Built-in scenario

azure/sample_azure_safe_plan.json

Safe Azure Storage Demo

Analyzed sample_azure_safe_plan.json with 4 normalized resources and 0 trust boundaries.

Analyze another plan

Active findings

0

Trust boundaries

0

Resources

4

Observations

0
High 0
Medium 0
Low 0

Analysis coverage

Audit trail for this run

Terraform resources 4
Unsupported 0
Enabled rules 94
Unresolved refs 0

Resource coverage

Provider resources considered
4
Normalized resources
4

No unsupported Azure resource types were encountered.

Rule coverage

Registered rules
94
Disabled rules
0

No enabled rules produced findings.

Findings

Severity bands

High

0

No high findings.

Medium

0

No medium findings.

Low

0

No low findings.

Observations

Controls and mitigating signals

No observations were recorded for this plan.

Trust boundaries

Crossings that drive the model

No trust boundaries were discovered.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "Safe Azure Storage Demo",
  "analyzed_file": "sample_azure_safe_plan.json",
  "analyzed_path": "sample_azure_safe_plan.json",
  "summary": {
    "normalized_resources": 4,
    "unsupported_resources": 0,
    "trust_boundaries": 0,
    "active_findings": 0,
    "total_findings": 0,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 0,
      "medium": 0,
      "low": 0
    }
  },
  "filtering": {
    "total_findings": 0,
    "active_findings": 0,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 4,
      "provider_resources": 4,
      "normalized_resources": 4,
      "unsupported_resources": 0,
      "unsupported_resource_types": {}
    },
    "rules": {
      "registered_rule_count": 94,
      "enabled_rules": [
        "azure-public-compute-broad-ingress",
        "azure-load-balancer-public-frontend",
        "azure-application-gateway-public-listener",
        "azure-public-application-gateway-waf-missing",
        "azure-nsg-flow-logs-not-configured",
        "azure-nsg-flow-log-disabled",
        "azure-nsg-flow-log-destination-missing",
        "azure-nsg-flow-log-retention-insufficient",
        "azure-storage-container-public-access",
        "azure-storage-account-nested-public-access-enabled",
        "azure-storage-account-shared-key-enabled",
        "azure-storage-account-minimum-tls-below-1-2",
        "azure-storage-account-public-network-unrestricted",
        "azure-storage-account-customer-managed-key-missing",
        "azure-storage-account-infrastructure-encryption-not-enabled",
        "azure-storage-account-blob-versioning-disabled",
        "azure-storage-account-blob-soft-delete-insufficient",
        "azure-storage-account-container-soft-delete-insufficient",
        "azure-storage-account-point-in-time-restore-missing",
        "azure-storage-account-missing-private-endpoint",
        "azure-service-bus-public-network-access-not-disabled",
        "azure-service-bus-minimum-tls-below-1-2",
        "azure-service-bus-minimum-tls-unknown",
        "azure-service-bus-local-auth-enabled",
        "azure-service-bus-customer-managed-key-missing",
        "azure-service-bus-missing-private-endpoint",
        "azure-container-registry-public-network-access-not-disabled",
        "azure-container-registry-admin-account-enabled",
        "azure-container-registry-anonymous-pull-enabled",
        "azure-container-registry-customer-managed-key-missing",
        "azure-container-registry-missing-private-endpoint",
        "azure-key-vault-public-network-access",
        "azure-key-vault-missing-private-endpoint",
        "azure-key-vault-privileged-access",
        "azure-key-vault-purge-protection-disabled",
        "azure-key-vault-secret-certificate-lifecycle-incomplete",
        "azure-key-vault-key-strength-weak",
        "azure-key-vault-key-rotation-policy-incomplete",
        "azure-custom-role-wildcard-management-plane",
        "azure-custom-role-authorization-management",
        "azure-custom-role-broad-management-plane",
        "azure-custom-role-broad-data-plane",
        "azure-custom-role-subscription-assignable-scope",
        "azure-custom-role-assignment-blast-radius",
        "azure-rbac-privileged-assignment",
        "azure-managed-identity-broad-rbac",
        "azure-federated-identity-privileged-access",
        "azure-public-workload-sensitive-resource-access",
        "azure-app-service-public-network-access-not-disabled",
        "azure-app-service-platform-authentication-disabled",
        "azure-app-service-anonymous-platform-access-allowed",
        "azure-app-service-minimum-tls-below-1-2",
        "azure-app-service-minimum-tls-unknown",
        "azure-app-service-managed-identity-missing",
        "azure-app-service-vnet-integration-missing",
        "azure-app-service-access-restrictions-not-default-deny",
        "azure-app-service-broad-access-restriction-allow",
        "azure-app-service-scm-access-unrestricted",
        "azure-app-service-image-not-digest-pinned",
        "azure-app-service-can-modify-image-repository",
        "azure-public-app-service-storage-mutation-access",
        "azure-public-app-service-service-bus-mutation-access",
        "azure-app-service-sensitive-app-setting-inline",
        "azure-app-service-key-vault-reference-identity-not-configured",
        "azure-app-service-key-vault-secret-access-overprivileged",
        "azure-diagnostic-settings-missing",
        "azure-diagnostic-setting-no-log-destination",
        "azure-diagnostic-setting-audit-logs-incomplete",
        "azure-defender-pricing-tier-not-standard",
        "azure-security-center-auto-provisioning-disabled",
        "azure-aks-api-server-public-unrestricted",
        "azure-aks-private-cluster-not-enabled",
        "azure-aks-local-accounts-not-disabled",
        "azure-aks-rbac-posture-weak",
        "azure-aks-network-policy-missing",
        "azure-aks-workload-identity-not-enabled",
        "azure-aks-key-management-service-not-configured",
        "azure-aks-monitoring-agent-not-enabled",
        "azure-aks-defender-not-enabled",
        "azure-aks-azure-policy-not-enabled",
        "azure-sql-public-network-access-enabled",
        "azure-sql-missing-private-endpoint",
        "azure-sql-firewall-broad-public-access",
        "azure-sql-minimum-tls-below-1-2",
        "azure-sql-security-alert-policy-disabled",
        "azure-sql-short-term-backup-retention-insufficient",
        "azure-sql-long-term-backup-retention-not-configured",
        "azure-sql-backup-geo-redundancy-not-enabled",
        "azure-private-endpoint-public-fallback",
        "azure-private-endpoint-dns-posture-incomplete",
        "azure-postgresql-public-network-access-enabled",
        "azure-postgresql-firewall-broad-public-access",
        "azure-postgresql-weak-tls-or-ssl",
        "azure-postgresql-geo-backup-disabled"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "azure-public-compute-broad-ingress": 0,
        "azure-load-balancer-public-frontend": 0,
        "azure-application-gateway-public-listener": 0,
        "azure-public-application-gateway-waf-missing": 0,
        "azure-nsg-flow-logs-not-configured": 0,
        "azure-nsg-flow-log-disabled": 0,
        "azure-nsg-flow-log-destination-missing": 0,
        "azure-nsg-flow-log-retention-insufficient": 0,
        "azure-storage-container-public-access": 0,
        "azure-storage-account-nested-public-access-enabled": 0,
        "azure-storage-account-shared-key-enabled": 0,
        "azure-storage-account-minimum-tls-below-1-2": 0,
        "azure-storage-account-public-network-unrestricted": 0,
        "azure-storage-account-customer-managed-key-missing": 0,
        "azure-storage-account-infrastructure-encryption-not-enabled": 0,
        "azure-storage-account-blob-versioning-disabled": 0,
        "azure-storage-account-blob-soft-delete-insufficient": 0,
        "azure-storage-account-container-soft-delete-insufficient": 0,
        "azure-storage-account-point-in-time-restore-missing": 0,
        "azure-storage-account-missing-private-endpoint": 0,
        "azure-service-bus-public-network-access-not-disabled": 0,
        "azure-service-bus-minimum-tls-below-1-2": 0,
        "azure-service-bus-minimum-tls-unknown": 0,
        "azure-service-bus-local-auth-enabled": 0,
        "azure-service-bus-customer-managed-key-missing": 0,
        "azure-service-bus-missing-private-endpoint": 0,
        "azure-container-registry-public-network-access-not-disabled": 0,
        "azure-container-registry-admin-account-enabled": 0,
        "azure-container-registry-anonymous-pull-enabled": 0,
        "azure-container-registry-customer-managed-key-missing": 0,
        "azure-container-registry-missing-private-endpoint": 0,
        "azure-key-vault-public-network-access": 0,
        "azure-key-vault-missing-private-endpoint": 0,
        "azure-key-vault-privileged-access": 0,
        "azure-key-vault-purge-protection-disabled": 0,
        "azure-key-vault-secret-certificate-lifecycle-incomplete": 0,
        "azure-key-vault-key-strength-weak": 0,
        "azure-key-vault-key-rotation-policy-incomplete": 0,
        "azure-custom-role-wildcard-management-plane": 0,
        "azure-custom-role-authorization-management": 0,
        "azure-custom-role-broad-management-plane": 0,
        "azure-custom-role-broad-data-plane": 0,
        "azure-custom-role-subscription-assignable-scope": 0,
        "azure-custom-role-assignment-blast-radius": 0,
        "azure-rbac-privileged-assignment": 0,
        "azure-managed-identity-broad-rbac": 0,
        "azure-federated-identity-privileged-access": 0,
        "azure-public-workload-sensitive-resource-access": 0,
        "azure-app-service-public-network-access-not-disabled": 0,
        "azure-app-service-platform-authentication-disabled": 0,
        "azure-app-service-anonymous-platform-access-allowed": 0,
        "azure-app-service-minimum-tls-below-1-2": 0,
        "azure-app-service-minimum-tls-unknown": 0,
        "azure-app-service-managed-identity-missing": 0,
        "azure-app-service-vnet-integration-missing": 0,
        "azure-app-service-access-restrictions-not-default-deny": 0,
        "azure-app-service-broad-access-restriction-allow": 0,
        "azure-app-service-scm-access-unrestricted": 0,
        "azure-app-service-image-not-digest-pinned": 0,
        "azure-app-service-can-modify-image-repository": 0,
        "azure-public-app-service-storage-mutation-access": 0,
        "azure-public-app-service-service-bus-mutation-access": 0,
        "azure-app-service-sensitive-app-setting-inline": 0,
        "azure-app-service-key-vault-reference-identity-not-configured": 0,
        "azure-app-service-key-vault-secret-access-overprivileged": 0,
        "azure-diagnostic-settings-missing": 0,
        "azure-diagnostic-setting-no-log-destination": 0,
        "azure-diagnostic-setting-audit-logs-incomplete": 0,
        "azure-defender-pricing-tier-not-standard": 0,
        "azure-security-center-auto-provisioning-disabled": 0,
        "azure-aks-api-server-public-unrestricted": 0,
        "azure-aks-private-cluster-not-enabled": 0,
        "azure-aks-local-accounts-not-disabled": 0,
        "azure-aks-rbac-posture-weak": 0,
        "azure-aks-network-policy-missing": 0,
        "azure-aks-workload-identity-not-enabled": 0,
        "azure-aks-key-management-service-not-configured": 0,
        "azure-aks-monitoring-agent-not-enabled": 0,
        "azure-aks-defender-not-enabled": 0,
        "azure-aks-azure-policy-not-enabled": 0,
        "azure-sql-public-network-access-enabled": 0,
        "azure-sql-missing-private-endpoint": 0,
        "azure-sql-firewall-broad-public-access": 0,
        "azure-sql-minimum-tls-below-1-2": 0,
        "azure-sql-security-alert-policy-disabled": 0,
        "azure-sql-short-term-backup-retention-insufficient": 0,
        "azure-sql-long-term-backup-retention-not-configured": 0,
        "azure-sql-backup-geo-redundancy-not-enabled": 0,
        "azure-private-endpoint-public-fallback": 0,
        "azure-private-endpoint-dns-posture-incomplete": 0,
        "azure-postgresql-public-network-access-enabled": 0,
        "azure-postgresql-firewall-broad-public-access": 0,
        "azure-postgresql-weak-tls-or-ssl": 0,
        "azure-postgresql-geo-backup-disabled": 0
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "azure",
    "unsupported_resources": [],
    "metadata": {
      "supported_resource_types": [
        "azurerm_advanced_threat_protection",
        "azurerm_application_gateway",
        "azurerm_container_registry",
        "azurerm_federated_identity_credential",
        "azurerm_function_app",
        "azurerm_key_vault",
        "azurerm_key_vault_access_policy",
        "azurerm_key_vault_certificate",
        "azurerm_key_vault_key",
        "azurerm_key_vault_secret",
        "azurerm_kubernetes_cluster",
        "azurerm_lb",
        "azurerm_linux_function_app",
        "azurerm_linux_virtual_machine",
        "azurerm_linux_web_app",
        "azurerm_monitor_diagnostic_setting",
        "azurerm_mssql_database",
        "azurerm_mssql_firewall_rule",
        "azurerm_mssql_server",
        "azurerm_mssql_server_security_alert_policy",
        "azurerm_mssql_virtual_network_rule",
        "azurerm_network_interface",
        "azurerm_network_interface_security_group_association",
        "azurerm_network_security_group",
        "azurerm_network_security_rule",
        "azurerm_network_watcher_flow_log",
        "azurerm_postgresql_flexible_server",
        "azurerm_postgresql_flexible_server_configuration",
        "azurerm_postgresql_flexible_server_database",
        "azurerm_postgresql_flexible_server_firewall_rule",
        "azurerm_private_dns_zone",
        "azurerm_private_dns_zone_virtual_network_link",
        "azurerm_private_endpoint",
        "azurerm_public_ip",
        "azurerm_role_assignment",
        "azurerm_role_definition",
        "azurerm_security_center_auto_provisioning",
        "azurerm_security_center_contact",
        "azurerm_security_center_setting",
        "azurerm_security_center_subscription_pricing",
        "azurerm_security_center_workspace",
        "azurerm_servicebus_namespace",
        "azurerm_servicebus_namespace_customer_managed_key",
        "azurerm_servicebus_namespace_network_rule_set",
        "azurerm_servicebus_queue",
        "azurerm_servicebus_subscription",
        "azurerm_servicebus_topic",
        "azurerm_storage_account",
        "azurerm_storage_account_network_rules",
        "azurerm_storage_container",
        "azurerm_subnet",
        "azurerm_subnet_network_security_group_association",
        "azurerm_user_assigned_identity",
        "azurerm_virtual_network",
        "azurerm_windows_function_app",
        "azurerm_windows_virtual_machine",
        "azurerm_windows_web_app"
      ],
      "total_input_resources": 4,
      "provider_resource_count": 4,
      "normalized_resource_count": 4,
      "unsupported_resource_types": {}
    },
    "resources": [
      {
        "address": "azurerm_monitor_diagnostic_setting.logs",
        "provider": "azure",
        "resource_type": "azurerm_monitor_diagnostic_setting",
        "name": "logs",
        "category": "iam",
        "identifier": "logs-audit",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "logs-audit",
          "diagnostic_setting_name": "logs-audit",
          "diagnostic_target_resource_id": "azurerm_storage_account.logs.id",
          "diagnostic_log_analytics_workspace_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.OperationalInsights/workspaces/tfstride-logs",
          "diagnostic_log_records": [
            {
              "category_group": "audit"
            }
          ],
          "diagnostic_metric_records": [
            {
              "category": "AllMetrics",
              "enabled": true
            }
          ],
          "diagnostic_enabled_log_categories": [],
          "diagnostic_enabled_log_category_groups": [
            "audit"
          ],
          "diagnostic_metric_categories": [
            "AllMetrics"
          ],
          "azure_security_posture_uncertainties": []
        }
      },
      {
        "address": "azurerm_storage_account.logs",
        "provider": "azure",
        "resource_type": "azurerm_storage_account",
        "name": "logs",
        "category": "data",
        "identifier": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridesafelogs",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "tfstridesafelogs",
          "storage_account_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tfstride/providers/Microsoft.Storage/storageAccounts/tfstridesafelogs",
          "network_default_action": "Deny",
          "allow_nested_items_to_be_public": false,
          "shared_access_key_enabled": false,
          "storage_infrastructure_encryption_enabled": true,
          "storage_customer_managed_key_id": "azurerm_key_vault_key.storage.id",
          "storage_customer_managed_key_identity_id": "azurerm_user_assigned_identity.storage.id",
          "storage_blob_versioning_enabled": true,
          "storage_blob_delete_retention_days": 30,
          "storage_container_delete_retention_days": 14,
          "storage_blob_restore_policy_days": 7,
          "public_network_fallback_state": "disabled",
          "public_network_access_enabled": false,
          "min_tls_version": "TLS1_2",
          "storage_encrypted": true,
          "network_rule_source_address": "azurerm_storage_account_network_rules.logs",
          "direct_internet_reachable": false,
          "internet_ingress_capable": false,
          "public_access_reasons": [],
          "internet_ingress_reasons": []
        }
      },
      {
        "address": "azurerm_storage_account_network_rules.logs",
        "provider": "azure",
        "resource_type": "azurerm_storage_account_network_rules",
        "name": "logs",
        "category": "network",
        "identifier": "azurerm_storage_account.logs.id",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "storage_account_reference": "azurerm_storage_account.logs.id",
          "network_rule_source_address": "azurerm_storage_account_network_rules.logs",
          "network_default_action": "Deny",
          "resolved_storage_account_address": "azurerm_storage_account.logs"
        }
      },
      {
        "address": "azurerm_storage_container.private",
        "provider": "azure",
        "resource_type": "azurerm_storage_container",
        "name": "private",
        "category": "data",
        "identifier": "private",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "private",
          "storage_account_reference": "azurerm_storage_account.logs.id",
          "container_access_type": "private",
          "storage_encrypted": true,
          "resolved_storage_account_address": "azurerm_storage_account.logs",
          "publicly_accessible": false,
          "direct_internet_reachable": false,
          "public_access_reasons": [],
          "public_exposure_reasons": []
        }
      }
    ]
  },
  "trust_boundaries": [],
  "findings": [],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [],
  "limitations": [
    "Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# Safe Azure Storage Demo

- Analyzed file: `sample_azure_safe_plan.json`
- Provider: `azure`
- Normalized resources: `4`
- Unsupported resources: `0`

## Summary

This run identified **0 trust boundaries** and **0 findings** across **4 normalized resources**.

- High severity findings: `0`
- Medium severity findings: `0`
- Low severity findings: `0`

## Analysis Coverage

- Terraform resources seen: `4`
- Provider resources considered: `4`
- Normalized resources: `4`
- Unsupported resources: `0`
- Registered provider rules (Azure): `94`
- Enabled provider rules (Azure): `94`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`

## Discovered Trust Boundaries

No trust boundaries were discovered.

## Findings

### High

No findings in this severity band.

### Medium

No findings in this severity band.

### Low

No findings in this severity band.

## Limitations / Unsupported Resources

- Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.

Limits

Unsupported or intentionally scoped areas

  • Azure support covers a curated AzureRM set including Storage, Service Bus, Container Registry, Key Vault, SQL/PostgreSQL, App Service/Function Apps, AKS, networking and public edge, Private Endpoint/DNS-zone-group, diagnostic/Defender, and RBAC/identity posture. Remaining limitations include full Private DNS record correctness, broader RBAC hierarchy, MySQL, runtime application authentication and routing, full AKS node/workload posture, and unsupported platform services; analysis remains plan-local.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.