Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License

[Auto] AI Gallery Standard Validation FAILED #1773

Closed ai-apps-bot closed 2 days ago

ai-apps-bot commented 2 days ago

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?]
  - Error: ## Getting Started is missing in README.md.
  - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE File.
:x: SECURITY.md File. [How to fix?]
  - Error: SECURITY.md file is missing.
:heavy_check_mark: .github/CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: .github/ISSUE_TEMPLATE.md File.
:heavy_check_mark: Topics on repo contains ['azd-templates', 'ai-azd-templates'].

Source code structure and conventions:

:heavy_check_mark: .github/workflows/azure-dev.yml File.
:x: .github/workflows/pr-gate.yml File. [How to fix?]
  - Error: .github/workflows/pr-gate.yml file is missing.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error:
  Downloading Bicep
  (✓) Done: Downloading Bicep
  Initialize bicep provider
  Retrieving locations...
  ERROR: prompting for value: prompting for location: no default response for prompt 'Enter a value for the 'documentIntelligenceResourceGroupLocation' infrastructure parameter:'
:x: azd down. [How to fix?] Error:
  Deleting all resources and deployed code on Azure (azd down)
  Local application code is not deleted when running 'azd down'.
  Initialize bicep provider
  Retrieving locations...
  Enter a value for the 'documentIntelligenceResourceGroupLocation' infrastructure parameter:
  ERROR: initializing provisioning manager: prompting for value: prompting for location: '' is not an allowed choice. allowed choices: 1. (Europe) West Europe (westeurope), 2. (US) East US (eastus), 3. (US) West US 2 (westus2)

Security Requirements:

:x: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?]
  - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml.
  - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml.
  - Error: microsoft/security-devops-action is missing in .github/workflows/lint-markdown.yml.
  - Error: github/codeql-action/upload-sarif is missing in .github/workflows/lint-markdown.yml.
  - Error: microsoft/security-devops-action is missing in .github/workflows/stale-bot.yml.
  - Error: github/codeql-action/upload-sarif is missing in .github/workflows/stale-bot.yml.
  - Error: microsoft/security-devops-action is missing in .github/workflows/validate-markdown.yml.
  - Error: github/codeql-action/upload-sarif is missing in .github/workflows/validate-markdown.yml.
  - Error: microsoft/security-devops-action is missing in .github/workflows/validate-markdown.yml.
  - Error: github/codeql-action/upload-sarif is missing in .github/workflows/validate-markdown.yml.
  - Error: microsoft/security-devops-action is missing in .github/workflows/validate-markdown.yml.
  - Error: github/codeql-action/upload-sarif is missing in .github/workflows/validate-markdown.yml.
:warning: Security scan. [How to fix?]
  - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:
    - Azure services on the trusted service list.
    - IP address or CIDR range.
    - Private endpoint connections.
    - Azure virtual network subnets with a Service Endpoint.
  - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.
  - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by a malicious actor from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate.
  - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints support authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against the Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys.
  - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where a malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints, which could be operated by a malicious actor, is not required.
  - error: TA-000019 - For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

How to fix?

The full Definition of Done of the AI-Gallery template and the fix approaches can be found HERE.

hund030 commented 2 days ago

This issue was accidentally created when testing. The validation workflow is still in progress. Sorry for any confusion.