
Add Azure managed identity evidence gates#1195

Open

yZangEren wants to merge 1 commit into UnitOneAI:main from yZangEren:improve/azure-managed-identity-pim-evidence

Conversation

@yZangEren

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: azure-review
Skill path: skills/cloud/azure-review/

Fixes #1175.

What Was Wrong

The Azure review skill covered CIS sections, PIM configuration, and Key Vault RBAC at a high level, but it did not require an effective-access inventory for managed identities and privileged role eligibility.

That creates two review problems:

  • benign low-privilege managed identities, such as Reader at narrow scope, can be over-reported as generic identity risk;
  • high-impact workload identities or eligible privileged roles can be missed when the review only sees static role assignments and does not capture PIM activation evidence, inherited scope, data-plane effect, or identity attachment paths.

What This PR Fixes

This PR adds focused evidence gates for Azure effective identity posture:

  • managed identity, service principal, federated credential, inherited assignment, and privileged role inventory before scoring Identity and Key Vault controls;
  • output fields for effective identity sources and identity scope;
  • an Effective Identity and PIM Evidence table in the report template;
  • discovery patterns for role assignment, RBAC, PIM, and Entra exports;
  • managed identity effective-access guidance with low-risk and high-risk examples;
  • PIM activation evidence for MFA, approval, duration, justification, audit, and alerts;
  • Key Vault RBAC-mode versus access-policy-mode evidence separation;
  • common pitfalls for static RBAC, managed identity attachability, PIM eligibility, and Key Vault authorization mode.

Evidence

Before:

resource "azurerm_role_assignment" "app_reader" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Reader"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

The review flow did not clearly distinguish this lower-risk assignment from a production vault administrator assignment.

After:

For each high-impact assignment, record principal type, role definition, scope,
inheritance source, data-plane versus management-plane effect, PIM eligibility,
activation controls, and monitoring evidence.

Before:

Export shows user is eligible for Privileged Role Administrator, but no PIM activation logs or approval policy are reviewed.

After:

| Evidence | Pass condition | Fail condition |
|----------|----------------|----------------|
| MFA on activation | MFA is required when activating privileged roles | Eligible users can activate without MFA |
| Approval | High-impact roles require approval or break-glass process | Self-activation is allowed for Owner, User Access Administrator, Global Administrator, or Privileged Role Administrator without compensating controls |

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing checks still pass

Validation performed:

  • git diff --check
  • frontmatter required-field check matching .github/workflows/lint-skills.yml
  • prompt-injection pattern scan with workflow-equivalent filters
  • marker checks for managed identity effective access, PIM activation evidence, Key Vault identity mode, azurerm_role_assignment, Key Vault Administrator, enable_rbac_authorization, and workload identity federation

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Crypto; payment details can be provided privately after maintainer acceptance.
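As an added example (not code from this PR or from the azure-review skill), the effective-access inventory described above can be scored over a role-assignment export instead of over static role names alone. The records below are constructed for the example: the field names principalId, principalType, roleDefinitionName and scope follow what `az role assignment list` emits, while the assignmentType field, the Entra directory-role record and the PIM activation-policy dictionary are assumed shapes standing in for a PIM/Entra export, not a real API schema. The role sets are also assumptions for the example and should be taken from the skill's own discovery patterns.

```python
"""Score Azure role assignments by effective access (added example, not project code).

Assumed input: a list of dicts with principalId, principalType, roleDefinitionName,
scope, and an optional assignmentType of "Active" or "Eligible". PIM activation
policies are a constructed dict keyed by role name.
"""
from dataclasses import dataclass, field

# Roles the PR's evidence table treats as requiring approval or break-glass.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator",
                    "Global Administrator", "Privileged Role Administrator"}
# Entra directory roles: no Azure RBAC scope, so inheritance does not apply (assumed set).
ENTRA_DIRECTORY_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Key Vault built-in roles that grant data-plane access when the vault is in RBAC mode (assumed set).
KEY_VAULT_DATA_PLANE_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer",
                              "Key Vault Crypto Officer", "Key Vault Secrets User"}
# High-impact = privileged roles plus write-capable Key Vault data-plane roles.
HIGH_IMPACT_ROLES = PRIVILEGED_ROLES | (KEY_VAULT_DATA_PLANE_ROLES - {"Key Vault Secrets User"})


@dataclass
class Evidence:
    """One row of the effective identity / PIM evidence inventory."""
    principal_id: str
    principal_type: str
    role: str
    assignment_scope: str
    inherited: bool            # assignment sits above the resource being reviewed
    plane: str                 # "data", "management" or "directory"
    state: str                 # "Active" or "Eligible"
    activation_gaps: list = field(default_factory=list)  # missing PIM controls
    risk: str = "low"


def is_inherited(assignment_scope: str, resource_scope: str) -> bool:
    """True when the assignment applies to a parent of resource_scope.

    Compared on path segments so '/subscriptions/a' is not a parent of '/subscriptions/ab'.
    """
    a = assignment_scope.lower().rstrip("/").split("/")
    r = resource_scope.lower().rstrip("/").split("/")
    return len(a) < len(r) and r[:len(a)] == a


def activation_gaps(policy: dict) -> list:
    """Check an (assumed-shape) PIM activation policy against the PR's pass conditions."""
    gaps = []
    if not policy.get("mfaOnActivation"):
        gaps.append("MFA on activation not required")
    if not policy.get("approvalRequired"):
        gaps.append("self-activation allowed without approval")
    if policy.get("maxDurationHours", 0) > 8:
        gaps.append("activation duration exceeds 8 hours")
    if not policy.get("justificationRequired"):
        gaps.append("no justification required")
    return gaps


def assess(record: dict, resource_scope: str, policies: dict) -> Evidence:
    """Build the evidence row for one assignment relative to the resource under review."""
    role = record["roleDefinitionName"]
    directory_role = role in ENTRA_DIRECTORY_ROLES
    ev = Evidence(
        principal_id=record["principalId"],
        principal_type=record["principalType"],
        role=role,
        assignment_scope=record["scope"],
        inherited=(not directory_role) and is_inherited(record["scope"], resource_scope),
        plane="directory" if directory_role
        else "data" if role in KEY_VAULT_DATA_PLANE_ROLES else "management",
        state=record.get("assignmentType", "Active"),
    )
    if role in HIGH_IMPACT_ROLES:
        ev.risk = "high"
    # Only eligible privileged roles need activation-control evidence.
    if ev.state == "Eligible" and role in PRIVILEGED_ROLES:
        ev.activation_gaps = activation_gaps(policies.get(role, {}))
    return ev


def review(records: list, resource_scope: str, policies: dict) -> list:
    return [assess(r, resource_scope, policies) for r in records]


# Constructed sample input: one vault under review, three identity records.
VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
         "/providers/Microsoft.KeyVault/vaults/kv-prod")
SAMPLE_RECORDS = [
    # Managed identities appear as ServicePrincipal in role assignment exports.
    {"principalId": "mi-app", "principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalId": "mi-batch", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Key Vault Administrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
    # Eligible Entra directory role; scope "/" is a placeholder in this constructed record.
    {"principalId": "user-ops", "principalType": "User",
     "roleDefinitionName": "Privileged Role Administrator", "scope": "/",
     "assignmentType": "Eligible"},
]
SAMPLE_POLICIES = {"Privileged Role Administrator": {
    "mfaOnActivation": False, "approvalRequired": False,
    "maxDurationHours": 8, "justificationRequired": True}}

if __name__ == "__main__":
    for ev in review(SAMPLE_RECORDS, VAULT, SAMPLE_POLICIES):
        print(ev)
```

Run against the sample, the subscription-scoped Reader managed identity comes out low risk (inherited, management plane), the resource-group Key Vault Administrator comes out high risk because it is inherited onto the vault and is a data-plane role, and the eligible Privileged Role Administrator is flagged with the two missing activation controls; that is the distinction the "Before" Terraform snippet above was not making.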


Linked issue (may be closed by merging): [REVIEW] azure-review: add managed identity/PIM effective assignment evidence gates