Microsoft AzureOverview
Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.
Rationale
Newer versions may contain security enhancements and additional functionality. Using the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected.
Impact
If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.
Default value
You have to select a version during app creation.
Remediation guidance
From Azure Console
- Open the web app using the
Open in Azurebutton. - Select
Configuration - Go to
General settings - Under the
Stack settings, for Python, select forMajor versionandMinor versionthe latest stable and supported release
Using Azure Command Line Interface
To see the list of supported runtimes:
az webapp list-runtimes
To set the latest Python version for an existing app, run the following command:
az webapp config set --resource-group <resourceGroup> --name <applicationName> [--linux-fx-version <pythonRuntimeVersion>] [--windows-fx-version <pythonRuntimeVersion>]
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure app services running unsupported Python versions
Connectors
Covered asset types
Expected check: eq []
{
sites(
where: { siteConfig: { NOT: { pythonVersion: "" }, isDeprecated: true } }
) {
...AssetFragment
}
}
