Vishnu Ajith

We built a free open source alternative to Wiz for Azure — here is how it works

Enterprise cloud security tools like Wiz, Prisma Cloud, and
Microsoft Defender for Cloud cost upwards of $500,000 per year.
Most organisations running on Azure simply cannot afford them.

So we built OpenShield — a free, open source Cloud Security
Posture Management (CSPM) platform for Azure.

What is OpenShield

OpenShield scans your Azure subscription for misconfigurations,
maps every finding to compliance frameworks, and ships an
automated remediation playbook for every single rule.

It is built in Python, MIT licensed, and completely free.

github.com/openshield-org/openshield

What it detects

OpenShield currently has 20+ scan rules across six categories:

  • Storage — public blob access, missing lifecycle policies, disabled diagnostic logging
  • Network — open SSH/RDP, missing NSGs, no DDoS protection, WAF disabled, VPN using IKEv1, Network Watcher not enabled
  • Identity — overprivileged service principals, MFA not enforced, unrestricted guest access in Entra ID
  • Database — public PostgreSQL access, SQL auditing disabled
  • Compute — VMs with no NSG, unencrypted disks
  • Key Vault — soft delete disabled, public network access, diagnostic logging disabled

Every rule returns a structured finding with the resource ID,
description, remediation steps, and a link to the playbook.

Compliance mapping

Every finding is automatically mapped to four frameworks:

  • CIS Azure Benchmark
  • NIST CSF
  • ISO 27001
  • SOC 2 Type II

This means you get compliance posture out of the box with
no manual mapping required.
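To make the two sections above concrete, here is an added example (not OpenShield's own code) of a scan rule in the shape the post describes: it evaluates storage accounts for public blob access and returns a structured finding carrying the resource ID, description, remediation steps, playbook link and a mapping to the four frameworks. The rule ID, playbook path and control references are labelled placeholders, and the inventory is constructed rather than fetched from Azure.

```python
from dataclasses import dataclass, field, asdict
from typing import Optional

# Hypothetical rule id, playbook path and control references: the project's real
# identifiers for this rule are not in the post, so these are labelled placeholders.
RULE_ID = "AZ-STOR-00X"
PLAYBOOK = f"playbooks/fix_{RULE_ID.lower().replace('-', '_')}.sh"
COMPLIANCE = {"CIS Azure Benchmark": "CIS-CONTROL-PLACEHOLDER",
              "NIST CSF": "NIST-CONTROL-PLACEHOLDER",
              "ISO 27001": "ISO-CONTROL-PLACEHOLDER",
              "SOC 2 Type II": "SOC2-CONTROL-PLACEHOLDER"}

@dataclass
class Finding:
    rule_id: str
    resource_id: str
    severity: str
    description: str
    remediation: list
    playbook: str
    compliance: dict = field(default_factory=dict)

def check_public_blob_access(account: dict) -> Optional[Finding]:
    """Flag an account unless anonymous blob access is explicitly disabled.
    allowBlobPublicAccess is the ARM property on Microsoft.Storage/storageAccounts;
    an absent value was never set, so it is treated as unverified and flagged."""
    if account.get("properties", {}).get("allowBlobPublicAccess") is False:
        return None
    return Finding(
        rule_id=RULE_ID, resource_id=account["id"], severity="HIGH",
        description=f"Storage account {account['name']} permits anonymous blob access",
        remediation=["Set allowBlobPublicAccess to false on the account",
                     "Audit containers whose public access level is not Private"],
        playbook=PLAYBOOK, compliance=dict(COMPLIANCE))

def scan_storage_accounts(accounts: list) -> list:
    """Run the rule over an inventory; findings come back as JSON-ready dicts."""
    return [asdict(f) for f in map(check_public_blob_access, accounts) if f]

def _account(name: str, props: dict) -> dict:
    """Build a constructed storage-account record shaped like the Azure API response."""
    rg = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/app-rg"
    return {"id": f"{rg}/providers/Microsoft.Storage/storageAccounts/{name}",
            "name": name, "properties": props}

# Constructed sample inventory: one explicit allow, one never set, one locked down.
SAMPLE_ACCOUNTS = [_account("appdata", {"allowBlobPublicAccess": True}),
                   _account("legacylogs", {}),
                   _account("lockeddown", {"allowBlobPublicAccess": False})]
```

Running `scan_storage_accounts(SAMPLE_ACCOUNTS)` yields two findings (the explicit allow and the never-set account) and none for the locked-down account.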

Remediation playbooks

This is the part that makes OpenShield different from most
open source security tools.

Every scan rule ships with a hardened CLI playbook. When you
get a finding, you do not just learn what is wrong — you get
the exact command to fix it.

Example playbook for AZ-STOR-004 (storage diagnostic logging):

./fix_az_stor_004.sh my-resource-group my-storage-account \
  /subscriptions/.../resourceGroups/log-rg/.../logstore

Playbooks are hardened with input validation, shell injection
prevention, secure temp file handling, and confirmation prompts
before making any changes.

Microsoft Sentinel integration

OpenShield pushes findings directly to Microsoft Sentinel via
Log Analytics. Four KQL detection rules are included out of
the box:

  • HIGH severity findings in the last 24 hours
  • Misconfiguration wave detection
  • Persistent misconfigurations
  • New resource type critical findings

This means you get SIEM-level visibility from a free open
source tool.

The API

A Flask REST API exposes scan results, compliance scores, and
findings data. It is deployed on Render and live at:

https://openshield-api.onrender.com

Endpoints include:

  • GET /api/findings — list all findings with filters
  • GET /api/score — security posture score (0-100)
  • GET /api/compliance/cis — CIS compliance breakdown
  • GET /api/compliance/nist — NIST compliance breakdown
  • POST /api/scans/trigger — trigger a live scan

CI pipeline

Every pull request runs seven automated checks:

  1. Python syntax check on all rule files
  2. Rule structure validation and RULE_ID uniqueness
  3. Hardcoded credential scan
  4. Playbook existence and bash syntax validation
  5. Compliance JSON validation across all four frameworks
  6. API syntax check
  7. Compliance vs rule cross-reference

This means every contribution is validated before it touches
the main branch.
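As an added example (not the project's own CI code), this is how checks 2, 5 and 7 from the list above can be implemented: RULE_ID uniqueness and rule structure validation, presence of all four compliance files, and a cross-reference so that every rule is mapped in every framework and no mapping points at a rule that does not exist. The rule attribute names, framework keys and fixtures are assumptions constructed for the example.

```python
import re
# Assumed shapes: each rule module exposes these module-level attributes, and each
# framework's compliance JSON maps RULE_ID -> control reference. Neither is in the post.
REQUIRED_FIELDS = ("RULE_ID", "SEVERITY", "DESCRIPTION", "PLAYBOOK")
FRAMEWORKS = ("cis", "nist", "iso27001", "soc2")
RULE_ID_RE = re.compile(r"^AZ-[A-Z]+-\d{3}$")  # pattern inferred from AZ-STOR-004 in the post

def validate_rules(rules: list) -> list:
    """Check 2: required fields present, RULE_ID well formed and unique across files."""
    errors, seen = [], {}
    for rule in rules:
        src = rule.get("FILE", "<unknown file>")
        missing = [f for f in REQUIRED_FIELDS if f not in rule]
        if missing:
            errors.append(f"{src}: missing {', '.join(missing)}")
            continue
        rid = rule["RULE_ID"]
        if not RULE_ID_RE.match(rid):
            errors.append(f"{src}: malformed RULE_ID {rid!r}")
        if rid in seen:
            errors.append(f"{src}: duplicate RULE_ID {rid} (already in {seen[rid]})")
        seen.setdefault(rid, src)
    return errors

def cross_reference(rules: list, compliance: dict) -> list:
    """Checks 5 and 7: each framework file exists, maps every rule, and names no unknown rule."""
    ids = {r["RULE_ID"] for r in rules if "RULE_ID" in r}
    errors = []
    for fw in FRAMEWORKS:
        mapping = compliance.get(fw)
        if not isinstance(mapping, dict):
            errors.append(f"{fw}: compliance JSON missing or not an object")
            continue
        errors += [f"{fw}: rule {rid} has no control mapping" for rid in sorted(ids - set(mapping))]
        errors += [f"{fw}: mapping for unknown rule {rid}" for rid in sorted(set(mapping) - ids)]
    return errors

def _rule(rid, src):  # constructed rule record, mirroring the module attributes above
    return {"RULE_ID": rid, "SEVERITY": "MEDIUM", "DESCRIPTION": f"{rid} check",
            "PLAYBOOK": f"fix_{rid.lower().replace('-', '_')}.sh", "FILE": src}

# Constructed fixtures: a duplicate id, a malformed id and an orphaned mapping.
SAMPLE_RULES = [_rule("AZ-STOR-004", "az_stor_004.py"),
                _rule("AZ-STOR-004", "az_stor_004_copy.py"),
                _rule("az-kv-1", "az_kv_001.py")]
SAMPLE_COMPLIANCE = {
    "cis": {"AZ-STOR-004": "CTRL-PLACEHOLDER", "az-kv-1": "CTRL-PLACEHOLDER"},
    "nist": {"AZ-STOR-004": "CTRL-PLACEHOLDER", "az-kv-1": "CTRL-PLACEHOLDER", "AZ-NET-099": "CTRL-PLACEHOLDER"},
    "iso27001": {"AZ-STOR-004": "CTRL-PLACEHOLDER", "az-kv-1": "CTRL-PLACEHOLDER"},
    "soc2": {"AZ-STOR-004": "CTRL-PLACEHOLDER"},
}
```

Against the fixtures, `validate_rules` reports the duplicate and the malformed ID, and `cross_reference` reports the orphan in `nist` and the missing mapping in `soc2`; a pipeline would fail the PR when either list is non-empty.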

How to run it

git clone https://github.com/openshield-org/openshield
cd openshield
pip install -r requirements.txt

cp .env.example .env
# Add your Azure credentials to .env

python scanner/engine.py

You need an Azure service principal with Reader role on your
subscription. Full setup guide is in the repo.

How it was built

OpenShield was built in public by students and engineers from
Ulster University, Southampton Solent University, and Middlesex
University alongside researchers at Quentangle Quantum Systems
in London.

Every contributor has a PR merged into a production-grade open
source security tool. That goes on their GitHub profile and CV
permanently.

Contributing

OpenShield is actively looking for contributors. If you want
to add a scan rule, write a remediation playbook, or improve
the compliance mappings, the contributing guide gets you
making your first PR in under 30 minutes.

github.com/openshield-org/openshield

Good first issues are labelled and waiting. The whole team
is available on Discord to help you through your first PR.

What is next

  • React dashboard with live demo URL
  • 30+ scan rules
  • BSides Birmingham conference talk
  • OWASP project listing

If you work in cloud security and want a free tool that
actually works, or you want your first open source contribution
on a real security project — come build with us.

github.com/openshield-org/openshield
