feat: add AZ-PQC-001 to AZ-PQC-003 post-quantum cryptography scanner rules

ai/knowledge/skills/post-quantum-cryptography-azure/SKILL.md

@@ -0,0 +1,89 @@
+---
+name: post-quantum-cryptography-azure
+description: Identifies and remediates non-quantum-safe cryptographic configurations in Azure including classical TLS key exchange, RSA and ECC keys in Key Vault, and classical certificate algorithms. Maps findings to NIST PQC standards FIPS 203, FIPS 204, and FIPS 205. Use when assessing quantum readiness of Azure infrastructure or building a Cryptographic Bill of Materials.
+domain: cybersecurity
+subdomain: post-quantum-cryptography
+tags:
+- post-quantum
+- pqc
+- azure
+- key-vault
+- tls
+- cryptography
+- cbom
+version: '1.0'
+author: openshield
+license: Apache-2.0
+nist_csf:
+- PR.DS-2
+- PR.DS-1
+---
+
+# Post-Quantum Cryptography Assessment for Azure
+
+## When to Use
+- When assessing an Azure environment for quantum readiness
+- When building a Cryptographic Bill of Materials for Azure resources
+- When identifying classical cryptographic algorithms that need migration
+- When planning post-quantum migration for Key Vault keys and certificates
+- When evaluating TLS configurations for quantum vulnerability
+
+## Key Concepts
+
+| Term | Definition |
+|------|------------|
+| Harvest Now Decrypt Later | Attack where adversaries collect encrypted traffic today and decrypt it when quantum computers become available |
+| Shor's Algorithm | Quantum algorithm that can break RSA and ECC by solving integer factorisation and discrete logarithm problems efficiently |
+| ML-KEM | Module Lattice Key Encapsulation Mechanism, NIST FIPS 203, post-quantum safe key exchange |
+| ML-DSA | Module Lattice Digital Signature Algorithm, NIST FIPS 204, post-quantum safe signing |
+| SLH-DSA | Stateless Hash-Based Digital Signature Algorithm, NIST FIPS 205, post-quantum safe signing |
+| CBOM | Cryptographic Bill of Materials, inventory of all cryptographic assets in a system |
+| PQMA | Post-Quantum Migration Analyser, tool for validating PQC migration paths |
+
+## OpenShield PQC Rules
+
+| Rule | Description | Severity |
+|------|-------------|----------|
+| AZ-PQC-001 | TLS below 1.3 on App Service | HIGH |
+| AZ-PQC-002 | Key Vault key using RSA or ECC algorithm | HIGH |
+| AZ-PQC-003 | Key Vault certificate using non-quantum-safe signature algorithm | MEDIUM |
+
+## Assessment Workflow
+
+### Step 1: Identify Classical Keys in Key Vault
+```bash
+az keyvault list --output table
+az keyvault key list --vault-name <vault-name> --output table
+az keyvault certificate list --vault-name <vault-name> --output table
+```
+
+### Step 2: Check TLS Configuration on App Services
+```bash
+az webapp list --output table
+az webapp config show --resource-group <rg> --name <app-name> --query minTlsVersion
+```
+
+### Step 3: Build Cryptographic Bill of Materials
+Document all findings with resource ID, algorithm type, key size, expiry date, and dependent services.
+
+### Step 4: Prioritise Migration
+1. Keys and certificates exposed to internet traffic first
+2. Long-lived keys with high blast radius second
+3. Internal service-to-service encryption third
+
+## NIST PQC Standards Reference
+
+| Standard | Algorithm | Use Case |
+|----------|-----------|----------|
+| FIPS 203 | ML-KEM | Key encapsulation, replacing RSA and ECDH key exchange |
+| FIPS 204 | ML-DSA | Digital signatures, replacing RSA-PSS and ECDSA |
+| FIPS 205 | SLH-DSA | Digital signatures, hash-based alternative |
+
+## Compliance Mapping
+
+| Framework | Control | Requirement |
+|-----------|---------|-------------|
+| NIST CSF | PR.DS-2 | Data in transit is protected using quantum-safe algorithms |
+| ISO 27001 | A.10.1.1 | Cryptographic controls policy must address quantum threats |
+| CIS Azure | 8.1 | Key management must include post-quantum migration planning |
+| SOC 2 | CC6.7 | Encryption protecting data in transit must be quantum-safe |

compliance/frameworks/cis_azure_benchmark.json

@@ -172,6 +172,21 @@
       "control_id": "6.4",
       "control_name": "Ensure that Azure Firewall is enabled on Virtual Networks",
       "description": "VNet peering connections with allowGatewayTransit or useRemoteGateways enabled allow traffic to route between network segments through shared gateways. This can break network segmentation and enable lateral movement between zones that should remain isolated. Peering connections should be reviewed and gateway transit disabled unless explicitly required and documented."
+    },
+    "AZ-PQC-001": {
+      "control_id": "9.1",
+      "control_name": "Ensure TLS is enforced with quantum-safe configuration",
+      "description": "App Services configured with TLS versions below 1.3 use classical key exchange algorithms vulnerable to Harvest Now Decrypt Later attacks. CIS 9.1 requires that data in transit is protected using current encryption standards. Enforcing TLS 1.3 minimum reduces exposure to quantum-enabled decryption of captured traffic."
+    },
+    "AZ-PQC-002": {
+      "control_id": "8.1",
+      "control_name": "Ensure Key Vault keys use quantum-safe algorithms",
+      "description": "Key Vault keys using RSA or ECC algorithms are vulnerable to Shor's algorithm on quantum computers. CIS 8.1 requires that cryptographic key management follows current standards. Keys should be inventoried in a Cryptographic Bill of Materials and migration to post-quantum safe algorithms planned."
+    },
+    "AZ-PQC-003": {
+      "control_id": "8.5",
+      "control_name": "Ensure certificates use quantum-safe signature algorithms",
+      "description": "Key Vault certificates signed with RSA or ECDSA are vulnerable to quantum attacks. CIS 8.5 requires that certificate management includes monitoring of algorithm strength. Certificates should be migrated to post-quantum safe signature algorithms such as ML-DSA when CA support is available."
     }
   }
 }

compliance/frameworks/iso27001.json

@@ -172,6 +172,21 @@
       "control_id": "A.13.1.1",
       "control_name": "Network controls",
       "description": "VNet peering connections with gateway transit enabled allow traffic to flow between network segments through shared gateways, potentially bypassing network controls. Networks should be managed and controlled to protect information in systems and applications. Gateway transit on peering connections should be disabled unless explicitly required."
+    },
+    "AZ-PQC-001": {
+      "control_id": "A.10.1.1",
+      "control_name": "Policy on the use of cryptographic controls",
+      "description": "TLS configurations using classical key exchange algorithms do not align with a forward-looking cryptographic controls policy. A.10.1.1 requires that the organisation defines rules for effective use of cryptography. The policy must address post-quantum threats and mandate migration to quantum-safe cipher suites when supported."
+    },
+    "AZ-PQC-002": {
+      "control_id": "A.10.1.1",
+      "control_name": "Policy on the use of cryptographic controls",
+      "description": "Key Vault keys using RSA or ECC do not meet the requirements of a cryptographic controls policy that accounts for quantum threats. A.10.1.1 requires that cryptographic controls are appropriate to the level of risk. Post-quantum safe algorithms must be adopted as part of the cryptographic policy when supported."
+    },
+    "AZ-PQC-003": {
+      "control_id": "A.10.1.1",
+      "control_name": "Policy on the use of cryptographic controls",
+      "description": "Certificates using classical signature algorithms expose the organisation to quantum-enabled signature forgery. A.10.1.1 requires that the cryptographic controls policy covers all cryptographic assets including certificates. Migration planning to post-quantum safe signature algorithms is required."
     }
   }
 }

compliance/frameworks/nist_csf.json

@@ -172,6 +172,21 @@
       "control_id": "PR.AC-5",
       "control_name": "Network integrity is protected",
       "description": "VNet peering with gateway transit enabled allows traffic to cross network boundaries through shared gateways, undermining network segmentation. PR.AC-5 requires that network integrity is protected. Disabling gateway transit on peering connections enforces boundary integrity between network zones."
+    },
+    "AZ-PQC-001": {
+      "control_id": "PR.DS-2",
+      "control_name": "Data in transit is protected",
+      "description": "TLS configurations using classical key exchange algorithms expose data in transit to Harvest Now Decrypt Later attacks. PR.DS-2 requires that data in transit is protected. Migrating to TLS 1.3 and post-quantum safe cipher suites when supported helps data remain protected against quantum-enabled adversaries."
+    },
+    "AZ-PQC-002": {
+      "control_id": "PR.DS-2",
+      "control_name": "Data in transit is protected",
+      "description": "Key Vault keys using RSA or ECC can be broken by Shor's algorithm on quantum computers, compromising protected data and signatures. PR.DS-2 requires that data protection mechanisms are maintained. Post-quantum safe key encapsulation algorithms such as ML-KEM should replace classical alternatives when supported."
+    },
+    "AZ-PQC-003": {
+      "control_id": "PR.DS-2",
+      "control_name": "Data in transit is protected",
+      "description": "Certificates using classical signature algorithms are vulnerable to quantum attacks, undermining authentication and integrity guarantees. PR.DS-2 requires that data protection includes integrity mechanisms. Migration to ML-DSA or SLH-DSA signature algorithms should be planned."
     }
   }
 }

compliance/frameworks/soc2.json

@@ -163,10 +163,25 @@
       "control_name": "Restricts Access from Outside the Network Boundary",
       "description": "A virtual network without an Azure Firewall relies on NSGs alone and lacks a centralized point to inspect, filter, and log traffic crossing the network boundary. CC6.6 requires that logical access from outside the network boundary is restricted and controlled. Deploying an Azure Firewall enforces inspected, logged perimeter access for the network."
     },
-     "AZ-NET-014": {
+    "AZ-NET-014": {
       "control_id": "CC6.6",
       "control_name": "Restricts Access from Outside the Network Boundary",
       "description": "VNet peering with allowGatewayTransit or useRemoteGateways enabled allows traffic to cross network boundaries through shared gateways, weakening the logical separation between network zones. CC6.6 requires that logical access from outside the network boundary is restricted and controlled. Gateway transit on peering connections should be disabled to enforce boundary separation."
+    },
+    "AZ-PQC-001": {
+      "control_id": "CC6.7",
+      "control_name": "Protects Data in Transit",
+      "description": "TLS configurations using classical key exchange algorithms expose data in transit to Harvest Now Decrypt Later attacks where adversaries collect traffic today and decrypt it with future quantum computers. CC6.7 requires that data transmitted over networks is protected using encryption. Enforcing TLS 1.3 minimum reduces this risk."
+    },
+    "AZ-PQC-002": {
+      "control_id": "CC6.7",
+      "control_name": "Protects Data in Transit",
+      "description": "Key Vault keys using RSA or ECC will be vulnerable to Shor's algorithm, compromising data encrypted or signed with these keys. CC6.7 requires that data is protected using encryption. Post-quantum safe key encapsulation algorithms should replace classical alternatives when supported to maintain this protection."
+    },
+    "AZ-PQC-003": {
+      "control_id": "CC6.7",
+      "control_name": "Protects Data in Transit",
+      "description": "Certificates using classical signature algorithms will be vulnerable to quantum-enabled forgery, undermining authentication and data integrity. CC6.7 requires that data integrity is maintained through encryption and signing. Migration to post-quantum safe certificate algorithms should be planned."
     }
   }
 }

playbooks/cli/fix_az_pqc_001.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+set -euo pipefail
+
+# Playbook: fix_az_pqc_001.sh
+# Rule: AZ-PQC-001 - TLS using classical key exchange algorithm
+
+if [[ $# -lt 2 ]]; then
+  echo "Usage: $0 <resource-group> <app-name>"
+  exit 1
+fi
+
+RESOURCE_GROUP="$1"
+APP_NAME="$2"
+
+echo "Enforcing TLS 1.3 minimum on App Service: $APP_NAME"
+az webapp config set \
+  --resource-group "$RESOURCE_GROUP" \
+  --name "$APP_NAME" \
+  --min-tls-version 1.3 \
+  --output none
+
+echo "Done. Verify with:"
+echo "  az webapp config show --resource-group $RESOURCE_GROUP --name $APP_NAME --query minTlsVersion"

playbooks/cli/fix_az_pqc_002.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+
+# Playbook: fix_az_pqc_002.sh
+# Rule: AZ-PQC-002 - Key Vault key using non-quantum-safe algorithm
+
+if [[ $# -lt 3 ]]; then
+  echo "Usage: $0 <resource-group> <vault-name> <key-name>"
+  exit 1
+fi
+
+RESOURCE_GROUP="$1"
+VAULT_NAME="$2"
+KEY_NAME="$3"
+
+echo "Listing current key properties for: $KEY_NAME in vault: $VAULT_NAME"
+az keyvault key show \
+  --vault-name "$VAULT_NAME" \
+  --name "$KEY_NAME" \
+  --output table
+
+echo ""
+echo "Next steps:"
+echo "  1. Review all workloads using this key and plan migration."
+echo "  2. Generate a new key using a post-quantum safe algorithm when supported."
+echo "  3. Document this key in your Cryptographic Bill of Materials (CBOM)."
+echo "  4. Update all dependent services to use the new key."
+echo "  5. Disable and schedule deletion of the old key after migration."
+echo ""
+echo "Verify existing keys with:"
+echo "  az keyvault key list --vault-name $VAULT_NAME --output table"

playbooks/cli/fix_az_pqc_003.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+
+# Playbook: fix_az_pqc_003.sh
+# Rule: AZ-PQC-003 - Key Vault certificate using non-quantum-safe algorithm
+
+if [[ $# -lt 3 ]]; then
+  echo "Usage: $0 <resource-group> <vault-name> <cert-name>"
+  exit 1
+fi
+
+RESOURCE_GROUP="$1"
+VAULT_NAME="$2"
+CERT_NAME="$3"
+
+echo "Listing current certificate properties for: $CERT_NAME in vault: $VAULT_NAME"
+az keyvault certificate show \
+  --vault-name "$VAULT_NAME" \
+  --name "$CERT_NAME" \
+  --output table
+
+echo ""
+echo "Next steps:"
+echo "  1. Identify the CA issuing this certificate."
+echo "  2. Check if the CA supports post-quantum safe signature algorithms."
+echo "  3. Document this certificate in your Cryptographic Bill of Materials."
+echo "  4. Plan certificate renewal with a post-quantum safe algorithm."
+echo "  5. Update all services using this certificate before expiry."
+echo ""
+echo "Verify existing certificates with:"
+echo "  az keyvault certificate list --vault-name $VAULT_NAME --output table"

requirements.txt

@@ -9,6 +9,7 @@ azure-mgmt-sql==3.0.1
 azure-mgmt-keyvault==10.3.0
 azure-mgmt-rdbms==10.1.0
 azure-mgmt-authorization==4.0.0
+azure-mgmt-web==7.3.1
 azure-monitor-ingestion==1.0.3
 azure-mgmt-monitor==6.0.0
 psycopg2-binary==2.9.9
@@ -21,5 +22,6 @@ cryptography==42.0.5
 msrest==0.7.1
 azure-mgmt-postgresqlflexibleservers==1.0.0b1
 azure-keyvault-certificates==4.8.0
+azure-keyvault-keys==4.9.0
 chromadb==0.4.24
 sentence-transformers==2.7.0

scanner/azure_client.py

@@ -298,6 +298,16 @@ def get_virtual_machines(self) -> List[Any]:
             logger.error("get_virtual_machines failed: %s", exc)
             return []
 
+    def get_web_apps(self) -> List[Any]:
+        """List all App Services in the subscription."""
+        try:
+            from azure.mgmt.web import WebSiteManagementClient
+            client = WebSiteManagementClient(self.credential, self.subscription_id)
+            return list(client.web_apps.list())
+        except Exception as exc:
+            logger.error("get_web_apps failed: %s", exc)
+            return []
+
     def get_vm_extensions(
         self, resource_group: str, vm_name: str
     ) -> Optional[List[Any]]:
@@ -387,6 +397,17 @@ def get_key_vault_certificates(self, vault_name: str) -> List[Any]:
             )
             return []
 
+    def get_key_vault_keys(self, vault_name: str) -> List[Any]:
+        """List all keys in a Key Vault using the Key Vault data plane API."""
+        try:
+            from azure.keyvault.keys import KeyClient
+            vault_url = f"https://{vault_name}.vault.azure.net"
+            client = KeyClient(vault_url=vault_url, credential=self.credential)
+            return list(client.list_properties_of_keys())
+        except Exception as exc:
+            logger.error("get_key_vault_keys(%s) failed: %s", vault_name, exc)
+            return []
+
     # ------------------------------------------------------------------ #
     # Monitoring                                                            #
     # ------------------------------------------------------------------ #
@@ -533,4 +554,4 @@ def get_network_watcher_regions(self) -> List[str]:
             return list(regions)
         except Exception as exc:
             logger.error("get_network_watcher_regions failed: %s", exc)
-            return []
+            return []