{"id":18900291,"url":"https://github.com/hex0punk/goaz","last_synced_at":"2025-09-04T13:33:24.725Z","repository":{"id":56615945,"uuid":"197253348","full_name":"hex0punk/goaz","owner":"hex0punk","description":"Azure security auditor that finds what Azure Security Center doesn't","archived":false,"fork":false,"pushed_at":"2020-11-20T22:42:11.000Z","size":50,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-11-08T08:54:00.681Z","etag":null,"topics":["azure","azure-security","cloud-security","cloud-security-audit"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hex0punk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-07-16T19:12:54.000Z","updated_at":"2024-09-30T12:26:08.000Z","dependencies_parsed_at":"2022-08-15T22:00:49.648Z","dependency_job_id":null,"html_url":"https://github.com/hex0punk/goaz","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex0punk%2Fgoaz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex0punk%2Fgoaz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex0punk%2Fgoaz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hex0punk%2Fgoaz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hex0punk","download_url":"https://codeload.github.com/hex0punk/goaz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":231968161,"owners_count":18453565,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-security","cloud-security","cloud-security-audit"],"created_at":"2024-11-08T08:50:48.358Z","updated_at":"2024-12-31T09:29:17.843Z","avatar_url":"https://github.com/hex0punk.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Auditing Azure with goaz\n\ngoaz is a simple application meant to help researchers and blue teams audit azure. The following resources are supported:\n\n- Azure Kubernetes Services\n- Virtual Machine Scale Sets\n- Azure storage (containers, blobs, file shares, queues)\n- Service Bus\n- Key Vault\n- Azure Public Addresses\n- Network Security Groups\n\n## Getting Started\n\nCurrently, the only way to authenticate is to log in to the Azure CLI using `az login` and run `goaz`. `goaz` will then use the current CLI authentication values to do its job.\n\nAll commands require that you enter a `subscriptionId` value so that goaz knows which subscription to work with.\n\n## Supported checks\n\n### Storage\n\nGoaz checks the following types of Azure storage and verifies that secure transfers are enabled and that Firewall and VNET restrictions are in place. It also flags any storage resource with a public access type other than none.\n\n- Blobs\n- File Shares\n- Storage Queues\n\nTo perform an audit of all storage types listed above type the following:\n\n```shell\ngoaz storage --subscriptionId \u003csubscription ID\u003e -A\n```\n\nYou can also specify the resource group if desired:\n\n```shell\ngoaz storage --subscriptionId \u003csubscription ID\u003e --resourceGroup \u003cresource group name\u003e -A\n```\n\n#### Stalking Queues\n\nGoaz can also monitor storage queues by \"peeking\" into any given queue. Note that this does not remove messages from the queue. Use this functionality sparingly, as peeking into a queue can result in additional charges on your Azure account.\n\nTo stalk a message queue type the following:\n\n```shell\ngoaz stalk -q --subscriptionId \u003csubscription ID\u003e --account \u003cstorage account name\u003e -name outqueue --key \u003cstorage account key\u003e\n```\n\n### Virtual Machine Scale sets\n\nGoaz will look for issues due to missing Azure Disk Encryption (ADE), and will verify that boot diagnostics are turned on. It will also flag VMSS that are not configured with security groups.\n\n```shell\ngoaz vms --subscriptionId \u003csubscription ID\u003e\n```\n\n### Azure Kubernetes Services\n\nAt the moment, goaz will only list basic information for AKS, including the URL for the k8s API\n\n```shell\ngoaz aks --subscriptionId \u003csubscription ID\u003e\n```\n\n### Message Bus\n\nGoaz checks whether redundancy is enabled and whether VNET and Firewall rules are in place restricting public access to the queues.\n\n```shell\ngoaz sbus --subscriptionId \u003csubscription ID\u003e\n```\n\n### Azure Key Vault\n\nGoaz checks that Key Vaults are configured with Firewall rules and their access restricted by VNETs. It will also detect whether keys are used for deployments or disk encryption.\n\n```shell\ngoaz kv --subscriptionId \u003csubscription ID\u003e\n```\n\n### Network\n\nProvided by `goaz net`\n\n#### Network Security Groups\n\nGoaz checks for insecure security group settings:\n\n```shell\ngoaz net nsg --subscriptionId \u003csubscription ID\u003e\n```\n\n#### Public IPs\n\nGoaz checks for Azure public IPs and verifies DDoS protections are in place:\n\n```shell\ngoaz net pips --subscriptionId \u003csubscription ID\u003e\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhex0punk%2Fgoaz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhex0punk%2Fgoaz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhex0punk%2Fgoaz/lists"}