App Audit

Audit applications and their infrastructure configurations against the standards defined in your

Platform-Engineering-Constitution.md

Workflow

Read the platform constitution. Load
```
Platform-Engineering-Constitution.md
```
and extract all auditable standards (providers, regions, naming, tags, container standards, IaC conventions, network policies, secret management).
Discover application artifacts. Scan the repository for IaC files (
```
.bicep
```
,
```
.tf
```
,
```
*.yaml
```
), Dockerfiles, Kubernetes manifests, CI/CD configs, and application code.
Run audit checks against each category below.
Generate an audit report with findings, severity levels, and remediation recommendations.
Present the report to the user and offer to fix any issues found.

Audit Categories

1. Cloud Provider & Region Compliance

Check that all infrastructure targets only approved providers and regions.

Check	What to look for	Severity
Approved providers only	Provider blocks in Terraform, resource types in Bicep	🔴 Critical
Approved regions only	`location` , `region` parameters in IaC	🔴 Critical
No hardcoded cloud-specific resources in app.bicep	Should use portable Radius types	🟡 Warning

2. Container Standards

Verify Dockerfiles and container configurations meet standards.

Check	What to look for	Severity
Non-root user	`USER` directive in Dockerfile (not root)	🔴 Critical
Health endpoints	`/healthz` and `/readyz` endpoints in application code	🟡 Warning
Multi-stage build	Multiple `FROM` stages in Dockerfile	🟡 Warning
Image registry	Images reference approved registries (ACR, ECR)	🟡 Warning
No `latest` tag in production	Image tags should be pinned	🟡 Warning

3. IaC Standards

Validate Terraform/Bicep follows constitution conventions.

Check	What to look for	Severity
Approved IaC tooling	Only uses tooling listed in constitution	🔴 Critical
Module versions pinned	`version = "~> X.Y"` in module blocks	🟡 Warning
Remote state backend	`backend` block configured in Terraform	🟡 Warning
Variables have descriptions	All `variable` blocks have `description`	🟢 Info
Variables have type constraints	All `variable` blocks have `type`	🟢 Info
`terraform fmt` clean	Code passes `terraform fmt -check`	🟢 Info

4. Naming Conventions

Verify resource names follow the constitution's pattern.

Check	What to look for	Severity
Resource names match pattern	Names follow `<org>-<env>-<region>-<service>-<type>`	🟡 Warning
Consistent casing	All lowercase, hyphens as separators	🟢 Info

5. Tagging / Labeling

Ensure all required tags are present.

Check	What to look for	Severity
Required tags present	All tags from constitution ( `environment` , `team` , `service` , `managed-by` , `cost-center` )	🟡 Warning
No missing tags on resources	Every resource has all required tags	🟡 Warning

6. Network & Security

Validate network and security configurations.

Check	What to look for	Severity
NetworkPolicies defined	Kubernetes NetworkPolicy manifests exist	🟡 Warning
No secrets in source code	Grep for API keys, passwords, tokens	🔴 Critical
Secret management aligned	Uses approved secret management (K8s Secrets, Key Vault, Secrets Manager)	🟡 Warning
RBAC enabled	Cluster configs enable RBAC	🟡 Warning

7. Radius-Specific Checks

If the app uses Radius, validate Radius configuration.

Check	What to look for	Severity
`bicepconfig.json` exists	Required for Radius Bicep extensions	🔴 Critical
Portable resource types used	`Radius.Compute/` , `Radius.Data/` , `Radius.Storage/` , `Radius.Security/` , `Radius.AI/` , or `Applications.Datastores/` instead of cloud-specific	🟡 Warning
`environment` parameter present	All Radius resources include `environment`	🔴 Critical
Recipe properties set	Properties expected by recipes are declared (e.g., `size` )	🟡 Warning
Connection env var handling	App code handles both `_PROPERTIES` JSON and individual vars	🟡 Warning
Health probes configured	Container resources include readiness/liveness probes	🟡 Warning
No local file paths in recipes	Recipe template paths use OCI registry URLs	🔴 Critical
No `localhost` in image/recipe refs	Should use `host.docker.internal` or cloud registry	🟡 Warning

Treat

Radius.Data/redisCaches

as a valid custom pattern when the repo or environment explicitly includes that resource type, even though it is not part of the current checked-in inventory of

radius-resource-types

Audit Report Format

markdown

# Application Audit Report

**Repository:** <repo-name>
**Date:** <date>
**Constitution Version:** <version from changelog>

## Summary

| Severity | Count |
|----------|-------|
| 🔴 Critical | N |
| 🟡 Warning | N |
| 🟢 Info | N |
| ✅ Pass | N |

## Findings

### 🔴 Critical

#### [C1] <Finding Title>
- **File:** `path/to/file:line`
- **Issue:** Description of what's wrong
- **Constitution Reference:** Section N — <section title>
- **Remediation:** How to fix it

### 🟡 Warning

#### [W1] <Finding Title>
- **File:** `path/to/file:line`
- **Issue:** Description of what's wrong
- **Constitution Reference:** Section N — <section title>
- **Remediation:** How to fix it

### 🟢 Info

#### [I1] <Finding Title>
- **Recommendation:** Suggested improvement

### ✅ Passing Checks

- Provider compliance: ✅
- Region compliance: ✅
- Container non-root: ✅
- ...

How to Run an Audit

When invoked, perform these steps:

Find the constitution:

Look for Platform-Engineering-Constitution.md in repo root or parent directories

Scan for artifacts:

bash

# Find all auditable files
find . -name "*.bicep" -o -name "*.tf" -o -name "Dockerfile*" \
       -o -name "*.yaml" -o -name "*.yml" -o -name "bicepconfig.json"

Run checks by reading each file and comparing against constitution rules.

Check application code for health endpoints, connection handling, and secret exposure: