search

hund030 / AiGallery

0 stars 0 forks source link

[Auto] AI Gallery Standard Validation FAILED #26

Open ai-apps-bot opened 5 days ago

ai-apps-bot commented 5 days ago

Failed/Total: 17/17 Failed Repos: agent-openai-python-prompty-langchain-pinecone agent-openai-python-prompty agent-python-openai-prompty-langchain azure-openai-assistant-javascript azure-openai-chat-frontend azure-search-openai-demo-csharp azure-search-openai-demo-java azure-search-openai-demo azure-search-openai-javascript contoso-chat llama-index-javascript openai-chat-app-quickstart openai-plugin-fastapi phoenix-on-azure rag-postgres-openai-python serverless-chat-langchainjs summarization-openai-python-promptflow

Repo: Azure-Samples/agent-openai-python-prompty-langchain-pinecone

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service chat Packaging service chat (Copying deployment package) (✓) Done: Packaging service chat Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Comparing deployment state Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076205827-1720170091 (✓) Done: Resource group: rg-dev-27076205827 (✓) Done: Log Analytics workspace: log-5qkyc7uowibmk (✓) Done: Container Registry: cr5qkyc7uowibmk (✓) Done: Key Vault: kv-5qkyc7uowibmk (✓) Done: Storage account: st5qkyc7uowibmk (✓) Done: Application Insights: appi-5qkyc7uowibmk ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. InvalidTemplateDeployment: The template deployment 'cognitiveServices' is not valid according to the validation procedure. The tracking id is 'eee90232-8aa5-47c3-860d-6f4ec9b9c790'. See inner errors for details. InsufficientQuota: This operation require 20 new capacity in quota Tokens Per Minute (thousands) - GPT-35-Turbo, which is bigger than the current available capacity 0. The current quota usage is 300 and the quota limit is 300 for quota Tokens Per Minute (thousands) - GPT-35-Turbo. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. TraceID: 026139c6c935927b6667418299b4c11e
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml.
:warning: Security scan. [How to fix?] - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000355 - By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall: - enabledForDeployment - Azure Virtual Machines for deployment. - enabledForDiskEncryption - Azure Disk Encryption for volume encryption. - enabledForTemplateDeployment - Azure Resource Manager for template deployment. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000291 - Every request to an Azure App Configuration resource must be authenticated. App Configuration supports authenticating requests using either Entra ID (previously Azure AD) identities or access keys. Using Entra ID identities: - Centralizes identity management and auditing. - Allows granting of permissions using role-based access control (RBAC). - Provides support for advanced security features such as conditional access and multi-factor authentication (MFA) when applicable. To require clients to use Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource. When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Entra ID will succeed. - error: AZR-000053 - API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management. - error: AZR-000055 - API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not consider secure. These many of these ciphers are enabled by default and need to be set to 'False'. The following ciphers are considered weak or deprecated: - TripleDes168 - TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_256_CBC_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_128_GCM_SHA256. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: TA-000023 - To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. - error: AZR-000022 - To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled: - kube-audit or kube-audit-admin, or both. - kube-audit - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post. - kube-audit-admin - Is a subset of the kube-audit log category. kube-audit-admin reduces the number of logs significantly by excluding the get and list audit events from the log. - guard - Contains logs for Azure Active Directory (AAD) authorization integration. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. - error: AZR-000028 - AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints. Examples of policies include: - Enforce HTTPS ingress in Kubernetes cluster. - Do not allow privileged containers in Kubernetes cluster. - Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster. - error: AZR-000029 - AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD. - error: AZR-000030 - In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities. All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges. Restricting authorized IP addresses for the API server has the following limitations: - Requires AKS clusters configured with a Standard Load Balancer SKU. - This feature is not compatible with clusters that use Public IP per Node. - This feature is not compatible with AKS private clusters. When configuring this feature, you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32. You should add these ranges to the allow list: - Include output IP addresses for cluster nodes - Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems. - error: AZR-000032 - Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC. - Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources. - Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC. Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM). When Azure RBAC is enabled: - Azure AD principals will be validated exclusively by Azure RBAC. - Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC. - error: AZR-000033 - AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod. The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation. Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default. - warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - warning: AZR-000407 - Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. - warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - warning: AZR-000407 - Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. - warning: AZR-000031 - AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies. When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled. These local accounts such as clusterAdmin and clusterUser are shared accounts that are not tied to an identity. If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions. In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential. For example, using az aks get-credentials -g '' -n '' --admin will fail. - warning: AZR-000370 - To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon set and deployments needs to be deployed to the AKS clusters. These components are installed when the Defender profile is enabled on the cluster. The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/agent-openai-python-prompty

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Packaging services (azd package) Packaging service api Packaging service api (Tagging container image) (✓) Done: Packaging service api - Image Hash: sha256:0d74dd6eb171c40061bf5333a4b2b95244bad24d2feae91bc2df8b38bc87a31d - Target Image: creativeagent/api-dev-27076204965:azd-deploy-1720170138 Packaging service web Packaging service web (Tagging container image) (✓) Done: Packaging service web - Image Hash: sha256:eaeeb1324972f9a2749fd5aaa78147a9626cb43e54b42979425f041d7797b16e - Target Image: creativeagent/web-dev-27076204965:azd-deploy-1720170162 Created and switched to workspace "azure"! You're now on a new, empty workspace. Workspaces isolate their state, so if you run "terraform plan" Terraform will not see any existing state for this configuration. Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Locating plan file... Generating terraform backend config file... Initializing the backend... ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: terraform init failed: , err: failed running terraform init: (exit code: 1) TraceID: dc56bcb60e7088001198cb751c28a788
:x: azd down. [How to fix?] Error: Deleting all resources and deployed code on Azure (azd down) Local application code is not deleted when running 'azd down'. Locating parameters file... ERROR: deleting infrastructure: error deleting Azure resources: load terraform template output failed: reading deployment output failed: , err:failed running terraform output: ╷ │ Error: Backend initialization required, please run "terraform init" │  │ Reason: Initial configuration of the requested backend "azurerm" │  │ The "backend" is the interface that Terraform uses to store state, │ perform operations, etc. If this message is showing up, it means that the │ Terraform configuration you're using is using a custom configuration for │ the Terraform backend. │  │ Changes to backend configurations require reinitialization. This allows │ Terraform to set up the new configuration, copy existing state, etc. Please │ run │ "terraform init" with either the "-reconfigure" or "-migrate-state" flags │ to │ use the current configuration. │  │ If the change reason above is incorrect, please verify your configuration │ hasn't changed and try again. At this point, no changes to your existing │ configuration or state have been made. ╵ (exit code: 1, stdout: , stderr: ╷ │ Error: Backend initialization required, please run "terraform init" │  │ Reason: Initial configuration of the requested backend "azurerm" │  │ The "backend" is the interface that Terraform uses to store state, │ perform operations, etc. If this message is showing up, it means that the │ Terraform configuration you're using is using a custom configuration for │ the Terraform backend. │  │ Changes to backend configurations require reinitialization. This allows │ Terraform to set up the new configuration, copy existing state, etc. Please │ run │ "terraform init" with either the "-reconfigure" or "-migrate-state" flags │ to │ use the current configuration. │  │ If the change reason above is incorrect, please verify your configuration │ hasn't changed and try again. At this point, no changes to your existing │ configuration or state have been made. ╵ ) TraceID: 197117774f269928724f7f55aefe3183

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml. - Error: microsoft/security-devops-action is missing in .github/workflows/evaluate.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/evaluate.yml.
:heavy_check_mark: Security scan.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/agent-python-openai-prompty-langchain

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service chat Packaging service chat (Copying deployment package) (✓) Done: Packaging service chat Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Comparing deployment state Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076205654-1720170083 (✓) Done: Resource group: rg-dev-27076205654 (✓) Done: Log Analytics workspace: log-yzmh3ctouj54i (✓) Done: Key Vault: kv-yzmh3ctouj54i (✓) Done: Storage account: styzmh3ctouj54i (✓) Done: Cognitive Service: aoai-yzmh3ctouj54i (✓) Done: Container Registry: cryzmh3ctouj54i (✓) Done: Application Insights: appi-yzmh3ctouj54i ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: InsufficientQuota: This operation require 20 new capacity in quota Tokens Per Minute (thousands) - GPT-35-Turbo, which is bigger than the current available capacity 0. The current quota usage is 300 and the quota limit is 300 for quota Tokens Per Minute (thousands) - GPT-35-Turbo. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. TraceID: 1b277508c03e0c832638aac27101a2fa
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml.
:warning: Security scan. [How to fix?] - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000355 - By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall: - enabledForDeployment - Azure Virtual Machines for deployment. - enabledForDiskEncryption - Azure Disk Encryption for volume encryption. - enabledForTemplateDeployment - Azure Resource Manager for template deployment. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000291 - Every request to an Azure App Configuration resource must be authenticated. App Configuration supports authenticating requests using either Entra ID (previously Azure AD) identities or access keys. Using Entra ID identities: - Centralizes identity management and auditing. - Allows granting of permissions using role-based access control (RBAC). - Provides support for advanced security features such as conditional access and multi-factor authentication (MFA) when applicable. To require clients to use Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource. When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Entra ID will succeed. - error: AZR-000053 - API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management. - error: AZR-000055 - API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not consider secure. These many of these ciphers are enabled by default and need to be set to 'False'. The following ciphers are considered weak or deprecated: - TripleDes168 - TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_256_CBC_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_128_GCM_SHA256. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: TA-000023 - To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. - error: AZR-000022 - To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled: - kube-audit or kube-audit-admin, or both. - kube-audit - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post. - kube-audit-admin - Is a subset of the kube-audit log category. kube-audit-admin reduces the number of logs significantly by excluding the get and list audit events from the log. - guard - Contains logs for Azure Active Directory (AAD) authorization integration. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. - error: AZR-000028 - AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints. Examples of policies include: - Enforce HTTPS ingress in Kubernetes cluster. - Do not allow privileged containers in Kubernetes cluster. - Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster. - error: AZR-000029 - AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD. - error: AZR-000030 - In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities. All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges. Restricting authorized IP addresses for the API server has the following limitations: - Requires AKS clusters configured with a Standard Load Balancer SKU. - This feature is not compatible with clusters that use Public IP per Node. - This feature is not compatible with AKS private clusters. When configuring this feature, you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32. You should add these ranges to the allow list: - Include output IP addresses for cluster nodes - Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems. - error: AZR-000032 - Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC. - Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources. - Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC. Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM). When Azure RBAC is enabled: - Azure AD principals will be validated exclusively by Azure RBAC. - Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC. - error: AZR-000033 - AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod. The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation. Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default. - warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - warning: AZR-000407 - Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. - warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - warning: AZR-000407 - Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. - warning: AZR-000031 - AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies. When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled. These local accounts such as clusterAdmin and clusterUser are shared accounts that are not tied to an identity. If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions. In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential. For example, using az aks get-credentials -g '' -n '' --admin will fail. - warning: AZR-000370 - To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon set and deployments needs to be deployed to the AKS clusters. These components are installed when the Defender profile is enabled on the cluster. The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/azure-openai-assistant-javascript

AI Gallery Standard Validation: FAILED

Repository Management:

:heavy_check_mark: README.md File.
:heavy_check_mark: LICENSE.md File.
:heavy_check_mark: SECURITY.md File.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service api Packaging service api (Installing NPM dependencies) Packaging service api (Running NPM package script) Packaging service api (Copying deployment package) Packaging service api (Compressing deployment artifacts) (✓) Done: Packaging service api - Package Output: /tmp/azure-openai-assistant-javascript@1.0.0-api-azddeploy-1720171064.zip Packaging service webapp Packaging service webapp (Installing NPM dependencies) Packaging service webapp (Running NPM package script) Packaging service webapp (Copying deployment package) (✓) Done: Packaging service webapp - Package Output: ../dist Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Comparing deployment state Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076207043-1720171083 (✓) Done: Resource group: rg-dev-27076207043 (✓) Done: App Service plan: plan-7cxmb37qi2n5c (✓) Done: Static Web App: webapp (✓) Done: Storage account: st7cxmb37qi2n5c (✓) Done: Azure OpenAI: cog-7cxmb37qi2n5c (✓) Done: Function App: func-api-7cxmb37qi2n5c ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. TraceID: 3385682d2743e1938e132954accb9070
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline.
:warning: Security scan. [How to fix?] - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/azure-openai-chat-frontend

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Features is missing in README.md. - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md. - Error: ## Resources is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:heavy_check_mark: SECURITY.md File.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:x: azure-dev.yaml File. [How to fix?] - Error: azure-dev.yaml file is missing.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service chatfrontendapp (x) Failed: Packaging service chatfrontendapp ERROR: error executing step command 'package --all': failed building service 'chatfrontendapp': swa build: exit code: 1, stdout: Welcome to Azure Static Web Apps CLI (1.1.8) Using configuration "azure-openai-chat-frontend" from file: /home/runner/work/_temp/template/swa-cli.config.json Build configuration: - App location: ./src - API location: - Output location: ./dist - App build command: npm run build --if-present - API build command: Building app with npm run build --if-present in ./src ... > azure-openai-chat-frontend@0.0.1 build > vite build , stderr: npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful. npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported npm warn deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported sh: 1: vite: not found Error: Command failed: npm run build --if-present at checkExecSyncError (node:child_process:890:11) at execSync (node:child_process:962:15) at runCommand (/home/runner/.npm/_npx/77a2eeeac940fe18/node_modules/@azure/static-web-apps-cli/src/core/utils/command.ts:5:11) at build (/home/runner/.npm/_npx/77a2eeeac940fe18/node_modules/@azure/static-web-apps-cli/src/cli/commands/build/build.ts:93:15) at Command. (/home/runner/.npm/_npx/77a2eeeac940fe18/node_modules/@azure/static-web-apps-cli/src/cli/commands/build/register.ts:30:7) at Command.parseAsync (/home/runner/.npm/_npx/77a2eeeac940fe18/node_modules/commander/lib/command.js:935:5) at run (/home/runner/.npm/_npx/77a2eeeac940fe18/node_modules/@azure/static-web-apps-cli/src/cli/index.ts:106:3)
:x: azd down. [How to fix?] Error: Deleting all resources and deployed code on Azure (azd down) Local application code is not deleted when running 'azd down'. Initialize bicep provider ERROR: deleting infrastructure: error deleting Azure resources: 'dev-27076207321': no deployments found

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline.
:heavy_check_mark: Security scan.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/azure-search-openai-demo-csharp

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider ERROR: prompting for value: no default response for prompt 'Enter a value for the 'openAIApiKey' infrastructure parameter:'
:x: azd down. [How to fix?] Error: Deleting all resources and deployed code on Azure (azd down) Local application code is not deleted when running 'azd down'. Initialize bicep provider Enter a value for the 'openAIApiKey' infrastructure parameter: ERROR: deleting infrastructure: error deleting Azure resources: 'dev-27076206024': no deployments found

Security Requirements:

:heavy_check_mark: microsoft/security-devops-action is integrated to the CI/CD pipeline.
:warning: Security scan. [How to fix?] - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000355 - By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall: - enabledForDeployment - Azure Virtual Machines for deployment. - enabledForDiskEncryption - Azure Disk Encryption for volume encryption. - enabledForTemplateDeployment - Azure Resource Manager for template deployment. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/azure-search-openai-demo-java

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Features is missing in README.md. - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md. - Error: ## Resources is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:x: azure-dev.yaml File. [How to fix?] - Error: azure-dev.yaml file is missing.
:x: azure.yaml File. [How to fix?] - Error: azure.yaml file is missing.
:x: infra Folder. [How to fix?] - Error: infra folder is missing.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: ERROR: no project exists; to create a new project, run `azd init`
:x: azd down. [How to fix?] Error: ERROR: no project exists; to create a new project, run `azd init`

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/stale-bot.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/stale-bot.yml.
:warning: Security scan. [How to fix?] - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000178 - To publish or consume messages from Service Bus cryptographic keys, or Azure AD identities can be used. Cryptographic keys include Shared Access Policy keys or Shared Access Signature (SAS) tokens. With Azure AD authentication, the identity is validated against Azure AD. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys or SAS tokens. - error: AZR-000355 - By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall: - enabledForDeployment - Azure Virtual Machines for deployment. - enabledForDiskEncryption - Azure Disk Encryption for volume encryption. - enabledForTemplateDeployment - Azure Resource Manager for template deployment. - error: AZR-000099 - When delivering events you can use Managed Identities to authenticate event delivery. You can enable either system-assigned identity or user-assigned identity but not both. You can have at most two user-assigned identities assigned to a topic or domain. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: TA-000023 - To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. - error: AZR-000022 - To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled: - kube-audit or kube-audit-admin, or both. - kube-audit - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post. - kube-audit-admin - Is a subset of the kube-audit log category. kube-audit-admin reduces the number of logs significantly by excluding the get and list audit events from the log. - guard - Contains logs for Azure Active Directory (AAD) authorization integration. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. - error: AZR-000028 - AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints. Examples of policies include: - Enforce HTTPS ingress in Kubernetes cluster. - Do not allow privileged containers in Kubernetes cluster. - Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster. - error: AZR-000029 - AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD. - error: AZR-000030 - In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities. All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges. Restricting authorized IP addresses for the API server has the following limitations: - Requires AKS clusters configured with a Standard Load Balancer SKU. - This feature is not compatible with clusters that use Public IP per Node. - This feature is not compatible with AKS private clusters. When configuring this feature, you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32. You should add these ranges to the allow list: - Include output IP addresses for cluster nodes - Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems. - error: AZR-000032 - Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC. - Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources. - Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC. Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM). When Azure RBAC is enabled: - Azure AD principals will be validated exclusively by Azure RBAC. - Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC. - error: AZR-000033 - AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod. The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation. Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default. - warning: AZR-000031 - AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies. When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled. These local accounts such as clusterAdmin and clusterUser are shared accounts that are not tied to an identity. If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions. In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential. For example, using az aks get-credentials -g '' -n '' --admin will fail. - warning: AZR-000370 - To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon set and deployments needs to be deployed to the AKS clusters. These components are installed when the Defender profile is enabled on the cluster. The Defender profile deployed to each node provides the runtime protections and collects signals from nodes.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/azure-search-openai-demo

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:heavy_check_mark: Topics on repo contains ['azd-templates', 'ai-azd-templates'].

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Retrieving locations... ERROR: prompting for value: prompting for location: no default response for prompt 'Enter a value for the 'documentIntelligenceResourceGroupLocation' infrastructure parameter:'
:x: azd down. [How to fix?] Error: Deleting all resources and deployed code on Azure (azd down) Local application code is not deleted when running 'azd down'. Initialize bicep provider Retrieving locations... Enter a value for the 'documentIntelligenceResourceGroupLocation' infrastructure parameter: ERROR: initializing provisioning manager: prompting for value: prompting for location: '' is not an allowed choice. allowed choices: 1. (Europe) West Europe (westeurope), 2. (US) East US (eastus), 3. (US) West US 2 (westus2)

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml. - Error: microsoft/security-devops-action is missing in .github/workflows/lint-markdown.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/lint-markdown.yml. - Error: microsoft/security-devops-action is missing in .github/workflows/stale-bot.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/stale-bot.yml. - Error: microsoft/security-devops-action is missing in .github/workflows/validate-markdown.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/validate-markdown.yml. - Error: microsoft/security-devops-action is missing in .github/workflows/validate-markdown.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/validate-markdown.yml. - Error: microsoft/security-devops-action is missing in .github/workflows/validate-markdown.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/validate-markdown.yml.
:warning: Security scan. [How to fix?] - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: TA-000019 - For enhanced authentication security, use a managed identity. On Azure, managed identities eliminate the need for developers to have to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/azure-search-openai-javascript

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service indexer Packaging service indexer (Tagging container image) (✓) Done: Packaging service indexer - Image Hash: sha256:5a7aeb8a0cb0b525e0512b1abc575d39b341ad426375b60ddf0d9e88a8e31406 - Target Image: azure-search-openai-javascript/indexer-dev-27076206412:azd-deploy-1720170523 Packaging service search Packaging service search (Tagging container image) (✓) Done: Packaging service search - Image Hash: sha256:17f8459bc897a0772e90d20d1abffb612b81093920d4eb7eb47ce8d5ef040e37 - Target Image: azure-search-openai-javascript/search-dev-27076206412:azd-deploy-1720170572 Packaging service webapp Packaging service webapp (Installing NPM dependencies) Packaging service webapp (Running NPM package script) Packaging service webapp (Copying deployment package) (✓) Done: Packaging service webapp - Package Output: dist Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Creating a deployment plan Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076206412-1720170605 (✓) Done: Resource group: rg-dev-27076206412 (✓) Done: Static Web App: webapp (✓) Done: Log Analytics workspace: log-jjvthf6kz5zhw (✓) Done: Storage account: stjjvthf6kz5zhw (✓) Done: Application Insights: appi-jjvthf6kz5zhw (✓) Done: Portal dashboard: dash-jjvthf6kz5zhw (✓) Done: Container Registry: crjjvthf6kz5zhw (✓) Done: Container Apps Environment: cae-jjvthf6kz5zhw (✓) Done: Search service: gptkb-jjvthf6kz5zhw ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: InvalidTemplateDeployment: The template deployment 'openai' is not valid according to the validation procedure. The tracking id is '4d116ffe-6e24-4fe2-add6-181e76500fcf'. See inner errors for details. InsufficientQuota: This operation require 30 new capacity in quota Tokens Per Minute (thousands) - GPT-35-Turbo, which is bigger than the current available capacity 0. The current quota usage is 300 and the quota limit is 300 for quota Tokens Per Minute (thousands) - GPT-35-Turbo. TraceID: 3ecfe1b58dc52c24a56145529ac4d106
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/stale-bot.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/stale-bot.yml. - Error: microsoft/security-devops-action is missing in .github/workflows/playwright.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/playwright.yml.
:warning: Security scan. [How to fix?] - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/contoso-chat

AI Gallery Standard Validation: FAILED

Repository Management:

:heavy_check_mark: README.md File.
:heavy_check_mark: LICENSE.md File.
:heavy_check_mark: SECURITY.md File.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:x: ISSUE_TEMPLATE.md File. [How to fix?] - Error: ISSUE_TEMPLATE.md file is missing.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Note: Running custom 'up' workflow from azure.yaml Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Creating a deployment plan Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076205238-1720170098 (✓) Done: Resource group: rg-dev-27076205238 (✓) Done: Log Analytics workspace: log-isowavi7vxpaw (✓) Done: Key Vault: kv-isowavi7vxpaw (✓) Done: Storage account: stisowavi7vxpaw (✓) Done: Container Registry: crisowavi7vxpaw (✓) Done: Application Insights: appi-isowavi7vxpaw (✓) Done: Search service: srch-isowavi7vxpaw ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. InvalidTemplateDeployment: The template deployment 'cognitiveServices' is not valid according to the validation procedure. The tracking id is 'bb3a9a4c-bc82-4c1e-9988-854fe9f01a1c'. See inner errors for details. InsufficientQuota: This operation require 20 new capacity in quota Tokens Per Minute (thousands) - GPT-35-Turbo, which is bigger than the current available capacity 0. The current quota usage is 300 and the quota limit is 300 for quota Tokens Per Minute (thousands) - GPT-35-Turbo. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. TraceID: 9a05cfe1811c1984f11cd4ce1a49ef98
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml. - Error: microsoft/security-devops-action is missing in .github/workflows/bicep-audit.yml.
:warning: Security scan. [How to fix?] - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000355 - By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall: - enabledForDeployment - Azure Virtual Machines for deployment. - enabledForDiskEncryption - Azure Disk Encryption for volume encryption. - enabledForTemplateDeployment - Azure Resource Manager for template deployment. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000291 - Every request to an Azure App Configuration resource must be authenticated. App Configuration supports authenticating requests using either Entra ID (previously Azure AD) identities or access keys. Using Entra ID identities: - Centralizes identity management and auditing. - Allows granting of permissions using role-based access control (RBAC). - Provides support for advanced security features such as conditional access and multi-factor authentication (MFA) when applicable. To require clients to use Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource. When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Entra ID will succeed. - error: AZR-000053 - API Management must authenticate to access Azure resources such as Key Vault. Use Key Vault to store certificates and secrets used within API Management. - error: AZR-000055 - API Management provides support for weak or deprecated ciphers. These older versions are provided for compatibility with clients and backends but are not consider secure. These many of these ciphers are enabled by default and need to be set to 'False'. The following ciphers are considered weak or deprecated: - TripleDes168 - TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_256_CBC_SHA256 - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_AES_128_GCM_SHA256. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: TA-000023 - To ensure that only applications from allowed networks, machines, or subnets can access your cluster, restrict access to your Kubernetes Service Management API server. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. - error: AZR-000022 - To capture security-based audit logs from AKS clusters, the following diagnostic log categories should be enabled: - kube-audit or kube-audit-admin, or both. - kube-audit - Contains all audit log data for every audit event, including get, list, create, update, delete, patch, and post. - kube-audit-admin - Is a subset of the kube-audit log category. kube-audit-admin reduces the number of logs significantly by excluding the get and list audit events from the log. - guard - Contains logs for Azure Active Directory (AAD) authorization integration. For managed Azure AD, this includes token in and user info out. For Azure RBAC, this includes access reviews in and out. - error: AZR-000028 - AKS clusters support integration with Azure Policy using an Open Policy Agent (OPA). Azure Policy integration is provided by an optional add-on that can be enabled on AKS clusters. Once enabled and Azure policies assigned, AKS clusters will enforce the configured constraints. Examples of policies include: - Enforce HTTPS ingress in Kubernetes cluster. - Do not allow privileged containers in Kubernetes cluster. - Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster. - error: AZR-000029 - AKS-managed integration provides an easy way to use Azure AD authorization for AKS. Previous Azure AD integration with AKS required app registration and management within Azure AD. - error: AZR-000030 - In Kubernetes, the API server is the control plane of the cluster. Access to the API server is required by various cluster functions as well as all administrator activities. All activities performed against the cluster require authorization. To improve cluster security, the API server can be restricted to a limited set of IP address ranges. Restricting authorized IP addresses for the API server has the following limitations: - Requires AKS clusters configured with a Standard Load Balancer SKU. - This feature is not compatible with clusters that use Public IP per Node. - This feature is not compatible with AKS private clusters. When configuring this feature, you must specify the IP address ranges that will be authorized. To allow only the outbound public IP of the Standard SKU load balancer, use 0.0.0.0/32. You should add these ranges to the allow list: - Include output IP addresses for cluster nodes - Any range where administration will connect to the API server, including CI/CD systems, monitoring, and management systems. - error: AZR-000032 - Azure Kubernetes Service (AKS) supports Role-based Access Control (RBAC). RBAC is supported using Kubernetes RBAC and optionally Azure RBAC. - Using Kubernetes RBAC, you can grant users, groups, and service accounts access to cluster resources. - Additionally AKS supports granting Azure AD identities access to cluster resources using Azure RBAC. Using authorization provided by Azure RBAC simplifies and centralizes authorization of Azure AD principals. Access to Kubernetes resource can be managed using Azure Resource Manager (ARM). When Azure RBAC is enabled: - Azure AD principals will be validated exclusively by Azure RBAC. - Kubernetes users and service accounts are exclusively validated by Kubernetes RBAC. - error: AZR-000033 - AKS clusters may need to store and retrieve secrets, keys, and certificates. The Secrets Store CSI Driver provides cluster support to integrate with Key Vault. When enabled and configured secrets, keys, and certificates can be securely accessed from a pod. The Secrets Store CSI Driver can automatically refresh secrets and keys periodically from Key Vault. To enable this feature, enable Secrets Store CSI Driver autorotation. Avoid storing secrets to access Azure resources. Use a Managed Identity when possible instead of cryptographic keys or a regular service principal. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000095 - Cosmos DB provides two authorization options for interacting with the database: - Azure Active Directory identity (Azure AD). Can be used to authorize account and resource management operations. - Keys and resource tokens. Can be used to authorize resource management and data operations. Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only. - error: AZR-000186 - Enable Microsoft Defender for Azure SQL logical server. - error: AZR-000187 - Auditing for Azure SQL Database tracks database events and writes them to an audit log. Audit logs help you find suspicious events, unusual activity, and trends. - error: AZR-000188 - Azure SQL Database offer two authentication models, Azure Active Directory (AAD) and SQL authentication. AAD authentication supports centralized identity management in addition to modern password protections. Some of the benefits of AAD authentication over SQL authentication including: - Support for Azure Multi-Factor Authentication (MFA). - Conditional-based access with Conditional Access. It is also possible to disable SQL authentication entirely and only use AAD authentication. - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history. - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history. - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history. - error: AZR-000316 - Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure. When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters. Secure parameters use the secureString or secureObject type. Parameters that do not use secure types are recorded in logs and deployment history. These values can be retrieved by anyone with access to the deployment history. - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default. - warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - warning: AZR-000407 - Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. - warning: AZR-000406 - Disabling public network access improves security by ensuring that the Machine Learning Workspaces aren't exposed on the public internet. You can control exposure of your workspaces by creating private endpoints instead. By default, a public endpoint is enabled for Machine Learning workspaces. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help control exposure of a workspace to data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - warning: AZR-000407 - Manange access to Azure ML workspace and associated resources, Azure Container Registry, KeyVault, Storage, and App Insights using user-assigned managed identity. By default, system-assigned managed identity is used by Azure ML workspace to access the associated resources. User-assigned managed identity allows you to create the identity as an Azure resource and maintain the life cycle of that identity. - warning: AZR-000031 - AKS clusters support Role-based Access Control (RBAC) authorization. RBAC allows users, groups, and service accounts to be granted access to resources on an as needed basis. Actions performed by each identity can be logged for auditing with Kubernetes audit policies. When a cluster is deployed, local accounts are enabled by default even when RBAC is enabled. These local accounts such as clusterAdmin and clusterUser are shared accounts that are not tied to an identity. If local account credentials are used, Kubernetes auditing logs the local account instead of named accounts. Who performed an action cannot be determined from the audit logs, creating an audit log gap for privileged actions. In an AKS cluster with local account disabled administrator will be unable to get the clusterAdmin credential. For example, using az aks get-credentials -g '' -n '' --admin will fail. - warning: AZR-000370 - To collect and provide data plane protections of Microsoft Defender for Containers some additional daemon set and deployments needs to be deployed to the AKS clusters. These components are installed when the Defender profile is enabled on the cluster. The Defender profile deployed to each node provides the runtime protections and collects signals from nodes. - warning: AZR-000390 - Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication. By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management. Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins. Azure AD-only authentication is only supported for the flexible server deployment model.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/llama-index-javascript

AI Gallery Standard Validation: FAILED

Repository Management:

:heavy_check_mark: README.md File.
:heavy_check_mark: LICENSE.md File.
:heavy_check_mark: SECURITY.md File.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:x: ISSUE_TEMPLATE.md File. [How to fix?] - Error: ISSUE_TEMPLATE.md file is missing.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service llama-index-nextjs Packaging service llama-index-nextjs (Tagging container image) (✓) Done: Packaging service llama-index-nextjs - Image Hash: sha256:941780bacf03e3518e5e681ca49c9dd51720e577c6a5a3837f372f67a4067014 - Target Image: llama-index-nextjs/llama-index-nextjs-dev-27076208363:azd-deploy-1720171740 Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Comparing deployment state Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076208363-1720171746 (✓) Done: Resource group: rg-dev-27076208363 (✓) Done: Log Analytics workspace: log-olyjdxajzb6he (✓) Done: Application Insights: appi-olyjdxajzb6he (✓) Done: Container Registry: crolyjdxajzb6he (✓) Done: Key Vault: kv-olyjdxajzb6he (✓) Done: Azure OpenAI: cog-olyjdxajzb6he (✓) Done: Portal dashboard: dash-olyjdxajzb6he (✓) Done: Container Apps Environment: cae-olyjdxajzb6he ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: BadRequestFormat: The request was incorrectly formatted. TraceID: 4f2780b2b7cd27eaaee981fbd3961d00
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml.
:warning: Security scan. [How to fix?] - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000355 - By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall: - enabledForDeployment - Azure Virtual Machines for deployment. - enabledForDiskEncryption - Azure Disk Encryption for volume encryption. - enabledForTemplateDeployment - Azure Resource Manager for template deployment. - error: AZR-000005 - Azure Container Registry (ACR) includes a built-in local admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries. Instead of using the admin user account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits including: - Strong account protection controls with conditional access, identity governance, and privileged identity management. - Auditing and reporting of account activity. - Granular access control with role-based access control (RBAC). - Separation of account types for users and applications. - error: AZR-000355 - By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall: - enabledForDeployment - Azure Virtual Machines for deployment. - enabledForDiskEncryption - Azure Disk Encryption for volume encryption. - enabledForTemplateDeployment - Azure Resource Manager for template deployment. - error: AZR-000005 - Azure Container Registry (ACR) includes a built-in local admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries. Instead of using the admin user account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits including: - Strong account protection controls with conditional access, identity governance, and privileged identity management. - Auditing and reporting of account activity. - Granular access control with role-based access control (RBAC). - Separation of account types for users and applications. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default. - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/openai-chat-app-quickstart

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:heavy_check_mark: SECURITY.md File.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:heavy_check_mark: Topics on repo contains ['azd-templates', 'ai-azd-templates'].

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service aca Packaging service aca (Tagging container image) (✓) Done: Packaging service aca - Image Hash: sha256:6f1a8eeeaea21b383985b1182faded285d2257b05c3d8e51c31fbad6cb8ceda4 - Target Image: simple-chatgpt-python/aca-dev-27076207777:azd-deploy-1720171503 Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Comparing deployment state Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076207777-1720171508 (✓) Done: Resource group: dev-27076207777-rg (✓) Done: Log Analytics workspace: dev-27076207777-fvgurmcntsl7a-loganalytics (✓) Done: Azure OpenAI: fvgurmcntsl7a-cog (✓) Done: Container Registry: dev27076207777fvgurmcntsl7aregistry (✓) Done: Container Apps Environment: dev-27076207777-fvgurmcntsl7a-containerapps-env (✓) Done: Container App: dev-27076207777-fvg-ca ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. TraceID: d66c5c8eef254696e0a8512a5c33d173
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline.
:warning: Security scan. [How to fix?] - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/openai-plugin-fastapi

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Features is missing in README.md. - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md. - Error: ## Resources is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:x: CODE_OF_CONDUCT.md File. [How to fix?] - Error: CODE_OF_CONDUCT.md file is missing.
:x: CONTRIBUTING.md File. [How to fix?] - Error: CONTRIBUTING.md file is missing.
:x: ISSUE_TEMPLATE.md File. [How to fix?] - Error: ISSUE_TEMPLATE.md file is missing.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service api Packaging service api (Tagging container image) (✓) Done: Packaging service api - Image Hash: sha256:0fb68f2a405a1fe4b1a9d80fbc229ac38c6deb566b525a615e90e42395adf77e - Target Image: openai-plugin-fastapi/api-dev-27076207545:azd-deploy-1720171273 Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Comparing deployment state Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076207545-1720171279 (✓) Done: Resource group: rg-dev-27076207545 (✓) Done: Log Analytics workspace: log-urwn5gv2dqdzq (✓) Done: Application Insights: appi-urwn5gv2dqdzq (✓) Done: Portal dashboard: dash-urwn5gv2dqdzq (✓) Done: Container Registry: crurwn5gv2dqdzq (✓) Done: Container Apps Environment: cae-urwn5gv2dqdzq ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: ResourceNotFound: The Resource 'Microsoft.App/containerApps/ca-api-urwn5gv2dqdzq' under resource group 'rg-dev-27076207545' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix TraceID: 457d4f936a657c52f2506fa565491c99
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml.
:warning: Security scan. [How to fix?] - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000005 - Azure Container Registry (ACR) includes a built-in local admin user account. The admin user account is a single user account with administrative access to the registry. This account provides single user access for early test and development. The admin user account is not intended for use with production container registries. Instead of using the admin user account, consider using Entra ID (previously Azure AD) identities. Entra ID provides a centralized identity and authentication system for Azure. This provides a number of benefits including: - Strong account protection controls with conditional access, identity governance, and privileged identity management. - Auditing and reporting of account activity. - Granular access control with role-based access control (RBAC). - Separation of account types for users and applications. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Arize-ai/phoenix-on-azure

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Features is missing in README.md. - Error: ## Resources is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:x: CODE_OF_CONDUCT.md File. [How to fix?] - Error: CODE_OF_CONDUCT.md file is missing.
:x: CONTRIBUTING.md File. [How to fix?] - Error: CONTRIBUTING.md file is missing.
:x: ISSUE_TEMPLATE.md File. [How to fix?] - Error: ISSUE_TEMPLATE.md file is missing.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:x: azure-dev.yaml File. [How to fix?] - Error: azure-dev.yaml file is missing.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider
:x: azd down. [How to fix?] Error: Deleting all resources and deployed code on Azure (azd down) Local application code is not deleted when running 'azd down'. Initialize bicep provider Enter a value for the 'databasePassword' infrastructure secured parameter:Enter a value for the 'htpasswd' infrastructure parameter: ERROR: initializing provisioning manager: resource group scoped deployments are currently under alpha support and need to be explicitly enabled. Run `azd config set alpha.resourceGroupDeployments on` to enable this feature.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline.
:warning: Security scan. [How to fix?] - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - warning: AZR-000390 - Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication. By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management. Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins. Azure AD-only authentication is only supported for the flexible server deployment model.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/rag-postgres-openai-python

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:heavy_check_mark: Topics on repo contains ['azd-templates', 'ai-azd-templates'].

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Retrieving locations... ERROR: prompting for value: prompting for location: no default response for prompt 'Enter a value for the 'openAILocation' infrastructure parameter:'
:x: azd down. [How to fix?] Error: Deleting all resources and deployed code on Azure (azd down) Local application code is not deleted when running 'azd down'. Initialize bicep provider Retrieving locations... Enter a value for the 'openAILocation' infrastructure parameter: ERROR: initializing provisioning manager: prompting for value: prompting for location: '' is not an allowed choice. allowed choices: 1. (Canada) Canada East (canadaeast), 2. (US) North Central US (northcentralus), 3. (US) South Central US (southcentralus)

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline.
:warning: Security scan. [How to fix?] - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/serverless-chat-langchainjs

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Features is missing in README.md. - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:heavy_check_mark: SECURITY.md File.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:x: azure-dev.yaml File. [How to fix?] - Error: azure-dev.yaml file is missing.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:x: azd up. [How to fix?] Error: Downloading Bicep (✓) Done: Downloading Bicep Initialize bicep provider Packaging services (azd package) Packaging service api Packaging service api (Installing NPM dependencies) Packaging service api (Running NPM package script) Packaging service api (Copying deployment package) Packaging service api (Compressing deployment artifacts) (✓) Done: Packaging service api - Package Output: /tmp/serverless-chat-langchainjs-api-azddeploy-1720171069.zip Packaging service webapp Packaging service webapp (Installing NPM dependencies) Packaging service webapp (Running NPM package script) Packaging service webapp (Copying deployment package) (✓) Done: Packaging service webapp - Package Output: dist Provisioning Azure resources (azd provision) Provisioning Azure resources can take some time. Initialize bicep provider Retrieving subscriptions... Reading subscription and location from environment... Subscription: Visual Studio Enterprise Subscription (6e41a27a-b56f-423c-b5d9-bb0b325733eb) Location: East US 2 Comparing deployment state Comparing deployment state Creating/Updating resources You can view detailed progress in the Azure Portal: https://portal.azure.com/#view/HubsExtension/DeploymentDetailsBlade/~/overview/id/%2Fsubscriptions%2F6e41a27a-b56f-423c-b5d9-bb0b325733eb%2Fproviders%2FMicrosoft.Resources%2Fdeployments%2Fdev-27076206797-1720171078 (✓) Done: Resource group: rg-dev-27076206797 (✓) Done: Static Web App: webapp (✓) Done: App Service plan: plan-y4a7soldt2vn4 (✓) Done: Azure OpenAI: cog-y4a7soldt2vn4 (✓) Done: Storage account: sty4a7soldt2vn4 (✓) Done: Search service: srch-y4a7soldt2vn4 (✓) Done: Function App: func-api-y4a7soldt2vn4 ERROR: error executing step command 'provision': deployment failed: error deploying infrastructure: deploying to subscription: Deployment Error Details: UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. UnmatchedPrincipalType: The PrincipalId '95959d96ca17490a877b63300e2f9187' has type 'ServicePrincipal' , which is different from specified PrinciaplType 'User'. TraceID: 61e19077185b10b80fe3a931bcb35c82
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/stale-bot.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/stale-bot.yml.
:warning: Security scan. [How to fix?] - error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. - error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted. Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised. - error: TA-000001 - Enable auditing of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.

Repo: Azure-Samples/summarization-openai-python-promptflow

AI Gallery Standard Validation: FAILED

Repository Management:

:x: README.md File. [How to fix?] - Error: ## Getting Started is missing in README.md. - Error: ## Guidance is missing in README.md.
:heavy_check_mark: LICENSE.md File.
:x: SECURITY.md File. [How to fix?] - Error: SECURITY.md file is missing.
:heavy_check_mark: CODE_OF_CONDUCT.md File.
:heavy_check_mark: CONTRIBUTING.md File.
:heavy_check_mark: ISSUE_TEMPLATE.md File.
:x: Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?] - Error: azd-templates is missing in topics. - Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

:heavy_check_mark: azure-dev.yaml File.
:heavy_check_mark: azure.yaml File.
:heavy_check_mark: infra Folder.
:heavy_check_mark: .devcontainer Folder.

Functional Requirements:

:heavy_check_mark: azd up.
:heavy_check_mark: azd down.

Security Requirements:

:warning: microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?] Not found security check related actions in the CI/CD pipeline. - Error: microsoft/security-devops-action is missing in .github/workflows/azure-dev.yml. - Error: github/codeql-action/upload-sarif is missing in .github/workflows/azure-dev.yml.
:warning: Security scan. [How to fix?] - error: AZR-000355 - By default, Key Vault accept connections from clients on any network. To limit access to selected networks, you must first change the default action. After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from: - Azure services on the trusted service list. - IP address or CIDR range. - Private endpoint connections. - Azure virtual network subnets with a Service Endpoint. If any of the following options are enabled you must also enable Allow trusted Microsoft services to bypass this firewall: - enabledForDeployment - Azure Virtual Machines for deployment. - enabledForDiskEncryption - Azure Disk Encryption for volume encryption. - enabledForTemplateDeployment - Azure Resource Manager for template deployment. - error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by malicious actor is from an unauthorized virtual network is mitigated. Configure service endpoints and private links where appropriate. - error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints supports authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits. With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing. Once you decide to use Azure AD authentication, you can disable authentication using keys. - warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks. Data exfiltration is an attack where an malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor are not required. - error: AZR-000361 - Using managed identities have the following benefits: - Your app connects to resources with the managed identity. You don't need to manage credentials in your container app. - You can use role-based access control to grant specific permissions to a managed identity. - System-assigned identities are automatically created and managed. They're deleted when your container app is deleted. - You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle. - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App. - You can use managed identity to create connections for Dapr-enabled applications via Dapr components. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000363 - Container apps environments allows you to expose your container app to the Internet. Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address. Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer. This removes the need for a public IP address and prevents internet access to all Container Apps within the environment. To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET. - error: AZR-000095 - Cosmos DB provides two authorization options for interacting with the database: - Azure Active Directory identity (Azure AD). Can be used to authorize account and resource management operations. - Keys and resource tokens. Can be used to authorize resource management and data operations. Resource management operations include management of databases, indexes, and containers. By default, keys are permitted to perform resource management operations. You can restrict these operations to Azure Resource Manager (ARM) calls only. - warning: AZR-000388 - Azure RBAC is the recommended authorization system for the Azure Key Vault data plane. Azure RBAC allows users to manage key, secrets, and certificates permissions. It provides one place to manage all permissions across all Key Vaults. Azure RBAC for Key Vault also allows users to have separate permissions on individual keys, secrets, and certificates. The Azure RBAC permission model is not enabled by default.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approached can be found HERE.