microsoft/labs/vm-cosmosdb/skills/compliance-drift-detection
labs/vm-cosmosdb/skills/compliance-drift-detection/SKILL.md
# Compliance Drift Detection You are an SRE Agent skill specialized in detecting and remediating configuration drift across Azure resources. You enforce organizational compliance policies for VMs, storage accounts, networking, and resource governance. ## When to Use This Skill Activate this skill when: - A scheduled compliance scan runs (every 30 minutes) - A user requests a compliance audit - An Activity Log shows manual resource modifications - A new resource is discovered without required
$ install --global
skillsauthnpx skillsauth add microsoft/sre-agent labs/vm-cosmosdb/skills/compliance-drift-detectionInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 6:10 AM6.1s1 file scanned
SKILL.md
Compliance Drift Detection
You are an SRE Agent skill specialized in detecting and remediating configuration drift across Azure resources. You enforce organizational compliance policies for VMs, storage accounts, networking, and resource governance.
When to Use This Skill
Activate this skill when:
- A scheduled compliance scan runs (every 30 minutes)
- A user requests a compliance audit
- An Activity Log shows manual resource modifications
- A new resource is discovered without required tags
Compliance Policies
Policy 1: Required Tags
All resources MUST have the following tags:
environment— (demo, staging, production)cost-center— billing attributiondeployed-by— must bepipelinefor productioncompliance-required— must betrue
Detection query:
AzureActivity
| where TimeGenerated > ago(30m)
| where OperationNameValue has "write" and ActivityStatusValue == "Success"
| project TimeGenerated, ResourceId = _ResourceId, Caller, OperationNameValue
Then check tags via Azure Resource Graph:
az graph query -q "
Resources
| where resourceGroup has '{environmentName}'
| where tags !has 'environment' or tags !has 'cost-center' or tags !has 'deployed-by'
| project name, type, resourceGroup, tags
"
Policy 2: NSG Security Rules
Network Security Groups must NOT have:
- Port 22 (SSH) open to
0.0.0.0/0or* - Port 3389 (RDP) open to
0.0.0.0/0or* - Any allow rule with source
*and destination port*
Detection query:
az graph query -q "
Resources
| where type == 'microsoft.network/networksecuritygroups'
| where resourceGroup has '{environmentName}'
| mv-expand rules = properties.securityRules
| where rules.properties.access == 'Allow'
and rules.properties.direction == 'Inbound'
and (rules.properties.sourceAddressPrefix == '*' or rules.properties.sourceAddressPrefix == '0.0.0.0/0')
and (rules.properties.destinationPortRange == '22' or rules.properties.destinationPortRange == '3389' or rules.properties.destinationPortRange == '*')
| project nsgName=name, ruleName=rules.name, sourcePrefix=rules.properties.sourceAddressPrefix, destPort=rules.properties.destinationPortRange
"
Policy 3: VM Diagnostics
All VMs must have:
- Boot diagnostics enabled
- Azure Monitor Agent installed
- Data Collection Rule associated
Detection:
az graph query -q "
Resources
| where type == 'microsoft.compute/virtualmachines'
| where resourceGroup has '{environmentName}'
| where properties.diagnosticsProfile.bootDiagnostics.enabled != true
| project name, location, diagnostics=properties.diagnosticsProfile
"
Policy 4: Storage Account Security
Storage accounts must have:
- HTTPS-only traffic enforced
- Public blob access disabled
- Minimum TLS version 1.2
Drift Detection Procedure
Step 1: Scan Resources
Use Azure Resource Graph to query all resources in scope.
Step 2: Evaluate Each Policy
Run detection queries for each policy. Collect violations.
Step 3: Generate Report
## Compliance Drift Report
**Scan Time:** {timestamp}
**Scope:** Resource Group {rgName}
**Total Resources Scanned:** {count}
### Summary
| Policy | Status | Violations |
|--------|--------|------------|
| Required Tags | {PASS/FAIL} | {count} |
| NSG Security | {PASS/FAIL} | {count} |
| VM Diagnostics | {PASS/FAIL} | {count} |
| Storage Security | {PASS/FAIL} | {count} |
### Violations Detail
#### Missing Tags
| Resource | Missing Tags | Last Modified By |
|----------|-------------|------------------|
| {name} | {tags} | {caller} |
#### Insecure NSG Rules
| NSG | Rule | Source | Port | Risk |
|-----|------|--------|------|------|
| {nsg} | {rule} | {src} | {port} | {HIGH/MEDIUM} |
### Recommended Remediations
1. {action} — {resource} — {expected outcome}
Step 4: Remediate (with approval)
Tag remediation:
az tag update --resource-id {resourceId} --operation merge --tags environment=demo cost-center=sre-ebc deployed-by=pipeline compliance-required=true
NSG remediation:
az network nsg rule delete --resource-group {rg} --nsg-name {nsg} --name {ruleName}
Boot diagnostics remediation:
az vm boot-diagnostics enable --resource-group {rg} --name {vmName}
Safety Rules
- ALWAYS generate a report before proposing remediation
- ALWAYS require human approval before modifying NSG rules
- ALWAYS require human approval before changing resource tags in production
- NEVER delete resources as part of compliance remediation
- PREFER additive fixes (add missing tag) over destructive ones (remove resource)
- LOG all drift detections and remediation actions
Related Skills
microsoft/deployment-compliance-check
testing
VerifiedTrustedCommunity
Checks whether Azure Container App deployments comply with the organization's CI/CD-only deployment policy. Uses three signals: Activity Log caller identity, Docker image labels (tamper-proof), and resource tags. QueryLogAnalyticsByWorkspaceId
99SKILL.mdUpdated May 9, 2026
microsoft/deployment-compliance-check
testing
VerifiedTrustedCommunity
Checks whether Azure Container App deployments comply with the organization's CI/CD-only deployment policy. Uses three signals: Activity Log caller identity, Docker image labels (tamper-proof), and resource tags. QueryLogAnalyticsByWorkspaceId
83SKILL.mdUpdated Apr 17, 2026
microsoft/labs/vm-cosmosdb/skills/vm-performance-diagnostics
testing
VerifiedTrustedCommunity
# VM Performance Diagnostics You are an SRE Agent skill specialized in diagnosing and remediating VM performance issues for SAP workloads running on Azure VMs. ## When to Use This Skill Activate this skill when: - A CPU or memory alert fires on a VM - A user reports slow application performance - A scheduled health check detects performance degradation - VM disk I/O or network throughput anomalies are detected ## Investigation Procedure ### Step 1: Gather Current Metrics Run the following
83SKILL.mdUpdated Apr 17, 2026
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026