Active findings
0Built-in scenario
azure/sample_azure_safe_plan.jsonSafe Azure Storage Demo
Analyzed sample_azure_safe_plan.json with 4 normalized resources and 0 trust boundaries.
Trust boundaries
0Resources
4Observations
0Analysis coverage
Audit trail for this run
Terraform resources
4
Unsupported
0
Enabled rules
94
Unresolved refs
0
Resource coverage
- Provider resources considered
- 4
- Normalized resources
- 4
No unsupported Azure resource types were encountered.
Rule coverage
- Registered rules
- 94
- Disabled rules
- 0
No enabled rules produced findings.
Findings
Severity bands
High
0No high findings.
Medium
0No medium findings.
Low
0No low findings.
Observations
Controls and mitigating signals
No observations were recorded for this plan.
Trust boundaries
Crossings that drive the model
No trust boundaries were discovered.
Raw outputs
Stable contract and markdown
JSON report
{
"kind": "tfstride-report",
"version": "1.1",
"tool": {
"name": "tfstride",
"version": "0.4.23"
},
"title": "Safe Azure Storage Demo",
"analyzed_file": "sample_azure_safe_plan.json",
"analyzed_path": "sample_azure_safe_plan.json",
"summary": {
"normalized_resources": 4,
"unsupported_resources": 0,
"trust_boundaries": 0,
"active_findings": 0,
"total_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"severity_counts": {
"high": 0,
"medium": 0,
"low": 0
}
},
"filtering": {
"total_findings": 0,
"active_findings": 0,
"suppressed_findings": 0,
"baselined_findings": 0,
"suppressions_path": null,
"baseline_path": null
},
"analysis_coverage": {
"resources": {
"total_resources": 4,
"provider_resources": 4,
"normalized_resources": 4,
"unsupported_resources": 0,
"unsupported_resource_types": {}
},
"rules": {
"registered_rule_count": 94,
"enabled_rules": [
"azure-public-compute-broad-ingress",
"azure-load-balancer-public-frontend",
"azure-application-gateway-public-listener",
"azure-public-application-gateway-waf-missing",
"azure-nsg-flow-logs-not-configured",
"azure-nsg-flow-log-disabled",
"azure-nsg-flow-log-destination-missing",
"azure-nsg-flow-log-retention-insufficient",
"azure-storage-container-public-access",
"azure-storage-account-nested-public-access-enabled",
"azure-storage-account-shared-key-enabled",
"azure-storage-account-minimum-tls-below-1-2",
"azure-storage-account-public-network-unrestricted",
"azure-storage-account-customer-managed-key-missing",
"azure-storage-account-infrastructure-encryption-not-enabled",
"azure-storage-account-blob-versioning-disabled",
"azure-storage-account-blob-soft-delete-insufficient",
"azure-storage-account-container-soft-delete-insufficient",
"azure-storage-account-point-in-time-restore-missing",
"azure-storage-account-missing-private-endpoint",
"azure-service-bus-public-network-access-not-disabled",
"azure-service-bus-minimum-tls-below-1-2",
"azure-service-bus-minimum-tls-unknown",
"azure-service-bus-local-auth-enabled",
"azure-service-bus-customer-managed-key-missing",
"azure-service-bus-missing-private-endpoint",
"azure-container-registry-public-network-access-not-disabled",
"azure-container-registry-admin-account-enabled",
"azure-container-registry-anonymous-pull-enabled",
"azure-container-registry-customer-managed-key-missing",
"azure-container-registry-missing-private-endpoint",
"azure-key-vault-public-network-access",
"azure-key-vault-missing-private-endpoint",
"azure-key-vault-privileged-access",
"azure-key-vault-purge-protection-disabled",
"azure-key-vault-secret-certificate-lifecycle-incomplete",
"azure-key-vault-key-strength-weak",
"azure-key-vault-key-rotation-policy-incomplete",
"azure-custom-role-wildcard-management-plane",
"azure-custom-role-authorization-management",
"azure-custom-role-broad-management-plane",
"azure-custom-role-broad-data-plane",
"azure-custom-role-subscription-assignable-scope",
"azure-custom-role-assignment-blast-radius",
"azure-rbac-privileged-assignment",
"azure-managed-identity-broad-rbac",
"azure-federated-identity-privileged-access",
"azure-public-workload-sensitive-resource-access",
"azure-app-service-public-network-access-not-disabled",
"azure-app-service-platform-authentication-disabled",
"azure-app-service-anonymous-platform-access-allowed",
"azure-app-service-minimum-tls-below-1-2",
"azure-app-service-minimum-tls-unknown",
"azure-app-service-managed-identity-missing",
"azure-app-service-vnet-integration-missing",
"azure-app-service-access-restrictions-not-default-deny",
"azure-app-service-broad-access-restriction-allow",
"azure-app-service-scm-access-unrestricted",
"azure-app-service-image-not-digest-pinned",
"azure-app-service-can-modify-image-repository",
"azure-public-app-service-storage-mutation-access",
"azure-public-app-service-service-bus-mutation-access",
"azure-app-service-sensitive-app-setting-inline",
"azure-app-service-key-vault-reference-identity-not-configured",
"azure-app-service-key-vault-secret-access-overprivileged",
"azure-diagnostic-settings-missing",
"azure-diagnostic-setting-no-log-destination",
"azure-diagnostic-setting-audit-logs-incomplete",
"azure-defender-pricing-tier-not-standard",
"azure-security-center-auto-provisioning-disabled",
"azure-aks-api-server-public-unrestricted",
"azure-aks-private-cluster-not-enabled",
"azure-aks-local-accounts-not-disabled",
"azure-aks-rbac-posture-weak",
"azure-aks-network-policy-missing",
"azure-aks-workload-identity-not-enabled",
"azure-aks-key-management-service-not-configured",
"azure-aks-monitoring-agent-not-enabled",
"azure-aks-defender-not-enabled",
"azure-aks-azure-policy-not-enabled",
"azure-sql-public-network-access-enabled",
"azure-sql-missing-private-endpoint",
"azure-sql-firewall-broad-public-access",
"azure-sql-minimum-tls-below-1-2",
"azure-sql-security-alert-policy-disabled",
"azure-sql-short-term-backup-retention-insufficient",
"azure-sql-long-term-backup-retention-not-configured",
"azure-sql-backup-geo-redundancy-not-enabled",
"azure-private-endpoint-public-fallback",
"azure-private-endpoint-dns-posture-incomplete",
"azure-postgresql-public-network-access-enabled",
"azure-postgresql-firewall-broad-public-access",
"azure-postgresql-weak-tls-or-ssl",
"azure-postgresql-geo-backup-disabled"
],
"disabled_rules": [],
"severity_overrides": {},
"finding_counts_by_rule": {
"azure-public-compute-broad-ingress": 0,
"azure-load-balancer-public-frontend": 0,
"azure-application-gateway-public-listener": 0,
"azure-public-application-gateway-waf-missing": 0,
"azure-nsg-flow-logs-not-configured": 0,
"azure-nsg-flow-log-disabled": 0,
"azure-nsg-flow-log-destination-missing": 0,
"azure-nsg-flow-log-retention-insufficient": 0,
"azure-storage-container-public-access": 0,
"azure-storage-account-nested-public-access-enabled": 0,
"azure-storage-account-shared-key-enabled": 0,
"azure-storage-account-minimum-tls-below-1-2": 0,
"azure-storage-account-public-network-unrestricted": 0,
"azure-storage-account-customer-managed-key-missing": 0,
"azure-storage-account-infrastructure-encryption-not-enabled": 0,
"azure-storage-account-blob-versioning-disabled": 0,
"azure-storage-account-blob-soft-delete-insufficient": 0,
"azure-storage-account-container-soft-delete-insufficient": 0,
"azure-storage-account-point-in-time-restore-missing": 0,
"azure-storage-account-missing-private-endpoint": 0,
"azure-service-bus-public-network-access-not-disabled": 0,
"azure-service-bus-minimum-tls-below-1-2": 0,
"azure-service-bus-minimum-tls-unknown": 0,
"azure-service-bus-local-auth-enabled": 0,
"azure-service-bus-customer-managed-key-missing": 0,
"azure-service-bus-missing-private-endpoint": 0,
"azure-container-registry-public-network-access-not-disabled": 0,
"azure-container-registry-admin-account-enabled": 0,
"azure-container-registry-anonymous-pull-enabled": 0,
"azure-container-registry-customer-managed-key-missing": 0,
"azure-container-registry-missing-private-endpoint": 0,
"azure-key-vault-public-network-access": 0,
"azure-key-vault-missing-private-endpoint": 0,
"azure-key-vault-privileged-access": 0,
"azure-key-vault-purge-protection-disabled": 0,
"azure-key-vault-secret-certificate-lifecycle-incomplete": 0,
"azure-key-vault-key-strength-weak": 0,
"azure-key-vault-key-rotation-policy-incomplete": 0,
"azure-custom-role-wildcard-management-plane": 0,
"azure-custom-role-authorization-management": 0,
"azure-custom-role-broad-management-plane": 0,
"azure-custom-role-broad-data-plane": 0,
"azure-custom-role-subscription-assignable-scope": 0,
"azure-custom-role-assignment-blast-radius": 0,
"azure-rbac-privileged-assignment": 0,
"azure-managed-identity-broad-rbac": 0,
"azure-federated-identity-privileged-access": 0,
"azure-public-workload-sensitive-resource-access": 0,
"azure-app-service-public-network-access-not-disabled": 0,
"azure-app-service-platform-authentication-disabled": 0,
"azure-app-service-anonymous-platform-access-allowed": 0,
"azure-app-service-minimum-tls-below-1-2": 0,
"azure-app-service-minimum-tls-unknown": 0,
"azure-app-service-managed-identity-missing": 0,
"azure-app-service-vnet-integration-missing": 0,
"azure-app-service-access-restrictions-not-default-deny": 0,
"azure-app-service-broad-access-restriction-allow": 0,
"azure-app-service-scm-access-unrestricted": 0,
"azure-app-service-image-not-digest-pinned": 0,
"azure-app-service-can-modify-image-repository": 0,
"azure-public-app-service-storage-mutation-access": 0,
"azure-public-app-service-service-bus-mutation-access": 0,
"azure-app-service-sensitive-app-setting-inline": 0,
"azure-app-service-key-vault-reference-identity-not-configured": 0,
"azure-app-service-key-vault-secret-access-overprivileged": 0,
"azure-diagnostic-settings-missing": 0,
"azure-diagnostic-setting-no-log-destination": 0,
"azure-diagnostic-setting-audit-logs-incomplete": 0,
"azure-defender-pricing-tier-not-standard": 0,
"azure-security-center-auto-provisioning-disabled": 0,
"azure-aks-api-server-public-unrestricted": 0,
"azure-aks-private-cluster-not-enabled": 0,
"azure-aks-local-accounts-not-disabled": 0,
"azure-aks-rbac-posture-weak": 0,
"azure-aks-network-policy-missing": 0,
"azure-aks-workload-identity-not-enabled": 0,
"azure-aks-key-management-service-not-configured": 0,
"azure-aks-monitoring-agent-not-enabled": 0,
"azure-aks-defender-not-enabled": 0,
"azure-aks-azure-policy-not-enabled": 0,
"azure-sql-public-network-access-enabled": 0,
"azure-sql-missing-private-endpoint": 0,
"azure-sql-firewall-broad-public-access": 0,
"azure-sql-minimum-tls-below-1-2": 0,
"azure-sql-security-alert-policy-disabled": 0,
"azure-sql-short-term-backup-retention-insufficient": 0,
"azure-sql-long-term-backup-retention-not-configured": 0,
"azure-sql-backup-geo-redundancy-not-enabled": 0,
"azure-private-endpoint-public-fallback": 0,
"azure-private-endpoint-dns-posture-incomplete": 0,
"azure-postgresql-public-network-access-enabled": 0,
"azure-postgresql-firewall-broad-public-access": 0,
"azure-postgresql-weak-tls-or-ssl": 0,
"azure-postgresql-geo-backup-disabled": 0
}
},
"references": {
"unresolved_reference_count": 0,
"unresolved_references": []
}
},
"inventory": {
"provider": "azure",
"unsupported_resources": [],
"metadata": {
"supported_resource_types": [
"azurerm_advanced_threat_protection",
"azurerm_application_gateway",
"azurerm_container_registry",
"azurerm_federated_identity_credential",
"azurerm_function_app",
"azurerm_key_vault",
"azurerm_key_vault_access_policy",
"azurerm_key_vault_certificate",
"azurerm_key_vault_key",
"azurerm_key_vault_secret",
"azurerm_kubernetes_cluster",
"azurerm_lb",
"azurerm_linux_function_app",
"azurerm_linux_virtual_machine",
"azurerm_linux_web_app",
"azurerm_monitor_diagnostic_setting",
"azurerm_mssql_database",
"azurerm_mssql_firewall_rule",
"azurerm_mssql_server",
"azurerm_mssql_server_security_alert_policy",
"azurerm_mssql_virtual_network_rule",
"azurerm_network_interface",
"azurerm_network_interface_security_group_association",
"azurerm_network_security_group",
"azurerm_network_security_rule",
"azurerm_network_watcher_flow_log",
"azurerm_postgresql_flexible_server",
"azurerm_postgresql_flexible_server_configuration",
"azurerm_postgresql_flexible_server_database",
"azurerm_postgresql_flexible_server_firewall_rule",
"azurerm_private_dns_zone",
"azurerm_private_dns_zone_virtual_network_link",
"azurerm_private_endpoint",
"azurerm_public_ip",
"azurerm_role_assignment",
"azurerm_role_definition",
"azurerm_security_center_auto_provisioning",
"azurerm_security_center_contact",
"azurerm_security_center_setting",
"azurerm_security_center_subscription_pricing",
"azurerm_security_center_workspace",
"azurerm_servicebus_namespace",
"azurerm_servicebus_namespace_customer_managed_key",
"azurerm_servicebus_namespace_network_rule_set",
"azurerm_servicebus_queue",
"azurerm_servicebus_subscription",
"azurerm_servicebus_topic",
"azurerm_storage_account",
"azurerm_storage_account_network_rules",
"azurerm_storage_container",
"azurerm_subnet",
"azurerm_subnet_network_security_group_association",
"azurerm_user_assigned_identity",
"azurerm_virtual_network",
"azurerm_windows_function_app",
"azurerm_windows_virtual_machine",
"azurerm_windows_web_app"
],
"total_input_resources": 4,
"provider_resource_count": 4,
"normalized_resource_count": 4,
"unsupported_resource_types": {}
},
"resources": [
{
"address": "azurerm_monitor_diagnostic_setting.logs",
"provider": "azure",
"resource_type": "azurerm_monitor_diagnostic_setting",
"name": "logs",
"category": "iam",
"identifier": "logs-audit",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"name": "logs-audit",
"diagnostic_setting_name": "logs-audit",
"diagnostic_target_resource_id": "azurerm_storage_account.logs.id",
"diagnostic_log_analytics_workspace_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.OperationalInsights/workspaces/tfstride-logs",
"diagnostic_log_records": [
{
"category_group": "audit"
}
],
"diagnostic_metric_records": [
{
"category": "AllMetrics",
"enabled": true
}
],
"diagnostic_enabled_log_categories": [],
"diagnostic_enabled_log_category_groups": [
"audit"
],
"diagnostic_metric_categories": [
"AllMetrics"
],
"azure_security_posture_uncertainties": []
}
},
{
"address": "azurerm_storage_account.logs",
"provider": "azure",
"resource_type": "azurerm_storage_account",
"name": "logs",
"category": "data",
"identifier": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridesafelogs",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "tfstridesafelogs",
"storage_account_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridesafelogs",
"network_default_action": "Deny",
"allow_nested_items_to_be_public": false,
"shared_access_key_enabled": false,
"storage_infrastructure_encryption_enabled": true,
"storage_customer_managed_key_id": "azurerm_key_vault_key.storage.id",
"storage_customer_managed_key_identity_id": "azurerm_user_assigned_identity.storage.id",
"storage_blob_versioning_enabled": true,
"storage_blob_delete_retention_days": 30,
"storage_container_delete_retention_days": 14,
"storage_blob_restore_policy_days": 7,
"public_network_fallback_state": "disabled",
"public_network_access_enabled": false,
"min_tls_version": "TLS1_2",
"storage_encrypted": true,
"network_rule_source_address": "azurerm_storage_account_network_rules.logs",
"direct_internet_reachable": false,
"internet_ingress_capable": false,
"public_access_reasons": [],
"internet_ingress_reasons": []
}
},
{
"address": "azurerm_storage_account_network_rules.logs",
"provider": "azure",
"resource_type": "azurerm_storage_account_network_rules",
"name": "logs",
"category": "network",
"identifier": "azurerm_storage_account.logs.id",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "standard",
"metadata": {
"storage_account_reference": "azurerm_storage_account.logs.id",
"network_rule_source_address": "azurerm_storage_account_network_rules.logs",
"network_default_action": "Deny",
"resolved_storage_account_address": "azurerm_storage_account.logs"
}
},
{
"address": "azurerm_storage_container.private",
"provider": "azure",
"resource_type": "azurerm_storage_container",
"name": "private",
"category": "data",
"identifier": "private",
"arn": null,
"vpc_id": null,
"subnet_ids": [],
"security_group_ids": [],
"attached_role_arns": [],
"network_rules": [],
"policy_statements": [],
"public_access_configured": false,
"public_exposure": false,
"data_sensitivity": "sensitive",
"metadata": {
"name": "private",
"storage_account_reference": "azurerm_storage_account.logs.id",
"container_access_type": "private",
"storage_encrypted": true,
"resolved_storage_account_address": "azurerm_storage_account.logs",
"publicly_accessible": false,
"direct_internet_reachable": false,
"public_access_reasons": [],
"public_exposure_reasons": []
}
}
]
},
"trust_boundaries": [],
"findings": [],
"suppressed_findings": [],
"baselined_findings": [],
"observations": [],
"limitations": [
"Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.",
"The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
]
}
Markdown report
# Safe Azure Storage Demo
- Analyzed file: `sample_azure_safe_plan.json`
- Provider: `azure`
- Normalized resources: `4`
- Unsupported resources: `0`
## Summary
This run identified **0 trust boundaries** and **0 findings** across **4 normalized resources**.
- High severity findings: `0`
- Medium severity findings: `0`
- Low severity findings: `0`
## Analysis Coverage
- Terraform resources seen: `4`
- Provider resources considered: `4`
- Normalized resources: `4`
- Unsupported resources: `0`
- Registered provider rules (Azure): `94`
- Enabled provider rules (Azure): `94`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
## Discovered Trust Boundaries
No trust boundaries were discovered.
## Findings
### High
No findings in this severity band.
### Medium
No findings in this severity band.
### Low
No findings in this severity band.
## Limitations / Unsupported Resources
- Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.
Limits
Unsupported or intentionally scoped areas
- Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.