Add azure-storage-account-investigation CodeBundle #689

Open
rw-codebundle-agent[bot] wants to merge 1 commit into main from codebundle/azure-storage-account-investigation

@rw-codebundle-agent

Summary

  • Adds azure-storage-account-investigation CodeBundle for issue automatic-index-update #127 (parent automatic-index-update #126)
  • Four read-only investigation tasks: RBAC assignments, Resource Graph dependencies, transaction metrics by authentication type, and StorageBlobLogs access analysis
  • Includes composite SLI scoring investigation completeness (account access, RBAC, metrics, diagnostic logs)
  • Terraform test infrastructure provisions storage account with public blob access, Log Analytics diagnostic settings, and sample RBAC

Design spec alignment

  • Resource-scoped SLX per azure_storage_accounts with AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP, and AZURE_STORAGE_ACCOUNT_NAME qualifiers
  • Each task emits JSON with issues array and risk_assessment (safe_to_disable_public_access, safe_to_disable_shared_key)
  • Task 4 short-circuits with severity 1 when StorageBlobLogs diagnostic settings are not enabled
  • Network-rule / authorization failures reported as findings (exit 0)

Scorer

python -m scorer.score codebundles/azure-storage-account-investigation
Score: 104/104 (passed)

Test plan

  • Deploy .test/terraform and run runbook against test storage account
  • Verify RBAC task lists role assignments and flags Owner/Contributor at resource scope
  • Verify dependency task returns Resource Graph results with blind-spot notes
  • Verify metrics task breaks down Transactions by Authentication dimension
  • Verify access logs task short-circuits when diagnostics disabled; queries StorageBlobLogs when enabled
  • Verify SLI produces 0-1 investigation completeness score

Made with Cursor

Investigate storage account RBAC, Resource Graph dependencies,
transaction metrics, and StorageBlobLogs to support safe remediation
of public blob access and shared key authentication.

Co-authored-by: Cursor <cursoragent@cursor.com>
rw-codebundle-agent bot requested a review from a team as a code owner June 25, 2026 15:39
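
The per-task output described in the PR body (an `issues` array plus a `risk_assessment` with `safe_to_disable_public_access` and `safe_to_disable_shared_key`), applied to the Transactions-by-Authentication breakdown. This is an added example, not code from the CodeBundle: the function names, issue fields, severity numbers and sample totals are assumptions.

```python
import json

# Authentication dimension values on the Azure Storage "Transactions" metric.
# AccountKey and SAS (account/service SAS) depend on the account key; OAuth and
# DelegationSas (user delegation SAS) are backed by Microsoft Entra ID.
SHARED_KEY_TYPES = {"AccountKey", "SAS"}
ANONYMOUS_TYPES = {"Anonymous"}


def _issue(title, details, severity):
    # Issue fields and severity numbers are illustrative, not the CodeBundle's schema.
    return {"title": title, "details": details, "severity": severity}


def assess_transactions(totals, lookback_days):
    """Turn {authentication_type: transaction_count} into a task-style result."""
    issues = []
    anonymous = sum(n for t, n in totals.items() if t in ANONYMOUS_TYPES)
    shared_key = sum(n for t, n in totals.items() if t in SHARED_KEY_TYPES)
    if not totals:
        # No datapoints is not proof of no traffic, so neither flag is set.
        issues.append(_issue("No Transactions metric data returned",
                             f"No datapoints in the last {lookback_days} days.", 3))
    if anonymous:
        issues.append(_issue("Anonymous requests observed",
                             f"{anonymous} anonymous transactions in {lookback_days} days; "
                             "disabling public blob access would break them.", 2))
    if shared_key:
        issues.append(_issue("Shared key authorization in use",
                             f"{shared_key} AccountKey/SAS transactions in {lookback_days} days; "
                             "migrate callers to Entra ID before disabling shared key.", 2))
    have_data = bool(totals)
    return {
        "issues": issues,
        "risk_assessment": {
            "safe_to_disable_public_access": have_data and anonymous == 0,
            "safe_to_disable_shared_key": have_data and shared_key == 0,
        },
    }


# Constructed sample: per-authentication-type totals over a 30-day window.
SAMPLE = {"OAuth": 18250, "AccountKey": 412, "DelegationSas": 97, "Anonymous": 0}

if __name__ == "__main__":
    print(json.dumps(assess_transactions(SAMPLE, 30), indent=2))
```

A metrics window only shows callers that were active during it, so a `true` flag here is evidence to weigh with the RBAC and StorageBlobLogs tasks rather than a decision on its own.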