azure-posture-scan

The core of a cloud security posture management (CSPM) tool, open and free. Collect a read-only snapshot of an Azure subscription, then score it against a CIS-style benchmark and get a graded, per-domain report card with remediation. No agents, no SaaS, nothing leaves your tenant.

Landing page: web/index.html (ready for GitHub Pages)


Why it exists

Commercial CSPM platforms are excellent — and expensive, opaque, and usually cloud-hosted. For a baseline ("are my storage accounts public? is MFA enforced? are SSH/RDP ports open to the world?") you shouldn't need a five-figure contract or to ship your config to a third party. This gives you that baseline in two commands, with logic you can read.

How it works

```text
collect-azure-snapshot.sh  ──►  azure-snapshot.json  ──►  Invoke-AzurePostureScan.ps1  ──►  graded report
   (read-only `az`, once)            (portable)               (offline, repeatable)        (text / json / html)
```

```bash
# 1) Collect — read-only, needs `az login` + Reader on the subscription
./bash/collect-azure-snapshot.sh -o snap.json

# 2) Score — fully offline, produces a graded HTML report card
pwsh ./powershell/Invoke-AzurePostureScan.ps1 -SnapshotPath snap.json -Format html -OutFile report.html
```

Try the engine right now against the bundled sample (no Azure needed):

```bash
pwsh ./powershell/Invoke-AzurePostureScan.ps1 -SnapshotPath examples/azure-snapshot.json -Format text
```

Coverage

15+ controls across Identity, Defender for Cloud, Storage, Database (SQL), Logging, Network, and Key Vault, mapped to CIS Azure guidance. The benchmark lives in controls/azure-cis.json — each control is a dot-path + operator + remediation, so you extend it by editing JSON.
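To make the controls-as-data idea concrete, here is an added example (not the project's engine and not the schema of its controls/azure-cis.json) of how a dot-path + operator + remediation control can be evaluated against a snapshot and rolled up into per-domain grades; the control fields, the snapshot shape and the grade thresholds are all assumptions.

```powershell
# Added example, not the project's own code: a minimal controls-as-data evaluator.
# Constructed snapshot (shape is an assumption, not the collector's real output).
$snapshotJson = @'
{ "identity": { "mfaEnforced": false },
  "storage":  { "allowBlobPublicAccess": false, "minimumTlsVersion": "TLS1_0" } }
'@
$snapshot = $snapshotJson | ConvertFrom-Json

# Hypothetical controls: each is a dot-path into the snapshot, an operator, an
# expected value and the remediation shown when the check fails.
$controls = @(
    @{ id='ID-1'; domain='Identity'; path='identity.mfaEnforced'; operator='eq'; expected=$true
       remediation='Enforce MFA for all users via Conditional Access.' },
    @{ id='ST-1'; domain='Storage'; path='storage.allowBlobPublicAccess'; operator='eq'; expected=$false
       remediation='Disable public blob access on the storage account.' },
    @{ id='ST-2'; domain='Storage'; path='storage.minimumTlsVersion'; operator='eq'; expected='TLS1_2'
       remediation='Set the minimum TLS version to 1.2.' }
)

# Walk a dot-path ("storage.minimumTlsVersion") through the parsed JSON object.
function Get-DotPathValue {
    param([object]$Object, [string]$Path)
    $current = $Object
    foreach ($segment in $Path.Split('.')) {
        if ($null -eq $current) { return $null }
        $current = $current.$segment
    }
    return $current
}

# Evaluate one control; a missing path yields $null and therefore fails an 'eq' check.
function Test-Control {
    param([object]$Snapshot, [hashtable]$Control)
    $actual = Get-DotPathValue -Object $Snapshot -Path $Control.path
    $pass = switch ($Control.operator) {
        'eq'    { $actual -eq $Control.expected }
        'ne'    { $actual -ne $Control.expected }
        'empty' { -not $actual }
        default { throw "Unknown operator '$($Control.operator)'" }
    }
    [pscustomobject]@{ Id = $Control.id; Domain = $Control.domain; Pass = [bool]$pass
                       Actual = $actual; Remediation = if ($pass) { '' } else { $Control.remediation } }
}

# Roll results up per domain into a letter grade (thresholds are assumptions).
function Get-DomainGrades {
    param([object[]]$Results)
    $Results | Group-Object Domain | ForEach-Object {
        $passed = @($_.Group | Where-Object Pass).Count
        $pct = [math]::Round(100 * $passed / $_.Count)
        $grade = if ($pct -ge 90) { 'A' } elseif ($pct -ge 75) { 'B' } elseif ($pct -ge 50) { 'C' } else { 'F' }
        [pscustomobject]@{ Domain = $_.Name; Passed = $passed; Total = $_.Count; Score = $pct; Grade = $grade }
    }
}

$results = foreach ($c in $controls) { Test-Control -Snapshot $snapshot -Control $c }
$results | Format-Table Id, Domain, Pass, Actual, Remediation -AutoSize
Get-DomainGrades -Results $results | Format-Table -AutoSize
```

With the constructed snapshot, ID-1 and ST-2 fail and ST-1 passes, so Identity grades F and Storage grades C; adding a control means adding another hashtable, not touching the evaluator.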

Requirements

  • PowerShell 7+ (pwsh) for the scoring engine.
  • Azure CLI (az) + jq for live collection (az login, Reader role).

Testing

```bash
bash tests/run-tests.sh    # 8 passed, 0 failed
```

Verification boundary (honest): the scoring engine is run for real in CI against the sample snapshot (parse + JSON/HTML rendering + grading all verified). collect-azure-snapshot.sh talks to a live subscription, so CI only syntax-checks it — review and extend the read-only az queries before relying on it. This is a transparent baseline, not a replacement for a managed CSPM's continuous monitoring and full control set.

Author

Anthony Harwelik — security & AI engineering · aharwelik@gmail.com · github.com/aharwelik

© 2026 Anthony Harwelik · MIT License · Posture scoring without the price tag.
