A",
             "name": "Standard"
+        },
+        "properties": {
+            "enableRbacAuthorization": false
         }
     }
 ];
@@ -152,7 +158,19 @@ describe('keyVaultSecretExpiry', function() {
             auth.run(createCache(null, [], {}), {}, callback);
         });
 
-        it('should give passing result if secret expiration is not enabled', function(done) {
+        it('should give passing result if vault is not RBAC-enabled', function(done) {
+            const callback = (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Key Vault is not RBAC-enabled');
+                expect(results[0].region).to.equal('eastus');
+                done()
+            };
+
+            auth.run(createCache(null, [listKeyVaults[1]], {}), {}, callback);
+        });
+
+        it('should give passing result if secret expiration is not enabled in RBAC vault', function(done) {
             const callback = (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(0);
@@ -164,7 +182,7 @@ describe('keyVaultSecretExpiry', function() {
             auth.run(createCache(null, [listKeyVaults[0]], getSecrets[0]), {}, callback);
         });
 
-        it('should give passing result if secret expiry is not yet reached', function(done) {
+        it('should give passing result if secret expiry is not yet reached in RBAC vault', function(done) {
             const callback = (err, results) => {
                 expect(results.length).to.equal(1);
                 expect(results[0].status).to.equal(0);