Objective
Add scanner rule AZ-STOR-006 to detect Azure Storage Accounts where blob soft delete is disabled.
Why this matters
Blob soft delete helps recover blob data after accidental deletion, malicious deletion, or destructive automation mistakes. Without it, deleted blobs may be permanently lost, which weakens recovery options during ransomware, insider-risk, and operational-error scenarios.
This is a good contributor task because OpenShield already has AZ-STOR-001 through AZ-STOR-005 and the new rule can follow the existing storage rule pattern.
Expected behavior
The rule should create a finding when a storage account has blob soft delete disabled or when the scanner cannot confirm that a valid blob delete retention policy is enabled.
A storage account should be treated as compliant when blob soft delete is enabled with a positive retention period.
Suggested implementation notes
- Add a new rule module for AZ-STOR-006 under scanner/rules/.
- Reuse the existing storage account enumeration pattern from AZ-STOR-001 through AZ-STOR-005.
- Fetch blob service properties for each storage account through the Azure client layer instead of calling Azure SDK clients directly inside the rule when possible.
- Include clear finding fields: rule_id, title, severity, resource_id, resource_name, description, remediation, category, and compliance mappings.
- Add or update remediation playbook/docs if the project pattern requires it for new rules.
Files likely involved
- scanner/rules/az_stor_006.py
- scanner/azure_client.py
- scanner/rules/__init__.py, only if required by the loader pattern
- docs/rules-reference.md
- docs/adding-a-rule.md, only if storage examples need updating
- compliance mapping files, if required by the existing rule metadata pattern
- tests/ for rule behavior once the rule test harness is available
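To make the compliant/non-compliant boundary in the expected behavior concrete, here is an added sketch of the rule's evaluation logic. It is not OpenShield's code; the `Finding` dataclass, the `evaluate()` signature and the shape of `blob_props` (a dict mirroring the blob service properties' `delete_retention_policy` with `enabled` and `days`) are assumptions, and the sample inputs are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

RULE_ID = "AZ-STOR-006"  # hypothetical module; shape follows the issue's finding fields


@dataclass
class Finding:
    rule_id: str
    title: str
    severity: str
    resource_id: str
    resource_name: str
    description: str
    remediation: str
    category: str = "storage"
    compliance: dict = field(default_factory=dict)  # filled from the project's mapping files


def retention_days(blob_props: Optional[dict]) -> Optional[int]:
    """Return the confirmed retention period in days, or None if it cannot be confirmed."""
    if not isinstance(blob_props, dict):
        return None  # properties missing or unreadable: treat as unconfirmed
    policy = blob_props.get("delete_retention_policy")
    if not isinstance(policy, dict) or policy.get("enabled") is not True:
        return None
    days = policy.get("days")
    # bool is an int subclass, so exclude it explicitly
    return days if isinstance(days, int) and not isinstance(days, bool) else None


def evaluate(account: dict, blob_props: Optional[dict]) -> Optional[Finding]:
    """Finding when soft delete is disabled or unconfirmed; None when compliant."""
    days = retention_days(blob_props)
    if days is not None and days > 0:
        return None  # compliant: enabled with a positive retention period
    return Finding(
        rule_id=RULE_ID,
        title="Blob soft delete is not enabled",
        severity="Medium",
        resource_id=account["id"],
        resource_name=account["name"],
        description="Blob soft delete is disabled, or a valid delete retention "
                    "policy could not be confirmed, so deleted blobs may be unrecoverable.",
        remediation="Enable blob soft delete on the storage account with a positive "
                    "retention period that matches your recovery objectives.",
    )


# constructed sample: one compliant account and one with soft delete switched off
COMPLIANT = ({"id": "/subs/x/st1", "name": "st1"},
             {"delete_retention_policy": {"enabled": True, "days": 7}})
DISABLED = ({"id": "/subs/x/st2", "name": "st2"},
            {"delete_retention_policy": {"enabled": False, "days": 7}})
```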
Acceptance criteria
Contributor guidance
Please comment before starting so maintainers can confirm the approach and avoid duplicate work. This issue is intentionally unassigned and open for contributors.