
Improve Azure ACR evidence gates #1240

Open

lcwLcw123 wants to merge 1 commit into UnitOneAI:main from lcwLcw123:improve/azure-acr-evidence-gates

Conversation

@lcwLcw123

Summary

Fixes #1206.

This improves `skills/cloud/azure-review` by adding supplemental Azure Container Registry gates for admin account state, public/private network posture, Private Link/DNS evidence, identity/RBAC scope, repository-scoped tokens, Defender image scanning, and retention controls.

Changes included:

  • Add Azure Container Registry Evidence Gates as a supplemental Azure review step.
  • Add Azure Container Registry Evidence output fields for admin account, network access, private endpoint/DNS, identity/RBAC, token scope, scanning coverage, retention/export controls, and findings.
  • Add findings classification for enabled production admin account, unrestricted public access, broad AcrPush/AcrDelete, missing Defender scanning evidence, and missing private DNS/build-agent reachability evidence.
  • Extend `benchmark-checklist.md` with ACR-REG-1 through ACR-REG-5 checks.
  • Add fixtures for a benign private/admin-disabled registry with scoped AcrPull and a vulnerable public/admin-enabled registry with broad AcrPush.
  • Add official Microsoft references for ACR authentication, Private Link, selected networks, token permissions, and Defender image scanning.

Validation

  • Red-first marker check failed before edits for the new ACR gate terms.
  • `rg -n "ACR Evidence|ACR-REG|azurerm_container_registry|admin_enabled|network_rule_bypass_option|repository-scoped token|Defender image scanning|Container Registry Private Link|AcrPush" skills/cloud/azure-review -S`
  • `git diff --check`
  • `git diff --cached --check`
  • Required frontmatter sweep across `skills/**/SKILL.md`
  • Markdown fence balance check for azure-review markdown
  • ASCII byte scan for changed and untracked files
  • Prompt-injection phrase scan for changed azure-review files
  • Source URL checks returned 200 for ACR authentication, Private Link, selected networks, token permissions, and Defender image scanning docs

Bounty

  • Requested bounty tier: Improver Moderate ($100) if accepted.
  • Preferred payment method: GitHub Sponsors; PayPal can be provided privately if preferred.
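The following is an added example, not code from this PR or from the azure-review skill, showing how the findings classification the PR describes (production admin account enabled, unrestricted public access, broad AcrPush/AcrDelete, missing Defender scanning evidence, missing private DNS/build-agent reachability evidence) can be expressed as an evidence evaluator and exercised against the two fixture shapes the PR mentions. The evidence dict keys, the mapping of each check onto ACR-REG-1 through ACR-REG-5, the severities, the "broad scope" rule and both fixtures are assumptions made for this illustration; the PR's actual checklist and fixtures may differ.

```python
"""Evaluate Azure Container Registry evidence against review gates.

Added illustration, not code from the PR or the azure-review skill. The
evidence dict keys, the ACR-REG-1..5 numbering, the severities and the
"broad scope" rule are assumptions for this example; the fixtures below
are constructed, not the PR's own.
"""
from dataclasses import dataclass

# Azure built-in ACR roles that grant write/delete on repositories.
BROAD_WRITE_ROLES = frozenset({"AcrPush", "AcrDelete"})
# Assumption: an AcrPush/AcrDelete assignment is "broad" when its scope is
# wider than the single registry resource.
WIDE_SCOPES = frozenset({"subscription", "resource_group"})


@dataclass(frozen=True)
class Finding:
    gate: str
    severity: str
    detail: str


def evaluate_acr(evidence: dict) -> list[Finding]:
    """Return one Finding per failed gate for a single registry's evidence."""
    findings: list[Finding] = []
    name = evidence.get("name", "<unnamed>")

    # ACR-REG-1 (assumed numbering): admin account enabled on a production registry.
    if evidence.get("admin_enabled") and evidence.get("environment") == "production":
        findings.append(Finding("ACR-REG-1", "high", f"{name}: admin account enabled in production"))

    # ACR-REG-2: public network access with no IP/VNet rule restricting it.
    public = evidence.get("public_network_access") == "Enabled"
    if public and not evidence.get("network_rules"):
        findings.append(Finding("ACR-REG-2", "high", f"{name}: unrestricted public network access"))

    # ACR-REG-3: a private registry must evidence Private DNS and build-agent reachability.
    if not public:
        missing = [k for k in ("private_dns_zone", "build_agent_reachability") if not evidence.get(k)]
        if missing:
            findings.append(Finding("ACR-REG-3", "medium", f"{name}: missing evidence for {', '.join(missing)}"))

    # ACR-REG-4: AcrPush/AcrDelete granted at a scope wider than the registry.
    for ra in evidence.get("role_assignments", []):
        if ra["role"] in BROAD_WRITE_ROLES and ra["scope"] in WIDE_SCOPES:
            findings.append(Finding("ACR-REG-4", "high",
                                    f"{name}: {ra['role']} for {ra['principal']} at {ra['scope']} scope"))

    # ACR-REG-5: Defender for Containers image scanning must be evidenced.
    if not evidence.get("defender_image_scanning"):
        findings.append(Finding("ACR-REG-5", "medium", f"{name}: no Defender image scanning evidence"))

    return findings


# Constructed fixtures modelled on the two cases the PR describes.
BENIGN_REGISTRY = {
    "name": "acrprodprivate",
    "environment": "production",
    "admin_enabled": False,
    "public_network_access": "Disabled",
    "private_dns_zone": "privatelink.azurecr.io",
    "build_agent_reachability": "registry FQDN resolved to private IP from build subnet",
    "role_assignments": [{"role": "AcrPull", "principal": "aks-kubelet-mi", "scope": "registry"}],
    "defender_image_scanning": True,
}

VULNERABLE_REGISTRY = {
    "name": "acrprodpublic",
    "environment": "production",
    "admin_enabled": True,
    "public_network_access": "Enabled",
    "network_rules": [],
    "role_assignments": [{"role": "AcrPush", "principal": "all-devs", "scope": "subscription"}],
    "defender_image_scanning": False,
}


def failed_gates(evidence: dict) -> list[str]:
    """Gate IDs that failed, in gate order, without duplicates."""
    seen: list[str] = []
    for f in evaluate_acr(evidence):
        if f.gate not in seen:
            seen.append(f.gate)
    return seen


if __name__ == "__main__":
    for fixture in (BENIGN_REGISTRY, VULNERABLE_REGISTRY):
        for f in evaluate_acr(fixture):
            print(f"{f.gate} [{f.severity}] {f.detail}")
```

Running the module prints nothing for the benign fixture and four findings for the vulnerable one. The private-DNS gate only fires for registries with public access disabled, since a public registry has no Private Link path to evidence; a public registry that carries network rules passes the public-access gate but still has its other posture checked.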



Development

Successfully merging this pull request may close these issues.

[REVIEW] azure-review: add ACR admin and private-network evidence gates