
Improve Azure review tenant scope handling #2086

Open

DENGXUELIN wants to merge 1 commit into UnitOneAI:main from DENGXUELIN:improve/azure-tenant-scope-fixtures-39

Conversation

@DENGXUELIN


/claim #39

Summary

Improves azure-review so posture reports qualify tenant, management-group, subscription, and resource evidence before assigning broad Pass results.

Changes include:

  • Adds AZ-SCOPE-01 through AZ-SCOPE-08 gates for evidence source, scope denominator, Conditional Access state/scope, Azure Policy assignment/exemption evidence, Defender plan coverage, diagnostic/private endpoint/network target scope, Not Evaluable reason codes, and exception/retest handling.
  • Extends detailed findings with evidence source, capture identifier, scope coverage, and Not Evaluable reason fields.
  • Adds vulnerable and benign fixtures for IaC-only tenant/subscription overclaiming versus verified live tenant, management-group, subscription, policy, Defender, and resource evidence.

Why

Azure CIS controls span tenant-level Entra ID settings, management-group policy assignments, subscription-scoped Defender plans, and resource-scoped controls. A report-only Conditional Access policy or one subscription Terraform resource should not become tenant-wide or enterprise-wide compliance evidence.

Validation

  • git diff --check origin/main...HEAD
  • git merge-tree --write-tree origin/main HEAD
  • Markdown fence-balance check for skills/cloud/azure-review/SKILL.md
  • Marker check for AZ-SCOPE-01 through AZ-SCOPE-08
  • YAML parse check for both added fixtures
  • Added-line sensitive/public-contact pattern scan

Bounty Info

  • I have read and agree to CONTRIBUTING.md bounty terms.
  • Requested tier: Improver Moderate ($100) if accepted/merged.
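The scope-qualification idea the PR describes (live versus IaC-only evidence, scope level, Conditional Access state, and the scope denominator all checked before a broad Pass is assigned) can be illustrated with a small evaluator. This is an added example, not code from the PR or from the UnitOneAI project; the `Evidence` type, the `qualify` function, and the reason codes are hypothetical, and the sample evidence records are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# A capture taken at a narrower scope level cannot substantiate a broader claim.
LEVEL_RANK = {"tenant": 0, "management_group": 1, "subscription": 2, "resource": 3}


@dataclass
class Evidence:
    control: str
    source: str                  # "live" (API/portal capture) or "iac" (Terraform/Bicep)
    level: str                   # scope level at which the capture was taken
    covered: Set[str] = field(default_factory=set)  # scope IDs actually observed
    ca_state: Optional[str] = None  # Conditional Access policy state, if applicable


def qualify(ev: Evidence, claimed_level: str, in_scope: Set[str]) -> Tuple[str, str]:
    """Decide whether `ev` supports a Pass for `claimed_level` over `in_scope`.

    Returns (result, reason_code). Reason codes are hypothetical illustrations,
    not the AZ-SCOPE gate codes from the PR.
    """
    # Gate 1: IaC declares intended state, not deployed state.
    if ev.source != "live":
        return ("Not Evaluable", "IAC_ONLY_EVIDENCE")
    # Gate 2: subscription evidence cannot prove a tenant- or MG-wide claim.
    if LEVEL_RANK[ev.level] > LEVEL_RANK[claimed_level]:
        return ("Not Evaluable", "LEVEL_MISMATCH")
    # Gate 3: a report-only Conditional Access policy enforces nothing.
    if ev.ca_state is not None and ev.ca_state != "enabled":
        return ("Not Evaluable", "CA_POLICY_NOT_ENFORCED")
    # Gate 4: the denominator is the full in-scope set, not the sampled subset.
    if not in_scope <= ev.covered:
        return ("Partial", "SCOPE_DENOMINATOR_INCOMPLETE")
    return ("Pass", "OK")


if __name__ == "__main__":
    # Constructed sample: two subscriptions in scope for a Defender plan control.
    subs = {"sub-a", "sub-b"}
    samples = [
        Evidence("AZ-DEF-01", "iac", "subscription", {"sub-a"}),
        Evidence("AZ-DEF-01", "live", "subscription", {"sub-a"}),
        Evidence("AZ-DEF-01", "live", "subscription", set(subs)),
    ]
    for ev in samples:
        print(ev.source, sorted(ev.covered), qualify(ev, "subscription", subs))
```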
