Skip to content

feat(scanner): propose enterprise Azure Functions security pack #194

Description

@TFT444

Problem

OpenShield has no Azure Functions-specific security rules. Function Apps are internet-facing serverless workloads built on App Service, and enterprise teams need visibility into transport security, deployment channels, debugging, and workload identity.

Proposed first-phase rules

Rule ID Check Severity
AZ-FUNC-001 HTTPS-only is disabled HIGH
AZ-FUNC-002 Minimum inbound TLS version is below the approved baseline HIGH
AZ-FUNC-003 FTP/FTPS deployment is not disabled MEDIUM
AZ-FUNC-004 Remote debugging is enabled HIGH
AZ-FUNC-005 Function App has no managed identity MEDIUM

Maintainers should approve the AZ-FUNC prefix, baseline TLS version, and severities before implementation.

Implementation scope

  • Reuse AzureClient.get_web_apps() but strictly filter Function Apps using the resource kind value.
  • Fetch full configuration only through a cached AzureClient accessor; do not instantiate SDK clients inside rules.
  • Support Windows, Linux, Consumption, Premium, Dedicated, and Flex Consumption property differences.
  • Treat missing properties and API failures as unknown rather than non-compliant.
  • Add safe playbooks, framework mappings, minimum permissions, and complete unit tests.
  • Do not read or return application settings, connection strings, function keys, deployment credentials, or source code.

Out of scope

Acceptance criteria

  • Maintainers approve rule prefix, scope, TLS baseline, and severities.
  • Existing App Service/PQC checks are not duplicated.
  • Function App detection is accurate and excludes ordinary Web Apps.
  • API and permission failures cannot produce false compliance or false findings.
  • Every rule tests compliant, non-compliant, missing-property, multi-app, and failure paths.
  • Remediation playbooks validate targets and warn about operational impact.
  • Full repository CI and security checks pass.
  • No implementation begins before approval.

References

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
🔨 In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions