From fb7afb5271eb738ae1d2b13c98501329f73c5265 Mon Sep 17 00:00:00 2001 
From: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com>
Date: Thu, 4 Jun 2026 02:32:44 +0100
Subject: [PATCH 1/6] feat: add AZ-PQC-001 to AZ-PQC-003 post-quantum cryptography scanner rules (#121)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* chore: add skeleton files and requirements
* fix: remove embedded git repo
* Core Structure Created
* feat: build complete core — scanner engine, 10 rules, API, playbooks, compliance mappings, docs
* docs: replace ASCII architecture with interactive Mermaid diagram
* feat: Sentinel integration — ingest.py, 4 KQL rules, setup guide (#12)
* feat: add sentinel/ingest.py — Log Analytics ingestion via HMAC-SHA256
* feat: add sentinel/__init__.py
* feat: add KQL rule — HIGH severity finding detected
* feat: add KQL rule — misconfiguration wave detection
* feat: add KQL rule — new resource type critical detection
* Delete sentinel/rules directory
* Create rules
* Delete sentinel/rules
* Add KQL rule for high severity findings
* Add Misconfiguration Wave detection rule
* Add KQL rule for persistent misconfiguration detection
* Add KQL rule for new critical resource types This rule identifies new resource types with critical findings that have occurred in the last 24 hours, excluding known types from the last 30 days.
* Add script to generate test findings in JSON format This script generates test findings related to security compliance and saves them in a JSON file.
* Add Sentinel integration test plan and results Added a comprehensive test plan for Sentinel integration, detailing test objectives, results, and acceptance criteria for various KQL rules and data ingestion.
* docs: add sentinel integration setup guide Added a comprehensive setup guide for integrating Sentinel with Azure, covering prerequisites, workspace creation, activation, environment variable setup, ingestion, log verification, KQL rules deployment, and incident verification.
* fix: add AZ-STOR-003 compliance mappings, correct NIST control to PR.DS-3
* docs: add real-world breach scenarios for all 10 starter rules (#15)
* feat: add AZ-KV-002 key vault public access rule and remediation playbook (#14)
* docs: update README with rule count, roadmap progress and contributors
* feat: add network security rules AZ-NET-003 to AZ-NET-010 (#16)
* Add az_net_003.py to check NSG rules for port 443 This script detects Network Security Groups (NSGs) with unrestricted inbound access on port 443 and provides remediation guidance.
* Add AZ-NET-004 rule for empty NSG detection This script detects Network Security Groups (NSGs) that have no custom security rules configured, providing details for remediation.
* Add AZ-NET-005 rule for DDoS protection check This script detects virtual networks in Azure that do not have DDoS protection enabled and provides remediation steps.
* feat: add rule AZ-NET-006 — public IP unassociated with any resource This rule detects public IP addresses that are not associated with any resource, providing details for remediation.
* feat: add rule AZ-NET-007 — Application Gateway without WAF enabled This rule detects Application Gateways that do not have WAF enabled, logging findings and providing remediation steps.
* feat: add rule AZ-NET-008 — load balancer with no backend pool This rule detects load balancers in Azure that are not configured with a backend pool, indicating potential misconfiguration or unnecessary costs.
* feat: add rule AZ-NET-009 — VPN gateway using outdated IKE version This script detects VPN gateways using the outdated IKEv1 protocol and provides remediation steps to migrate to IKEv2.
* feat: add rule AZ-NET-010 — subnet with no NSG attached This script detects subnets in Azure that do not have a Network Security Group (NSG) attached, logging findings and providing remediation guidance.
* feat: add playbook fix_az_net_003.sh This script updates the NSG rule to restrict inbound traffic on port 443 to a specified IP range.
* feat: add playbook fix_az_net_004.sh This script adds a default deny-all inbound rule to a specified NSG.
* feat: add playbook fix_az_net_005.sh This script enables DDoS protection on a specified virtual network in Azure. It checks for required parameters and provides usage instructions if they are missing.
* feat: add playbook fix_az_net_006.sh This script deletes unassociated public IP addresses in Azure.
* feat: add playbook fix_az_net_007.sh This script enables WAF on an Application Gateway, ensuring compliance with the AZ-NET-007 rule.
* feat: add playbook fix_az_net_008.sh Script to remediate AZ-NET-008 by deleting empty load balancers.
* feat: add script to update VPN connection to IKEv2 This script updates a VPN connection to use IKEv2, ensuring compliance with the AZ-NET-009 rule.
* feat: add playbook fix_az_net_010.sh This script attaches a specified network security group to a given subnet in a virtual network, ensuring compliance with the AZ-NET-010 rule.
* Clarify description and add note for public-facing services Updated the description to clarify the risk of exposing port 443 and added a note regarding public-facing services.
* Change severity level from MEDIUM to HIGH
* fix: AZ-NET-005 severity changed to LOW — DDoS Standard high cost on small subscriptions
* Add note about NetworkManagementClient usage Added a note regarding the creation of NetworkManagementClient directly and suggested a follow-up for consistency.
* Add note about NetworkManagementClient usage Added a note regarding the use of NetworkManagementClient and suggested a follow-up for consistency.
* Add additional security controls to CIS Azure benchmark
* Refine control descriptions in nist_csf.json Updated descriptions for various controls to enhance clarity and specificity regarding remote access management, data protection, and security measures.
* fix: add AZ-NET-003 to AZ-NET-010 to ISO27001 compliance framework Updated descriptions for various controls to clarify compliance requirements and improve security guidance.
---------
Co-authored-by: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com>
* Feat/az stor 003 (#21)
* feat: add rule AZ-STOR-003 storage lifecycle policy check
* feat: add rule AZ-STOR-003 storage lifecycle policy check
* docs: add SOC 2 Type II compliance framework mapping (#33)
* docs: add SOC 2 Type II compliance framework mapping for all 20 rules Added SOC 2 Type II framework with detailed controls for security measures and compliance requirements.
* feat: add soc2 to FRAMEWORK_FILE_MAP in finding.py add soc2.json to FRAMEWORK_FILE_MAP in finding.py
* feat: add soc2 to SUPPORTED_FRAMEWORKS in compliance.py Added 'soc2' to the list of supported compliance frameworks.
* Add SOC 2 controls for data protection and management
* Refactor/azure client network methods (#22)
* refactor: add get_virtual_networks() and get_public_ip_addresses() to AzureClient
* Refactor DDoS protection check to use azure_client
* refactor: AZ-NET-006 now uses azure_client.get_public_ip_addresses()
* feat: add CI pipeline with 6 automated checks (#34)
  - Python syntax check on all rule files
  - Rule structure validation (RULE_ID, SEVERITY, FRAMEWORKS) + RULE_ID uniqueness
  - Hardcoded credential scan
  - Playbook existence + bash syntax check for every rule
  - Compliance JSON validation for all four framework files (inc. soc2.json)
  - API syntax check
  - Compliance vs rule cross-reference check
  - CI summary step with per-check pass/fail table (if: always)
  - Fix duplicate DESCRIPTION assignment in az_net_003.py
  - Add pyyaml to requirements.txt for local YAML validation
  - Add docs/ci-pipeline.md with local run commands and design rationale
  - Update CI_PIPELINE_GUIDE.md with final PR description
Closes #30
* docs: update .github/ISSUE_TEMPLATE/new_rule.md to reflect current codebase state
* docs: update .github/PULL_REQUEST_TEMPLATE.md to reflect current codebase state
* docs: update CONTRIBUTING.md to reflect current codebase state
* docs: update README.md to reflect current codebase state
* docs: update compliance/frameworks/iso27001.json to reflect current codebase state
* docs: update compliance/frameworks/nist_csf.json to reflect current codebase state
* docs: update docs/adding-a-rule.md to reflect current codebase state
* docs: update docs/architecture.md to reflect current codebase state
* docs: update docs/az-stor-003-test-plan.md to reflect current codebase state
* docs: update docs/azure-setup.md to reflect current codebase state
* docs: update docs/ci-pipeline.md to reflect current codebase state
* docs: update docs/sentinel-setup.md to reflect current codebase state
* docs: update sentinel/TEST_PLAN.md to reflect current codebase state
* docs: update docs/api-reference.md to reflect current codebase state
* docs: update docs/rules-reference.md to reflect current codebase state
* docs: update README.md for professional open source style
* docs: update CONTRIBUTING.md for professional open source style
* docs: update docs/adding-a-rule.md for professional open source style
* docs: update deployment guide to use Render instead of Azure App Service
* feat: add rule AZ-STOR-004 storage account diagnostic logging check (#39)
* feat: add rule AZ-STOR-004 storage account diagnostic logging check Detects Azure storage accounts where diagnostic logging is not fully enabled on blob, queue, or table services. Emits one finding per non-compliant service (StorageRead, StorageWrite, StorageDelete must all be enabled). Adds get_storage_service_logging() to AzureClient using MonitorManagementClient. Includes remediation playbook that enables all three services in one run. Frameworks: CIS 3.3, NIST DE.CM-7, ISO 27001 A.12.4.1
* chore: add AZ-STOR-004 compliance mappings
---------
Co-authored-by: Shaurya K Sharma
* feat: add rule AZ-IDN-003 Adds scanner rule AZ-IDN-003 detecting Entra ID (#48)
* feat: add scanner rule AZ-IDN-003 — guest user invitations not restricted to admins
* feat: add remediation playbook fix_az_idn_003.sh This script restricts guest user invitations to only admins and users with the Guest Inviter role in Azure Active Directory.
* feat: add AZ-IDN-003 to CIS compliance framework Added control for guest invite restrictions to enhance security.
* feat: add AZ-IDN-003 to NIST compliance framework
* feat: add AZ-IDN-003 to ISO27001 compliance framework Added control AZ-IDN-003 for user registration and de-registration process.
* feat: add AZ-IDN-003 to SOC2 compliance framework
* feat: add rule AZ-CMP-002 — VM disk not protected by CMK or ADE (#47)
* feat: add scanner rule AZ-CMP-002 — VM disk not protected by CMK or ADE This script detects virtual machines whose disks use platform-managed encryption only and provides findings for compliance with CIS 7.2.
* feat: add remediation playbook fix_az_cmp_002.sh This script enables Azure Disk Encryption on a specified virtual machine using a Key Vault for the disk encryption key.
* feat: add AZ-CMP-002 to CIS compliance framework Added a new control for OS disk encryption requirements.
* feat: add AZ-CMP-002 to NIST compliance framework
* feat: add AZ-CMP-002 to ISO27001 compliance framework Added control AZ-CMP-002 regarding cryptographic controls policy and its requirements.
* feat: add AZ-CMP-002 to SOC2 compliance framework
* fix: correct indentation in CIS AZ-CMP-002 entry
* feat: add remediation playbook fix_az_cmp_002.sh to correct location This script enables Azure Disk Encryption on a specified virtual machine using a provided Key Vault for disk encryption.
* Delete fix_az_cmp_002.sh
* Feat/api deployment (#46)
* feat: deploy API to Render with security hardening and CI/CD optimizations
* feat: finalize Render deployment with security hardening and Gunicorn import fix
* fix: GitHub Actions syntax and secret detection logic in deploy workflow
* fix: harden scan trigger route with detailed error handling and remove redundant DB initialization
* fix: implement global database connection management and harden all API routes
* fix: prevent insecure smoke tests on main branch by enforcing JWT_SECRET presence and prevent CI false negatives in playbook check by enforcing non-empty glob match
* fix: resolve Render startup crash and harden scan serialization against recursive objects
* fix: add missing six and cryptography dependencies for Azure SDK compatibility
* fix: increase CI wait time for Render build and add missing msrest dependencies
* feat: integrate real subscription ID into smoke tests and CI/CD pipeline
* feat: integrate real Azure_ ID's into smoke tests and CI/CD pipeline
* feat: add root welcome route to confirm API status
* fix: resolve specific CI credential flags in code and workflow while maintaining documentation standards
* fix: resolve IndentationError in CI compliance cross-reference check
* fix: resolve dependency issue and test on deployment
* fix: resolve smoke test TC-21
* fix: RUN_REAL_SCAN not set → TC-13/TC-14 skip → 21/21 pass for new live API url test
* fix: scan.py deferred import from scanner.engine import ScanEngine was running before the subscription_id check
* fix: restrict deploy triggers to dev and main, enable RUN_REAL_SCAN for maintainer CI, and update test plan documentation
* feat: AZ-NET-011 Network Watcher not enabled in all regions (#42)
* feat: add AZ-NET-011 Network Watcher rule, playbook and compliance mappings
* fix: add missing AzureClient methods, SOC2 mapping and fix playbook region
* fix: add SOC2 CC7.2 to FRAMEWORKS in az_net_011.py
* feat: add AZ-DB-003 PostgreSQL Flexible Server SSL enforcement rule a… (#49)
* feat: add AZ-DB-003 PostgreSQL Flexible Server SSL enforcement rule and playbook
* fix: correct requirements.txt formatting for postgresqlflexibleserver
* fix: correct postgresqlflexibleservers package name and version
* fix: handle empty params gracefully and clean up playbook output
* [RULE] AZ-CMP-003: VM without endpoint protection installed (#57)
* feat: add scanner rule AZ-CMP-003 — VM without endpoint protection installed This script scans Azure VMs to check for the presence of recognized endpoint protection extensions. It logs findings for VMs without the required protection.
* feat: add remediation playbook fix_az_cmp_003.sh This script installs endpoint protection on Azure VMs based on the operating system specified. It supports both Linux and Windows VMs.
* feat: add AZ-CMP-003 to CIS compliance framework
* feat: add AZ-CMP-003 to NIST compliance framework
* feat: add AZ-CMP-003 to ISO27001 compliance framework
* feat: add AZ-CMP-003 to SOC2 compliance framework
* feat: add get_vm_extensions method to AzureClient Add method to retrieve VM extensions for a given VM.
* fix: correct indentation and return type in get_vm_extensions
* Add 1 more space in the code
* add 4 spaces before def Add method to retrieve VM extensions for a given VM.
* [DOCS] Add OpenShield learning and onboarding portal (#51)
* docs: add OpenShield learning portal
* Fix formatting for Learn OpenShield section
---------
Co-authored-by: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com>
* refactor: reuse database connection per request using Flask g (#41)
* fix: improve scan routes error handling and database reuse
* fix: add database connection reuse and DATABASE_URL validation to score.py
* fix: add database connection reuse, DATABASE_URL validation, and FileNotFoundError handling to compliance.py
* fix: enforce JWT_SECRET environment variable, remove hardcoded default
* ci: trigger fresh CI run
* fix: all requirements - g.db naming, teardown, close() method
* docs: add security policy, issue template, and README badges (#64)
* feat: add rule AZ-KV-004 Key Vault purge protection disabled (#55)
* feat: add rule AZ-KV-004 Key Vault purge protection disabled
* fix: address PR review feedback for AZ-KV-004
  - Add SOC2 CC9.1 mapping to FRAMEWORKS dict
  - Add AZ-KV-004 entries to all four compliance framework JSON files
  - Add set -euo pipefail to playbook
  - Add resource_group to metadata dict
* feat: add AZ-STOR-005 geo-redundant storage rule (#74)
  - scanner/rules/az_stor_005.py: detects storage accounts using LRS or ZRS (non-geo-redundant) replication; flags them as MEDIUM severity
  - playbooks/cli/fix_az_stor_005.sh: CLI remediation to update storage account SKU to a geo-redundant option (Standard_GRS by default); validates target SKU against allowed geo-redundant values
  - compliance/frameworks/*.json: adds AZ-STOR-005 entry to CIS Azure Benchmark (3.1), NIST CSF (PR.IP-4), ISO 27001 (A.17.2.1), and SOC 2 (A1.2)
Closes #71
Co-authored-by: Shaurya K Sharma
* feat: add rule AZ-DB-004 SQL Server firewall allows all Azure services (#70)
* feat: add rule AZ-DB-004 SQL Server firewall allows all Azure services
  - Add scanner rule az_db_004.py detecting SQL Servers with Allow Azure services firewall rule enabled
  - Add remediation playbook fix_az_db_004.sh
  - Add get_sql_server_firewall_rules method to AzureClient
  - Add AZ-DB-004 entries to all four compliance framework JSON files
* fix: add get_sql_server_firewall_rules to AzureClient
* fix: remove duplicate import, fix indentation, add return None to auditing policy
* docs: add 6 README badges (#79)
* feat: add AZ-KV-005 Key Vault certificate expiring within 30 days (#75)
* Remove duplicate import of MonitorManagementClient
* Add method to get Key Vault certificates Added a new method to list certificates in a Key Vault.
* Add AZ-KV-005 rule for expiring Key Vault certificates This script scans Azure Key Vaults for certificates that are expiring within 30 days and do not have auto-renewal enabled. It logs findings and provides remediation steps.
* Add script to enable auto-renewal for Key Vault certificate This script enables auto-renewal for an expiring Key Vault certificate by updating its policy.
* Add controls for Azure Key Vault security measures
* Add AZ-KV-005 control for certificate maintenance
* Add controls for key management and availability
* Add SOC 2 controls for Azure Key Vault risk mitigation
* Fix indentation in get_key_vaults method
* Add azure-keyvault-certificates dependency
* Enhance script error handling with pipefail option
* Refactor lifetime_actions assignment for clarity
* Add control for expiring certificate maintenance Added a new control for certificate maintenance in Azure Key Vault.
* fix: add missing comma in soc2.json after AZ-KV-005 entry
* fix: add missing comma in iso27001.json after AZ-KV-005 entry
* [RULE] AZ-CMP-004: VM without automatic OS patching enabled (#73)
* Added az_cmp_004.py to check VM patching status This script checks Azure VMs for automatic OS patching status and collects findings for those without it enabled.
* Added script to enable automatic OS patching for VMs This script enables automatic OS patching for both Windows and Linux VMs in Azure. It requires a resource group and VM name as input, defaulting to Windows if the OS type is not specified.
* Add control for OS patching requirement in CIS benchmark
* Add vulnerability management control to NIST CSF
* Added control AZ-CMP-004 for vulnerability management
* Added SOC 2 controls for endpoint protection and OS patching
* Fix JSON formatting in cis_azure_benchmark.json
* Fix JSON formatting in nist_csf.json
* Improve error handling in fix_az_cmp_004.sh Updated script to use 'set -euo pipefail' for better error handling.
* Update patching condition for Windows configuration Refine condition for patching approval based on patch mode.
* Fix indentation and formatting in az_cmp_004.py
* feat: add AI provider abstraction layer for Anthropic, Groq and Gemini (#89)
* feat: initialise api/services package
* feat: add AI provider abstraction layer for Anthropic, Groq and Gemini
* fix: add module docstring to ai_provider.py Added a docstring explaining the purpose of the AI provider abstraction layer.
* fix: make model configurable with sensible defaults per provider
* Smoke Test Alignment after the recent changes to the Repository causing the Deployment CI failure (#88)
* fix: test align smoke tests with API behavior and environment
* test: deploy.yml run after smoke test alignment
* fix: smoke test aligned after recent codebase changes
* feat: add AZ-IDN-004 PIM not configured for admin roles rule and play… (#77)
* feat: add AZ-IDN-004 PIM not configured for admin roles rule and playbook
* fix: fetch Graph API token once and reuse headers for both API calls
* fix: correct malformed JSON in cis_azure_benchmark.json for AZ-IDN-004 entry
---------
Co-authored-by: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com>
* feat: add AI executive summary and remediation endpoint (#95)
* feat: add AI insights endpoint
* ci: scan only quoted-literal credential assignments
---------
Co-authored-by: Shaurya K Sharma
* feat(scanner): add AZ-NET-014 VNet peering gateway transit rule (#94)
  - Add scanner/rules/az_net_014.py to detect VNet peerings with allowGatewayTransit or useRemoteGateways enabled
  - Add get_vnet_peerings() and get_azure_firewalls() to azure_client.py
  - Add playbooks/cli/fix_az_net_014.sh remediation script
  - Update all 4 compliance framework JSONs with AZ-NET-014 mappings
* feat: add AZ-NET-013 Azure Firewall VNet rule (#99)
Co-authored-by: Shaurya K Sharma
* Implement AI Q&A over scan findings (#98)
Co-authored-by: Shaurya K Sharma
* Feat/CVE correlation (#96)
* fix: smoke test aligned after recent codebase changes
* feat: add CVE correlation via MITRE NVD API
* fix: ensure the run migration logic handles edge cases
* fix: sync with dev after merged PRs, fix compliance duplication, indentation and omission of AZ-STOR-04
* fix: CVE prefix mappings, use legacy-only enrichment, clean up tests, and align CVE correlation docs.
* fix: findings DB cleanup, AI title fallback, and persist CVE enrichment
* feat: add RAG powered AI insights layer with Azure security skill embeddings (#97)
* Create __init__.py
* Implement OpenShield vector store builder This script builds the OpenShield knowledge base vector store for RAG AI insights by collecting rules and compliance documents, then embedding them into a vector store.
* Add AI insights routes for summary, prioritisation, and Q&A
* Implement knowledge retrieval from vector store This module retrieves relevant knowledge from the OpenShield vector store for retrieval-augmented generation (RAG). It includes error handling for missing vector stores and the chromadb dependency.
* Register AI blueprint in the Flask app
* Add chromadb version 0.4.24 to requirements
* feat: add Azure security skills into knowledge base for RAG embedding
* feat: wire Azure skill documents into embedding pipeline
* Add sentence-transformers version 2.7.0 to requirements
* ignore generated ai vectorstore directory
* Refactor AI insights routes for clarity and updates
* fix: deduplicate ai_bp and restore missing score_bp import in app.py
* Refactor severity handling and update prompts
* merge dev into feat/rag-ai-insights, resolve ai.py conflict
* trigger CI
* Remove AZ-CMP-003 and update AZ-NET-014 description Removed control AZ-CMP-003 related to unauthorized software detection and updated control AZ-NET-014 description for clarity.
* feat: add AZ-NET-012 - NSG flow logs not enabled rule (#76)
* ci: trigger fresh CI run
* Dev (#50)
* chore: add skeleton files and requirements
* fix: remove embedded git repo
* Core Structure Created
* feat: build complete core — scanner engine, 10 rules, API, playbooks, compliance mappings, docs
* docs: replace ASCII architecture with interactive Mermaid diagram
* feat: Sentinel integration — ingest.py, 4 KQL rules, setup guide (#12)
* feat: add sentinel/ingest.py — Log Analytics ingestion via HMAC-SHA256
* feat: add sentinel/__init__.py
* feat: add KQL rule — HIGH severity finding detected
* feat: add KQL rule — misconfiguration wave detection
* feat: add KQL rule — new resource type critical detection
* Delete sentinel/rules directory
* Create rules
* Delete sentinel/rules
* Add KQL rule for high severity findings
* Add Misconfiguration Wave detection rule
* Add KQL rule for persistent misconfiguration detection
* Add KQL rule for new critical resource types This rule identifies new resource types with critical findings that have occurred in the last 24 hours, excluding known types from the last 30 days.
* Add script to generate test findings in JSON format This script generates test findings related to security compliance and saves them in a JSON file.
* Add Sentinel integration test plan and results Added a comprehensive test plan for Sentinel integration, detailing test objectives, results, and acceptance criteria for various KQL rules and data ingestion.
* docs: add sentinel integration setup guide Added a comprehensive setup guide for integrating Sentinel with Azure, covering prerequisites, workspace creation, activation, environment variable setup, ingestion, log verification, KQL rules deployment, and incident verification.
* fix: add AZ-STOR-003 compliance mappings, correct NIST control to PR.DS-3
* docs: add real-world breach scenarios for all 10 starter rules (#15)
* feat: add AZ-KV-002 key vault public access rule and remediation playbook (#14)
* docs: update README with rule count, roadmap progress and contributors
* feat: add network security rules AZ-NET-003 to AZ-NET-010 (#16)
* Add az_net_003.py to check NSG rules for port 443 This script detects Network Security Groups (NSGs) with unrestricted inbound access on port 443 and provides remediation guidance.
* Add AZ-NET-004 rule for empty NSG detection This script detects Network Security Groups (NSGs) that have no custom security rules configured, providing details for remediation.
* Add AZ-NET-005 rule for DDoS protection check This script detects virtual networks in Azure that do not have DDoS protection enabled and provides remediation steps.
* feat: add rule AZ-NET-006 — public IP unassociated with any resource This rule detects public IP addresses that are not associated with any resource, providing details for remediation.
* feat: add rule AZ-NET-007 — Application Gateway without WAF enabled This rule detects Application Gateways that do not have WAF enabled, logging findings and providing remediation steps.
* feat: add rule AZ-NET-008 — load balancer with no backend pool This rule detects load balancers in Azure that are not configured with a backend pool, indicating potential misconfiguration or unnecessary costs.
* feat: add rule AZ-NET-009 — VPN gateway using outdated IKE version This script detects VPN gateways using the outdated IKEv1 protocol and provides remediation steps to migrate to IKEv2.
* feat: add rule AZ-NET-010 — subnet with no NSG attached This script detects subnets in Azure that do not have a Network Security Group (NSG) attached, logging findings and providing remediation guidance.
* feat: add playbook fix_az_net_003.sh This script updates the NSG rule to restrict inbound traffic on port 443 to a specified IP range.
* feat: add playbook fix_az_net_004.sh This script adds a default deny-all inbound rule to a specified NSG.
* feat: add playbook fix_az_net_005.sh This script enables DDoS protection on a specified virtual network in Azure. It checks for required parameters and provides usage instructions if they are missing.
* feat: add playbook fix_az_net_006.sh This script deletes unassociated public IP addresses in Azure.
* feat: add playbook fix_az_net_007.sh This script enables WAF on an Application Gateway, ensuring compliance with the AZ-NET-007 rule.
* feat: add playbook fix_az_net_008.sh Script to remediate AZ-NET-008 by deleting empty load balancers.
* feat: add script to update VPN connection to IKEv2 This script updates a VPN connection to use IKEv2, ensuring compliance with the AZ-NET-009 rule.
* feat: add playbook fix_az_net_010.sh This script attaches a specified network security group to a given subnet in a virtual network, ensuring compliance with the AZ-NET-010 rule.
* Clarify description and add note for public-facing services Updated the description to clarify the risk of exposing port 443 and added a note regarding public-facing services.
* Change severity level from MEDIUM to HIGH
* fix: AZ-NET-005 severity changed to LOW — DDoS Standard high cost on small subscriptions
* Add note about NetworkManagementClient usage Added a note regarding the creation of NetworkManagementClient directly and suggested a follow-up for consistency.
* Add note about NetworkManagementClient usage Added a note regarding the use of NetworkManagementClient and suggested a follow-up for consistency.
* Add additional security controls to CIS Azure benchmark
* Refine control descriptions in nist_csf.json Updated descriptions for various controls to enhance clarity and specificity regarding remote access management, data protection, and security measures.
* fix: add AZ-NET-003 to AZ-NET-010 to ISO27001 compliance framework Updated descriptions for various controls to clarify compliance requirements and improve security guidance.
---------
Co-authored-by: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com>
* Feat/az stor 003 (#21)
* feat: add rule AZ-STOR-003 storage lifecycle policy check
* feat: add rule AZ-STOR-003 storage lifecycle policy check
* docs: add SOC 2 Type II compliance framework mapping (#33)
* docs: add SOC 2 Type II compliance framework mapping for all 20 rules Added SOC 2 Type II framework with detailed controls for security measures and compliance requirements.
* feat: add soc2 to FRAMEWORK_FILE_MAP in finding.py add soc2.json to FRAMEWORK_FILE_MAP in finding.py
* feat: add soc2 to SUPPORTED_FRAMEWORKS in compliance.py Added 'soc2' to the list of supported compliance frameworks.
* Add SOC 2 controls for data protection and management
* Refactor/azure client network methods (#22)
* refactor: add get_virtual_networks() and get_public_ip_addresses() to AzureClient
* Refactor DDoS protection check to use azure_client
* refactor: AZ-NET-006 now uses azure_client.get_public_ip_addresses()
* feat: add CI pipeline with 6 automated checks (#34)
  - Python syntax check on all rule files
  - Rule structure validation (RULE_ID, SEVERITY, FRAMEWORKS) + RULE_ID uniqueness
  - Hardcoded credential scan
  - Playbook existence + bash syntax check for every rule
  - Compliance JSON validation for all four framework files (inc. soc2.json)
  - API syntax check
  - Compliance vs rule cross-reference check
  - CI summary step with per-check pass/fail table (if: always)
  - Fix duplicate DESCRIPTION assignment in az_net_003.py
  - Add pyyaml to requirements.txt for local YAML validation
  - Add docs/ci-pipeline.md with local run commands and design rationale
  - Update CI_PIPELINE_GUIDE.md with final PR description
Closes #30
* docs: update .github/ISSUE_TEMPLATE/new_rule.md to reflect current codebase state
* docs: update .github/PULL_REQUEST_TEMPLATE.md to reflect current codebase state
* docs: update CONTRIBUTING.md to reflect current codebase state
* docs: update README.md to reflect current codebase state
* docs: update compliance/frameworks/iso27001.json to reflect current codebase state
* docs: update compliance/frameworks/nist_csf.json to reflect current codebase state
* docs: update docs/adding-a-rule.md to reflect current codebase state
* docs: update docs/architecture.md to reflect current codebase state
* docs: update docs/az-stor-003-test-plan.md to reflect current codebase state
* docs: update docs/azure-setup.md to reflect current codebase state
* docs: update docs/ci-pipeline.md to reflect current codebase state
* docs: update docs/sentinel-setup.md to reflect current codebase state
* docs: update sentinel/TEST_PLAN.md to reflect current codebase state
* docs: update docs/api-reference.md to reflect current codebase state
* docs: update docs/rules-reference.md to reflect current codebase state
* docs: update README.md for professional open source style
* docs: update CONTRIBUTING.md for professional open source style
* docs: update docs/adding-a-rule.md for professional open source style
* docs: update deployment guide to use Render instead of Azure App Service
* feat: add rule AZ-STOR-004 storage account diagnostic logging check (#39)
* feat: add rule AZ-STOR-004 storage account diagnostic logging check Detects Azure storage accounts where diagnostic logging is not fully enabled on blob, queue, or table services. Emits one finding per non-compliant service (StorageRead, StorageWrite, StorageDelete must all be enabled). Adds get_storage_service_logging() to AzureClient using MonitorManagementClient. Includes remediation playbook that enables all three services in one run. Frameworks: CIS 3.3, NIST DE.CM-7, ISO 27001 A.12.4.1
* chore: add AZ-STOR-004 compliance mappings
---------
Co-authored-by: Shaurya K Sharma
* feat: add rule AZ-IDN-003 Adds scanner rule AZ-IDN-003 detecting Entra ID (#48)
* feat: add scanner rule AZ-IDN-003 — guest user invitations not restricted to admins
* feat: add remediation playbook fix_az_idn_003.sh This script restricts guest user invitations to only admins and users with the Guest Inviter role in Azure Active Directory.
* feat: add AZ-IDN-003 to CIS compliance framework Added control for guest invite restrictions to enhance security.
* feat: add AZ-IDN-003 to NIST compliance framework
* feat: add AZ-IDN-003 to ISO27001 compliance framework Added control AZ-IDN-003 for user registration and de-registration process.
* feat: add AZ-IDN-003 to SOC2 compliance framework
* feat: add rule AZ-CMP-002 — VM disk not protected by CMK or ADE (#47)
* feat: add scanner rule AZ-CMP-002 — VM disk not protected by CMK or ADE This script detects virtual machines whose disks use platform-managed encryption only and provides findings for compliance with CIS 7.2.
* feat: add remediation playbook fix_az_cmp_002.sh This script enables Azure Disk Encryption on a specified virtual machine using a Key Vault for the disk encryption key.
* feat: add AZ-CMP-002 to CIS compliance framework Added a new control for OS disk encryption requirements.
* feat: add AZ-CMP-002 to NIST compliance framework
* feat: add AZ-CMP-002 to ISO27001 compliance framework Added control AZ-CMP-002 regarding cryptographic controls policy and its requirements.
* feat: add AZ-CMP-002 to SOC2 compliance framework * fix: correct indentation in CIS AZ-CMP-002 entry * feat: add remediation playbook fix_az_cmp_002.sh to correct location This script enables Azure Disk Encryption on a specified virtual machine using a provided Key Vault for disk encryption. * Delete fix_az_cmp_002.sh * Feat/api deployment (#46) * feat: deploy API to Render with security hardening and CI/CD optimizations * feat: finalize Render deployment with security hardening and Gunicorn import fix * fix: GitHub Actions syntax and secret detection logic in deploy workflow * fix: harden scan trigger route with detailed error handling and remove redundant DB initialization * fix: implement global database connection management and harden all API routes * fix: prevent insecure smoke tests on main branch by enforcing JWT_SECRET presence and prevent CI false negatives in playbook check by enforcing non-empty glob match * fix: resolve Render startup crash and harden scan serialization against recursive objects * fix: add missing six and cryptography dependencies for Azure SDK compatibility * fix: increase CI wait time for Render build and add missing msrest dependencies * feat: integrate real subscription ID into smoke tests and CI/CD pipeline * feat: integrate real Azure_ ID's into smoke tests and CI/CD pipeline * feat: add root welcome route to confirm API status * fix: resolve specific CI credential flags in code and workflow while maintaining documentation standards * fix: resolve IndentationError in CI compliance cross-reference check * fix: resolve dependency issue and test on deployment * fix: resolve smoke test TC-21 * fix: RUN_REAL_SCAN not set → TC-13/TC-14 skip → 21/21 pass for new live API url test * fix: scan.py deferred import from scanner.engine import ScanEngine was running before the subscription_id check * fix: restrict deploy triggers to dev and main, enable RUN_REAL_SCAN for maintainer CI, and update test plan documentation * feat: AZ-NET-011 
Network Watcher not enabled in all regions (#42) * feat: add AZ-NET-011 Network Watcher rule, playbook and compliance mappings * fix: add missing AzureClient methods, SOC2 mapping and fix playbook region * fix: add SOC2 CC7.2 to FRAMEWORKS in az_net_011.py * feat: add AZ-DB-003 PostgreSQL Flexible Server SSL enforcement rule a… (#49) * feat: add AZ-DB-003 PostgreSQL Flexible Server SSL enforcement rule and playbook * fix: correct requirements.txt formatting for postgresqlflexibleserver * fix: correct postgresqlflexibleservers package name and version * fix: handle empty params gracefully and clean up playbook output --------- Co-authored-by: Tanvir Farhad Co-authored-by: PARTH J ROHIT Co-authored-by: Ritik Sah Co-authored-by: Shaurya K Sharma Co-authored-by: Shaurya K Sharma Co-authored-by: Mahfuzur Rahman Emon * refactor: reuse database connection per request using Flask g (#41) * fix: improve scan routes error handling and database reuse * fix: add database connection reuse and DATABASE_URL validation to score.py * fix: add database connection reuse, DATABASE_URL validation, and FileNotFoundError handling to compliance.py * fix: enforce JWT_SECRET environment variable, remove hardcoded default * ci: trigger fresh CI run * fix: all requirements - g.db naming, teardown, close() method * fix: update az_net_012.py to match az_cmp_003 pattern and add set -euo pipefail to bash script * fix: correct az_net_012.py signature, add set -euo pipefail, add AZ-NET-012 to all compliance files * fix: correct az_net_012.py to match az_cmp_003 pattern --------- Co-authored-by: Vishnu Ajith <86302373+Vishnu2707@users.noreply.github.com> Co-authored-by: Tanvir Farhad Co-authored-by: PARTH J ROHIT Co-authored-by: Ritik Sah Co-authored-by: Shaurya K Sharma Co-authored-by: Shaurya K Sharma Co-authored-by: Mahfuzur Rahman Emon * fix: resolve CodeQL warnings in embed.py and test files * feat(frontend): build complete 7-page security dashboard (#111) * Basic components and pages with 
dummy data * feat(frontend): build complete 7-page security dashboard Complete React 18 + Vite frontend for OpenShield security platform. Pages (7): - Monitoring — security score gauge, trend chart, findings distribution, issues by resource group, category scores - Discovery — resource table with issue counts, risk filters, category grouping, resource group filtering, clickable category cards - Prioritization — risk vs effort matrix, ranked list with quick remediation preview, all 25 action items; click-to-select syncs matrix + action items + remediation panel - Detailed Scan — findings list with playbook tabs (portal/CLI/validation), navigates from Prioritization with context banner - Compliance — CIS/NIST/ISO27001/SOC2 framework cards, controls table, comparison trend chart, CSV/JSON export - Drift — configuration change timeline, ADDED/REMOVED/MODIFIED events with before/after values, who changed it and when - AI Assistant — 3-column layout (findings picker, chat, suggestions + CVE analysis + executive summary); AI chat wired to aiApi.js with smart mock responses; finding context passed from Scan page API service layer (src/utils/api.js): - Demo/Live mode toggle persisted in localStorage - JWT token bootstrap in App.jsx - Health check on startup with auto-fallback to demo mode - Real fetch calls with mock fallback for every endpoint: /api/score, /api/findings, /api/findings/:id, /api/findings/:id/playbook, /api/resources, /api/prioritization, /api/drift, /api/scans, /api/scans/trigger, /api/scans/:id, /api/compliance/cis|nist|iso27001 - snake_case → camelCase normalisation for all backend responses - Separate aiApi.js for AI endpoints with smart mock responses Header features: - Run Scan button with live polling (4s interval, 5-min timeout, elapsed timer) - Demo/Live badge with connection test before switching - Error popup if backend is unreachable Design system: - Tailwind CSS v3 with custom tokens (brand, severity, bg-dark, status) - Dark mode via class 
strategy, persisted in localStorage - Fully responsive — mobile hamburger drawer, stacked layouts on sm - Dot-pattern background, soft shadows, consistent 4px grid Mock data: - 8 api.*.json files matching exact backend response schema - API_ENDPOINTS.txt — backend contract document with implementation status, database schema, seed data, and endpoint ordering guide Co-Authored-By: Claude Sonnet 4.6 * feat(frontend): wire live backend, fix JWT auth, add Vercel deployment config - Fix JWT: read VITE_JWT_TOKEN env var so live API calls authenticate correctly (was sending plain string 'dev-demo-token' which backend rejected as invalid JWT) - Add vercel.json with SPA rewrites so /monitoring, /scan etc don't 404 - Monitoring page now fetches real score + findings in live mode and computes stats/distribution/resource-group breakdown from actual backend data - Run Scan button shows subscription ID input in live mode (optional — backend falls back to AZURE_SUBSCRIPTION_ID env var if blank) - api.js: no silent localhost fallback in production builds (fails loudly if VITE_API_URL is not set) --------- Co-authored-by: Claude Sonnet 4.6 * Feat/jwt secret prod fail closed (#117) * fix: smoke test aligned after recent codebase changes * feat: fail closed on insecure JWT_SECRET in production * fix: rename _DEFAULT_JWT_SECRET to avoid CI credential scanner false positive * feat: AI-004 RAG Pipeline - Document Ingestion and Vector Store (#104) * feat: add AZ-IDN-004 PIM not configured for admin roles rule and playbook * feat: add RAG pipeline with document loader, chunker, embedder, ChromaDB vector store and Flask API routes * fix: remove duplicate ai files, restore deleted compliance rules, revert requirements to chromadb 0.4.24 * fix: update gitignore to use ai/vectorstore/ and clean up README references * fix: add missing newline at EOF in compliance JSON files * Potential fix for pull request finding 'Unused import' Co-authored-by: Copilot Autofix powered by AI 
<223894421+github-code-quality[bot]@users.noreply.github.com> * feat: add PQC compliance mappings, azure client methods and dependencies --------- Co-authored-by: Tanvir Farhad Co-authored-by: PARTH J ROHIT Co-authored-by: Ritik Sah Co-authored-by: Shaurya K Sharma Co-authored-by: Shaurya K Sharma Co-authored-by: Mahfuzur Rahman Emon Co-authored-by: Safid Nadaf <137755124+safidnadaf@users.noreply.github.com> Co-authored-by: Abdulbosit Abdurazzakov <2d9c6kh58x@privaterelay.appleid.com> Co-authored-by: Mahfuzur Rahman Emon Co-authored-by: Prayas Gautam <159550781+vogonPrayas@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> --- .../post-quantum-cryptography-azure/SKILL.md | 89 ++++++++++++ .../frameworks/cis_azure_benchmark.json | 15 ++ compliance/frameworks/iso27001.json | 15 ++ compliance/frameworks/nist_csf.json | 15 ++ compliance/frameworks/soc2.json | 17 ++- playbooks/cli/fix_az_pqc_001.sh | 23 ++++ playbooks/cli/fix_az_pqc_002.sh | 31 +++++ playbooks/cli/fix_az_pqc_003.sh | 31 +++++ requirements.txt | 2 + scanner/azure_client.py | 23 +++- scanner/rules/az_pqc_001.py | 78 +++++++++++ scanner/rules/az_pqc_002.py | 88 ++++++++++++ scanner/rules/az_pqc_003.py | 91 ++++++++++++ tests/test_pqc_rules.py | 129 ++++++++++++++++++ 14 files changed, 645 insertions(+), 2 deletions(-) create mode 100644 ai/knowledge/skills/post-quantum-cryptography-azure/SKILL.md create mode 100755 playbooks/cli/fix_az_pqc_001.sh create mode 100755 playbooks/cli/fix_az_pqc_002.sh create mode 100755 playbooks/cli/fix_az_pqc_003.sh create mode 100644 scanner/rules/az_pqc_001.py create mode 100644 scanner/rules/az_pqc_002.py create mode 100644 scanner/rules/az_pqc_003.py create mode 100644 tests/test_pqc_rules.py 
diff --git a/ai/knowledge/skills/post-quantum-cryptography-azure/SKILL.md b/ai/knowledge/skills/post-quantum-cryptography-azure/SKILL.md new file mode 100644 index 0000000..9037fe8 --- /dev/null +++ b/ai/knowledge/skills/post-quantum-cryptography-azure/SKILL.md 
@@ -0,0 +1,89 @@ +--- +name: post-quantum-cryptography-azure +description: Identifies and remediates non-quantum-safe cryptographic configurations in Azure including classical TLS key exchange, RSA and ECC keys in Key Vault, and classical certificate algorithms. Maps findings to NIST PQC standards FIPS 203, FIPS 204, and FIPS 205. Use when assessing quantum readiness of Azure infrastructure or building a Cryptographic Bill of Materials. +domain: cybersecurity +subdomain: post-quantum-cryptography +tags: +- post-quantum +- pqc +- azure +- key-vault +- tls +- cryptography +- cbom +version: '1.0' +author: openshield +license: Apache-2.0 +nist_csf: +- PR.DS-2 +- PR.DS-1 +--- + +# Post-Quantum Cryptography Assessment for Azure + +## When to Use +- When assessing an Azure environment for quantum readiness +- When building a Cryptographic Bill of Materials for Azure resources +- When identifying classical cryptographic algorithms that need migration +- When planning post-quantum migration for Key Vault keys and certificates +- When evaluating TLS configurations for quantum vulnerability + +## Key Concepts + +| Term | Definition | +|------|------------| +| Harvest Now Decrypt Later | Attack where adversaries collect encrypted traffic today and decrypt it when quantum computers become available | +| Shor's Algorithm | Quantum algorithm that can break RSA and ECC by solving integer factorisation and discrete logarithm problems efficiently | +| ML-KEM | Module Lattice Key Encapsulation Mechanism, NIST FIPS 203, post-quantum safe key exchange | +| ML-DSA | Module Lattice Digital Signature Algorithm, NIST FIPS 204, post-quantum safe signing | +| SLH-DSA | Stateless Hash-Based Digital Signature Algorithm, NIST FIPS 205, post-quantum safe signing | +| CBOM | Cryptographic Bill of Materials, inventory of all cryptographic assets in a system | +| PQMA | Post-Quantum Migration Analyser, tool for validating PQC migration paths | + +## OpenShield PQC Rules + +| Rule | Description | 
Severity | +|------|-------------|----------| +| AZ-PQC-001 | TLS below 1.3 on App Service | HIGH | +| AZ-PQC-002 | Key Vault key using RSA or ECC algorithm | HIGH | +| AZ-PQC-003 | Key Vault certificate using non-quantum-safe signature algorithm | MEDIUM | + +## Assessment Workflow + +### Step 1: Identify Classical Keys in Key Vault +```bash +az keyvault list --output table +az keyvault key list --vault-name --output table +az keyvault certificate list --vault-name --output table +``` + +### Step 2: Check TLS Configuration on App Services +```bash +az webapp list --output table +az webapp config show --resource-group --name --query minTlsVersion +``` + +### Step 3: Build Cryptographic Bill of Materials +Document all findings with resource ID, algorithm type, key size, expiry date, and dependent services. + +### Step 4: Prioritise Migration +1. Keys and certificates exposed to internet traffic first +2. Long-lived keys with high blast radius second +3. Internal service-to-service encryption third + +## NIST PQC Standards Reference + +| Standard | Algorithm | Use Case | +|----------|-----------|----------| +| FIPS 203 | ML-KEM | Key encapsulation, replacing RSA and ECDH key exchange | +| FIPS 204 | ML-DSA | Digital signatures, replacing RSA-PSS and ECDSA | +| FIPS 205 | SLH-DSA | Digital signatures, hash-based alternative | + +## Compliance Mapping + +| Framework | Control | Requirement | +|-----------|---------|-------------| +| NIST CSF | PR.DS-2 | Data in transit is protected using quantum-safe algorithms | +| ISO 27001 | A.10.1.1 | Cryptographic controls policy must address quantum threats | +| CIS Azure | 8.1 | Key management must include post-quantum migration planning | +| SOC 2 | CC6.7 | Encryption protecting data in transit must be quantum-safe | diff --git a/compliance/frameworks/cis_azure_benchmark.json b/compliance/frameworks/cis_azure_benchmark.json index aedfde7..91661e8 100644 --- a/compliance/frameworks/cis_azure_benchmark.json 
+++ b/compliance/frameworks/cis_azure_benchmark.json @@ -172,6 +172,21 @@ "control_id": "6.4", "control_name": "Ensure that Azure Firewall is enabled on Virtual Networks", "description": "VNet peering connections with allowGatewayTransit or useRemoteGateways enabled allow traffic to route between network segments through shared gateways. This can break network segmentation and enable lateral movement between zones that should remain isolated. Peering connections should be reviewed and gateway transit disabled unless explicitly required and documented." + }, + "AZ-PQC-001": { + "control_id": "9.1", + "control_name": "Ensure TLS is enforced with quantum-safe configuration", + "description": "App Services configured with TLS versions below 1.3 use classical key exchange algorithms vulnerable to Harvest Now Decrypt Later attacks. CIS 9.1 requires that data in transit is protected using current encryption standards. Enforcing TLS 1.3 minimum reduces exposure to quantum-enabled decryption of captured traffic." + }, + "AZ-PQC-002": { + "control_id": "8.1", + "control_name": "Ensure Key Vault keys use quantum-safe algorithms", + "description": "Key Vault keys using RSA or ECC algorithms are vulnerable to Shor's algorithm on quantum computers. CIS 8.1 requires that cryptographic key management follows current standards. Keys should be inventoried in a Cryptographic Bill of Materials and migration to post-quantum safe algorithms planned." + }, + "AZ-PQC-003": { + "control_id": "8.5", + "control_name": "Ensure certificates use quantum-safe signature algorithms", + "description": "Key Vault certificates signed with RSA or ECDSA are vulnerable to quantum attacks. CIS 8.5 requires that certificate management includes monitoring of algorithm strength. Certificates should be migrated to post-quantum safe signature algorithms such as ML-DSA when CA support is available." } } } 
diff --git a/compliance/frameworks/iso27001.json b/compliance/frameworks/iso27001.json index f9e3f97..a777e39 100644 --- a/compliance/frameworks/iso27001.json +++ b/compliance/frameworks/iso27001.json @@ -172,6 +172,21 @@ "control_id": "A.13.1.1", "control_name": "Network controls", "description": "VNet peering connections with gateway transit enabled allow traffic to flow between network segments through shared gateways, potentially bypassing network controls. Networks should be managed and controlled to protect information in systems and applications. Gateway transit on peering connections should be disabled unless explicitly required." + }, + "AZ-PQC-001": { + "control_id": "A.10.1.1", + "control_name": "Policy on the use of cryptographic controls", + "description": "TLS configurations using classical key exchange algorithms do not align with a forward-looking cryptographic controls policy. A.10.1.1 requires that the organisation defines rules for effective use of cryptography. The policy must address post-quantum threats and mandate migration to quantum-safe cipher suites when supported." + }, + "AZ-PQC-002": { + "control_id": "A.10.1.1", + "control_name": "Policy on the use of cryptographic controls", + "description": "Key Vault keys using RSA or ECC do not meet the requirements of a cryptographic controls policy that accounts for quantum threats. A.10.1.1 requires that cryptographic controls are appropriate to the level of risk. Post-quantum safe algorithms must be adopted as part of the cryptographic policy when supported." + }, + "AZ-PQC-003": { + "control_id": "A.10.1.1", + "control_name": "Policy on the use of cryptographic controls", + "description": "Certificates using classical signature algorithms expose the organisation to quantum-enabled signature forgery. A.10.1.1 requires that the cryptographic controls policy covers all cryptographic assets including certificates. Migration planning to post-quantum safe signature algorithms is required." } } } 
diff --git a/compliance/frameworks/nist_csf.json b/compliance/frameworks/nist_csf.json index 30ae4b5..c592c21 100644 --- a/compliance/frameworks/nist_csf.json +++ b/compliance/frameworks/nist_csf.json @@ -172,6 +172,21 @@ "control_id": "PR.AC-5", "control_name": "Network integrity is protected", "description": "VNet peering with gateway transit enabled allows traffic to cross network boundaries through shared gateways, undermining network segmentation. PR.AC-5 requires that network integrity is protected. Disabling gateway transit on peering connections enforces boundary integrity between network zones." + }, + "AZ-PQC-001": { + "control_id": "PR.DS-2", + "control_name": "Data in transit is protected", + "description": "TLS configurations using classical key exchange algorithms expose data in transit to Harvest Now Decrypt Later attacks. PR.DS-2 requires that data in transit is protected. Migrating to TLS 1.3 and post-quantum safe cipher suites when supported helps data remain protected against quantum-enabled adversaries." + }, + "AZ-PQC-002": { + "control_id": "PR.DS-2", + "control_name": "Data in transit is protected", + "description": "Key Vault keys using RSA or ECC can be broken by Shor's algorithm on quantum computers, compromising protected data and signatures. PR.DS-2 requires that data protection mechanisms are maintained. Post-quantum safe key encapsulation algorithms such as ML-KEM should replace classical alternatives when supported." + }, + "AZ-PQC-003": { + "control_id": "PR.DS-2", + "control_name": "Data in transit is protected", + "description": "Certificates using classical signature algorithms are vulnerable to quantum attacks, undermining authentication and integrity guarantees. PR.DS-2 requires that data protection includes integrity mechanisms. Migration to ML-DSA or SLH-DSA signature algorithms should be planned." } } } diff --git a/compliance/frameworks/soc2.json b/compliance/frameworks/soc2.json index 3bf94d0..285fb41 100644 
--- a/compliance/frameworks/soc2.json +++ b/compliance/frameworks/soc2.json 
@@ -163,10 +163,25 @@ "control_name": "Restricts Access from Outside the Network Boundary", "description": "A virtual network without an Azure Firewall relies on NSGs alone and lacks a centralized point to inspect, filter, and log traffic crossing the network boundary. CC6.6 requires that logical access from outside the network boundary is restricted and controlled. Deploying an Azure Firewall enforces inspected, logged perimeter access for the network." }, - "AZ-NET-014": { + "AZ-NET-014": { "control_id": "CC6.6", "control_name": "Restricts Access from Outside the Network Boundary", "description": "VNet peering with allowGatewayTransit or useRemoteGateways enabled allows traffic to cross network boundaries through shared gateways, weakening the logical separation between network zones. CC6.6 requires that logical access from outside the network boundary is restricted and controlled. Gateway transit on peering connections should be disabled to enforce boundary separation." + }, + "AZ-PQC-001": { + "control_id": "CC6.7", + "control_name": "Protects Data in Transit", + "description": "TLS configurations using classical key exchange algorithms expose data in transit to Harvest Now Decrypt Later attacks where adversaries collect traffic today and decrypt it with future quantum computers. CC6.7 requires that data transmitted over networks is protected using encryption. Enforcing TLS 1.3 minimum reduces this risk." + }, + "AZ-PQC-002": { + "control_id": "CC6.7", + "control_name": "Protects Data in Transit", + "description": "Key Vault keys using RSA or ECC will be vulnerable to Shor's algorithm, compromising data encrypted or signed with these keys. CC6.7 requires that data is protected using encryption. Post-quantum safe key encapsulation algorithms should replace classical alternatives when supported to maintain this protection." 
+ }, + "AZ-PQC-003": { + "control_id": "CC6.7", + "control_name": "Protects Data in Transit", + "description": "Certificates using classical signature algorithms will be vulnerable to quantum-enabled forgery, undermining authentication and data integrity. CC6.7 requires that data integrity is maintained through encryption and signing. Migration to post-quantum safe certificate algorithms should be planned." } } } diff --git a/playbooks/cli/fix_az_pqc_001.sh b/playbooks/cli/fix_az_pqc_001.sh new file mode 100755 index 0000000..7cff288 --- /dev/null +++ b/playbooks/cli/fix_az_pqc_001.sh @@ -0,0 +1,23 @@ +#!/bin/bash +set -euo pipefail + +# Playbook: fix_az_pqc_001.sh +# Rule: AZ-PQC-001 - TLS using classical key exchange algorithm + +if [[ $# -lt 2 ]]; then + echo "Usage: $0 " + exit 1 +fi + +RESOURCE_GROUP="$1" +APP_NAME="$2" + +echo "Enforcing TLS 1.3 minimum on App Service: $APP_NAME" +az webapp config set \ + --resource-group "$RESOURCE_GROUP" \ + --name "$APP_NAME" \ + --min-tls-version 1.3 \ + --output none + +echo "Done. Verify with:" +echo " az webapp config show --resource-group $RESOURCE_GROUP --name $APP_NAME --query minTlsVersion" diff --git a/playbooks/cli/fix_az_pqc_002.sh b/playbooks/cli/fix_az_pqc_002.sh new file mode 100755 index 0000000..1d2099f --- /dev/null +++ b/playbooks/cli/fix_az_pqc_002.sh 
@@ -0,0 +1,31 @@ +#!/bin/bash +set -euo pipefail + +# Playbook: fix_az_pqc_002.sh +# Rule: AZ-PQC-002 - Key Vault key using non-quantum-safe algorithm + +if [[ $# -lt 3 ]]; then + echo "Usage: $0 " + exit 1 +fi + +RESOURCE_GROUP="$1" +VAULT_NAME="$2" +KEY_NAME="$3" + +echo "Listing current key properties for: $KEY_NAME in vault: $VAULT_NAME" +az keyvault key show \ + --vault-name "$VAULT_NAME" \ + --name "$KEY_NAME" \ + --output table + +echo "" +echo "Next steps:" +echo " 1. Review all workloads using this key and plan migration." +echo " 2. Generate a new key using a post-quantum safe algorithm when supported." +echo " 3. Document this key in your Cryptographic Bill of Materials (CBOM)." +echo " 4. Update all dependent services to use the new key." +echo " 5. Disable and schedule deletion of the old key after migration." +echo "" +echo "Verify existing keys with:" +echo " az keyvault key list --vault-name $VAULT_NAME --output table" diff --git a/playbooks/cli/fix_az_pqc_003.sh b/playbooks/cli/fix_az_pqc_003.sh new file mode 100755 index 0000000..9c1dce6 --- /dev/null +++ b/playbooks/cli/fix_az_pqc_003.sh 
@@ -0,0 +1,31 @@ +#!/bin/bash +set -euo pipefail + +# Playbook: fix_az_pqc_003.sh +# Rule: AZ-PQC-003 - Key Vault certificate using non-quantum-safe algorithm + +if [[ $# -lt 3 ]]; then + echo "Usage: $0 " + exit 1 +fi + +RESOURCE_GROUP="$1" +VAULT_NAME="$2" +CERT_NAME="$3" + +echo "Listing current certificate properties for: $CERT_NAME in vault: $VAULT_NAME" +az keyvault certificate show \ + --vault-name "$VAULT_NAME" \ + --name "$CERT_NAME" \ + --output table + +echo "" +echo "Next steps:" +echo " 1. Identify the CA issuing this certificate." +echo " 2. Check if the CA supports post-quantum safe signature algorithms." +echo " 3. Document this certificate in your Cryptographic Bill of Materials." +echo " 4. Plan certificate renewal with a post-quantum safe algorithm." +echo " 5. Update all services using this certificate before expiry." +echo "" +echo "Verify existing certificates with:" +echo " az keyvault certificate list --vault-name $VAULT_NAME --output table" diff --git a/requirements.txt b/requirements.txt index 43d9ede..5326224 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,6 +9,7 @@ azure-mgmt-sql==3.0.1 azure-mgmt-keyvault==10.3.0 azure-mgmt-rdbms==10.1.0 azure-mgmt-authorization==4.0.0 +azure-mgmt-web==7.3.1 azure-monitor-ingestion==1.0.3 azure-mgmt-monitor==6.0.0 psycopg2-binary==2.9.9 @@ -21,5 +22,6 @@ cryptography==42.0.5 msrest==0.7.1 azure-mgmt-postgresqlflexibleservers==1.0.0b1 azure-keyvault-certificates==4.8.0 +azure-keyvault-keys==4.9.0 chromadb==0.4.24 sentence-transformers==2.7.0 diff --git a/scanner/azure_client.py b/scanner/azure_client.py index ef331ea..069c80b 100644 --- a/scanner/azure_client.py +++ b/scanner/azure_client.py 
@@ -298,6 +298,16 @@ def get_virtual_machines(self) -> List[Any]: logger.error("get_virtual_machines failed: %s", exc) return [] + def get_web_apps(self) -> List[Any]: + """List all App Services in the subscription.""" + try: + from azure.mgmt.web import WebSiteManagementClient + client = WebSiteManagementClient(self.credential, self.subscription_id) + return list(client.web_apps.list()) + except Exception as exc: + logger.error("get_web_apps failed: %s", exc) + return [] + def get_vm_extensions( self, resource_group: str, vm_name: str ) -> Optional[List[Any]]: @@ -387,6 +397,17 @@ def get_key_vault_certificates(self, vault_name: str) -> List[Any]: ) return [] + def get_key_vault_keys(self, vault_name: str) -> List[Any]: + """List all keys in a Key Vault using the Key Vault data plane API.""" + try: + from azure.keyvault.keys import KeyClient + vault_url = f"https://{vault_name}.vault.azure.net" + client = KeyClient(vault_url=vault_url, credential=self.credential) + return list(client.list_properties_of_keys()) + except Exception as exc: + logger.error("get_key_vault_keys(%s) failed: %s", vault_name, exc) + return [] + # ------------------------------------------------------------------ # # Monitoring # # ------------------------------------------------------------------ # @@ -533,4 +554,4 @@ def get_network_watcher_regions(self) -> List[str]: return list(regions) except Exception as exc: logger.error("get_network_watcher_regions failed: %s", exc) - return [] \ No newline at end of file + return [] diff --git a/scanner/rules/az_pqc_001.py b/scanner/rules/az_pqc_001.py new file mode 100644 index 0000000..7010ef0 --- /dev/null +++ b/scanner/rules/az_pqc_001.py 
@@ -0,0 +1,78 @@ +"""AZ-PQC-001: App Service TLS below 1.3.""" + +import logging +from typing import Any, Dict, List + +RULE_ID = "AZ-PQC-001" +RULE_NAME = "TLS Using Classical Key Exchange Algorithm" +SEVERITY = "HIGH" +CATEGORY = "PostQuantum" +FRAMEWORKS = { + "CIS": "9.1", + "NIST": "PR.DS-2", + "ISO27001": "A.10.1.1", + "SOC2": "CC6.7", +} +DESCRIPTION = ( + "The resource is configured with TLS using classical key exchange algorithms " + "such as RSA or ECDH. These algorithms are vulnerable to Harvest Now Decrypt " + "Later attacks where adversaries collect encrypted traffic today and decrypt " + "it once quantum computers are available. Post-quantum safe key exchange " + "algorithms should be used." +) +REMEDIATION = ( + "Migrate TLS configuration to use post-quantum safe key exchange. Update App " + "Service TLS policies to enforce TLS 1.3 and plan adoption of quantum-safe " + "cipher suites when supported. See playbooks/cli/fix_az_pqc_001.sh for " + "remediation steps." +) +PLAYBOOK = "playbooks/cli/fix_az_pqc_001.sh" + +logger = logging.getLogger(__name__) + + +def _tls_version_below_13(version: Any) -> bool: + if version is None: + return False + try: + major, minor = str(version).split(".", maxsplit=1) + return (int(major), int(minor)) < (1, 3) + except (TypeError, ValueError): + return str(version) < "1.3" + + +def scan(azure_client: Any, subscription_id: str) -> List[Dict[str, Any]]: + """Scan App Services for TLS versions below 1.3.""" + findings: List[Dict[str, Any]] = [] + + web_apps = azure_client.get_web_apps() + if web_apps is None: + logger.warning("AZ-PQC-001 skipped: unable to list web apps.") + return findings + + for app in web_apps: + app_id = getattr(app, "id", "") or "" + parsed = azure_client.parse_resource_id(app_id) + site_config = getattr(app, "site_config", None) + min_tls = getattr(site_config, "min_tls_version", None) if site_config else None + + if _tls_version_below_13(min_tls): + findings.append({ + "rule_id": RULE_ID, + 
"rule_name": RULE_NAME, + "severity": SEVERITY, + "category": CATEGORY, + "resource_id": app_id, + "resource_name": getattr(app, "name", ""), + "resource_type": "Microsoft.Web/sites", + "description": DESCRIPTION, + "remediation": REMEDIATION, + "playbook": PLAYBOOK, + "frameworks": FRAMEWORKS, + "metadata": { + "resource_group": parsed.get("resource_group", ""), + "min_tls_version": str(min_tls), + }, + }) + + return findings diff --git a/scanner/rules/az_pqc_002.py b/scanner/rules/az_pqc_002.py new file mode 100644 index 0000000..4b19af5 --- /dev/null +++ b/scanner/rules/az_pqc_002.py 
@@ -0,0 +1,88 @@ +"""AZ-PQC-002: Key Vault keys using RSA or ECC algorithms.""" + +import logging +from typing import Any, Dict, List + +RULE_ID = "AZ-PQC-002" +RULE_NAME = "Key Vault Key Using Non-Quantum-Safe Algorithm" +SEVERITY = "HIGH" +CATEGORY = "PostQuantum" +FRAMEWORKS = { + "CIS": "8.1", + "NIST": "PR.DS-2", + "ISO27001": "A.10.1.1", + "SOC2": "CC6.7", +} +DESCRIPTION = ( + "The Key Vault contains keys using RSA or ECC algorithms which are vulnerable " + "to quantum attacks using Shor's algorithm. A sufficiently powerful quantum " + "computer can break RSA and ECC keys, compromising data encrypted or signed " + "with these keys. Keys should be migrated to post-quantum safe algorithms " + "such as those standardised by NIST in FIPS 203, FIPS 204, and FIPS 205." +) +REMEDIATION = ( + "Identify all RSA and ECC keys in Key Vault and plan migration to " + "post-quantum safe alternatives. For signing use ML-DSA (FIPS 204). For key " + "encapsulation use ML-KEM (FIPS 203). Document all keys requiring migration " + "in a Cryptographic Bill of Materials (CBOM). See " + "playbooks/cli/fix_az_pqc_002.sh for remediation steps." 
+) +PLAYBOOK = "playbooks/cli/fix_az_pqc_002.sh" + +logger = logging.getLogger(__name__) + +_CLASSICAL_KEY_TYPES = {"RSA", "EC", "EC-HSM", "RSA-HSM"} + + +def _key_type_value(key: Any) -> str: + key_type = getattr(key, "key_type", None) + return str(getattr(key_type, "value", None) or key_type or "") + + +def scan(azure_client: Any, subscription_id: str) -> List[Dict[str, Any]]: + """Scan Key Vault keys for non-quantum-safe algorithm usage.""" + findings: List[Dict[str, Any]] = [] + + vaults = azure_client.get_key_vaults() + if vaults is None: + logger.warning("AZ-PQC-002 skipped: unable to list Key Vaults.") + return findings + + for vault in vaults: + vault_id = getattr(vault, "id", "") or "" + vault_name = getattr(vault, "name", "") or azure_client.parse_resource_id( + vault_id + ).get("name", "") + parsed = azure_client.parse_resource_id(vault_id) + resource_group = parsed.get("resource_group", "") + + keys = azure_client.get_key_vault_keys(vault_name) + if keys is None: + logger.warning("AZ-PQC-002: unable to list keys for vault %s", vault_name) + continue + + for key in keys: + key_type = _key_type_value(key) + if key_type.upper() in _CLASSICAL_KEY_TYPES: + key_id = getattr(key, "id", "") or f"{vault_id}/keys/{getattr(key, 'name', '')}" + key_name = getattr(key, "name", "") or key_id.rstrip("/").split("/")[-1] + findings.append({ + "rule_id": RULE_ID, + "rule_name": RULE_NAME, + "severity": SEVERITY, + "category": CATEGORY, + "resource_id": key_id, + "resource_name": key_name, + "resource_type": "Microsoft.KeyVault/vaults/keys", + "description": DESCRIPTION, + "remediation": REMEDIATION, + "playbook": PLAYBOOK, + "frameworks": FRAMEWORKS, + "metadata": { + "resource_group": resource_group, + "vault_name": vault_name, + "key_type": key_type, + }, + }) + + return findings diff --git a/scanner/rules/az_pqc_003.py b/scanner/rules/az_pqc_003.py new file mode 100644 index 0000000..3307d04 --- /dev/null +++ b/scanner/rules/az_pqc_003.py 
@@ -0,0 +1,91 @@ +"""AZ-PQC-003: Key Vault certificates using classical algorithms.""" + +import logging +from typing import Any, Dict, List + +RULE_ID = "AZ-PQC-003" +RULE_NAME = "Key Vault Certificate Using Non-Quantum-Safe Signature Algorithm" +SEVERITY = "MEDIUM" +CATEGORY = "PostQuantum" +FRAMEWORKS = { + "CIS": "8.5", + "NIST": "PR.DS-2", + "ISO27001": "A.10.1.1", + "SOC2": "CC6.7", +} +DESCRIPTION = ( + "The Key Vault contains certificates signed using RSA or ECDSA algorithms. " + "These classical signature schemes are vulnerable to Shor's algorithm on " + "quantum computers. Certificates used for authentication, TLS, and code " + "signing must be migrated to post-quantum safe signature algorithms such " + "as ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)." +) +REMEDIATION = ( + "Audit all Key Vault certificates and identify those using RSA or ECDSA. " + "Plan migration to post-quantum safe certificate authorities and signature " + "algorithms. Include all certificates in your Cryptographic Bill of " + "Materials. See playbooks/cli/fix_az_pqc_003.sh for remediation steps." 
+) +PLAYBOOK = "playbooks/cli/fix_az_pqc_003.sh" + +logger = logging.getLogger(__name__) + +_CLASSICAL_KEY_TYPES = {"RSA", "EC", "EC-HSM", "RSA-HSM"} + + +def _certificate_key_type(cert: Any) -> str: + policy = getattr(cert, "policy", None) + key_props = getattr(policy, "key_properties", None) if policy else None + key_type = getattr(key_props, "key_type", None) if key_props else None + return str(getattr(key_type, "value", None) or key_type or "") + + +def scan(azure_client: Any, subscription_id: str) -> List[Dict[str, Any]]: + """Scan Key Vault certificates for non-quantum-safe algorithms.""" + findings: List[Dict[str, Any]] = [] + + vaults = azure_client.get_key_vaults() + if vaults is None: + logger.warning("AZ-PQC-003 skipped: unable to list Key Vaults.") + return findings + + for vault in vaults: + vault_id = getattr(vault, "id", "") or "" + vault_name = getattr(vault, "name", "") or azure_client.parse_resource_id( + vault_id + ).get("name", "") + parsed = azure_client.parse_resource_id(vault_id) + resource_group = parsed.get("resource_group", "") + + certs = azure_client.get_key_vault_certificates(vault_name) + if certs is None: + logger.warning( + "AZ-PQC-003: unable to list certificates for vault %s", vault_name + ) + continue + + for cert in certs: + key_type = _certificate_key_type(cert) + if key_type.upper() in _CLASSICAL_KEY_TYPES: + cert_id = getattr(cert, "id", "") or f"{vault_id}/certificates/{getattr(cert, 'name', '')}" + cert_name = getattr(cert, "name", "") or cert_id.rstrip("/").split("/")[-1] + findings.append({ + "rule_id": RULE_ID, + "rule_name": RULE_NAME, + "severity": SEVERITY, + "category": CATEGORY, + "resource_id": cert_id, + "resource_name": cert_name, + "resource_type": "Microsoft.KeyVault/vaults/certificates", + "description": DESCRIPTION, + "remediation": REMEDIATION, + "playbook": PLAYBOOK, + "frameworks": FRAMEWORKS, + "metadata": { + "resource_group": resource_group, + "vault_name": vault_name, + "key_type": key_type, + }, + }) + 
+ return findings diff --git a/tests/test_pqc_rules.py b/tests/test_pqc_rules.py new file mode 100644 index 0000000..4ffbcf3 --- /dev/null +++ b/tests/test_pqc_rules.py 
@@ -0,0 +1,129 @@ +"""Unit tests for post-quantum Azure rule modules.""" + +from types import SimpleNamespace + +from scanner.rules import az_pqc_001, az_pqc_002, az_pqc_003 + + +_VAULT_ID = ( + "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/vault1" +) + + +class FakeAzureClient: + def __init__(self, web_apps=None, vaults=None, keys=None, certificates=None): + self._web_apps = web_apps if web_apps is not None else [] + self._vaults = vaults if vaults is not None else [] + self._keys = keys if keys is not None else [] + self._certificates = certificates if certificates is not None else [] + + def get_web_apps(self): + return self._web_apps + + def get_key_vaults(self): + return self._vaults + + def get_key_vault_keys(self, vault_name): + return self._keys + + def get_key_vault_certificates(self, vault_name): + return self._certificates + + @staticmethod + def parse_resource_id(resource_id): + parts = resource_id.split("/") + result = {"name": parts[-1]} + if "resourceGroups" in parts: + result["resource_group"] = parts[parts.index("resourceGroups") + 1] + return result + + +def _enum_value(value): + return SimpleNamespace(value=value) + + +def test_pqc_001_flags_app_service_tls_below_13(): + app = SimpleNamespace( + id="/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Web/sites/app1", + name="app1", + site_config=SimpleNamespace(min_tls_version="1.2"), + ) + client = FakeAzureClient(web_apps=[app]) + + findings = az_pqc_001.scan(client, "sub") + + assert len(findings) == 1 + assert findings[0]["rule_id"] == "AZ-PQC-001" + assert findings[0]["metadata"]["min_tls_version"] == "1.2" + + +def test_pqc_001_ignores_tls_13(): + app = SimpleNamespace( + id="/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Web/sites/app1", + name="app1", + site_config=SimpleNamespace(min_tls_version="1.3"), + ) + client = FakeAzureClient(web_apps=[app]) + + assert az_pqc_001.scan(client, "sub") == [] + + +def test_pqc_002_flags_rsa_key_vault_key(): 
+ vault = SimpleNamespace(id=_VAULT_ID, name="vault1") + key = SimpleNamespace( + id=f"{_VAULT_ID}/keys/key1", + name="key1", + key_type=_enum_value("RSA"), + ) + client = FakeAzureClient(vaults=[vault], keys=[key]) + + findings = az_pqc_002.scan(client, "sub") + + assert len(findings) == 1 + assert findings[0]["rule_id"] == "AZ-PQC-002" + assert findings[0]["metadata"]["key_type"] == "RSA" + assert findings[0]["metadata"]["vault_name"] == "vault1" + + +def test_pqc_002_ignores_non_classical_key_type(): + vault = SimpleNamespace(id=_VAULT_ID, name="vault1") + key = SimpleNamespace( + id=f"{_VAULT_ID}/keys/key1", + name="key1", + key_type=_enum_value("oct-HSM"), + ) + client = FakeAzureClient(vaults=[vault], keys=[key]) + + assert az_pqc_002.scan(client, "sub") == [] + + +def test_pqc_003_flags_classical_certificate_policy_key_type(): + vault = SimpleNamespace(id=_VAULT_ID, name="vault1") + cert = SimpleNamespace( + id=f"{_VAULT_ID}/certificates/cert1", + name="cert1", + policy=SimpleNamespace( + key_properties=SimpleNamespace(key_type=_enum_value("EC")) + ), + ) + client = FakeAzureClient(vaults=[vault], certificates=[cert]) + + findings = az_pqc_003.scan(client, "sub") + + assert len(findings) == 1 + assert findings[0]["rule_id"] == "AZ-PQC-003" + assert findings[0]["metadata"]["key_type"] == "EC" + + +def test_pqc_003_ignores_certificate_without_classical_policy_key_type(): + vault = SimpleNamespace(id=_VAULT_ID, name="vault1") + cert = SimpleNamespace( + id=f"{_VAULT_ID}/certificates/cert1", + name="cert1", + policy=SimpleNamespace( + key_properties=SimpleNamespace(key_type=_enum_value("ML-DSA")) + ), + ) + client = FakeAzureClient(vaults=[vault], certificates=[cert]) + + assert az_pqc_003.scan(client, "sub") == [] From 8ce73332627199db3b3b8ee985d4dc6ca38e055e Mon Sep 17 00:00:00 2001 
From: Parth Rohit Date: Thu, 4 Jun 2026 19:45:51 +0100 Subject: [PATCH 2/6] docs: update OpenShield Learn portal --- docs/learn/index.html | 1034 +++++++++++++++++++++++++++++++---------- 1 file changed, 776 insertions(+), 258 deletions(-) diff --git a/docs/learn/index.html b/docs/learn/index.html index 93c5164..77f6a36 100644 --- a/docs/learn/index.html +++ b/docs/learn/index.html @@ -3,64 +3,199 @@ + OpenShield Learn -
-
Open Source Azure CSPM Platform
-

OpenShield Learn

-

- A practical learning hub for understanding OpenShield, Azure cloud security posture management, - misconfiguration detection, compliance mapping, drift detection, and remediation workflows. -

-
- Architecture - Learn CSPM - Contributing - Docs + + + + +
+
+
+
Open-source Azure CSPM platform
+

Learn Azure security posture with OpenShield.

+

+ OpenShield scans Azure subscriptions for misconfigurations, enriches findings with CVE intelligence, + maps risks to compliance frameworks, stores scan history, exposes a Flask API, and presents results through + a React dashboard with demo and live modes. +

+ +

Static learning hub. No backend, no login, no fake upload flows.

+
+ + +
+ +
+
39Azure scan rules
+
39CLI remediation playbooks
+
4Compliance frameworks
+
8AI security skills
+
22High-severity checks
-
-
-

What is OpenShield?

-

- OpenShield is an open-source Azure CSPM platform designed to identify cloud misconfigurations, - map findings to compliance frameworks, monitor posture drift, and provide remediation guidance. It helps users understand - what is insecure, why it matters, and how to fix it. -

-
-
-

Misconfiguration Scanning

-

Checks Azure resources for risky settings that can expose data, weaken access control, or reduce security visibility.

-
-
-

Compliance Mapping

-

Connects security findings to frameworks such as CIS, NIST, and ISO so issues can be understood in a governance context.

-
-
-

Remediation Guidance

-

Provides practical fix guidance using Azure CLI, ARM templates, Terraform, and validation checks where applicable.

-
-
-

Drift Detection

-

Tracks changes in cloud security posture so teams can identify when previously safe configurations become risky.

+
+
+
+
+

Overview

+

What OpenShield does

+

+ OpenShield is built to help users identify risky Azure configurations, understand the impact, connect findings + to compliance controls, and follow practical remediation guidance. It is not a cloud provider replacement or a SIEM; + it is a focused Azure CSPM platform for posture visibility and learning. +

+ +
+
+

Misconfiguration scanning

+

Dynamic Python rule modules inspect Azure resources through Azure SDK clients and return normalized security findings.

+
ScannerAzure SDKRules
+
+
+

CVE enrichment

+

Findings can be enriched with NVD/CVE context so security issues are easier to prioritize and explain.

+
NVDCVERisk context
+
+
+

Compliance mapping

+

Technical findings are mapped to CIS Azure, NIST CSF, ISO 27001, and SOC 2 for governance-oriented reporting.

+
CISNISTISO 27001SOC 2
+
+
+

Remediation guidance

+

Each rule is paired with a CLI playbook so contributors and users can move from detection to manual remediation.

+
Azure CLIPlaybooksValidation
+
+
-
-

How OpenShield Works

+
+

Architecture

+

Production-shaped, MVP-friendly architecture

- OpenShield follows a simple scanning pipeline: collect Azure resource configuration, evaluate rules, - generate findings, map them to controls, and expose results through the platform. + The platform follows a simple pipeline: Azure credentials are resolved by DefaultAzureCredential, the scan engine loads + rule files from scanner/rules/*.py, findings are enriched and stored, then exposed through the API and dashboard.

-
-
Azure Subscription
-
Scanner Engine
-
Rule Evaluation
-
Findings
-
Compliance Mapping
-
Drift Detection
-
Dashboard & Reporting
+ +
+
Azure SubscriptionResources and configuration
+
Scanner EnginePython rule execution
+
Rule Evaluation39 dynamic checks
+
CVE EnrichmentNVD risk context
+
PostgreSQLFindings and scan history
+
Flask APIJWT-protected REST routes
+
React DashboardDemo and live modes
+
Sentinel / AIKQL, RAG, insights
+
+ +
+

Scanner

Core engine, Azure SDK wrapper, NVD/CVE enrichment, and auto-loaded rule files.

+

API

Flask REST API with JWT authentication, CORS, migrations, scans, findings, score, compliance, and AI routes.

+

Frontend

Vite, React, and Tailwind dashboard covering monitoring, discovery, prioritization, compliance, drift, and AI.

+

AI

RAG knowledge pipeline, ChromaDB vector store builder, retriever, and cloud-security knowledge skills.

+

Sentinel

Optional Log Analytics ingestion plus KQL analytics rules for detection workflows.

+

CI and docs

Checks syntax, secrets, rule structure, playbooks, compliance JSON, API syntax, and cross-references.

-
-

Core Components

+
+

Rule coverage

+

39 Azure security rules

- OpenShield is built with a simple MVP-friendly architecture: Python scanner, Flask API, - PostgreSQL storage, React frontend, compliance mapping, Sentinel integration, and supporting remediation playbooks. + OpenShield currently has 39 dynamic rules. The strongest contributor work improves rule accuracy, reduces false positives, + strengthens validation, or improves remediation quality.

-
-
-

Scanner Engine

-

Python-based scanner that uses Azure SDK clients to inspect Azure resource configuration and evaluate security rules.

- PythonAzure SDK -
-
-

Flask API

-

Backend API layer responsible for exposing scan results, findings, metadata, and platform data to the frontend.

- FlaskREST API -
-
-

PostgreSQL

-

Stores scan findings, rule metadata, compliance mappings, and remediation-related information.

- DatabasePersistence -
-
-

React Dashboard

-

Frontend dashboard for viewing findings, severity, affected resources, and security posture information.

- ReactDashboard -
-
-

Playbooks

-

Remediation documents that explain how to fix detected issues using CLI, ARM templates, Terraform, and validation steps.

- Azure CLIARMTerraform -
-
-

Sentinel

-

Supports security monitoring and SIEM-focused documentation where OpenShield findings connect with detection workflows.

- SIEMDetection -
+ +
+
+

Coverage by category

+
+
Network
14
+
Storage
5
+
Key Vault
5
+
Compute
4
+
Database
4
+
Identity
4
+
PostQuantum
3
+
+
+ +
+

Severity distribution

+

Most checks are high severity. That makes validation important: high-severity false positives damage trust quickly.

+
+
22HIGH
+
13MEDIUM
+
4LOW
+
+

Known cleanup item: keep category names consistent, especially KeyVault vs Key Vault.

+
-
-

CSPM Basics

+
+

Learning roadmap

+

Recommended learning path

- Cloud Security Posture Management focuses on continuously identifying insecure cloud configurations. - In Azure, common examples include public storage exposure, weak network rules, missing logging, - overly permissive identities, and disabled security protections. + Follow this path if you are new to OpenShield or preparing to contribute. Learn the security problem before touching code.

-
-
-

Why It Matters

-

Cloud breaches often happen because resources are misconfigured, not because the cloud provider itself failed.

-
-
-

Example Issues

-
    -
  • Public blob access
  • -
  • Weak network security groups
  • -
  • Missing monitoring or logging
  • -
  • Over-permissive access policies
  • -
-
-
-

OpenShield Role

-

OpenShield helps surface these issues, explain their impact, and guide users toward safer Azure configurations.

-
+ +
+

Azure security fundamentals

Understand subscriptions, identities, resources, networking, storage, Key Vault, and logging.

+

CSPM concepts

Learn how posture tools detect insecure cloud configuration and why false positives matter.

+

OpenShield architecture

Trace the flow from Azure SDK collection to scanner rules, enrichment, storage, API, and dashboard.

+

Rule engineering

Study rule structure, metadata, severity, categories, and safe test scenarios.

+

Compliance mapping

Map technical findings to CIS, NIST CSF, ISO 27001, and SOC 2 without forcing weak mappings.

+

Remediation playbooks

Write CLI guidance that fixes the issue and includes validation commands.

+

Sentinel integration

Understand optional Log Analytics ingestion and KQL analytics rules for security monitoring.

+

AI security features

Review the RAG pipeline, knowledge loaders, retriever, and AI insight routes.

-
-

Compliance Mapping

-

- A single security finding can map to multiple compliance controls. OpenShield uses mappings to connect - technical misconfigurations with security frameworks such as CIS Benchmarks, NIST CSF, ISO 27001, and SOC 2. -

-
-

CIS

Maps findings to cloud security benchmarks and configuration recommendations.

-

NIST

Connects findings to broader cybersecurity controls and risk management practices.

-

ISO 27001

Supports governance, information security controls, and audit-oriented reporting context.

-

SOC 2

Connects relevant findings to trust-service control areas such as security, availability, and confidentiality.

+ -
-

Remediation Philosophy

+
+

Contributors

+

Where contributors can help

- Detection alone is not enough. A useful CSPM tool should explain the risk, provide fix guidance, - and help validate whether the issue has actually been resolved. + Good contributions should improve detection accuracy, correctness of findings, remediation quality, documentation clarity, + or system reliability. Cosmetic work is useful only when it supports those goals.

+
-

Detect

Identify insecure Azure configuration accurately with minimal false positives.

-

Explain

Show why the finding matters, what resource is affected, and what the risk is.

-

Fix

Provide Azure CLI, ARM template, or Terraform-based remediation steps that users can apply safely.

-

Validate

Re-run checks or confirm settings to verify the misconfiguration is resolved.

+

Rules

Add or improve Azure checks with accurate metadata, safe SDK usage, realistic test cases, and clear findings.

+

Playbooks

Keep remediation scripts aligned with rules. Every fix should include validation and avoid unsafe blanket changes.

+

Compliance

Improve CIS, NIST, ISO 27001, and SOC 2 mappings. Do not map controls just to inflate coverage.

+

Frontend

Connect live API flows carefully. Do not leave mock-backed UI pretending to be production data.

+

Backend

Implement missing endpoints consistently with JWT auth, error handling, data contracts, and PostgreSQL models.

+

AI and Sentinel

Improve RAG quality, knowledge loading, KQL rules, and ingestion without exposing sensitive findings unnecessarily.

-
-

Contributor Learning Path

+
+

Known gaps

+

Current cleanup items

- New contributors should understand the security problem first, then the OpenShield architecture, - then the rule and remediation workflow. + These are not failures; they are useful follow-up targets. Documenting them prevents contributors from pretending the platform is more complete than it is.

-
-
-

Suggested Path

-
    -
  1. Understand CSPM fundamentals
  2. -
  3. Review the OpenShield architecture
  4. -
  5. Explore existing documentation and rules
  6. -
  7. Understand findings, mappings, and remediation playbooks
  8. -
  9. Add or improve rules and playbooks
  10. -
  11. Test changes against Azure safely
  12. -
-
-
-

Contribution Focus

-

Good contributions improve detection accuracy, remediation quality, documentation clarity, or platform reliability.

-
+ +
+
+

Documentation drift

+
    +
  • Some README/docs references still mention 20 rules while the repo has 39.
  • +
  • Some startup commands assume python, but local environments may only expose python3.
  • +
  • API docs and implementation should stay aligned, especially score response shape.
  • +
+
+
+

Implementation gaps

+
    +
  • Some frontend live pages depend on endpoints that may still be mock-backed.
  • +
  • Examples include resources, drift, prioritization, and finding-specific playbook routes.
  • +
  • Fix syntax issues before claiming AI pipeline readiness.
  • +
+
-
-

Documentation Links

+
+

Documentation

+

Useful repo documents

- Use these links as the starting point for understanding and contributing to OpenShield. + These relative links are intentionally static-hosting friendly when this file is served from the docs learning folder. + Adjust paths if the Learn page is moved.

+
-
ArchitectureSystem design, platform components, and scanning workflow.
- Open +
ArchitectureSystem design, scanner flow, platform components, and storage/API structure.
+ Open
-
API ReferenceBackend API documentation for working with OpenShield data.
- Open +
API ReferenceBackend routes for scans, findings, score, compliance, and AI-related data.
+ Open
-
Azure SetupRequired Azure setup and configuration before running scans.
- Open +
Azure SetupEnvironment variables, Azure credentials, and setup requirements for live scans.
+ Open
-
Rules ReferenceRule documentation and expected structure for security checks.
- Open +
Rules ReferenceRule metadata, categories, severity, expected output, and implementation guidance.
+ Open
-
Adding a RuleContributor guide for creating and testing new scan rules.
- Open +
Adding a RuleContributor workflow for implementing, testing, and documenting a new check.
+ Open
-
-

Open Source Goals

-

- OpenShield aims to make Azure security posture management easier to understand, easier to test, - and easier to improve through community contribution. -

-
-

Security Research

Encourage practical Azure misconfiguration research and rule development.

-

Education

Help learners understand CSPM, cloud controls, and secure Azure configuration.

-

Community

Build a contributor-friendly platform where improvements are clear and reviewable.

-
-
- -
-

Future Scope

-

- OpenShield can grow over time with richer dashboards, stronger compliance reports, - automated remediation workflows, and eventually broader cloud coverage. -

-
- -
- Note: This page is a static documentation hub. Do not add fake file upload buttons here. - Real uploads require backend storage, authentication, authorization, file validation, and access control. +
+ Deployment note: This page is static HTML/CSS/vanilla JavaScript. It should work by opening index.html directly + and can be hosted on GitHub Pages, Netlify, or Vercel without a build step. Do not add fake uploads, fake authentication, + or fake progress persistence to this page.
- OpenShield — Open Source Azure CSPM Platform | Learn, Contribute, Improve Azure Security +
+ + From 1389ade59b6e70eefeb5cd80171ab784c5628014 Mon Sep 17 00:00:00 2001 From: Parth Rohit Date: Thu, 4 Jun 2026 20:02:34 +0100 Subject: [PATCH 3/6] docs: update OpenShield Learn portal --- docs/learn/index.html | 57 +++++++++++++++++++++++++++++++++++++------ 1 file changed, 49 insertions(+), 8 deletions(-) diff --git a/docs/learn/index.html b/docs/learn/index.html index 77f6a36..66fd3fe 100644 --- a/docs/learn/index.html +++ b/docs/learn/index.html @@ -535,9 +535,21 @@ } .roadmap-item { + display: block; padding: 20px; position: relative; overflow: hidden; + color: inherit; + text-decoration: none; + transition: transform 0.15s ease, border-color 0.15s ease, background 0.15s ease; + } + + .roadmap-item:hover, + .roadmap-item:focus-visible { + transform: translateY(-1px); + border-color: rgba(56, 189, 248, 0.52); + background: rgba(15, 23, 42, 0.98); + outline: none; } .roadmap-item::before { @@ -565,6 +577,15 @@ font-size: 14px; } + .card-action { + display: inline-flex; + align-items: center; + margin-top: 14px; + color: var(--accent); + font-size: 13px; + font-weight: 900; + } + .search-panel { padding: 18px; margin-bottom: 18px; @@ -861,14 +882,14 @@

Recommended learning path

-

Azure security fundamentals

Understand subscriptions, identities, resources, networking, storage, Key Vault, and logging.

-

CSPM concepts

Learn how posture tools detect insecure cloud configuration and why false positives matter.

-

OpenShield architecture

Trace the flow from Azure SDK collection to scanner rules, enrichment, storage, API, and dashboard.

-

Rule engineering

Study rule structure, metadata, severity, categories, and safe test scenarios.

-

Compliance mapping

Map technical findings to CIS, NIST CSF, ISO 27001, and SOC 2 without forcing weak mappings.

-

Remediation playbooks

Write CLI guidance that fixes the issue and includes validation commands.

-

Sentinel integration

Understand optional Log Analytics ingestion and KQL analytics rules for security monitoring.

-

AI security features

Review the RAG pipeline, knowledge loaders, retriever, and AI insight routes.

+

Azure security fundamentals

Understand subscriptions, identities, resources, networking, storage, Key Vault, and logging.

Read
+

CSPM concepts

Learn how posture tools detect insecure cloud configuration and why false positives matter.

Read
+

OpenShield architecture

Trace the flow from Azure SDK collection to scanner rules, enrichment, storage, API, and dashboard.

Read
+

Rule engineering

Study rule structure, metadata, severity, categories, and safe test scenarios.

Read
+

Compliance mapping

Map technical findings to CIS, NIST CSF, ISO 27001, and SOC 2 without forcing weak mappings.

Read
+

Remediation playbooks

Write CLI guidance that fixes the issue and includes validation commands.

Read
+

Sentinel integration

Understand optional Log Analytics ingestion and KQL analytics rules for security monitoring.

Read
+

AI security features

Review the RAG pipeline, knowledge loaders, retriever, and AI insight routes.

Read
@@ -955,6 +976,26 @@

Useful repo documents

Adding a RuleContributor workflow for implementing, testing, and documenting a new check.
Open
+
+
CI PipelineLocal and GitHub Actions checks for rules, playbooks, compliance JSON, and API syntax.
+ Open +
+
+
CVE CorrelationNVD enrichment, CVSS scoring, exploit availability, and dashboard-ready CVE fields.
+ Open +
+
+
Sentinel SetupLog Analytics ingestion, OpenShield findings table setup, and KQL analytics rules.
+ Open +
+
+
API Render DeployRender deployment test plan, smoke testing, and production JWT requirements.
+ Open +
+
+
AZ-STOR-003 Test PlanLifecycle management policy rule test setup, execution, remediation, and validation.
+ Open +
From 1a35a10c437ef29648a5e4e18db55e0d962cf07b Mon Sep 17 00:00:00 2001 From: Parth Rohit Date: Thu, 4 Jun 2026 20:42:57 +0100 Subject: [PATCH 4/6] docs: redirect Learn site root --- docs/_redirects | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/_redirects diff --git a/docs/_redirects b/docs/_redirects new file mode 100644 index 0000000..fe0b625 --- /dev/null +++ b/docs/_redirects @@ -0,0 +1 @@ +/ /learn/ 302 From a8f20d8fe0e67d53aee531966cde0058c2650046 Mon Sep 17 00:00:00 2001 From: Parth Rohit Date: Thu, 4 Jun 2026 20:47:35 +0100 Subject: [PATCH 5/6] docs: add OpenShield Learn link to README --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7ba9ae6..d89f7bc 100644 --- a/README.md +++ b/README.md @@ -205,7 +205,7 @@ MIT — free to use, modify, and distribute. ## Learn OpenShield -Explore the OpenShield learning portal to understand: +Learn OpenShield covers: - Azure CSPM fundamentals - OpenShield architecture @@ -214,5 +214,4 @@ Explore the OpenShield learning portal to understand: - Contributor onboarding - Documentation navigation -👉 [OpenShield Learn](docs/learn/index.html) -> Built by security engineers and students who believe cloud security tooling should be accessible to everyone. +Live Learning Portal: https://openshieldlearn.netlify.app/learn/ From 8497ec394a3c7a4a0d44d6d67dc6fdd683316ed8 Mon Sep 17 00:00:00 2001 From: Parth Rohit Date: Thu, 4 Jun 2026 22:26:51 +0100 Subject: [PATCH 6/6] docs: update OpenShield Learn portal --- docs/learn/index.html | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/learn/index.html b/docs/learn/index.html index 66fd3fe..7ca6219 100644 --- a/docs/learn/index.html +++ b/docs/learn/index.html @@ -1000,10 +1000,8 @@

Useful repo documents

- Deployment note: This page is static HTML/CSS/vanilla JavaScript. It should work by opening index.html directly - and can be hosted on GitHub Pages, Netlify, or Vercel without a build step. Do not add fake uploads, fake authentication, - or fake progress persistence to this page. -
+ Note: OpenShield Learn is a documentation and learning portal. Features such as authentication, file uploads, scan execution, and data persistence require backend services and are intentionally not implemented in this static site. +
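Review bot: In scanner/rules/az_pqc_001.py (PATCH 1/6), `_tls_version_below_13` falls back to `str(version) < "1.3"` when parsing fails, which is a lexicographic comparison. A constructed value such as "TLS1.2" raises ValueError in `int("TLS1")` and then compares as not below "1.3" because "T" sorts after "1", so the app is treated as compliant. The `version is None` branch has the same effect when `site_config` or `min_tls_version` is missing: no finding and no log line. Suggest treating missing or unparseable values as unknown, logging them with the app id, and returning a distinct "not evaluated" result or a finding, with a test for each case. Separately, RULE_NAME and DESCRIPTION talk about classical key exchange while the check only compares the minimum TLS version; TLS 1.3 by itself still uses classical (EC)DHE key exchange, so the name should state what is measured, as the module docstring already does.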
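Review bot: In scanner/rules/az_pqc_002.py (PATCH 1/6), `scan` silently skips any key for which `_key_type_value` returns an empty string, so if the objects returned by `get_key_vault_keys` carry no `key_type` the vault reports zero findings and nothing is logged. Suggest logging the key id when the type cannot be read, and adding a test with a key object that has no `key_type`. Two smaller points in the same hunk: `parse_resource_id(vault_id)` is called twice per vault, and `_CLASSICAL_KEY_TYPES` together with the vault loop is duplicated in az_pqc_003.py, so a shared helper would keep the two rules from drifting apart.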
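Review bot: In scanner/rules/az_pqc_003.py (PATCH 1/6), RULE_NAME and DESCRIPTION refer to the certificate's signature algorithm ("signed using RSA or ECDSA"), but `_certificate_key_type` reads `policy.key_properties.key_type`, which is the type of the certificate's own key pair and not the algorithm the issuer signed with. Either rename the rule to say it checks the certificate key type, or also inspect the signature algorithm, so the finding text matches the evidence placed in `metadata`. Certificates with no `policy` fall through with an empty key type and are skipped without a log line; a warning there would make that gap visible.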
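Review bot: In tests/test_pqc_rules.py (PATCH 1/6), `FakeAzureClient.__init__` replaces every `None` argument with `[]`, so the `is None` branches in all three `scan` functions (list call failed, rule skipped with a warning) cannot be reached through this fake and are untested. Suggest a sentinel default so `None` can be passed through, then add cases for a failed list call, an app with `site_config=None`, and an unparseable `min_tls_version`. `get_key_vault_keys` and `get_key_vault_certificates` also ignore `vault_name`, so a multi-vault test would not catch a rule passing the wrong vault name.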
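Review bot: In docs/learn/index.html (PATCH 2/6), the rule count (39), the per-category counts and the severity split (22 HIGH, 13 MEDIUM, 4 LOW) are typed into the static page, while the same patch lists "Some README/docs references still mention 20 rules while the repo has 39" as documentation drift. These figures will go stale the same way on the next rule addition. Suggest generating them from the RULE_ID, SEVERITY and CATEGORY constants in scanner/rules/*.py, or adding a CI check that fails when the page and the rule files disagree; the same check could enforce the KeyVault vs Key Vault naming that the page flags as a cleanup item.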
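Review bot: In docs/learn/index.html (PATCH 3/6), the `.roadmap-item:hover, .roadmap-item:focus-visible` rule sets `outline: none`, which leaves keyboard focus indicated only by a border-colour change and a 1px translate. The items are now styled as links (`color: inherit; text-decoration: none`), so keep a visible focus ring: drop `outline: none` from the `:focus-visible` selector, or replace it with an explicit `outline` in the accent colour.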
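Review bot: In README.md (PATCH 5/6), the relative link `docs/learn/index.html` is replaced by the hosted URL alone, so forks, offline clones and tagged releases no longer point at the copy of the portal that matches their own tree. Suggest keeping the relative link next to the live URL. The hunk also deletes the closing "Built by security engineers and students..." line, which the subject "add OpenShield Learn link to README" does not mention; split that out or note it in the commit message.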