Skip to main content
ClaudeWave
Skill210 repo starsupdated 2d ago

azure-compliance

**ANALYSIS SKILL** — Azure compliance and security auditing: best practices, Key Vault expiration monitoring, resource validation. WHEN: "compliance scan", "security audit", "Key Vault expiration check", "expired certificates", "orphaned resources". DO NOT USE FOR: cost analysis (azure-cost-optimization), governance discovery (azure-governance-discovery).

View sourceRepository: apex
Install in Claude Code
Copy
git clone --depth 1 https://github.com/jonathan-vella/apex /tmp/azure-compliance && cp -r /tmp/azure-compliance/.github/skills/azure-compliance ~/.claude/skills/azure-compliance
Then start a new Claude Code session; the skill loads automatically.
Definition

SKILL.md

# Azure Compliance & Security Auditing

## Quick Reference

| Property             | Details                                                                  |
| -------------------- | ------------------------------------------------------------------------ |
| Best for             | Compliance scans, security audits, Key Vault expiration checks           |
| Primary capabilities | Comprehensive Resources Assessment, Key Vault Expiration Monitoring      |
| MCP tools            | azqr, subscription and resource group listing, Key Vault item inspection |

## When to Use This Skill

- Run azqr or Azure Quick Review for compliance assessment
- Validate Azure resource configuration against best practices
- Identify orphaned or misconfigured resources
- Audit Key Vault keys, secrets, and certificates for expiration

## Skill Activation Triggers

Activate this skill when user wants to:

- Check Azure compliance or best practices
- Assess Azure resources for configuration issues
- Run azqr or Azure Quick Review
- Identify orphaned or misconfigured resources
- Review Azure security posture
- "Show me expired certificates/keys/secrets in my Key Vault"
- "Check what's expiring in the next 30 days"
- "Audit my Key Vault for compliance"
- "Find secrets without expiration dates"
- "Check certificate expiration dates"

## Prerequisites

- Authentication: user is logged in to Azure via `az login`
- Permissions to read resource configuration and Key Vault metadata

## Assessments

| Assessment                      | Reference                                                                                      |
| ------------------------------- | ---------------------------------------------------------------------------------------------- |
| Comprehensive Compliance (azqr) | [references/azure-quick-review.md](references/azure-quick-review.md)                           |
| Key Vault Expiration            | [references/azure-keyvault-expiration-audit.md](references/azure-keyvault-expiration-audit.md) |
| Resource Graph Queries          | [references/azure-resource-graph.md](references/azure-resource-graph.md)                       |

## MCP Tools

| Tool                              | Purpose                                      |
| --------------------------------- | -------------------------------------------- |
| `mcp_azure-mcp_extension_azqr`    | Run azqr compliance scans                    |
| `mcp_azure-mcp_subscription_list` | List available subscriptions                 |
| `mcp_azure-mcp_group_list`        | List resource groups                         |
| `keyvault_key_list`               | List all keys in vault                       |
| `keyvault_key_get`                | Get key details including expiration         |
| `keyvault_secret_list`            | List all secrets in vault                    |
| `keyvault_secret_get`             | Get secret details including expiration      |
| `keyvault_certificate_list`       | List all certificates in vault               |
| `keyvault_certificate_get`        | Get certificate details including expiration |

## Steps

1. Select scope (subscription or resource group) for Comprehensive Resources Assessment.
2. Run azqr and capture output artifacts.
3. Analyze Scan Results and summarize findings and recommendations.
4. Review Key Vault Expiration Monitoring output for keys, secrets, and certificates.
5. Classify issues and propose remediation or fix steps for each finding.

### Priority Classification

| Priority | Guidance                                                |
| -------- | ------------------------------------------------------- |
| Critical | Immediate remediation required for high-impact exposure |
| High     | Resolve within days to reduce risk                      |
| Medium   | Plan a resolution in the next sprint                    |
| Low      | Track and fix during regular maintenance                |

## Error Handling

| Error                   | Message        | Remediation                                      |
| ----------------------- | -------------- | ------------------------------------------------ |
| Authentication required | "Please login" | Run `az login` and retry                         |
| Access denied           | "Forbidden"    | Confirm permissions and fix role assignments     |
| Missing resource        | "Not found"    | Verify subscription and resource group selection |

## Rules

- Run compliance scans on a regular schedule (weekly or monthly)
- Track findings over time and verify remediation effectiveness
- Separate compliance reporting from remediation execution
- Keep Key Vault expiration policies documented and enforced

## SDK Quick References

For programmatic Key Vault access, see the condensed SDK guides:

- **Key Vault (Python)**: [Secrets/Keys/Certs](references/sdk/azure-keyvault-py.md)
- **Secrets**: [TypeScript](references/sdk/azure-keyvault-secrets-ts.md) | [Rust](references/sdk/azure-keyvault-secrets-rust.md) | [Java](references/sdk/azure-security-keyvault-secrets-java.md)
- **Keys**: [.NET](references/sdk/azure-security-keyvault-keys-dotnet.md) | [Java](references/sdk/azure-security-keyvault-keys-java.md) | [TypeScript](references/sdk/azure-keyvault-keys-ts.md) | [Rust](references/sdk/azure-keyvault-keys-rust.md)
- **Certificates**: [Rust](references/sdk/azure-keyvault-certificates-rust.md)

## Reference Index

Load these on demand — do NOT read all at once:

| Reference                                       | When to Load                    |
| ----------------------------------------------- | ------------------------------- |
| `references/auth-best-practices.md`             | Auth Best Practices             |
| `references/azqr-recommendations.md`            | Azqr Recommendations            |
| `references/azqr-remediation-patterns.md`       | Azqr Remediation Patterns       |
| `references/azure-keyvault-expiration-audit.md` | Azure Keyvault Expiration Audit |
| `references/azure-quick-r
More from this repository
appinsights-instrumentationSkill

Guidance for instrumenting webapps with Azure Application Insights. Provides telemetry patterns, SDK setup, and configuration references. WHEN: how to instrument app, App Insights SDK, telemetry patterns, what is App Insights, Application Insights guidance, instrumentation examples, APM best practices.

azure-aiSkill

Use for Azure AI: Search, Speech, OpenAI, Document Intelligence. Helps with search, vector/hybrid search, speech-to-text, text-to-speech, transcription, OCR. WHEN: AI Search, query search, vector search, hybrid search, semantic search, speech-to-text, text-to-speech, transcribe, OCR, convert text to speech.

azure-aigatewaySkill

Configure Azure API Management as an AI Gateway for AI models, MCP tools, and agents. WHEN: semantic caching, token limit, content safety, load balancing, AI model governance, MCP rate limiting, jailbreak detection, add Azure OpenAI backend, add AI Foundry model, test AI gateway, LLM policies, configure AI backend, token metrics, AI cost control, convert API to MCP, import OpenAPI to gateway.

azure-diagramsSkill

ROUTING SKILL — delegates to specialized diagram skills. USE FOR: any diagram request when the caller does not know which tool to use. Routes to drawio, python-diagrams, or mermaid based on diagram type.

azure-hosted-copilot-sdkSkill

Build and deploy GitHub Copilot SDK apps to Azure. WHEN: build copilot app, create copilot app, copilot SDK, @github/copilot-sdk, scaffold copilot project, copilot-powered app, deploy copilot app, host on azure, azure model, BYOM, bring your own model, use my own model, azure openai model, DefaultAzureCredential, self-hosted model, copilot SDK service, chat app with copilot, copilot-sdk-service template, azd init copilot, CopilotClient, createSession, sendAndWait, GitHub Models API.

azure-messagingSkill

Troubleshoot and resolve issues with Azure Messaging SDKs for Event Hubs and Service Bus. Covers connection failures, authentication errors, message processing issues, and SDK configuration problems. WHEN: event hub SDK error, service bus SDK issue, messaging connection failure, AMQP error, event processor host issue, message lock lost, send timeout, receiver disconnected, SDK troubleshooting, azure messaging SDK, event hub consumer, service bus queue issue, topic subscription error, enable logging event hub, service bus logging, eventhub python, servicebus java, eventhub javascript, servicebus dotnet, event hub checkpoint, event hub not receiving messages, service bus dead letter.

copilot-customizationSkill

Authoritative reference for VS Code Copilot customization mechanisms: instructions, prompt files, custom agents, agent skills, MCP servers, hooks, and plugins. Use when deciding which customization type to use, creating new .instructions.md/.prompt.md/.agent.md/SKILL.md/mcp.json files from scratch, or debugging why a customization is not loading. DO NOT USE FOR: routine file edits where the format is already known.

count-registrySkill

Provides canonical entity counts from count-manifest.json. Use when agents need to reference how many agents, skills, instructions, or validators exist. Prevents hard-coded counts. WHEN: agent count, skill count, how many agents, how many skills, entity inventory, project statistics.