fix(scanner): improve AZ-NET-008 with SOC2 mapping and azure_client abstraction #108
aav-wh wants to merge 1 commit into
Conversation
m-khan-97
left a comment
Thanks for the contribution. I am requesting changes because this appears to duplicate the existing AZ-NET-008 rule, which already covers load balancers without backend pools.
Please do not merge this as a separate AZ-NET-016 rule in its current form. A better direction would be one of these:
- improve the existing AZ-NET-008 implementation if it has gaps
- add regression tests for the existing load-balancer backend-pool detection
- improve the existing remediation playbook
- refocus this PR on a clearly distinct lifecycle/resource-hygiene case that AZ-NET-008 does not already cover
This branch is also currently conflicting with dev, so it would need to be rebased before any revised version can be reviewed.
Thanks for the review @m-khan-97. Confirmed — AZ-NET-008 already covers this check. Rather than closing, I'll refocus this branch to improve the existing rule: add the missing SOC2: CC8.1 mapping to the FRAMEWORKS dict (it's already in soc2.json but missing from the Python file). I will also rebase against dev to clear the conflicts and update the PR title/description.
@m-khan-97 Changes addressed — duplicate az_net_016.py and its playbook removed, az_net_008.py improved with SOC2 mapping, azure_client.get_load_balancers() abstraction, and resource_group added to metadata. JSON files restored to dev state. CI is passing and conflicts are resolved. Ready for re-review.
@m-khan-97 @parthrohit22, can you please revisit this PR.
m-khan-97
left a comment
Thanks for refocusing this away from a separate AZ-NET-016. The final tree no longer adds scanner/rules/az_net_016.py, and the AZ-NET-008 improvement direction is right.
I am keeping this in changes requested for now because the PR is still not merge-ready against current dev:
- GitHub marks the branch as conflicting (mergeStateStatus: DIRTY). Please rebase or merge current dev and resolve the conflicts.
- The current PR diff still includes out-of-scope framework JSON changes for AZ-IDN-005 through AZ-IDN-009 and AZ-PQC-001 through AZ-PQC-003, plus a deletion of frontend/.gitkeep. Those are unrelated to improving AZ-NET-008 and should be restored to the current dev state.
- Please keep the final diff scoped to the AZ-NET-008 improvement: scanner/rules/az_net_008.py, scanner/azure_client.py, and only the SOC2 mapping alignment if it is still missing after rebasing.
Once the branch is conflict-free and the diff is scoped, this can go to the Network review pair (@emon22-ts + @safidnadaf) for final review.
@aav-wh, can you please revisit the PR
Hi @m-khan-97, all three points addressed:
- scanner/rules/az_net_008.py — SOC2 mapping added, migrated to azure_client.get_load_balancers() abstraction, resource_group added to metadata
- No JSON framework files, no frontend/.gitkeep deletion — those have all been cleaned out.
Re-reviewed commit 58c04c6. The previous blockers are resolved: the branch is rebased onto current dev, the duplicate AZ-NET-016 work is gone, and the diff is now limited to scanner/azure_client.py and scanner/rules/az_net_008.py. CI is green, tests/test_rules_network.py passes, and a focused behavior check confirmed the AZ-NET-008 finding, resource_group metadata, and SOC2 CC8.1 mapping.
Approved from my side. Per our review-pair policy, final merge should still wait for the Network reviewers @emon22-ts and @safidnadaf. Non-blocking follow-up: add explicit AZ-NET-008 regression coverage, since the current network test module only exercises AZ-NET-001 and AZ-NET-002.
What does this PR do?
Improves the existing AZ-NET-008 rule rather than adding a duplicate AZ-NET-016 rule, as identified in review.
Changes
- Adds missing SOC2: CC8.1 to the FRAMEWORKS dict in az_net_008.py (the entry already existed in soc2.json but was absent from the Python rule)
- Refactors the scan function to use azure_client.get_load_balancers() for consistency with the project's abstraction pattern
- Adds resource_group to the metadata output
- Removes the duplicate az_net_016.py rule and its playbook
Type of change
Bug fix / improvement to existing rule
Testing
- Returns correct JSON output
- All seven CI checks pass
- No hardcoded credentials or secrets
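The rule behaviour this PR describes (flag load balancers with empty backend pools, carry resource_group in the finding metadata, map the finding to SOC2 CC8.1), as an added example that is not the project's az_net_008.py or azure_client; the client interface, field names and sample resources are assumptions made for illustration.

```python
"""Example AZ-NET-008 style check written for this page, not the project's az_net_008.py.
Assumed interface: client.get_load_balancers() returns dicts with "id", "name",
"location" and "backend_address_pools". All sample data below is constructed."""
from dataclasses import dataclass, field

RULE_ID = "AZ-NET-008"
# Framework mapping carried on every finding; SOC2 CC8.1 is the entry this PR adds.
FRAMEWORKS = {"SOC2": ["CC8.1"]}

@dataclass
class FakeAzureClient:
    """Stand-in for the scanner's azure_client abstraction (assumed interface)."""
    load_balancers: list = field(default_factory=list)

    def get_load_balancers(self):
        return self.load_balancers

def resource_group_from_id(resource_id):
    """Pull the resource group out of an ARM ID; the segment name is case-insensitive."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "resourcegroups":
            return parts[i + 1]
    return None

def scan(client):
    """Return one finding per load balancer with no backend address pools."""
    findings = []
    for lb in client.get_load_balancers():
        if lb.get("backend_address_pools"):  # missing, None or [] all mean "no pool"
            continue
        findings.append({
            "rule_id": RULE_ID,
            "resource": lb["name"],
            "frameworks": FRAMEWORKS,
            "metadata": {"resource_group": resource_group_from_id(lb["id"]),
                         "location": lb.get("location")},
        })
    return findings

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
LB = "/providers/Microsoft.Network/loadBalancers/"
SAMPLE_LBS = [  # constructed sample resources
    {"id": f"{SUB}/resourceGroups/rg-prod{LB}lb-web", "name": "lb-web",
     "location": "eastus", "backend_address_pools": [{"name": "web-pool"}]},
    {"id": f"{SUB}/resourceGroups/rg-stale{LB}lb-orphan", "name": "lb-orphan",
     "location": "eastus", "backend_address_pools": []},
    {"id": f"{SUB}/resourcegroups/rg-legacy{LB}lb-bare", "name": "lb-bare",
     "location": "westus"},  # pools key absent entirely
]
```

`scan(FakeAzureClient(SAMPLE_LBS))` flags lb-orphan and lb-bare but not lb-web; the same call is the shape of the explicit AZ-NET-008 regression check the reviewer asks for as a follow-up.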