Ensure that 'PHP version' is currently supported (if in use)

Overview

Periodically, older versions of PHP may be deprecated and no longer supported. Using a supported version of PHP for app services is recommended to avoid potential unpatched vulnerabilities.

Rationale

Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.

Impact

If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.

Default Value

The version of PHP is whatever was selected upon App creation.

Additional Information

Currently supported versions can be confirmed here: https://www.php.net/supported-versions.php

Remediation guidance

Remediate from Azure Portal

Open the app using the Open in Azure button.
Under Settings section, click on Configuration
Click on the General settings pane, ensure that for a Stack of PHP the Major Version and Minor Version reflect a currently supported release.

###Remediate from Azure CLI

List the available PHP runtimes:

az webapp list-runtimes

To set a currently supported PHP version for an existing app, run the following command:

az webapp config set --resource-group  --name  [--linux-fx-version ][--php-version ]

Remediate from PowerShell

To set a currently supported PHP version for an existing app, run the following command:

Set-AzWebApp -ResourceGroupName  -Name  -phpVersion

NOTE: Currently there is no way to update an existing web app Linux FX Version setting using PowerShell, nor is there a way to create a new web app using PowerShell that configures the PHP runtime in the Linux FX Version setting.

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure app services running unsupported PHP versions

Connectors

Microsoft Azure

Covered asset types

Site

Expected check: eq []

{
  sites(
    where: { siteConfig: { NOT: { phpVersion: "" }, isDeprecated: true } }
  ) {
    ...AssetFragment
  }
}