fix(build): enable SQL auditing and threat detection for Checkov compliance

emmanuelknafo · emmanuelknafo · commit 786cacff98d2 · 2026-04-23T12:51:20.000-04:00
- add auditing settings with 91-day retention on SQL server and database (CKV_AZURE_23, CKV_AZURE_24) - add threat detection policies on SQL server and database (CKV_AZURE_25) Relates to #51 🔒 - Generated by Copilot
diff --git a/blueprints/sample-web-app/bicep/main.bicep b/blueprints/sample-web-app/bicep/main.bicep
@@ -145,6 +145,26 @@ resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
   }
 }
 
+@description('SQL Server auditing policy — CKV_AZURE_23, CKV_AZURE_24.')
+resource sqlServerAudit 'Microsoft.Sql/servers/auditingSettings@2023-08-01-preview' = {
+  parent: sqlServer
+  name: 'default'
+  properties: {
+    state: 'Enabled'
+    isAzureMonitorTargetEnabled: true
+    retentionDays: 91
+  }
+}
+
+@description('SQL Server threat detection — CKV_AZURE_25.')
+resource sqlServerThreatDetection 'Microsoft.Sql/servers/securityAlertPolicies@2023-08-01-preview' = {
+  parent: sqlServer
+  name: 'default'
+  properties: {
+    state: 'Enabled'
+  }
+}
+
 /* ========================================================================== */
 /* SQL Database                                                                */
 /* ========================================================================== */
@@ -163,6 +183,26 @@ resource sqlDatabase 'Microsoft.Sql/servers/databases@2023-08-01-preview' = {
   }
 }
 
+@description('SQL Database auditing policy — CKV_AZURE_23, CKV_AZURE_24.')
+resource sqlDatabaseAudit 'Microsoft.Sql/servers/databases/auditingSettings@2023-08-01-preview' = {
+  parent: sqlDatabase
+  name: 'default'
+  properties: {
+    state: 'Enabled'
+    isAzureMonitorTargetEnabled: true
+    retentionDays: 91
+  }
+}
+
+@description('SQL Database threat detection — CKV_AZURE_25.')
+resource sqlDatabaseThreatDetection 'Microsoft.Sql/servers/databases/securityAlertPolicies@2023-08-01-preview' = {
+  parent: sqlDatabase
+  name: 'default'
+  properties: {
+    state: 'Enabled'
+  }
+}
+
 /* ========================================================================== */
 /* Key Vault Access for App Service                                            */
 /* ========================================================================== */
