{"skill":{"slug":"auditclaw-azure","displayName":"AuditClaw Azure","summary":"Azure compliance evidence collection for auditclaw-grc. 12 read-only checks across storage, NSG, Key Vault, SQL, compute, App Service, and Defender for Cloud.","description":"---\nname: auditclaw-azure\ndescription: Azure compliance evidence collection for auditclaw-grc. 12 read-only checks across storage, NSG, Key Vault, SQL, compute, App Service, and Defender for Cloud.\nversion: 1.0.1\nuser-invocable: true\nhomepage: https://www.auditclaw.ai\nsource: https://github.com/avansaber/auditclaw-azure\nmetadata: {\"openclaw\":{\"type\":\"executable\",\"install\":{\"pip\":\"scripts/requirements.txt\"},\"requires\":{\"bins\":[\"python3\"],\"env\":[\"AZURE_SUBSCRIPTION_ID\",\"AZURE_CLIENT_ID\",\"AZURE_CLIENT_SECRET\",\"AZURE_TENANT_ID\"]}}}\n---\n# AuditClaw Azure\n\nCompanion skill for auditclaw-grc. Collects compliance evidence from Azure subscriptions using read-only API calls.\n\n**12 checks | Reader + Security Reader roles only | Evidence stored in shared GRC database**\n\n## Security Model\n- **Read-only access**: Requires only Reader + Security Reader roles (subscription-level). No write/modify permissions.\n- **Credentials**: Uses `DefaultAzureCredential` (service principal env vars, `az login`, or managed identity). No credentials stored by this skill.\n- **Dependencies**: Azure SDK packages (all pinned in requirements.txt)\n- **Data flow**: Check results stored as evidence in `~/.openclaw/grc/compliance.sqlite` via auditclaw-grc\n\n## Prerequisites\n- Azure credentials configured (service principal or `az login`)\n- `pip install -r scripts/requirements.txt`\n- auditclaw-grc skill installed and initialized\n\n## Commands\n- \"Run Azure evidence sweep\": Run all checks, store results in GRC database\n- \"Check Azure storage security\": Run storage-specific checks\n- \"Check Azure network security\": Run NSG checks\n- \"Check Azure Key Vault\": Run Key Vault checks\n- \"Check Azure SQL compliance\": Run SQL Server checks\n- \"Check Azure VM encryption\": Run compute checks\n- \"Check Azure App Service\": Run App Service checks\n- \"Check Azure Defender\": Run Defender for Cloud checks\n- \"Show Azure integration health\": Last sync, errors, evidence count\n\n## Usage\nAll evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite\nvia the auditclaw-grc skill's db_query.py script.\n\nTo run a full evidence sweep:\n```\npython3 scripts/azure_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --all\n```\n\nTo run specific checks:\n```\npython3 scripts/azure_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --checks storage,network,keyvault\n```\n\nTo list available checks:\n```\npython3 scripts/azure_evidence.py --list-checks\n```\n\n## Check Categories (7 files, 12 findings)\n\n| Check | What It Verifies |\n|-------|-----------------|\n| **storage** | HTTPS-only transfer, TLS 1.2+, public blob access disabled, network default deny |\n| **network** | NSG no unrestricted SSH (port 22), no unrestricted RDP (port 3389) |\n| **keyvault** | Soft delete + purge protection enabled |\n| **sql** | Server auditing enabled, TDE encryption on all databases |\n| **compute** | VM disk encryption (encryption at host) |\n| **appservice** | HTTPS-only + TLS 1.2+ |\n| **defender** | Defender plans enabled (Standard tier) for critical resource types |\n\n## Authentication\nUses `DefaultAzureCredential` from `azure-identity`. Supports:\n- Service principal: `AZURE_CLIENT_ID` + `AZURE_TENANT_ID` + `AZURE_CLIENT_SECRET`\n- Azure CLI: `az login`\n- Managed identity (when running in Azure)\n\nMinimum roles: **Reader** + **Security Reader** (subscription-level)\n\n## Evidence Storage\nEach check produces evidence items stored with:\n- `source: \"azure\"`\n- `type: \"automated\"`\n- `control_id`: Mapped to relevant SOC2/ISO/HIPAA controls\n- `description`: Human-readable finding summary\n- `file_content`: JSON details of the check result\n\n## Setup Guide\n\nWhen a user asks to set up Azure integration, guide them through these steps:\n\n### Step 1: Create Service Principal\n```\naz ad sp create-for-rbac --name auditclaw-scanner --role Reader --scopes /subscriptions/<SUBSCRIPTION_ID>\n```\n\n### Step 2: Add Security Reader Role\n```\naz role assignment create --assignee <APP_ID> --role \"Security Reader\" --scope /subscriptions/<SUBSCRIPTION_ID>\n```\n\nOnly 2 roles needed: **Reader** + **Security Reader** (subscription-level).\n\n### Step 3: Configure Credentials\nSet environment variables from the service principal output:\n- AZURE_CLIENT_ID (appId)\n- AZURE_CLIENT_SECRET (password)\n- AZURE_TENANT_ID (tenant)\n- AZURE_SUBSCRIPTION_ID\n\n### Step 4: Verify Connection\nRun: `python3 {baseDir}/scripts/azure_evidence.py --test-connection`\n\nThe exact roles are documented in `scripts/azure-roles.json`. Show with:\n  python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider azure\n","tags":{"latest":"1.0.3"},"stats":{"comments":0,"downloads":207,"installsAllTime":0,"installsCurrent":0,"stars":0,"versions":4},"createdAt":1771204479240,"updatedAt":1778491552996},"latestVersion":{"version":"1.0.3","createdAt":1771212519247,"changelog":"- Added homepage and source links to skill metadata.\n- Expanded required environment variables in metadata to include `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID`.\n- Added pip install requirements to skill metadata for easier setup.\n- No changes to core functionality or user commands.","license":null},"metadata":{"setup":[{"key":"AZURE_SUBSCRIPTION_ID","required":true},{"key":"AZURE_CLIENT_ID","required":true},{"key":"AZURE_CLIENT_SECRET","required":true},{"key":"AZURE_TENANT_ID","required":true}],"os":null,"systems":null},"owner":{"handle":"mailnike","userId":"s17ee5y8kxe1zfx1t7te9wcgzx83j215","displayName":"Nikhil Jathar","image":"https://avatars.githubusercontent.com/u/22786232?v=4"},"moderation":null}