Add container workload coverage and tighten compute-control

README.md

@@ -1,7 +1,7 @@
 # AzureFox
 
 <p align="center">
-  <img src="docs/branding/azurefox-logo.png" alt="AzureFox logo" width="180" />
+  <img src="docs/branding/azurefox-logo.png" alt="AzureFox logo" height="240" />
 </p>
 
 Find attack paths, pivot opportunities, and movement across Azure before you drown in inventory.
@@ -97,6 +97,14 @@ azurefox permissions
 
 ## Currently Supported Azure Commands
 
+### Orchestration
+
+| Grouped Command | Live Families |
+| --- | --- |
+| [`chains`](https://github.com/TacoRocket/AzureFox/wiki/Chains) | [`credential-path`](https://github.com/TacoRocket/AzureFox/wiki/Chains-Credential-Path), [`deployment-path`](https://github.com/TacoRocket/AzureFox/wiki/Chains-Deployment-Path), [`escalation-path`](https://github.com/TacoRocket/AzureFox/wiki/Chains-Escalation-Path), [`compute-control`](https://github.com/TacoRocket/AzureFox/wiki/Chains-Compute-Control) |
+
+### Flat Commands
+
 | Section | Commands |
 | --- | --- |
 | `core` | [`inventory`](https://github.com/TacoRocket/AzureFox/wiki/Inventory) |
@@ -106,8 +114,7 @@ azurefox permissions
 | `resource` | [`automation`](https://github.com/TacoRocket/AzureFox/wiki/Automation), [`devops`](https://github.com/TacoRocket/AzureFox/wiki/Devops), [`acr`](https://github.com/TacoRocket/AzureFox/wiki/ACR), [`api-mgmt`](https://github.com/TacoRocket/AzureFox/wiki/API-Mgmt), [`databases`](https://github.com/TacoRocket/AzureFox/wiki/Databases), [`resource-trusts`](https://github.com/TacoRocket/AzureFox/wiki/Resource-Trusts) |
 | `storage` | [`storage`](https://github.com/TacoRocket/AzureFox/wiki/Storage) |
 | `network` | [`nics`](https://github.com/TacoRocket/AzureFox/wiki/Nics), [`dns`](https://github.com/TacoRocket/AzureFox/wiki/DNS), [`endpoints`](https://github.com/TacoRocket/AzureFox/wiki/Endpoints), [`network-effective`](https://github.com/TacoRocket/AzureFox/wiki/Network-Effective), [`network-ports`](https://github.com/TacoRocket/AzureFox/wiki/Network-Ports) |
-| `compute` | [`workloads`](https://github.com/TacoRocket/AzureFox/wiki/Workloads), [`app-services`](https://github.com/TacoRocket/AzureFox/wiki/App-Services), [`functions`](https://github.com/TacoRocket/AzureFox/wiki/Functions), [`aks`](https://github.com/TacoRocket/AzureFox/wiki/AKS), [`vms`](https://github.com/TacoRocket/AzureFox/wiki/VMs), [`vmss`](https://github.com/TacoRocket/AzureFox/wiki/VMSS), [`snapshots-disks`](https://github.com/TacoRocket/AzureFox/wiki/Snapshots-Disks) |
-| orchestration | [`chains`](https://github.com/TacoRocket/AzureFox/wiki/Chains) |
+| `compute` | [`workloads`](https://github.com/TacoRocket/AzureFox/wiki/Workloads), [`app-services`](https://github.com/TacoRocket/AzureFox/wiki/App-Services), [`functions`](https://github.com/TacoRocket/AzureFox/wiki/Functions), [`container-apps`](https://github.com/TacoRocket/AzureFox/wiki/Container-Apps), [`container-instances`](https://github.com/TacoRocket/AzureFox/wiki/Container-Instances), [`aks`](https://github.com/TacoRocket/AzureFox/wiki/AKS), [`vms`](https://github.com/TacoRocket/AzureFox/wiki/VMs), [`vmss`](https://github.com/TacoRocket/AzureFox/wiki/VMSS), [`snapshots-disks`](https://github.com/TacoRocket/AzureFox/wiki/Snapshots-Disks) |
 
 ## Need A Test Lab?
 

src/azurefox/chains/compute_control.py

@@ -566,6 +566,11 @@ def _build_compute_control_record(
             "tokens "
             f"as {identity_name}; that identity already maps to {stronger_outcome}."
         )
+    why_care = _compute_control_why_care(
+        why_care,
+        surface_row=surface_row,
+        workload_row=workload_row,
+    )
     evidence_commands = ["tokens-credentials", "workloads"]
     joined_surface_types = ["managed-identity-token", "workload"]
     if mixed_identity_corroborated:
@@ -711,6 +716,11 @@ def _build_mixed_identity_candidate_record(
         "identities. AzureFox cannot yet defend one chosen identity, but visible Azure control "
         f"currently maps to {stronger_outcome}."
     )
+    why_care = _compute_control_why_care(
+        why_care,
+        surface_row=surface_row,
+        workload_row=workload_row,
+    )
 
     evidence_commands = ["tokens-credentials", "workloads"]
     joined_surface_types = ["managed-identity-token", "workload"]
@@ -813,6 +823,63 @@ def _compute_control_next_review(workload_row: dict, *, identity_choice_basis: s
     )
 
 
+def _compute_control_why_care(
+    base_text: str,
+    *,
+    surface_row: dict,
+    workload_row: dict,
+) -> str:
+    return f"{base_text} {_compute_control_required_foothold(surface_row, workload_row)}"
+
+
+def _compute_control_required_foothold(surface_row: dict, workload_row: dict) -> str:
+    access_path = str(surface_row.get("access_path") or "")
+    asset_kind = str(workload_row.get("asset_kind") or "workload")
+    public_signal = _has_public_compute_signal(workload_row)
+    public_compute_label = (
+        "this public-facing container group"
+        if asset_kind == "ContainerInstance"
+        else "this public-facing service"
+    )
+    internal_compute_label = (
+        "this container group" if asset_kind == "ContainerInstance" else "this workload"
+    )
+
+    if access_path == "workload-identity":
+        if public_signal:
+            return (
+                "To turn this into downstream Azure access, an operator would need "
+                f"server-side execution in {public_compute_label}. AzureFox is a recon tool "
+                "and does not verify exploitation activity beyond what is explicitly stated here."
+            )
+        return (
+            "To turn this into downstream Azure access, an operator would need a service-side "
+            f"foothold that can run inside {internal_compute_label} and invoke its token request "
+            "path. "
+            "AzureFox does not yet show that start from the current foothold."
+        )
+
+    if access_path == "imds":
+        if public_signal:
+            return (
+                "To turn this into downstream Azure access, an operator would need a "
+                "server-side request path from this public-facing workload to the Azure VM "
+                "metadata service. AzureFox is a recon tool and does not verify exploitation "
+                "activity beyond what is explicitly stated here."
+            )
+        return (
+            f"To turn this into downstream Azure access, an operator would need host-level "
+            f"execution or admin access on this {asset_kind} so the Azure VM metadata token "
+            "path is reachable. AzureFox does not yet show that start from the current foothold."
+        )
+
+    return (
+        "To turn this into downstream Azure access, an operator would need a foothold that "
+        "can reach the workload-side token path. AzureFox does not yet show that start from "
+        "the current foothold."
+    )
+
+
 def _permission_control_summary(permission_row: dict | None) -> str | None:
     if not permission_row:
         return None

src/azurefox/cli.py

@@ -132,6 +132,16 @@ def functions(ctx: typer.Context) -> None:
     _run_single(ctx, "functions")
 
 
+@app.command("container-apps")
+def container_apps(ctx: typer.Context) -> None:
+    _run_single(ctx, "container-apps")
+
+
+@app.command("container-instances")
+def container_instances(ctx: typer.Context) -> None:
+    _run_single(ctx, "container-instances")
+
+
 @app.command("aks")
 def aks(ctx: typer.Context) -> None:
     _run_single(ctx, "aks")

src/azurefox/collectors/commands.py

@@ -28,6 +28,8 @@
     ArmDeploymentsOutput,
     AuthPoliciesOutput,
     AutomationOutput,
+    ContainerAppsOutput,
+    ContainerInstancesOutput,
     CrossTenantOutput,
     DatabasesOutput,
     DevopsOutput,
@@ -279,6 +281,41 @@ def collect_functions(provider: BaseProvider, options: GlobalOptions) -> Functio
     )
 
 
+def collect_container_apps(
+    provider: BaseProvider,
+    options: GlobalOptions,
+) -> ContainerAppsOutput:
+    data = provider.container_apps()
+    container_apps = sorted(data.get("container_apps", []), key=_container_app_sort_key)
+    return ContainerAppsOutput.model_validate(
+        {
+            "metadata": _metadata(provider, "container-apps", options),
+            "findings": [],
+            **data,
+            "container_apps": container_apps,
+        }
+    )
+
+
+def collect_container_instances(
+    provider: BaseProvider,
+    options: GlobalOptions,
+) -> ContainerInstancesOutput:
+    data = provider.container_instances()
+    container_instances = sorted(
+        data.get("container_instances", []),
+        key=_container_instance_sort_key,
+    )
+    return ContainerInstancesOutput.model_validate(
+        {
+            "metadata": _metadata(provider, "container-instances", options),
+            "findings": [],
+            **data,
+            "container_instances": container_instances,
+        }
+    )
+
+
 def collect_arm_deployments(provider: BaseProvider, options: GlobalOptions) -> ArmDeploymentsOutput:
     data = provider.arm_deployments()
     deployments = sorted(data.get("deployments", []), key=_arm_deployment_sort_key)
@@ -1048,6 +1085,24 @@ def _function_app_sort_key(item: dict) -> tuple[bool, bool, bool, tuple[int, int
     )
 
 
+def _container_app_sort_key(item: dict) -> tuple[bool, bool, bool, str]:
+    return (
+        not bool(item.get("external_ingress_enabled")),
+        not _has_workload_identity(item),
+        not bool(item.get("default_hostname")),
+        item.get("name") or "",
+    )
+
+
+def _container_instance_sort_key(item: dict) -> tuple[bool, bool, bool, str]:
+    return (
+        not bool(item.get("public_ip_address") or item.get("fqdn")),
+        not _has_workload_identity(item),
+        not bool(item.get("fqdn")),
+        item.get("name") or "",
+    )
+
+
 def _arm_deployment_sort_key(item: dict) -> tuple[int, int, int, int, bool, str, str]:
     link_count = int(bool(item.get("template_link"))) + int(bool(item.get("parameters_link")))
     provider_count = len(item.get("providers", []) or [])