Skip to content

feat(scanner): add enterprise AKS security rule pack#189

Merged
Vishnu2707 merged 3 commits into
devfrom
feat/186-aks-security-rules
Jul 15, 2026
Merged

feat(scanner): add enterprise AKS security rule pack#189
Vishnu2707 merged 3 commits into
devfrom
feat/186-aks-security-rules

Conversation

@TFT444

@TFT444 TFT444 commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

Adds enterprise-focused Azure Kubernetes Service control-plane coverage with a cached, failure-aware AKS inventory accessor and six independently testable security rules.

Type of change

  • New scan rules
  • Remediation playbooks
  • Documentation
  • Compliance mapping

Rule details

Rule Severity Detection
AZ-AKS-001 HIGH Private cluster not enabled
AZ-AKS-002 HIGH Local Kubernetes accounts enabled
AZ-AKS-003 HIGH Managed identity not used
AZ-AKS-004 MEDIUM OIDC issuer or Workload Identity disabled
AZ-AKS-005 MEDIUM Azure Policy add-on disabled
AZ-AKS-006 HIGH Managed node OS security upgrades disabled

Category: Kubernetes

Design and safety

  • Uses ARM management-plane inspection only; it never requests kubeconfig or Kubernetes administrator credentials.
  • Pins azure-mgmt-containerservice==41.3.0.
  • Supports both flattened legacy SDK objects and the current nested properties model.
  • Caches AKS inventory so six rules perform one subscription-level API call per scan.
  • Preserves None as an indeterminate API/permission failure so an incomplete scan cannot be reported as compliant.
  • Validates resource identity and excludes credentials, tokens, kubeconfig, and secrets from finding metadata.
  • Remediation playbooks validate the Azure account and target, warn about operational impact, require an explicit APPLY, and verify the resulting state.

Compliance

Mappings were added for the repository's existing NIST CSF 1.1, ISO/IEC 27001:2013, and SOC 2 schemas. The repository currently models CIS Microsoft Azure Foundations 2.0.0, which does not directly contain these AKS checks. CIS values are therefore explicitly marked N/A-AKS-*; this PR does not claim CIS Kubernetes Benchmark coverage.

Testing

  • 370 tests passed from a clean checkout
  • 3 existing environment-dependent tests skipped
  • 39 AKS-specific tests passed
  • Compliant, non-compliant, unknown, multiple-cluster, nested-SDK, caching, HTTP-failure, and unexpected-failure paths covered
  • Ruff passed
  • Rule structure, uniqueness, playbook, JSON, and compliance cross-reference validation passed
  • All Bash playbooks passed syntax validation
  • Bandit passed at CI severity threshold
  • pip-audit found no known vulnerabilities using the CI exclusions
  • pip check found no broken requirements
  • No hardcoded credentials or secrets
  • Live Azure subscription validation (requires an approved non-production AKS environment)

Required permission

The scanner only requires:

Microsoft.ContainerService/managedClusters/read

This is included in Azure's built-in Reader role.

Related issue

Closes #186

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
pip/azure-mgmt-containerservice 41.3.0 UnknownUnknown

Scanned Files

  • requirements.txt

@TFT444

TFT444 commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator Author

Resolved: the Dependency Review workflow now contains an exact-version license exception for azure-mgmt-containerservice 41.3.0, with Microsoft's upstream MIT license documented in the workflow. The rerun reports no vulnerabilities or license issues.

@Vishnu2707 @m-khan-97 Whenever you have time have a look please.

@TFT444
TFT444 requested review from m-khan-97 and removed request for SHAURYAKSHARMA24, parthrohit22 and ritiksah141 July 14, 2026 23:26

@Vishnu2707 Vishnu2707 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No blockers, approved.

LGTM.

@Vishnu2707
Vishnu2707 merged commit df873b6 into dev Jul 15, 2026
19 checks passed
@Vishnu2707
Vishnu2707 deleted the feat/186-aks-security-rules branch July 15, 2026 00:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(scanner): propose enterprise AKS security rule pack

2 participants