Skip to content

Add Azure App Service publishing auth fixtures#2110

Open
DENGXUELIN wants to merge 1 commit into
UnitOneAI:mainfrom
DENGXUELIN:improve/azure-appservice-publishing-auth-fixtures-1717
Open

Add Azure App Service publishing auth fixtures#2110
DENGXUELIN wants to merge 1 commit into
UnitOneAI:mainfrom
DENGXUELIN:improve/azure-appservice-publishing-auth-fixtures-1717

Conversation

@DENGXUELIN

@DENGXUELIN DENGXUELIN commented Jun 8, 2026

Copy link
Copy Markdown

/claim #1717

Summary

Adds fixture-backed App Service publishing-plane basic authentication evidence handling to azure-review.

Changes include:

  • adds AZ-APP-PUBLISH-01 through AZ-APP-PUBLISH-08 for App Service and slot inventory, SCM policy evidence, FTP policy evidence, slot parity, non-basic deployment replacement, credential invalidation, policy/audit coverage, and unsupported runtime-only evidence
  • adds a supplemental App Service publishing evidence output table
  • extends the Azure benchmark checklist with Terraform/AzAPI examples, Azure CLI evidence commands, review checks, and severity guidance for basicPublishingCredentialsPolicies/scm and basicPublishingCredentialsPolicies/ftp
  • adds benign/vulnerable Terraform fixtures for disabled SCM/FTP publishing basic auth with OIDC/audit/policy evidence versus runtime-auth-only hardening with SCM/FTP publishing basic auth still enabled

Why

The existing #1718 and #1721 PRs add useful skill/checklist guidance, but neither adds local regression fixtures. This PR keeps the fix skill-local and adds concrete benign and vulnerable Terraform examples so future reviews distinguish runtime App Service controls from SCM/Kudu/WebDeploy/ZipDeploy and FTP publishing credential exposure.

Validation

  • git diff --check origin/main...HEAD
  • Markdown fence-balance check for modified files
  • Marker check for AZ-APP-PUBLISH-01 through AZ-APP-PUBLISH-08, App Service Deployment-Plane Basic Authentication Evidence, basicPublishingCredentialsPolicies/scm, basicPublishingCredentialsPolicies/ftp, webdeploy_publish_basic_authentication_enabled, ftp_publish_basic_authentication_enabled, AppServiceAuditLogs, configure-basic-auth-disable, and version: "1.0.1"
  • Terraform fixture marker check for disabled/allowed publishing basic auth, slot parity, runtime auth, and audit evidence
  • Added-line ASCII scan
  • Added-line sensitive/public-contact pattern scan
  • git merge-tree --write-tree origin/main HEAD

Bounty

I have read and agree to the CONTRIBUTING.md bounty terms. Requested Improver Moderate tier if accepted.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DENGXUELIN