Releases: TacoRocket/AzureFox
1.5.0 - Grouped Chains And DevOps Proof
v1.5.0 is where grouped chains gets a lot more usable live, and where devops / chains deployment-path starts pulling real Azure Repos pipeline evidence into the picture instead of leaving that whole story trapped in YAML.
What shipped:
- YAML-backed Azure DevOps pipeline evidence, so devops and chains deployment-path can now surface repo-backed Azure service connections and variable groups from real pipeline definitions and same-repo local templates instead of making you go prove that by hand
- strict grouped chains artifact reuse for compatible local source JSON, so repeat family reruns can reuse evidence that already exists instead of recollecting the same backing commands every time
- batched role-trusts Graph fanout, which speeds up trust-edge collection and carries forward into grouped chains families that depend on the same trust reads
  In testing, the same trust-edge collection dropped from around 342 seconds to as low as 24 seconds depending on the environment, which worked out to roughly a 78.6% to 93% reduction in time.
  That carried forward into grouped chains runs too:
  - escalation-path dropped from 26 seconds to 2 seconds, about 16x faster and roughly 93% less time.
  - deployment-path dropped from 38 seconds to 1.62 seconds, about 23x faster and roughly 95% less time.
  - compute-control dropped from 19 seconds to 1.6 seconds, about 11.8x faster and roughly 91.6% less time.
- tighter reduced-view and maintenance-mode truthfulness across permissions, tokens-credentials, credential-path, deployment-path, functions, arm-deployments, and resource-trusts, so partial visibility reads as partial visibility instead of sounding like stronger proof than the run actually earned
Project note:
AzureFox is moving into maintenance mode from here. If people find issues that are real blockers for usage or that break the tool against its current expectations, those will still get fixed and patched.
The bigger push from here is going into the Go rewrite in HarrierOps Azure.
1.4.0 - Compute-control chain added
v1.4.0 is a big step for AzureFox because it closes the gap between flat reconnaissance and defended operator follow-on. This release ships the new compute-control chain family plus first-class container-apps and container-instances commands, so container-heavy environments are now visible both as direct inventory and as joined control-path opportunities. In practice, that means AzureFox can do more of the "what can I reach from here, and why does it matter?" work in one pass instead of making the operator stitch it together manually.
| priority | when | reach from here | compute foothold | token path | identity | Azure access | proof status |
| --- | --- | --- | --- | --- | --- | --- | --- |
| high | act now | public exposure visible; exploitation not proved | app-empty-mi | service token request | app-empty-mi-system | Contributor across subscription-wide scope | confirmed |

note: AppService 'app-empty-mi' can request tokens as app-empty-mi-system; that identity already maps to Contributor across subscription-wide scope. To turn this into downstream Azure access, an operator would need server-side execution in this public-facing service. AzureFox is a recon tool and does not verify exploitation activity beyond what is explicitly stated here.
What's Changed
- docs: sharpen positioning and retire planning notes by @TacoRocket in #84
- test: cover vms and snapshots flows by @TacoRocket in #85
- deps: update pytest-cov requirement from <6,>=5.0 to >=5.0,<8 by @dependabot[bot] in #66
- tighten credential-path proof boundaries by @TacoRocket in #86
- Harden deployment-path actionability by @TacoRocket in #87
- deps: update azure-mgmt-network requirement from <27,>=26.0 to >=26.0,<31 by @dependabot[bot] in #35
- fix: harden deployment path joins and docs by @TacoRocket in #88
- Align chain wording and issue scope contract by @TacoRocket in #89
- deps: update azure-mgmt-resource requirement from <24,>=23.1 to >=23.1,<26 by @dependabot[bot] in #33
- Tighten chain-family output wording and proof boundaries by @TacoRocket in #90
- Finish deployment-path slice by @TacoRocket in #91
- Refine compute-control mixed identity paths by @TacoRocket in #93
- Add container workload coverage and tighten compute-control by @TacoRocket in #94
- Refine chains README blurbs by @TacoRocket in #95
- chore: prepare v1.4.0 release by @TacoRocket in #96
Full Changelog: v1.3.0...v1.4.0
1.3.0 - Credential-path chain shipped
v1.3.0 is where AzureFox's chain views became a real shipped workflow instead of just supporting clues. This release landed the reusable chain plumbing, shipped credential-path, and tightened the wording and proof boundaries so the tool could start showing defended follow-on paths without overstating what the current access proved.
What's Changed
- feat: add application-gateway command by @TacoRocket in #58
- fix: hydrate thin service reads by @TacoRocket in #59
- feat: add chains scaffold and loot contract by @TacoRocket in #60
- Deprecate all-checks and tighten operator wording by @TacoRocket in #61
- Enforce publish metadata guardrails by @TacoRocket in #62
- feat: implement credential-path chains by @TacoRocket in #63
- feat: tighten lane 2 chain hints by @TacoRocket in #64
- docs: link supported commands to wiki pages by @TacoRocket in #65
- docs: tighten offensive recon wording across help and wiki by @TacoRocket in #67
- feat: tighten identity chain hints by @TacoRocket in #68
- feat: add role-trusts hints and command output examples by @TacoRocket in #69
- chore: remove handoff artifacts from repo by @TacoRocket in #70
- Reframe deployment path around source actionability by @TacoRocket in #71
- docs: update license attribution by @TacoRocket in #72
- Harden devops trusted input proof follow-ups by @TacoRocket in #73
- Add escalation-path v1 and trust transform fields by @TacoRocket in #74
- docs: refresh README first-run positioning by @TacoRocket in #75
- Update README.md by @TacoRocket in #76
- Remove all-checks and harden output paths by @TacoRocket in #77
- Auth mode reporting and visibility tier seed by @TacoRocket in #78
- Extend visibility tiers for DevOps and Functions by @TacoRocket in #79
- feat: streamline chains runtime and overview by @TacoRocket in #80
- fix: hydrate automation and clarify role trusts by @TacoRocket in #81
- feat: add credential-path verification registry by @TacoRocket in #82
- chore: prepare v1.3.0 release by @TacoRocket in #83
Full Changelog: v1.2.0...v1.3.0
1.2.0 - Phase 4 service lane completed
v1.2.0 closed the first Azure-native service expansion wave for AzureFox. This is the release where the tool grew beyond the initial core recon surface and started covering more of the operator's real Azure follow-on space with shipped snapshots-disks, vmss, lighthouse, cross-tenant, automation, and devops command coverage.
What's Changed
- feat: add snapshots-disks and reorganize wiki docs by @TacoRocket in #49
- feat: add vmss command slice by @TacoRocket in #50
- feat: add lighthouse command and retire sort drift by @TacoRocket in #51
- feat: add cross-tenant command and retire drift by @TacoRocket in #52
- feat: add automation command and retire drift by @TacoRocket in #53
- Add devops command slice by @TacoRocket in #55
- feat: retire remaining drift and phase 4 fixes by @TacoRocket in #56
- chore: bump phase 4 release to 1.2.0 by @TacoRocket in #57
Full Changelog: v1.1.0...v1.2.0
1.1.0 - First grounded depth tranche added
v1.1.0 was the first release that pushed AzureFox past simple presence reporting and into richer operator-facing depth. Existing commands started surfacing more meaningful posture, ranking, and follow-up value across ACR, databases, DNS, storage, AKS, and network-effective so the tool could better answer what deserves attention first.
What's Changed
- ci: bump actions/checkout from 4 to 6 by @dependabot[bot] in #30
- ci: bump actions/setup-python from 5 to 6 by @dependabot[bot] in #31
- deps: update rich requirement from <14,>=13.7 to >=13.7,<15 by @dependabot[bot] in #34
- fix: tighten help UX and repo housekeeping by @TacoRocket in #36
- fix: replace logo asset with cleaner transparent crop by @TacoRocket in #37
- fix: make default install operational by @TacoRocket in #38
- docs: simplify quickstart install by @TacoRocket in #39
- docs: move quickstart higher by @TacoRocket in #40
- chore: stop tracking ds store by @TacoRocket in #41
- docs: add wiki bootstrap seed pages by @TacoRocket in #42
- feat: add role-trusts collection modes by @TacoRocket in #43
- ci: bump actions/download-artifact from 4 to 8 by @dependabot[bot] in #32
- ci: bump actions/upload-artifact from 4 to 7 by @dependabot[bot] in #29
- Add network-effective triage view by @TacoRocket in #44
- feat: land first grounded depth tranche progress by @TacoRocket in #45
- expand acr and relational database depth by @TacoRocket in #46
- feat: deepen dns and storage command posture by @TacoRocket in #47
- chore: prepare v1.1.0 release by @TacoRocket in #48
New Contributors
- @dependabot[bot] made their first contribution in #30
Full Changelog: v1.0.0...v1.1.0
1.0.0 - AzureFox launched
v1.0.0 is the first public AzureFox release boundary. It established the core offensive Azure recon surface across identity, privilege, secrets, workloads, network, storage, apps, APIs, and databases, along with the packaging and release path needed to ship the tool as a real installable product.
What's Changed
- docs: clarify Azure CLI web auth and non-web options by @TacoRocket in #1
- feat: add permissions command slice by @TacoRocket in #2
- docs: trim roadmap to public summary by @TacoRocket in #3
- feat: add scoped help surface by @TacoRocket in #4
- chore: ignore local output artifacts by @TacoRocket in #5
- feat: add privesc command slice by @TacoRocket in #6
- feat: add role-trusts command slice by @TacoRocket in #7
- feat: add auth-policies command slice by @TacoRocket in #8
- add keyvault slice by @TacoRocket in #9
- improve terminal operator ux by @TacoRocket in #10
- add resource-trusts slice by @TacoRocket in #11
- add arm-deployments slice by @TacoRocket in #12
- fix arm-deployments drift by @TacoRocket in #13
- add env-vars slice by @TacoRocket in #14
- fix: align keyvault exposure findings by @TacoRocket in #15
- feat: add tokens-credentials slice by @TacoRocket in #16
- Add Phase 3 network foundation slices by @TacoRocket in #17
- feat: add workloads command by @TacoRocket in #18
- Add app-services command by @TacoRocket in #19
- feat: add functions command by @TacoRocket in #20
- feat: add api-mgmt command by @TacoRocket in #21
- feat: add aks command by @TacoRocket in #22
- feat: add acr command by @TacoRocket in #23
- feat: add databases command by @TacoRocket in #24
- feat: add dns command by @TacoRocket in #25
- fix: harden trust edge truthfulness by @TacoRocket in #26
- Harden release readiness and packaging by @TacoRocket in #27
- Prepare AzureFox v1.0.0 release by @TacoRocket in #28
New Contributors
- @TacoRocket made their first contribution in #1
Full Changelog: https://github.com/TacoRocket/AzureFox/commits/v1.0.0