agent-bom-discover-azure

Use this skill to collect Azure AI and workload inventory as schema-valid agent-bom inventory. Default to discover-only: write JSON to an operator-selected path and stop.

Guardrails

• Use only operator-approved Azure subscriptions and read-only identities.
• Do not request or display raw AZURE_CLIENT_SECRET, access tokens, or connection strings.
• Do not modify Azure resources. This workflow is discovery-only.
• Write inventory only to a path the operator chose.
• Treat AI-generated prose as non-authoritative; schema-validated inventory JSON is the evidence.

Workflow

python examples/operator_pull/azure_inventory_adapter.py \
  --subscription-id "$AZURE_SUBSCRIPTION_ID" \
  --source azure-skill-invoked \
  --discovery-method skill_invoked_pull \
  --output azure-inventory.json

Scan only when the operator asks for findings:

agent-bom agents --inventory azure-inventory.json --format json --output agent-bom-azure-findings.json

Evidence Contract

The emitted inventory carries discovery_provenance.source_type: skill_invoked_pull, observed_via: skill_invoked_pull, azure_sdk, sanitized metadata.permissions_used, and redacted credential material. If schema validation fails, stop and fix the inventory instead of scanning a best-effort summary.