⭐ Expand Azure resources + scan additional Azure resources as their own platforms #6630
Test Results: 5 112 tests +9, 5 108 ✅ +9, 2m 0s ⏱️ -1s. Results for commit e25a685. ± Comparison against base commit 51341f3. This pull request removes 1 and adds 10 tests. Note that renamed tests count towards both.
| cnquery shell azure <name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value> | ||
| cnspec scan azure compute instance <instance-name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value> | ||
| cnspec scan azure compute snapshot <snapshot-name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value> | ||
| cnquery shell azure <subscription-name> --client-id <your-client-id> --tenant-id <your-tenant-id> --client-secret <your-client-secret-value> |
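Review bot: all four usage examples pass the credential as `--client-secret <your-client-secret-value>` directly on the command line, which leaves it in shell history and in the process list where other local users can read it. Since this text is what users copy from the CLI help, add a line next to these examples saying so, or lead with a form that does not put the secret in argv if the provider accepts one.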
Replaced a tab with spaces so this renders correctly on the CLI
/review
Unable to complete the code review. Please try again or reduce the PR size.
Well-structured expansion following codebase patterns. Verify test helper exists.
Additional findings (file/line not in diff):
- 🔵 `providers/azure/resources/redis.go:139` — The `firewallRules()` method lacks 404 handling that `patchSchedules()` has (line 179). If firewall rules might return 404 when not configured, add the same `errors.As` check for consistency.
| aadMode := armbatch.AuthenticationModeAAD | ||
| sharedKeyMode := armbatch.AuthenticationModeSharedKey | ||
|
|
||
| mockAccount := &armbatch.Account{ |
🟡 warning — The `ptr()` helper function is used throughout but not imported. Verify it exists in package test utilities (e.g., `common_test.go`). If not, add: `func ptr[T any](v T) *T { return &v }`
This commit adds discovery support for 5 additional Azure resource types as their own scannable platforms, and expands existing resources with new fields and sub-resources.

New Asset Platforms (Discovery)

These Azure resources can now be individually discovered and scanned as standalone assets:

┌────────────────────────────────┬───────────────────────┬────────────────────────────┐
│ Title                          │ Discovery Target      │ Platform ID                │
├────────────────────────────────┼───────────────────────┼────────────────────────────┤
│ Azure AKS Cluster              │ aks-clusters          │ azure-aks-cluster          │
│ Azure App Service App          │ app-service-webapps   │ azure-app-service-webapp   │
│ Azure Cache for Redis Instance │ cache-redis-instances │ azure-cache-redis-instance │
│ Azure Batch Account            │ batch-accounts        │ azure-batch-account        │
│ Azure Cosmos DB Account        │ cosmosdb              │ azure-cosmosdb             │
└────────────────────────────────┴───────────────────────┴────────────────────────────┘

Resources Made Public (no longer private)

4 resources were changed from private to public, enabling them to be used as top-level scan targets:

- azure.subscription.webService.appsite
- azure.subscription.cosmosDbService.account
- azure.subscription.aksService.cluster
- azure.subscription.cacheService.redisInstance

Each of these also gained an init function that resolves by asset ID, enabling platform-level scanning.

New Resources (8)

Web/App Service:

- azure.subscription.webService.appServicePlan — App Service plans with SKU, zone redundancy, scaling settings (15 fields)
- azure.subscription.webService.certificate — App Service certificates with thumbprint, issuer, expiration, validity (12 fields)
- azure.subscription.webService.appsite.hostNameBinding — Hostname bindings with SSL state and thumbprint (6 fields)
- azure.subscription.webService.appsite.virtualNetworkConnection — VNet connections with Swift/resync status (5 fields)

Cache for Redis:

- azure.subscription.cacheService.redisInstance.firewallRule — Firewall rules with IP range (5 fields)
- azure.subscription.cacheService.redisInstance.patchSchedule — Patch schedules with entries (4 fields)
- azure.subscription.cacheService.redisInstance.privateEndpointConnection — Private endpoint connections with status (6 fields)

New Fields on Existing Resources

azure.subscription.webService (2 new fields):

- appServicePlans() — list of App Service plans
- certificates() — list of certificates

azure.subscription.webService.appsite (2 new fields):

- hostNameBindings() — hostname bindings for the app
- virtualNetworkConnections() — VNet connections for the app

azure.subscription.cacheService.redisInstance (12 new fields):

- minimumTlsVersion — minimum TLS version
- redisConfiguration — configuration settings dict
- shardCount — number of shards (Premium)
- staticIp — static IP for VNet-injected caches
- subnetId — subnet ID for VNet
- zones — availability zones
- identity — managed identity info
- privateEndpointConnections — private endpoint connections
- firewallRules() — firewall rules
- patchSchedules() — patch schedules

Also fixes inconsistent spacing between discovery blocks in Discover() and adds version entries for all new resources.

Signed-off-by: Tim Smith <tsmith84@gmail.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…D lookup
P1: Replace bare type assertions in init functions with comma-ok pattern
to prevent panics when Value is nil (aks.go, batch.go, cosmosdb.go,
redis.go, web.go).
P2: Guard nil runtime in redis.go createRedisInstanceRawData PEC loop
to prevent panic when called without a plugin runtime.
P2: Normalize resourceID path keys to lowercase at parse-time for
deterministic Component() lookups (O(1) map access instead of O(n)
linear scan).
P3: Replace fmt.Errorf with errors.New for static error strings in
redis.go; remove unused fmt import.
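The comma-ok assertion (P1) and the parse-time lowercasing of resource ID keys (P2) from the commit message above, as an added example that is not code from this PR. `resourceID`, `parseResourceID` and `idFromArg` are hypothetical names, and the sample resource ID is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// resourceID is a hypothetical stand-in for a parsed Azure resource ID.
type resourceID struct {
	components map[string]string // keys are lowercased at parse time
}

// parseResourceID splits "/key/value/key/value" and lowercases every key once,
// so later lookups do not depend on the casing a caller or the API used.
func parseResourceID(id string) (*resourceID, error) {
	parts := strings.Split(strings.Trim(id, "/"), "/")
	if len(parts) < 2 || len(parts)%2 != 0 {
		return nil, errors.New("invalid resource id: expected key/value pairs")
	}
	comps := make(map[string]string, len(parts)/2)
	for i := 0; i < len(parts); i += 2 {
		comps[strings.ToLower(parts[i])] = parts[i+1]
	}
	return &resourceID{components: comps}, nil
}

// Component is a single map access instead of a case-insensitive linear scan.
func (r *resourceID) Component(key string) (string, bool) {
	v, ok := r.components[strings.ToLower(key)]
	return v, ok
}

// idFromArg uses the comma-ok form: a nil or non-string value becomes an
// error instead of the panic a bare value.(string) would raise.
func idFromArg(value any) (string, error) {
	s, ok := value.(string)
	if !ok || s == "" {
		return "", errors.New("id must be a non-empty string")
	}
	return s, nil
}

func main() {
	// Constructed sample ID; not taken from the PR.
	id, _ := parseResourceID("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Cache/Redis/cache1")
	rg, _ := id.Component("RESOURCEGROUPS")
	_, err := idFromArg(nil)
	fmt.Println(rg, err)
}
```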
This commit adds discovery support for 6 additional Azure resource types as their own scannable platforms, and expands existing resources with new fields and sub-resources.
New Asset Platforms (Discovery)
These Azure resources can now be individually discovered and scanned as standalone assets:
Resources Made Public (no longer private)
4 resources were changed from private to public, enabling them to be used as top-level scan targets:
Each of these also gained an init function that resolves by asset ID, enabling platform-level scanning.
New Resources (8)
Web/App Service:
Cache for Redis:
New Fields on Existing Resources
azure.subscription.webService (2 new fields):
azure.subscription.webService.appsite (2 new fields):
azure.subscription.cacheService.redisInstance (12 new fields):