Summary
Adds a new CSPM scanner rule to detect Virtual Network peering connections with gateway transit enabled, which can break network segmentation and allow lateral movement between isolated network zones.
Changes
- scanner/rules/az_net_014.py — detects peerings with allowGatewayTransit or useRemoteGateways enabled
- scanner/azure_client.py — adds get_vnet_peerings() and get_azure_firewalls() methods
- playbooks/cli/fix_az_net_014.sh — CLI remediation script to disable gateway transit
- All 4 compliance framework JSONs updated with AZ-NET-014 mappings (CIS 6.4, NIST PR.AC-5, ISO A.13.1.1, SOC2 CC6.6)
Test
- python -m py_compile scanner/rules/az_net_014.py ✅
- python -m py_compile scanner/azure_client.py ✅
- All 4 compliance JSONs validated ✅
Related Issue
Closes #[paste the issue number here]
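Worked example of the detection logic this PR describes, added here for reviewers; it is not the project's scanner/rules/az_net_014.py and does not call its azure_client methods. It runs over constructed peering and Azure Firewall records shaped like the Azure REST resources (properties.allowGatewayTransit, properties.useRemoteGateways, properties.remoteVirtualNetwork.id, and properties.ipConfigurations[].properties.subnet.id); the subscription ID, resource names and states are invented. The severity scheme is an assumption, not something the PR states: gateway transit is the normal hub-and-spoke pattern, so a rule that fires on every such peering at one severity will be noisy; the example downgrades to medium when the gateway-owning hub VNet hosts an Azure Firewall (one plausible use of get_azure_firewalls()) and to low when the peering is not in the Connected state. Resource IDs are compared case-insensitively, since Azure returns them in inconsistent case.

```python
"""Added example, not the project's scanner/rules/az_net_014.py: AZ-NET-014 detection
logic run over constructed Azure VNet peering and Azure Firewall records."""
import re
from typing import Dict, Iterable, List, Optional, Set

RULE_ID = "AZ-NET-014"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"  # constructed


def _peering(rg: str, vnet: str, name: str, remote_rg: str, remote_vnet: str,
             transit: bool, remote_gw: bool, state: str = "Connected") -> Dict:
    """Build a record shaped like the Azure virtualNetworkPeerings resource (values constructed)."""
    return {
        "id": f"{SUB}/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/virtualNetworkPeerings/{name}",
        "name": name,
        "properties": {
            "allowGatewayTransit": transit,
            "useRemoteGateways": remote_gw,
            "peeringState": state,
            "remoteVirtualNetwork": {
                "id": f"{SUB}/{remote_rg}/providers/Microsoft.Network/virtualNetworks/{remote_vnet}"
            },
        },
    }


# Constructed inventory: a hub with a gateway and a firewall, spokes using it, and a control peering.
SAMPLE_PEERINGS = [
    _peering("rg-hub", "vnet-hub", "hub-to-prod", "rg-prod", "vnet-prod", True, False),
    _peering("rg-prod", "vnet-prod", "prod-to-hub", "rg-hub", "vnet-hub", False, True),
    _peering("rg-dev", "vnet-dev", "dev-to-shared", "rg-shared", "vnet-shared", False, True),
    _peering("rg-legacy", "vnet-legacy", "legacy-to-shared", "rg-shared", "vnet-shared", False, True, "Disconnected"),
    _peering("rg-dev", "vnet-dev", "dev-to-test", "rg-test", "vnet-test", False, False),
]
# Azure Firewall record: the subnet ID path follows the real resource shape; the mixed-case
# VNet name is deliberate because Azure resource IDs are case-insensitive.
SAMPLE_FIREWALLS = [
    {"name": "afw-hub", "properties": {"ipConfigurations": [{"properties": {"subnet": {
        "id": f"{SUB}/rg-hub/providers/Microsoft.Network/virtualNetworks/VNet-Hub/subnets/AzureFirewallSubnet"}}}]}},
]

_VNET_RE = re.compile(r"^(?P<vnet>.*/virtualNetworks/[^/]+)", re.IGNORECASE)


def vnet_of(resource_id: str) -> Optional[str]:
    """Owning virtualNetworks ID (lower-cased) for a peering or subnet ID, or None if absent."""
    m = _VNET_RE.match(resource_id or "")
    return m.group("vnet").lower() if m else None


def firewall_vnets(firewalls: Iterable[Dict]) -> Set[str]:
    """VNets that host an Azure Firewall, derived from the firewall's subnet IDs."""
    out: Set[str] = set()
    for fw in firewalls:
        for ipc in fw.get("properties", {}).get("ipConfigurations", []):
            vnet = vnet_of(ipc.get("properties", {}).get("subnet", {}).get("id", ""))
            if vnet:
                out.add(vnet)
    return out


def evaluate_peering(peering: Dict, fw_vnets: Set[str]) -> Optional[Dict]:
    """Return a finding when gateway transit is in play on either side of the peering, else None."""
    props = peering.get("properties", {})
    transit = bool(props.get("allowGatewayTransit"))
    remote_gw = bool(props.get("useRemoteGateways"))
    if not (transit or remote_gw):
        return None
    local_vnet = vnet_of(peering["id"])
    remote_vnet = vnet_of(props.get("remoteVirtualNetwork", {}).get("id", ""))
    # The side that owns the gateway is the hub: local if it allows transit, remote if we use its gateways.
    hub_vnet = local_vnet if transit else remote_vnet
    state = props.get("peeringState", "Unknown")
    if state != "Connected":
        severity = "low"      # no active path yet, but the flag is still set
    elif hub_vnet in fw_vnets:
        severity = "medium"   # assumption: a firewall in the hub can filter the transit traffic
    else:
        severity = "high"     # unfiltered path between zones through the shared gateway
    return {
        "rule": RULE_ID,
        "resource": peering["id"],
        "severity": severity,
        "allowGatewayTransit": transit,
        "useRemoteGateways": remote_gw,
        "peeringState": state,
        "hub_vnet": hub_vnet,
        "hub_has_firewall": hub_vnet in fw_vnets,
    }


def run_rule(peerings: Iterable[Dict], firewalls: Iterable[Dict]) -> List[Dict]:
    """Evaluate every peering once; findings are returned in input order."""
    fw_vnets = firewall_vnets(firewalls)
    return [f for f in (evaluate_peering(p, fw_vnets) for p in peerings) if f]


if __name__ == "__main__":
    for finding in run_rule(SAMPLE_PEERINGS, SAMPLE_FIREWALLS):
        print(finding["severity"].upper(), finding["peeringState"], finding["resource"])
```

On the sample inventory the rule yields medium for the two hub/prod peerings (the hub hosts the firewall), high for dev-to-shared (no firewall on the gateway side) and low for the disconnected legacy peering; dev-to-test is not reported. A reviewer may want to compare this against what fix_az_net_014.sh does, since disabling transit on a hub peering that spokes legitimately depend on breaks their gateway access rather than restoring segmentation.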