Logical SQL Servers are not scanned for vulnerabilities

Security · SQL Database · Rule · 2025_03 · Important

SQL Databases may have configuration vulnerabilities discovered after they are deployed.

Description

Azure SQL Database supports vulnerability assessment scanning to identify potential security vulnerabilities in your database. When enabled through Microsoft Defender for Cloud, Defender for Databases periodically performs a scan of your database. The result of the scan can help you identify potential security vulnerabilities in your database configuration or your application.

Vulnerability assessment settings can be configured using Express or Classic configurations. The Express configuration is the portal default, and simplifies the configuration process because it does not require you to specify a storage account.

Recommendation

Consider enabling vulnerability assessment scanning for logical SQL Servers.

Examples

Configure with Bicep

To deploy logical SQL Servers that pass this rule:

  • Create a Microsoft.Sql/servers/sqlVulnerabilityAssessments sub-resource.
  • On the sub-resource:
    • Set the properties.state property to Enabled.

For example:

Azure Bicep snippet
resource vulnerabilityAssessment 'Microsoft.Sql/servers/sqlVulnerabilityAssessments@2024-05-01-preview' = {
  parent: server
  name: 'default'
  properties: {
    state: 'Enabled'
  }
}

Configure with Azure template

To deploy logical SQL Servers that pass this rule:

  • Create a Microsoft.Sql/servers/sqlVulnerabilityAssessments sub-resource.
  • On the sub-resource:
    • Set the properties.state property to Enabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments",
  "apiVersion": "2024-05-01-preview",
  "name": "[format('{0}/{1}', parameters('name'), 'default')]",
  "properties": {
    "state": "Enabled"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers', parameters('name'))]"
  ]
}

Notes

If either the Express or Classic configuration is enabled, this rule will pass. The Classic configuration option is enabled by deploying the Microsoft.Sql/servers/vulnerabilityAssessments sub-resource.
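As an added example (not code from PSRule for Azure or this page), the check below applies the pass condition just described to an ARM template: a Microsoft.Sql/servers resource passes when it has a sqlVulnerabilityAssessments sub-resource with state Enabled (Express) or a vulnerabilityAssessments sub-resource (Classic). It handles both nested child resources and top-level "server/default" names, reads literal names only (ARM expressions such as format() are not evaluated), and the template it scans is constructed here.

```python
"""Flag logical SQL Servers in an ARM template that lack an enabled vulnerability assessment."""
import json

SERVER = "microsoft.sql/servers"
EXPRESS = SERVER + "/sqlvulnerabilityassessments"   # Express: needs state Enabled
CLASSIC = SERVER + "/vulnerabilityassessments"      # Classic: presence is enough

# Constructed sample template: four servers, only the first and third are covered.
SAMPLE_TEMPLATE = json.loads("""
{ "resources": [
    { "type": "Microsoft.Sql/servers", "name": "sql-scanned",
      "resources": [ { "type": "sqlVulnerabilityAssessments", "name": "default",
                       "properties": { "state": "Enabled" } } ] },
    { "type": "Microsoft.Sql/servers", "name": "sql-disabled" },
    { "type": "Microsoft.Sql/servers/sqlVulnerabilityAssessments",
      "name": "sql-disabled/default", "properties": { "state": "Disabled" } },
    { "type": "Microsoft.Sql/servers", "name": "sql-classic" },
    { "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
      "name": "sql-classic/default", "properties": { "recurringScans": { "isEnabled": true } } },
    { "type": "Microsoft.Sql/servers", "name": "sql-unscanned" }
] }
""")


def _walk(resources, parent_type="", parent_name=""):
    """Yield (type, name, resource) for every resource, expanding nested children to full form."""
    for res in resources or []:
        rtype, name = res.get("type", ""), res.get("name", "")
        if parent_type and "/" not in rtype:            # nested child: relative type/name
            rtype, name = parent_type + "/" + rtype, parent_name + "/" + name
        yield rtype.lower(), name, res
        yield from _walk(res.get("resources"), rtype, name)


def servers_missing_va_scan(template):
    """Return names of Microsoft.Sql/servers with neither an Express assessment in
    state Enabled nor a Classic assessment sub-resource (literal names only)."""
    entries = list(_walk(template.get("resources", [])))
    servers = [name for rtype, name, _ in entries if rtype == SERVER]
    covered = set()
    for rtype, name, res in entries:
        parent = name.rsplit("/", 1)[0]                  # "server/default" -> "server"
        state = str(res.get("properties", {}).get("state", "")).lower()
        if rtype == CLASSIC or (rtype == EXPRESS and state == "enabled"):
            covered.add(parent)
    return [s for s in servers if s not in covered]
```

Running servers_missing_va_scan(SAMPLE_TEMPLATE) reports sql-disabled (Express present but not Enabled) and sql-unscanned (no sub-resource at all).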