[Auto] AI Gallery Standard Validation FAILED #210

Closed
ai-apps-bot opened this issue Jul 3, 2024 · 0 comments

ai-apps-bot commented Jul 3, 2024

AI Gallery Standard Validation: FAILED

Repository Management:

README.md File. [How to fix?]
  • Error: ## Getting Started is missing in README.md.
  • Error: ## Guidance is missing in README.md.
✔️ LICENSE.md File.
SECURITY.md File. [How to fix?]
  • Error: SECURITY.md file is missing.
✔️ CODE_OF_CONDUCT.md File.
✔️ CONTRIBUTING.md File.
✔️ ISSUE_TEMPLATE.md File.
Topics on repo contains ['azd-templates', 'ai-azd-templates']. [How to fix?]
  • Error: ai-azd-templates is missing in topics.

Source code structure and conventions:

✔️ azure-dev.yaml File.
✔️ azure.yaml File.
✔️ infra Folder.
✔️ .devcontainer Folder.

Functional Requirements:

✔️ azd up.
✔️ azd down.

Security Requirements:

⚠️ microsoft/security-devops-action is integrated to the CI/CD pipeline. [How to fix?]

No security check related actions were found in the CI/CD pipeline.

  • Error: microsoft/security-devops-action is missing in .github/workflows/playwright.yml.
  • Error: github/codeql-action/upload-sarif is missing in .github/workflows/playwright.yml.
  • Error: microsoft/security-devops-action is missing in .github/workflows/stale-bot.yml.
  • Error: github/codeql-action/upload-sarif is missing in .github/workflows/stale-bot.yml.
⚠️ Security scan. [How to fix?]
  • error: AZR-000280 - By default, public network access is enabled for a Cognitive Service account. Service Endpoints and Private Link can be leveraged to restrict access to PaaS endpoints. When access is restricted, access by a malicious actor from an unauthorized virtual network is mitigated.
    Configure service endpoints and private links where appropriate.

  • error: AZR-000282 - To send requests to Cognitive Services endpoints, each request must include an authentication header. Cognitive Services endpoints support authentication with keys or tokens. Using an Azure AD token instead of a cryptographic key has some additional security benefits.
    With Azure AD authentication, the identity is validated against Azure AD identity provider. Using Azure AD identities centralizes identity management and auditing.
    Once you decide to use Azure AD authentication, you can disable authentication using keys.

  • warning: AZR-000283 - By default, a public endpoint is enabled for Cognitive Services accounts. The public endpoint is used for all access except for requests that use a Private Endpoint. Access through the public endpoint can be disabled or restricted to authorized virtual networks.
    Data exfiltration is an attack where a malicious actor does an unauthorized data transfer. Private Endpoints help prevent data exfiltration by an internal or external malicious actor. They do this by providing clear separation between public and private endpoints. As a result, broad access to public endpoints which could be operated by a malicious actor is not required.

  • error: AZR-000202 - By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.
    After changing the default action from Allow to Deny, configure one or more rules to allow traffic. Traffic can be allowed from:
      • Azure services on the trusted service list.
      • IP address or CIDR range.
      • Private endpoint connections.
      • Azure virtual network subnets with a Service Endpoint.

  • error: AZR-000198 - Blob containers in Azure Storage Accounts can be configured for private or anonymous public access. By default, containers are private and only accessible with a credential or access token. When a container is configured with an access type other than private, anonymous access is permitted.
    Anonymous access to blobs or containers can be restricted by setting allowBlobPublicAccess to false. This enhanced security setting for a storage account overrides the individual settings for blob containers. When you disallow public access for a storage account, blobs are no longer accessible anonymously.

  • error: AZR-000363 - Container apps environments allow you to expose your container app to the Internet.
    Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.
    Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer.
    This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.
    To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

  • error: AZR-000363 - Container apps environments allow you to expose your container app to the Internet.
    Container apps environments deployed as external resources are available for public requests. External environments are deployed with a virtual IP on an external, public facing IP address.
    Disable public network access to improve security by exposing the Container Apps environment through an internal load balancer.
    This removes the need for a public IP address and prevents internet access to all Container Apps within the environment.
    To provide secure access, instead consider using an Application Gateway or Azure Front Door premium in front of your Container Apps on your private VNET.

  • error: AZR-000361 - Using managed identities has the following benefits:
      • Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
      • You can use role-based access control to grant specific permissions to a managed identity.
      • System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
      • You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
      • You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
      • You can use managed identity to create connections for Dapr-enabled applications via Dapr components.

How to fix?

The full Definition of Done of the AI-Gallery template and fix approaches can be found HERE.
