Skip to content

Enhance compliance rules, integrations, and CI/CD pipeline#181

Merged
Vishnu2707 merged 125 commits into
mainfrom
dev
Jul 13, 2026
Merged

Enhance compliance rules, integrations, and CI/CD pipeline#181
Vishnu2707 merged 125 commits into
mainfrom
dev

Conversation

@Vishnu2707

Copy link
Copy Markdown
Member

What does this PR do?

Type of change

  • New scan rule
  • Remediation playbook
  • Bug fix
  • Dashboard/front-end work
  • API endpoint
  • Documentation
  • Compliance mapping

Rule details (if applicable)

  • Rule ID: AZ-XXX-000
  • Severity: HIGH / MEDIUM / LOW
  • Category: Storage / Network / Identity / Database / Compute / Key Vault
  • Frameworks mapped: CIS / NIST / ISO 27001 / SOC 2

Testing

  • Tested against a real Azure free trial subscription
  • Returns correct JSON output
  • All seven CI checks pass
  • No hardcoded credentials or secrets

Related issue

Closes #

Checklist

  • My code follows the rule template in CONTRIBUTING.md
  • I added or updated the matching CLI playbook
  • I added or updated all four compliance framework mappings
  • I have not committed any real Azure credentials
  • My branch name follows the convention: feat/description

Vishnu2707 and others added 30 commits April 25, 2026 15:07
* feat: add sentinel/ingest.py — Log Analytics ingestion via HMAC-SHA256

* feat: add sentinel/__init__.py

* feat: add KQL rule — HIGH severity finding detected

* feat: add KQL rule — misconfiguration wave detection

* feat: add KQL rule — new resource type critical detection

* Delete sentinel/rules directory

* Create rules

* Delete sentinel/rules

* Add KQL rule for high severity findings

* Add Misconfiguration Wave detection rule

* Add KQL rule for persistent misconfiguration detection

* Add KQL rule for new critical resource types

This rule identifies new resource types with critical findings that have occurred in the last 24 hours, excluding known types from the last 30 days.

* Add script to generate test findings in JSON format

This script generates test findings related to security compliance and saves them in a JSON file.

* Add Sentinel integration test plan and results

Added a comprehensive test plan for Sentinel integration, detailing test objectives, results, and acceptance criteria for various KQL rules and data ingestion.

* docs: add sentinel integration setup guide

Added a comprehensive setup guide for integrating Sentinel with Azure, covering prerequisites, workspace creation, activation, environment variable setup, ingestion, log verification, KQL rules deployment, and incident verification.
* Add az_net_003.py to check NSG rules for port 443

This script detects Network Security Groups (NSGs) with unrestricted inbound access on port 443 and provides remediation guidance.

* Add AZ-NET-004 rule for empty NSG detection

This script detects Network Security Groups (NSGs) that have no custom security rules configured, providing details for remediation.

* Add AZ-NET-005 rule for DDoS protection check

This script detects virtual networks in Azure that do not have DDoS protection enabled and provides remediation steps.

* feat: add rule AZ-NET-006 — public IP unassociated with any resource

This rule detects public IP addresses that are not associated with any resource, providing details for remediation.

* feat: add rule AZ-NET-007 — Application Gateway without WAF enabled

This rule detects Application Gateways that do not have WAF enabled, logging findings and providing remediation steps.

* feat: add rule AZ-NET-008 — load balancer with no backend pool

This rule detects load balancers in Azure that are not configured with a backend pool, indicating potential misconfiguration or unnecessary costs.

* feat: add rule AZ-NET-009 — VPN gateway using outdated IKE version

This script detects VPN gateways using the outdated IKEv1 protocol and provides remediation steps to migrate to IKEv2.

* feat: add rule AZ-NET-010 — subnet with no NSG attached

This script detects subnets in Azure that do not have a Network Security Group (NSG) attached, logging findings and providing remediation guidance.

* feat: add playbook fix_az_net_003.sh

This script updates the NSG rule to restrict inbound traffic on port 443 to a specified IP range.

* feat: add playbook fix_az_net_004.sh

This script adds a default deny-all inbound rule to a specified NSG.

* feat: add playbook fix_az_net_005.sh

This script enables DDoS protection on a specified virtual network in Azure. It checks for required parameters and provides usage instructions if they are missing.

* feat: add playbook fix_az_net_006.sh

This script deletes unassociated public IP addresses in Azure.

* feat: add playbook fix_az_net_007.sh

This script enables WAF on an Application Gateway, ensuring compliance with the AZ-NET-007 rule.

* feat: add playbook fix_az_net_008.sh

Script to remediate AZ-NET-008 by deleting empty load balancers.

* feat:add script to update VPN connection to IKEv2

This script updates a VPN connection to use IKEv2, ensuring compliance with the AZ-NET-009 rule.

* feat: add playbook fix_az_net_010.sh

This script attaches a specified network security group to a given subnet in a virtual network, ensuring compliance with the AZ-NET-010 rule.

* Clarify description and add note for public-facing services

Updated the description to clarify the risk of exposing port 443 and added a note regarding public-facing services.

* Change severity level from MEDIUM to HIGH

* fix: AZ-NET-005 severity changed to LOW — DDoS Standard high cost on small subscriptions

* Add note about NetworkManagementClient usage

Added a note regarding the creation of NetworkManagementClient directly and suggested a follow-up for consistency.

* Add note about NetworkManagementClient usage

Added a note regarding the use of NetworkManagementClient and suggested a follow-up for consistency.

* Add additional security controls to CIS Azure benchmark

* Refine control descriptions in nist_csf.json

Updated descriptions for various controls to enhance clarity and specificity regarding remote access management, data protection, and security measures.

* fix: add AZ-NET-003 to AZ-NET-010 to ISO27001 compliance framework

Updated descriptions for various controls to clarify compliance requirements and improve security guidance.

---------

Co-authored-by: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com>
* feat: add rule AZ-STOR-003 storage lifecycle policy check

* feat: add rule AZ-STOR-003 storage lifecycle policy check
* docs: add SOC 2 Type II compliance framework mapping for all 20 rules

Added SOC 2 Type II framework with detailed controls for security measures and compliance requirements.

* feat: add soc2 to FRAMEWORK_FILE_MAP in finding.py

add soc2.json to FRAMEWORK_FILE_MAP in finding.py

* feat: add soc2 to SUPPORTED_FRAMEWORKS in compliance.py

Added 'soc2' to the list of supported compliance frameworks.

* Add SOC 2 controls for data protection and management
* refactor: add get_virtual_networks() and get_public_ip_addresses() to AzureClient

* Refactor DDoS protection check to use azure_client

* refactor: AZ-NET-006 now uses azure_client.get_public_ip_addresses()
- Python syntax check on all rule files
  - Rule structure validation (RULE_ID, SEVERITY, FRAMEWORKS) + RULE_ID uniqueness
  - Hardcoded credential scan
  - Playbook existence + bash syntax check for every rule
  - Compliance JSON validation for all four framework files (inc. soc2.json)
  - API syntax check
  - Compliance vs rule cross-reference check
  - CI summary step with per-check pass/fail table (if: always)
  - Fix duplicate DESCRIPTION assignment in az_net_003.py
  - Add pyyaml to requirements.txt for local YAML validation
  - Add docs/ci-pipeline.md with local run commands and design rationale
  - Update CI_PIPELINE_GUIDE.md with final PR description

Closes #30
parthrohit22 and others added 19 commits July 8, 2026 01:27
* feat(db): implement Alembic migrations (#158)

* ci: validate Alembic migrations in backend tests
…d-safe rate limit (#162)

* fix(reliability): score endpoint 500, DB pooling, async CVE enrichment, thread-safe rate limit

Closes #150.

- REL-001: remove duplicate GROUP BY in get_score() that made /api/score always return 500
- REL-002: replace fragile INTERVAL '%s minutes' string substitution with make_interval(mins => %s)
- REL-003: DatabaseManager now borrows connections from a shared psycopg2 connection pool per DSN (DB_POOL_MAX_CONN, default 10) instead of opening a new connection per request
- REL-004: POST /api/scans/<id>/enrich now runs CVE enrichment in a background thread and returns 202 immediately, instead of blocking on synchronous NVD lookups until the request times out
- REL-005: lock-guard the NVD client's rate-limit check so concurrent callers can't fire requests closer together than the allowed gap
- Fix a bug found during review: a failed enrichment write could leave the connection in an aborted-transaction state, silently swallowing the follow-up FAILED status update and leaving the scan stuck at ENRICHING forever; now rolls back first

* fix(tests): consolidate duplicate module import style flagged by code-quality bot

Both test_database_manager_reliability.py and test_nvd_client.py imported
scanner/api modules with both 'import X as x' and 'from X import y' forms.
Consolidated to one form each; test_nvd_client.py switches to string-path
mock.patch() targets instead of importing the module object, avoiding the
need to touch ~15 pre-existing call sites.

* fix(scanner): encapsulate NVD rate limiter state to resolve unused-global false positive

Replaces the bare module-level _last_request_time global (mutated via the
global keyword) with a small _RateLimiter class holding the timestamp and
lock as instance state. Same behavior, but removes the pattern the
code-quality bot's static analysis was misreading as an unused global
(it couldn't see the value is read by the next invocation of the same
function via module state).

* style: apply ruff format to satisfy new CI lint gate

* fix(reliability): restore attempt-count check in recover_stale_scans

The "mark failed" query lost its COALESCE(attempt_count, 1) >= %s clause
during an earlier merge, while still passing 2 params to a query with
only 1 placeholder — this would raise at runtime against a real database
and would mark stale scans failed on their first timeout instead of
after max_attempts retries. Restore the clause to match the tested,
correct version. Also drop the now-superseded REL-002 test, whose
single-query assumptions predate the retry-attempt feature; equivalent
coverage now lives in tests/test_async_scan_persistence.py.

* fix: remove dead run_migrations() call from create_app()

A previous merge auto-resolved cleanly across files but left this call
site stranded: api/models/finding.py dropped run_migrations() (schema
is now Alembic-managed, applied via startup.sh) while api/app.py still
called it whenever DATABASE_URL was set. Git's merge saw no conflict
because the removal and the call site were in different files, but the
result crashed create_app() with AttributeError in any environment with
a real DATABASE_URL configured (e.g. CI's Postgres service), which is
exactly why this passed locally (no DATABASE_URL set) but failed in CI.
* test: add scanner rule and engine validation coverage

Expand scanner rule regression coverage so all 45 rules have dedicated
compliant and non-compliant cases (includes az_net_015). Add ScanEngine
integration tests for rule loading, score consistency, and rule-failure
isolation.

Extend MockAzureClient test support only; no production code is changed.

Full suite: 170 passed.
Rule regression slice: 92 passed.
Engine integration: 4 passed.

Note: AZ-NET-009 and AZ-NET-012 tests validate intended isolated rule
logic. The production integration defects discovered during validation are
documented separately in the validation report.

* docs: add comprehensive validation report

Document the full OpenShield validation pass across environment setup,
static checks, backend tests, scanner rules, engine integration, local API
smoke tests, frontend build, AI/RAG, CVE/NVD, Sentinel review, security
checks, documentation accuracy, and live deployment status.

The report records remaining follow-up issues including AZ-NET-009,
AZ-NET-012, AI chunker syntax failure, Sentinel field mapping mismatch,
stale documentation counts, dependency CVEs, and deferred Azure/Sentinel
live validation.

* test: relax engine rule-count assertions to >= 45

Future rule additions should not break the engine integration tests.
Assert at least the current 45-rule coverage exists rather than the
exact total (addresses reviewer feedback).

* test: finalize validation coverage for merge

* test: apply ruff format and line-length fixes to validation tests
…ials (#176)

* docs: add design spec for Terraform IaC + Azure OIDC (issue #160)

* docs: add implementation plan for Terraform IaC + Azure OIDC (issue #160)

* infra: add Terraform provider/backend skeleton for Render and Vercel

* infra: define Render Postgres, web service, and shared secrets env group

* infra: define Vercel projects for the dashboard and website

* infra: add Terraform outputs and module README

* ci: add Terraform fmt/validate/plan workflow for infra PRs

* ci: authenticate to Azure via OIDC instead of a long-lived client secret

* docs: document one-time Azure AD federated credential setup for OIDC

* docs: update secrets table for OIDC, add secrets inventory doc
…ing, playbook path traversal (#161)

* fix(security): body size limit, Gemini key in header, AI rate limiting, playbook path traversal guard

Closes #149.

- SEC-002: cap request bodies at 2MB with a JSON 413 handler
- SEC-003: send the Gemini API key via x-goog-api-key header instead of a URL query param, so it never leaks into logs
- SEC-004: add a lightweight in-memory rate limiter (20 req/min/IP) on all AI endpoints
- SEC-005: validate rule_id and confirm the resolved script path stays inside playbooks/cli/ before reading it
- SEC-001 was already fixed on dev via #144; added a regression test to lock it in

* fix(security): back rate limiter with Postgres, trust Render's proxy hop for client IP

- Merge latest dev (ruff lint/format CI gate) and reformat the one flagged file
- Replace the in-memory rate limiter with a Postgres-backed shared counter
  (rate_limit_hits table + advisory transaction lock) so all gunicorn worker
  processes enforce one real limit instead of each having its own counter
- Add ProxyFix so request.remote_addr reflects the real client behind
  Render's reverse proxy instead of collapsing every caller into one IP
- Reuse the existing g.db connection instead of a second untracked one, so
  it's closed by the app's existing teardown handler instead of leaking
- Refuse (503) instead of silently and permanently disabling rate limiting
  when DATABASE_URL is unset, and roll back on a mid-transaction error

* fix(tests): use single import style for api.rate_limit
…ervices (#172)

* infra: add deterministic Render deploy pipeline

* infra: make Render deploy workflow manual

* fix(deploy): coordinate API and worker releases

* fix(deploy): add resilient Render polling

* test(deploy): cover coordinated deployment failures

* docs(deploy): document dual-service Render releases

* fix(deploy): avoid logging dispatch input

* fix(deploy): correct rollback path and Render web configuration

* docs(deploy): retire obsolete Render deployment guide

---------

Co-authored-by: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

requirements.txt

PackageVersionLicenseIssue Type
alembic1.18.5NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
actions/actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 🟢 7
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 10all changesets reviewed
Maintained🟢 1018 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
SAST🟢 10SAST tool is run on all commits
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
actions/hashicorp/setup-terraform b9cd54a3c349d3f38e8881555d616ced269862dd 🟢 6.4
Details
CheckScoreReason
Maintained🟢 1013 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 6Found 6/10 approved changesets -- score normalized to 6
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 10all dependencies are pinned
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 10security policy file detected
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/alembic 1.18.5 UnknownUnknown

Scanned Files

  • .github/workflows/terraform-plan.yml
  • requirements.txt

@Vishnu2707
Vishnu2707 requested review from TFT444 and removed request for parthrohit22 and ritiksah141 July 13, 2026 01:03

@TFT444 TFT444 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ready to merge

@Vishnu2707
Vishnu2707 merged commit 9e7c5c8 into main Jul 13, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

10 participants