Skip to content

feat(scanner): add AZ-NET-016 load balancer no backend pool rule#108

Open
aav-wh wants to merge 1 commit into
openshield-org:devfrom
aav-wh:feat/az-net-016
Open

feat(scanner): add AZ-NET-016 load balancer no backend pool rule#108
aav-wh wants to merge 1 commit into
openshield-org:devfrom
aav-wh:feat/az-net-016

Conversation

@aav-wh
Copy link
Copy Markdown
Contributor

@aav-wh aav-wh commented Jun 1, 2026

What does this PR do?

Adds AZ-NET-016 scanner rule to detect Azure load balancers with no backend pool configured, which are either misconfigured or leftover resources from decommissioned workloads.

Type of change

  • New scan rule
  • Remediation playbook
  • Compliance mapping

Rule details

  • Rule ID: AZ-NET-016
  • Severity: LOW
  • Category: Network
  • Frameworks mapped: CIS 9.1 / NIST CM-7 / ISO A.13.1.1 / SOC 2 CC8.1

Testing

  • Returns correct JSON output
  • All seven CI checks pass
  • No hardcoded credentials or secrets

Related issue

Closes #107

Checklist

  • My code follows the rule template in CONTRIBUTING.md
  • I added or updated the matching CLI playbook
  • I added or updated all four compliance framework mappings
  • I have not committed any real Azure credentials
  • My branch name follows the convention: feat/description

@aav-wh
feat(scanner): add AZ-NET-016 load balancer no backend pool rule
23f215d 
- Add scanner/rules/az_net_016.py to detect load balancers with no backend pool
- Add get_load_balancers() to azure_client.py
- Add playbooks/cli/fix_az_net_016.sh remediation script
- Update all 4 compliance framework JSONs with AZ-NET-016 mappings
m-khan-97
m-khan-97 requested changes Jun 6, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@m-khan-97 m-khan-97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution. I am requesting changes because this appears to duplicate the existing AZ-NET-008 rule, which already covers load balancers without backend pools.

Please do not merge this as a separate AZ-NET-016 rule in its current form. A better direction would be one of these:

  • improve the existing AZ-NET-008 implementation if it has gaps
  • add regression tests for the existing load-balancer backend-pool detection
  • improve the existing remediation playbook
  • refocus this PR on a clearly distinct lifecycle/resource-hygiene case that AZ-NET-008 does not already cover

This branch is also currently conflicting with dev, so it would need to be rebased before any revised version can be reviewed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@m-khan-97 m-khan-97 m-khan-97 requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@aav-wh aav-wh

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aav-wh @m-khan-97