Add Azure App Service publishing auth gates #1718

Open
yanziwei wants to merge 1 commit into UnitOneAI:main from yanziwei:improve/azure-app-service-publishing-auth-gates
@yanziwei yanziwei commented Jun 8, 2026

Skill Improvement ($50-150 Bounty)

Skill

  • azure-review
  • Files changed:
    • skills/cloud/azure-review/SKILL.md
    • skills/cloud/azure-review/benchmark-checklist.md

What Was Wrong

The Azure review skill checked App Service runtime controls such as authentication, HTTPS, TLS, client certificates, HTTP/2, and FTP state, but it did not require evidence that deployment-plane basic publishing credentials are disabled for SCM/Kudu/WebDeploy and FTP publishing. Runtime authentication does not protect publish profiles, Local Git, ZipDeploy, WebDeploy, or Kudu/SCM basic-auth deployment endpoints.

What This PR Fixes

  • Bumps azure-review to version 1.0.1.
  • Adds App Service Deployment-Plane Basic Authentication Evidence to the main workflow.
  • Requires SCM/Kudu and FTP basic publishing credential policies to be disabled.
  • Adds coverage for web apps, Function Apps, and deployment slots.
  • Requires non-basic deployment replacement evidence, such as Entra ID/OIDC, managed identity, or federated service principal deployment.
  • Requires publish-profile and stored deployment credential rotation/invalidation evidence.
  • Adds an App Service output matrix for SCM/FTP basic auth, deployment method, publish profile exposure, policy evidence, and status.
  • Adds AzureRM and ARM/Bicep/AzAPI examples to the benchmark checklist.
  • Adds Microsoft references for disabling App Service deployment basic authentication and basicPublishingCredentialsPolicies.

Test Cases / Validation

  • git diff --check passed.
  • Markdown code fence balance passed:
    • SKILL.md fences: 4, balanced.
    • benchmark-checklist.md fences: 98, balanced.
  • Required marker checks passed for:
    • version: "1.0.1"
    • App Service Deployment-Plane Basic Authentication Evidence
    • basicPublishingCredentialsPolicies/scm
    • basicPublishingCredentialsPolicies/ftp
    • SCM Basic Auth
    • ftp_publish_basic_authentication_enabled
    • webdeploy_publish_basic_authentication_enabled
    • configure-basic-auth-disable

Bounty Tier

Moderate improver bounty requested: $100.

Closes #1717
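
The gate this pull request describes, sketched as an added example (not code from the PR or from the skill's files): it builds the SCM/FTP basic-auth status per web app, Function App and deployment slot from an exported ARM template. The sample template, the function names and the status labels are constructed for illustration, resource names are assumed to be literal strings rather than ARM expressions, and a missing policy resource is treated as a finding because it gives no evidence that basic auth is disabled.

```python
import json

SITE = "microsoft.web/sites"
SLOT = "microsoft.web/sites/slots"
POLICY_SUFFIX = "/basicpublishingcredentialspolicies"

# Constructed sample ARM template (illustrative only, not taken from the PR).
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Web/sites", "name": "app-a"},
  {"type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
   "name": "app-a/scm", "properties": {"allow": false}},
  {"type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
   "name": "app-a/ftp", "properties": {"allow": false}},
  {"type": "Microsoft.Web/sites", "name": "func-b", "kind": "functionapp"},
  {"type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies",
   "name": "func-b/scm", "properties": {"allow": true}},
  {"type": "Microsoft.Web/sites/slots", "name": "app-a/staging"},
  {"type": "Microsoft.Web/sites/slots/basicPublishingCredentialsPolicies",
   "name": "app-a/staging/ftp", "properties": {"allow": false}}
]}
""")

def publishing_auth_matrix(template):
    """Return {site_or_slot: {"scm": status, "ftp": status}}."""
    targets, policies = {}, {}
    for res in template.get("resources", []):
        rtype, name = res["type"].lower(), res["name"].lower()
        if rtype in (SITE, SLOT):
            # Runtime settings on the site say nothing about publishing auth.
            targets[name] = {"scm": "MISSING", "ftp": "MISSING"}
        elif rtype.endswith(POLICY_SUFFIX):
            parent, _, kind = name.rpartition("/")
            allow = res.get("properties", {}).get("allow")
            # Only an explicit allow=false counts as disabled.
            policies[(parent, kind)] = "DISABLED" if allow is False else "ENABLED"
    for (parent, kind), status in policies.items():
        if parent in targets and kind in targets[parent]:
            targets[parent][kind] = status
    return targets

def failing_targets(matrix):
    """Sites and slots where SCM or FTP basic auth is not provably disabled."""
    return sorted(t for t, row in matrix.items() if set(row.values()) != {"DISABLED"})

if __name__ == "__main__":
    for target, row in publishing_auth_matrix(SAMPLE_TEMPLATE).items():
        print(f"{target:15} scm={row['scm']:9} ftp={row['ftp']}")
```
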

Development

Successfully merging this pull request may close these issues.

[REVIEW] azure-review: add App Service SCM/FTP publishing basic auth gates
