Skip to content

feat(scanner): add Azure enterprise resilience security packs#198

Open
TFT444 wants to merge 2 commits into
devfrom
feat/194-196-enterprise-resilience
Open

feat(scanner): add Azure enterprise resilience security packs#198
TFT444 wants to merge 2 commits into
devfrom
feat/194-196-enterprise-resilience

Conversation

@TFT444

@TFT444 TFT444 commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

Summary

Adds enterprise-focused Azure security coverage for issues #194, #195, and #196 in one reviewable PR:

  • 5 Azure Functions rules (AZ-FUNC-001 through 005)
  • 6 cross-service Private Endpoint rules (AZ-PE-001 through 006)
  • 4 Azure Backup ransomware-resilience rules (AZ-BAK-001, 002, 004, 006)
  • cached, secret-free Azure inventories with indeterminate failure handling
  • safe remediation playbooks, CIS placeholders, documentation, and focused tests

Security behavior

  • Function Apps are strictly selected by kind; application settings, keys, credentials, and source code are never requested.
  • Private Link rules evaluate public-network state independently from endpoint presence. Public access is still reported when an approved private endpoint exists.
  • Storage reports the blob endpoint group as the universal minimum and does not infer unused subresources.
  • Backup inventory reads only vault-level security configuration; it does not enumerate protected items, recovery points, keys, or customer data.
  • Missing properties and failed API calls are indeterminate and never become findings or false compliance claims.
  • Network isolation and irreversible backup controls are not automatically applied.

Deliberate first-phase boundary

AZ-BAK-003 (production vault not locked) and AZ-BAK-005 (LRS without exception) remain deferred because production classification and redundancy exceptions require organization policy. Immutability locking is irreversible and is detection/manual-review only.

Dependency Review

Adds official Microsoft package azure-mgmt-recoveryservices==4.1.0. Its wheel omits license metadata, so Dependency Review receives an exact-package exception; the upstream Azure SDK repository is MIT licensed.

Validation

  • 54 passed focused engine, rule, clean-scan, and CIS mapping tests
  • 409 passed, 2 skipped across tracked tests; one unrelated local Chroma vector-store test cannot run because the local persisted schema is stale
  • Python compilation, JSON/YAML parsing, and git diff --check pass

Closes #194
Closes #195
Closes #196

@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
pip/azure-mgmt-recoveryservices 4.1.0 UnknownUnknown

Scanned Files

  • requirements.txt

@TFT444
TFT444 requested review from m-khan-97 and removed request for SHAURYAKSHARMA24, parthrohit22 and ritiksah141 July 15, 2026 14:07
@TFT444 TFT444 self-assigned this Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

1 participant