BernieWhite
diff --git a/‎docs/CHANGELOG-v1.md
+3 b/‎docs/CHANGELOG-v1.md
+3
diff --git a/‎docs/en/rules/Azure.AppService.NodeJsVersion.md
+169 b/‎docs/en/rules/Azure.AppService.NodeJsVersion.md
+169
diff --git a/‎src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1
+85-18 b/‎src/PSRule.Rules.Azure/rules/Azure.AppService.Rule.ps1
+85-18
@@ -30,6 +30,9 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 ## Unreleased
 
 - New rules:
+  - App Service:
+    - Check that applications uses supported Node.js runtime versions by @BenjaminEngeset.
+      [#2879](https://github.com/Azure/PSRule.Rules.Azure/issues/2879)
   - Azure Cache for Redis:
     - Verify that cache instances have Entra ID authentication enabled by @BenjaminEngeset.
       [#2899](https://github.com/Azure/PSRule.Rules.Azure/issues/2899)
 
@@ -0,0 +1,169 @@
+---
+severity: Important
+pillar: Security
+category: SE:02 Secured development lifecycle
+resource: App Service
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.NodeJsVersion/
+---
+
+# Use a supported Node.js runtime version
+
+## SYNOPSIS
+
+Configure applications to use supported Node.js runtime versions.
+
+## DESCRIPTION
+
+In an App Service app, you can configure the Node.js runtime version used to run your application or site code.
+
+Extended support for Node.js 18 LTS will end on April 30, 2025. While apps hosted on App Service will continue to operate, security updates and customer support for Node.js 18 LTS will no longer be provided after this date.
+
+To avoid potential security vulnerabilities and minimize risks for your App Service apps, it is recommended to upgrade your apps to Node.js 20 LTS before April 30, 2025.
+
+## RECOMMENDATION
+
+Consider updating applications to use supported Node.js runtime versions to maintain security and support.
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy App Services that pass this rule:
+
+- For Linux-based apps and slots:
+  - Set the `properties.siteConfig.linuxFxVersion` property to `NODE|20-lts`.
+- For Windows-based apps and slots:
+  - Add an app setting within `properties.siteConfig.appSettings` by creating an object with the `name` and `value` properties.
+  - Set the `name` property to `WEBSITE_NODE_DEFAULT_VERSION`.
+  - Set the `value` property to `~20`.
+
+In addition to setting the `properties.siteConfig` property, you can also use a sub-resource.
+
+For example (Linux app):
+
+```json
+{
+  "type": "Microsoft.Web/sites",
+  "apiVersion": "2022-09-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "kind": "web",
+  "properties": {
+    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
+    "httpsOnly": true,
+    "siteConfig": {
+      "minTlsVersion": "1.2",
+      "linuxFxVersion": "NODE|20-lts"
+    }
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
+  ]
+}
+```
+
+For example (Windows app):
+
+```json
+{
+  "type": "Microsoft.Web/sites",
+  "apiVersion": "2022-09-01",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "kind": "web",
+  "properties": {
+    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]",
+    "httpsOnly": true,
+    "siteConfig": {
+      "minTlsVersion": "1.2",
+      "appSettings": [
+        {
+          "name": "WEBSITE_NODE_DEFAULT_VERSION",
+          "value": "~20"
+        }
+      ]
+    }
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.Web/serverfarms', parameters('planName'))]"
+  ]
+}
+```
+
+### Configure with Bicep
+
+To deploy App Services that pass this rule:
+
+- For Linux-based apps and slots:
+  - Set the `properties.siteConfig.linuxFxVersion` property to `NODE|20-lts`.
+- For Windows-based apps and slots:
+  - Add an app setting within `properties.siteConfig.appSettings` by creating an object with the `name` and `value` properties.
+  - Set the `name` property to `WEBSITE_NODE_DEFAULT_VERSION`.
+  - Set the `value` property to `~20`.
+
+In addition to setting the `properties.siteConfig` property, you can also use a sub-resource.
+
+For example (Linux app):
+
+```bicep
+resource linuxWeb 'Microsoft.Web/sites@2022-09-01' = {
+  name: name
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  kind: 'web'
+  properties: {
+    serverFarmId: plan.id
+    httpsOnly: true
+    siteConfig: {
+      minTlsVersion: '1.2'
+      linuxFxVersion: 'NODE|20-lts'
+    }
+  }
+}
+```
+
+For example (Windows app):
+
+```bicep
+resource windowsWeb 'Microsoft.Web/sites@2022-09-01' = {
+  name: name
+  location: location
+  identity: {
+    type: 'SystemAssigned'
+  }
+  kind: 'web'
+  properties: {
+    serverFarmId: plan.id
+    httpsOnly: true
+    siteConfig: {
+      minTlsVersion: '1.2'
+      appSettings: [
+        {
+          name: 'WEBSITE_NODE_DEFAULT_VERSION'
+          value: '~20'
+        }
+      ]
+    }
+  }
+}
+```
+
+## LINKS
+
+- [SE:02 Secured development lifecycle](https://learn.microsoft.com/azure/well-architected/security/secure-development-lifecycle)
+- [Upgrade your App Service apps to Node 20 LTS by 30 April 2025](https://azure.microsoft.com/updates/action-required-upgrade-your-app-service-apps-to-node-20-lts-by-30-april-2025/)
+- [Node.js on App Service](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/node_support.md)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.web/sites)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.web/sites/slots)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.web/sites/config-web)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.web/sites/slots/config-web)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.web/sites/config-appsettings)
+- [Azure resource deployment](https://learn.microsoft.com/azure/templates/microsoft.web/sites/slots/config-appsettings)
@@ -15,14 +15,14 @@ Rule 'Azure.AppService.MinTLS' -Ref 'AZR-000073' -Type 'Microsoft.Web/sites', 'M
     $siteConfigs = @(GetWebSiteConfig);
     if ($siteConfigs.Length -eq 0) {
         return $Assert.
-            HasFieldValue($TargetObject, 'properties.siteConfig.minTlsVersion', '1.2').
-            ReasonFrom('properties.siteConfig.minTlsVersion', $LocalizedData.MinTLSVersion, $TargetObject.properties.siteConfig.minTlsVersion);
+        HasFieldValue($TargetObject, 'properties.siteConfig.minTlsVersion', '1.2').
+        ReasonFrom('properties.siteConfig.minTlsVersion', $LocalizedData.MinTLSVersion, $TargetObject.properties.siteConfig.minTlsVersion);
     }
     foreach ($siteConfig in $siteConfigs) {
         $path = $siteConfig._PSRule.path;
         $Assert.
-            HasFieldValue($siteConfig, 'properties.minTlsVersion', '1.2').
-            ReasonFrom('properties.minTlsVersion', $LocalizedData.MinTLSVersion, $siteConfig.properties.minTlsVersion).PathPrefix($path);
+        HasFieldValue($siteConfig, 'properties.minTlsVersion', '1.2').
+        ReasonFrom('properties.minTlsVersion', $LocalizedData.MinTLSVersion, $siteConfig.properties.minTlsVersion).PathPrefix($path);
     }
 }
 
@@ -129,8 +129,8 @@ Rule 'Azure.AppService.HTTP2' -Ref 'AZR-000078' -Type 'Microsoft.Web/sites', 'Mi
 # Synopsis: Configure and enable instance health probes.
 Rule 'Azure.AppService.WebProbe' -Ref 'AZR-000079' -With 'Azure.AppService.IsWebApp' -Tag @{ release = 'GA'; ruleSet = '2022_06'; 'Azure.WAF/pillar' = 'Reliability'; } {
     $siteConfigs = @(GetWebSiteConfig | Where-Object {
-        $Assert.HasField($_, 'Properties.healthCheckPath').Result
-    });
+            $Assert.HasField($_, 'Properties.healthCheckPath').Result
+        });
     if ($siteConfigs.Length -eq 0) {
         return $Assert.HasFieldValue($TargetObject, 'properties.siteConfig.healthCheckPath');
     }
@@ -142,8 +142,8 @@ Rule 'Azure.AppService.WebProbe' -Ref 'AZR-000079' -With 'Azure.AppService.IsWeb
 # Synopsis: Web apps should use a dedicated health check path.
 Rule 'Azure.AppService.WebProbePath' -Ref 'AZR-000080' -With 'Azure.AppService.IsWebApp' -Tag @{ release = 'GA'; ruleSet = '2022_06'; 'Azure.WAF/pillar' = 'Reliability'; } {
     $siteConfigs = @(GetWebSiteConfig | Where-Object {
-        $Assert.HasField($_, 'properties.healthCheckPath').Result
-    });
+            $Assert.HasField($_, 'properties.healthCheckPath').Result
+        });
     if ($siteConfigs.Length -eq 0) {
         return $Assert.Greater($TargetObject, 'properties.siteConfig.healthCheckPath', 1);
     }
@@ -155,19 +155,37 @@ Rule 'Azure.AppService.WebProbePath' -Ref 'AZR-000080' -With 'Azure.AppService.I
 # Synopsis: Web apps should disable insecure FTP and configure SFTP when required.
 Rule 'Azure.AppService.WebSecureFtp' -Ref 'AZR-000081' -With 'Azure.AppService.IsWebApp' -Tag @{ release = 'GA'; ruleSet = '2022_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.MCSB.v1/control' = 'DP-3' } {
     $siteConfigs = @(GetWebSiteConfig | Where-Object {
-        $Assert.HasField($_, 'Properties.ftpsState').Result
-    });
+            $Assert.HasField($_, 'Properties.ftpsState').Result
+        });
     if ($siteConfigs.Length -eq 0) {
         return $Assert.In($TargetObject, 'Properties.siteConfig.ftpsState', @(
-            'FtpsOnly'
-            'Disabled'
-        ));
+                'FtpsOnly'
+                'Disabled'
+            ));
     }
     foreach ($siteConfig in $siteConfigs) {
         $Assert.In($siteConfig, 'Properties.ftpsState', @(
-            'FtpsOnly'
-            'Disabled'
-        ));
+                'FtpsOnly'
+                'Disabled'
+            ));
+    }
+}
+
+# Synopsis: Configure applications to use supported Node.js runtime versions.
+Rule 'Azure.AppService.NodeJsVersion' -Ref 'AZR-000428' -Type 'Microsoft.Web/sites', 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots', 'Microsoft.Web/sites/slots/config' -Tag @{ release = 'GA'; ruleSet = '2024_06'; 'Azure.WAF/pillar' = 'Security'; } {
+    $versions = Get-NodeVersions
+
+    $pass = $true
+    foreach ($version in $versions) {
+        if ($version -lt '20.0') {
+            $pass = $false
+            $Assert.Version($version.ToString(), '.', '>=20.0.0')
+        }
+    }
+
+    # Pass if the version is not defined or version is 20 or greater.
+    if ($pass) {
+        $Assert.Pass()
     }
 }
 
@@ -203,10 +221,59 @@ function global:GetWebSiteConfig {
     param ()
     process {
         $siteConfigs = @(GetSubResources -ResourceType 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots/config' | Where-Object {
-            $_.Name -notlike "*/*" -or $_.Name -like "*/web" -or $_.Id -like "*/web"
-        })
+                $_.Name -notlike "*/*" -or $_.Name -like "*/web" -or $_.Id -like "*/web"
+            })
         $siteConfigs;
     }
 }
 
+function global:Get-NodeVersions {
+    <#
+    .SYNOPSIS
+        Get the Node.js versions for the App Service.
+
+    .DESCRIPTION
+        This function retrieves the Node.js versions for the App Service.
+
+    .OUTPUTS
+        Output is a list of Node.js versions used, except the 'NODE|lts' version as this is not version specific,
+        hence not parsable.
+    #>
+    [CmdletBinding()]
+    param ( )
+    
+    [Version[]]$versions = @(
+        # App Service on Linux. Works when main object equals Microsoft.Web/sites or Microsoft.Web/sites/slots
+        $TargetObject.properties.siteConfig.linuxFxVersion | Where-Object { $_ -like 'NODE|*' -and $_ -ne 'NODE|lts' }
+        # App Service on Linux. Works for when main object equals Microsoft.Web/sites/config 'web' or Microsoft.Web/sites/slots/config 'web'
+        $TargetObject.properties.linuxFxVersion | Where-Object { $_ -like 'NODE|*' -and $_ -ne 'NODE|lts' }
+        # App Service on Linux.
+        GetSubResources -ResourceType 'Microsoft.Web/sites/slots' | 
+        ForEach-Object { $_.properties.siteConfig.linuxFxVersion | Where-Object { $_ -like 'NODE|*' -and $_ -ne 'NODE|lts' } }
+        # App Service on Linux.
+        GetSubResources -ResourceType 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots/config' |
+        Where-Object { $_.name -eq 'web' -or $_.name -like '*/web' } |
+        ForEach-Object { $_.properties.linuxFxVersion | Where-Object { $_ -like 'NODE|*' -and $_ -ne 'NODE|lts' } }
+        
+        # App Service on Windows. Works for when main object equals Microsoft.Web/sites or Microsoft.Web/sites/slots
+        $TargetObject.properties.siteConfig.appSettings | Where-Object name -eq 'WEBSITE_NODE_DEFAULT_VERSION' | ForEach-Object { $_.value }
+        # App Service on Windows. Works for when main object equals Microsoft.Web/sites/config 'appsettings' or Microsoft.Web/sites/slots/config 'appsettings'
+        $TargetObject.properties.WEBSITE_NODE_DEFAULT_VERSION
+        # App Service on Windows. Works for when main object equals Microsoft.Web/sites/config 'web' or Microsoft.Web/sites/slots/config 'web'
+        $TargetObject.properties.appSettings | Where-Object name -eq 'WEBSITE_NODE_DEFAULT_VERSION' | ForEach-Object { $_.value }
+        # App Service on Windows.
+        GetSubResources -ResourceType 'Microsoft.Web/sites/slots' |
+        ForEach-Object { $_.properties.siteConfig.appSettings | Where-Object name -eq 'WEBSITE_NODE_DEFAULT_VERSION' | ForEach-Object { $_.value } }
+        # App Service on Windows.
+        GetSubResources -ResourceType 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots/config' |
+        Where-Object { $_.name -eq 'appsettings' -or $_.name -like '*/appsettings' } |
+        ForEach-Object { $_.properties.WEBSITE_NODE_DEFAULT_VERSION }
+        # App Service on Windows.
+        GetSubResources -ResourceType 'Microsoft.Web/sites/config', 'Microsoft.Web/sites/slots/config' |
+        Where-Object { $_.name -eq 'web' -or $_.name -like '*/web' } |
+        ForEach-Object { $_.properties.appSettings | Where-Object name -eq 'WEBSITE_NODE_DEFAULT_VERSION' | ForEach-Object { $_.value } }
+    ) -replace '[^\d.]' -match '.' -replace '^\d+$', '$0.0'
+    $versions
+}
+
 #endregion Helper functions