Problem
OpenShield has no Azure Functions-specific security rules. Function Apps are internet-facing serverless workloads built on App Service, and enterprise teams need visibility into transport security, deployment channels, debugging, and workload identity.
Proposed first-phase rules
| Rule ID |
Check |
Severity |
AZ-FUNC-001 |
HTTPS-only is disabled |
HIGH |
AZ-FUNC-002 |
Minimum inbound TLS version is below the approved baseline |
HIGH |
AZ-FUNC-003 |
FTP/FTPS deployment is not disabled |
MEDIUM |
AZ-FUNC-004 |
Remote debugging is enabled |
HIGH |
AZ-FUNC-005 |
Function App has no managed identity |
MEDIUM |
Maintainers should approve the AZ-FUNC prefix, baseline TLS version, and severities before implementation.
Implementation scope
- Reuse
AzureClient.get_web_apps() but strictly filter Function Apps using the resource kind value.
- Fetch full configuration only through a cached AzureClient accessor; do not instantiate SDK clients inside rules.
- Support Windows, Linux, Consumption, Premium, Dedicated, and Flex Consumption property differences.
- Treat missing properties and API failures as unknown rather than non-compliant.
- Add safe playbooks, framework mappings, minimum permissions, and complete unit tests.
- Do not read or return application settings, connection strings, function keys, deployment credentials, or source code.
Out of scope
Acceptance criteria
References
Problem
OpenShield has no Azure Functions-specific security rules. Function Apps are internet-facing serverless workloads built on App Service, and enterprise teams need visibility into transport security, deployment channels, debugging, and workload identity.
Proposed first-phase rules
AZ-FUNC-001AZ-FUNC-002AZ-FUNC-003AZ-FUNC-004AZ-FUNC-005Maintainers should approve the
AZ-FUNCprefix, baseline TLS version, and severities before implementation.Implementation scope
AzureClient.get_web_apps()but strictly filter Function Apps using the resourcekindvalue.Out of scope
Acceptance criteria
References