prowler-cloud/prowler

Azure - filtering scans by Resource Groups

Open

#10137 opened on Feb 23, 2026

View on GitHub
 (21 comments) (0 reactions) (1 assignee)Python (8,957 stars) (1,322 forks)batch import
feature-requesthelp wantednot-plannedprovider/azure

Description

Feature search

  • I have searched the existing issues and this feature has not been requested yet or is already in our Public Roadmap

Which component would this feature affect?

Prowler CLI/SDK

Related to specific cloud provider?

Azure

New feature motivation

At first thank you for the wonderful tool! I'd like to ask if it's possible to implement a simple switch for Azure scans that narrows down scans to a certain Resource Group. I often audit customers' Azure environments, but most often they request only one (or two) RGs to be validated, corresponding to the environment of some application - not entire Azure tenant/sub.

Solution Proposed

Adding a CLI arg for Azure scans like --resource-group group1 group2 that narrow searches to given RGs.

Use case and benefits

  1. Scans are faster, especially for large subscriptions.
  2. Scans consume less memory and disk, especially with Cloud Shell for large subscriptions.
  3. Scans are compliant with customer's scope ("Please audit only RG 'foo', 'bar' is out of scope").

Describe alternatives you've considered

For now I'm parsing JSON output with jq:

jq '.[] | select(.resources[].data.metadata.id|test("some-resource-group")?)' prowler-output-xxx.ocsf.json

Then load into my own simple HTML viewer. It does not, however, solve the problems described above in "use cases and benefits".

Additional context

No response

Contributor guide

Tech stack
pythonazure
Domain
cloudsecurity
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
blocked
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
PythonAzure SDK for PythonProwler contribution guide
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Review the existing Azure scanning implementation in the Prowler codebase, likely under `prowler/providers/azure/`. Look for how CLI arguments are defined (e.g., using Click or argparse) and how the scanner iterates over resources. The issue mentions adding a ` resource group` flag; follow existing patterns like ` region` for AWS. Check the comments for any proposed design or maintainer feedback.