
Copilot AI commented Feb 9, 2026

Comprehensive security scan of all IaC files (Bicep, Docker, Kubernetes) to identify misconfigurations and vulnerabilities. No remediations applied per requirement.

Findings Summary

17 vulnerabilities identified across 11 files:

  • 3 CRITICAL: SQL open to internet (0.0.0.1-255.255.255.254), privileged K8s container, hardcoded SA password in version control
  • 6 HIGH: Public SQL access, Key Vault missing soft delete/purge protection/network ACLs, containers running as root, missing SQL auditing
  • 5 MEDIUM: Legacy access policies vs RBAC, missing diagnostics, SQL auth vs Azure AD, no resource limits, exposed DB port
  • 3 LOW: Overly permissive permissions, short log retention, missing security labels

Critical Issues

SQL Server (infra/core/database/sqlserver/sqlserver.bicep)

resource firewall 'Microsoft.Sql/servers/firewallRules@2021-11-01' = {
  parent: sqlServer  // symbolic name of the SQL server resource, assumed here
  name: 'AllowAll'   // rule name assumed for illustration
  properties: {
    startIpAddress: '0.0.0.1'        // Entire internet
    endIpAddress: '255.255.255.254'  // PCI-DSS violation
  }
}

Hardcoded Credentials (docker-compose.yml)

environment:
  - SA_PASSWORD=@someThingComplicated1234  # In git history (YAML comments use '#')

Privileged Container (manifests/critical-double.yaml)

securityContext:
  privileged: true                    # Host escape vector
  allowPrivilegeEscalation: true      # should be false

Scope

  • Bicep: 6 files, 8 findings
  • Dockerfiles: 2 files, 2 findings
  • Docker Compose: 2 files, 2 findings
  • Kubernetes: 2 files, 5 findings

Compliance Impact

Violations mapped to CIS Azure/Kubernetes/Docker, NIST 800-53, Azure Security Benchmark, PCI-DSS, HIPAA, SOC 2, GDPR.

Full report: IAC_SECURITY_FINDINGS.md (includes line numbers, control mappings, recommended MSDO analyzers for CI/CD)



Co-authored-by: CalinL <10718943+CalinL@users.noreply.github.com>
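The three CRITICAL patterns from the summary above, expressed as detection logic a reviewer could run over the same kinds of files before merging. This is an added example and not the scanner or the IAC_SECURITY_FINDINGS.md report behind this PR; the sample files, the 256-address threshold and the function names are assumptions made for the illustration.

```python
"""Detection logic for the three CRITICAL findings in the scan summary:
an internet-wide SQL firewall rule, a privileged Kubernetes container and a
hard-coded SA password.  Added illustration, not the PR's own scanner.
Sample files are constructed and named arbitrarily."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    severity: str
    message: str


# Assumed threshold: a single SQL firewall rule wider than a /24 is treated as
# opening the server to the internet rather than to an office or VNet range.
MAX_RULE_ADDRESSES = 256

_BICEP_IP = re.compile(r"^\s*(startIpAddress|endIpAddress)\s*:\s*'([\d.]+)'")
_K8S_PRIV = re.compile(r"^\s*(privileged|allowPrivilegeEscalation)\s*:\s*true\b")
_COMPOSE_SECRET = re.compile(
    r"^\s*-?\s*(SA_PASSWORD|MSSQL_SA_PASSWORD|POSTGRES_PASSWORD|MYSQL_ROOT_PASSWORD)\s*[=:]\s*(\S+)"
)


def check_sql_firewall(path: str, text: str) -> list[Finding]:
    """Pair each startIpAddress with the following endIpAddress and size the range."""
    findings, start, end = [], None, None
    for n, line in enumerate(text.splitlines(), 1):
        m = _BICEP_IP.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "startIpAddress":
            start = (n, ipaddress.IPv4Address(value))
        else:
            end = (n, ipaddress.IPv4Address(value))
        if start and end:
            s, e = start[1], end[1]
            width = int(e) - int(s) + 1
            if s == e == ipaddress.IPv4Address("0.0.0.0"):
                # Azure's special rule: 0.0.0.0-0.0.0.0 is not an address range but
                # "allow all Azure services", which includes other tenants' resources.
                findings.append(Finding(path, end[0], "MEDIUM",
                                        "0.0.0.0-0.0.0.0 allows all Azure services, not only this subscription"))
            elif width > MAX_RULE_ADDRESSES:
                findings.append(Finding(path, end[0], "CRITICAL",
                                        f"firewall rule {s}-{e} exposes SQL Server to {width} addresses"))
            start = end = None
    return findings


def check_k8s_privileges(path: str, text: str) -> list[Finding]:
    """privileged: true is CRITICAL (host access); allowPrivilegeEscalation: true is HIGH."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _K8S_PRIV.match(line)
        if m:
            severity = "CRITICAL" if m.group(1) == "privileged" else "HIGH"
            findings.append(Finding(path, n, severity, f"{m.group(1)}: true weakens container isolation"))
    return findings


def check_compose_secrets(path: str, text: str) -> list[Finding]:
    """Flag database admin passwords given as literals; ${VAR} references are accepted."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _COMPOSE_SECRET.match(line)
        if m and not m.group(2).startswith("$"):
            findings.append(Finding(path, n, "CRITICAL",
                                    f"{m.group(1)} is a literal in the file (and in git history)"))
    return findings


def scan_all(files: dict[str, str]) -> list[Finding]:
    """Dispatch on file type; a YAML file is checked as both manifest and compose file."""
    findings = []
    for path, text in files.items():
        if path.endswith(".bicep"):
            findings += check_sql_firewall(path, text)
        elif path.endswith((".yml", ".yaml")):
            findings += check_k8s_privileges(path, text)
            findings += check_compose_secrets(path, text)
    return findings


# Constructed sample inputs (not the repository's files).
SAMPLE_FILES = {
    "infra/sql.bicep": "resource fw 'Microsoft.Sql/servers/firewallRules@2021-11-01' = {\n"
                       "  properties: {\n    startIpAddress: '0.0.0.1'\n"
                       "    endIpAddress: '255.255.255.254'\n  }\n}\n",
    "infra/sql-azure.bicep": "  properties: {\n    startIpAddress: '0.0.0.0'\n    endIpAddress: '0.0.0.0'\n  }\n",
    "docker-compose.yml": "services:\n  db:\n    environment:\n      - SA_PASSWORD=ConstructedP@ss1\n      - ACCEPT_EULA=Y\n",
    "docker-compose.safe.yml": "services:\n  db:\n    environment:\n      - SA_PASSWORD=${SA_PASSWORD}\n",
    "manifests/app.yaml": "securityContext:\n  privileged: true\n  allowPrivilegeEscalation: true\n  runAsNonRoot: false\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.severity:8} {f.path}:{f.line}  {f.message}")
```

The firewall check sizes the range arithmetically instead of matching the literal `0.0.0.1`/`255.255.255.254` strings, so a rule such as `10.0.0.0` to `200.0.0.0` is caught too, while Azure's `0.0.0.0-0.0.0.0` "allow Azure services" rule gets its own, lower severity rather than a false CRITICAL.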
Copilot AI changed the title from "[WIP] Identify infrastructure as code vulnerabilities and issues" to "IaC Security Scan: 17 Vulnerabilities Identified Across Infrastructure" on Feb 9, 2026
Copilot AI requested a review from CalinL February 9, 2026 23:47