Frameworks mean nothing, until they change what gets built!
In this article we discuss how Git-Ape turns architecture and governance into delivery controls on Azure because, if frameworks do not shape delivery decisions, they are just decoration.
Cloud teams do not have a framework problem. They have an execution problem. The industry is full of architecture guidance, governance models, and security baselines, yet far too many deployments still reach production with obvious weaknesses because the frameworks are treated like reference material instead of delivery controls. That is the real issue, not a lack of standards, but a habit of consulting them too late and far too selectively.
This is where Git-Ape can help. It treats architecture, governance, and security guidance as part of the engineering path, not as a post-hoc review ritual. Instead of waiting for a design review, audit finding, or production incident to expose weak decisions, it brings those controls into the repo, the workflow, and the assessment loop itself. In other words, it shifts framework alignment from a compliance theatre exercise into something that can shape how systems get built.
Frameworks only matter when they force decisions
The cloud industry already has no shortage of guidance. The real question is whether that guidance is allowed to influence delivery decisions before weak patterns land in production. The Azure Well-Architected Framework is built around five pillars, Reliability, Security, Cost Optimization, Operational Excellence, and Performance Efficiency. These are designed specifically to force better trade-offs and better design choices.
Git-Ape pushes that logic into the workflow itself. Instead of asking teams to remember guidance, manually interpret policy, and then retrofit the outcome into infrastructure code, it turns those frameworks into an assessment loop that can challenge bad assumptions early. That is the difference between framework awareness and actual control.
Built-in framework coverage
| Framework | What it helps you evaluate | How Git-Ape uses it |
| Azure Well-Architected Framework | Architecture quality across security, reliability, performance efficiency, cost optimization, and operational excellence. | Scores each pillar, highlights gaps, and prioritizes remediation by severity. |
| NIST SP 800-53 Rev. 5 via Azure Policy | Whether platform controls align with a recognised security and compliance baseline. | Compares template posture with subscription policy posture, then recommends policy assignments and enforcement steps. |
| CAF naming and tagging guidance | Consistency, governance, and operational clarity across Azure resources. | Reinforces naming standards, required tags, and repeatable deployment patterns. |
Why weak delivery habits still ship weak systems
This matters because most cloud failures are not caused by ignorance. They come from the gap between what teams say they want and what they build. Security baselines are assumed instead of verified. Reliability trade-offs stay invisible until an outage forces the conversation. Cost decisions get celebrated as efficiency while quietly baking in operational fragility. The Well-Architected guidance exists to make those trade-offs explicit, and Git-Ape applies that logic to the repository and the Azure environment itself. It can surface missing HTTPS enforcement, over-scoped identity, absent observability, or a hosting choice that looks economical but makes the workload unreliable. In this model, frameworks stop being decorative best practice and start acting like engineering overwatch.
From passive guidance to engineering overwatch
Git-Ape combines repository analysis with architecture and policy context, which is exactly what most review processes pretend to do and rarely achieve. It reads infrastructure code, workflow definitions, and supporting documentation, then evaluates that material against explicit framework expectations. The result is not generic advice, a style check, or a glorified linting pass. It is an evidence-backed assessment tied directly to the artefacts that shape the deployment, where the design is solid, where it is weak, and which changes deserve priority. That creates a far more honest operating loop for platform teams who assess the workload, fix the highest-risk issues, and then re-run the same assessment to prove posture has improved instead of merely being discussed.
In practice, the loop is simple: review or generate infrastructure code, run a framework assessment, receive prioritized findings and remediation guidance, update the code and policy assignments, then assess again to confirm measurable improvement. That repeatability is the point. It turns architecture quality, governance posture, and security alignment into engineering outputs instead of one-off review theatre.
How to make a repo answer for its design
Assessing a codebase with Git-Ape is straightforward, but the value is not in running a scan and exporting a report. It is in forcing evidence into the conversation. Start by opening or cloning the repository so Git-Ape can inspect the infrastructure code, workflow definitions, and supporting documentation. Run a Well-Architected assessment to establish posture across the five Azure pillars. Then run a policy-oriented assessment to compare the design with the subscription’s actual Azure Policy baseline. Microsoft’s guidance for the NIST SP 800-53 Rev. 5 regulatory compliance initiative makes the same point plainly, policy mappings can help assess controls, but compliance in Azure Policy is only a partial view unless those controls are assigned and enforced. From there, the work is prioritisation, not documentation theatre, focus on the P0 and P1 issues, make the highest-value changes, and re-run the same assessment so improvement is measurable.
Illustrative Git-Ape prompts used for the examples
These prompts are included to show the kind of assessment commands that produced the output in the examples below. The example repositories are the same AWS source repo and Azure target repo used in the Microsoft DevBlogs migration walkthrough, Removing the Monkey Work of Migration, where Git-Ape analyses an AWS Terraform deployment and generates an Azure-native replacement. In that walkthrough, the source repo is contoso-migration, and the generated Azure repo is contoso-azure. The prompts shown here are illustrative examples of how an engineer could assess those repos after generation to inspect architecture quality, governance posture, and production-readiness gaps.
- @git-ape assess this repo <repo-url> for WAF
- @git-ape assess this repo <repo-url> for NIST
- @git-ape what architecture frameworks are set
- @git-ape what security frameworks are set
What engineering overwatch looks like
When this approach is working, the change is obvious. Frameworks are no longer cited in architecture decks and ignored in delivery. They are enforced through code, policy, and repeatable review. Security and reliability decisions become auditable because they are tied to repository evidence and concrete subscription-level controls. Over time, teams gain something far more useful than a polished governance narrative, they gain a defensible view of current posture and a repeatable way to prove improvement. The examples below show what that looks like when the assessment loop is applied to example workloads.
Example A — Cheap on paper, fragile in reality
The first assessment shows what Git-Ape exposes when a workload is still stuck in a lift-and-shift mindset. On paper, the design looks inexpensive. The scorecard reveals the usual bargain: weak security controls, limited resilience, almost no observability, and operational practices that would collapse under production pressure. This is exactly where framework-driven assessment earns its keep, not when a design is obviously broken, but when it looks serviceable until the evidence shows how fragile it really is.
The assessment was run against the AWS example repo from the migration blog using an illustrative prompt such as @git-ape assess this repo <contoso-migration> for WAF. The code being assessed is the same example deployment used to demonstrate the original state in the migration path, which makes the findings easier to interpret. The scorecard is showing what happens when the original lift-and-shift design is evaluated against architecture and operational standards, not just whether the code deploys.
| Pillar | Score | Reading |
| Security | 2.5 / 10 | Critical exposure and weak baseline controls. |
| Reliability | 3.5 / 10 | Single-instance design with no recovery path. |
| Performance Efficiency | 4.0 / 10 | Undersized and fragile under load. |
| Cost Optimization | 6.0 / 10 | Low cost, but with governance trade-offs. |
| Operational Excellence | 3.5 / 10 | No CI/CD, remote state, or observability baseline. |
| Overall | 3.9 / 10 | Functional, but not production ready. |
Representative critical findings:
- S1: SSH open to internet (0.0.0.0/0) — main.tf:104-109
- S3: No HTTPS on ALB — main.tf:287-296
- S4: Terraform state committed to git — terraform.tfstate.backup:1-200
- R1: Single EC2 instance SPOF — main.tf:218-243
- O3: No CI/CD workflows present —. GitHub/workflows/ absent
Example B — Better design, but not finished
The second assessment is more interesting because it shows real improvement without pretending the work is finished. The Azure-native design is stronger in the ways that matter, platform-managed runtime, better security defaults, integrated telemetry, and a more repeatable deployment path. But the scorecard still exposes the weaknesses that matter for pre-production readiness, including reliability concerns, broad role scope, and operational shortcuts that would need tightening before anyone should call the environment robust.
That is the right result. A credible assessment shows progress without overselling maturity.
The assessment was run against the generated Azure target repo from the same migration walkthrough using an illustrative prompt such as @git-ape assess this repo <contoso-azure> for WAF. That repo is intentionally stronger than the AWS source, but it is not presented as the final word on production readiness. The migration walkthrough stops at artefact generation and does not exercise the full hardening path, including onboarding, RBAC and OIDC setup, quality gates, controlled approvals, and post-deployment validation. That is why the Azure-native result is materially better while still showing clear pre-production gaps.
Representative high-impact findings:
What matters here is not just that findings exist, but that the evidence is specific enough to force action. Each issue is tied back to a file, a line range, or an observable gap in the repository structure. That makes the output useful instead of performative. Teams do not have to guess what the agent is reacting to or translate vague principles into engineering work. The remediation path is already anchored to the artefacts that need to change.
- R1: App Service plan is B1 (no SLA) infra/main.bicep:55-58
- R3/O2: Pipeline health check is non-blocking — .github/workflows/deploy.yml:86
- S1: Contributor role granted at subscription scope — README.md:70-72
- O1: CHAT_DISABLING_OPTIONS.md is AWS-specific and stale for Azure operations
Example C — A policy gap you cannot hand-wave away
The third example shifts from architecture quality to governance posture. A workload can look partially aligned with a framework in design terms while still lacking the policy assignments needed to make that alignment durable at scale. Azure Policy’s NIST SP 800-53 Rev. 5 regulatory compliance initiative maps controls to policy definitions, but Microsoft is explicit that policy compliance is only a partial view unless those controls are assigned and enforced in scope. Git-Ape makes that gap hard to ignore by separating what the code suggests from what the subscription enforces. In other words, it distinguishes between being NIST-aware and being NIST-governed.
| Check | Result |
| Framework | NIST SP 800-53 Rev. 5 |
| Initiative available | Yes — built-in regulatory compliance initiative present. |
| Initiative assigned | No — no active assignment at assessment time. |
| Current baseline | Three Security centre initiatives, none NIST-specific. |
| Overall posture | Partially NIST-aligned, but not NIST-enforced. |
Representative NIST-aligned recommendations generated:
- Assign NIST SP 800-53 Rev. 5 initiative in Audit mode first, then tighten to Deny for critical controls.
- Assign App Service HTTPS-only and Managed Identity policies to prevent drift.
- Add App Service diagnostic settings policy/implementation for AU-2 / AU-6 / AU-12 style audit controls.
Frameworks are only useful when are enforced.
If frameworks do not change what gets built, they are not controls. They are decoration. That is the real line Git-Ape draws. Frameworks such as the Azure Well-Architected Framework, the NIST SP 800-53 Rev. 5 regulatory compliance initiative in Azure Policy, and Cloud Adoption Framework guidance for naming and tagging only matter if they can change the code, the pipeline, and the deployment decisions in front of you. If they sit in a slide deck, a design review, or a policy library without influencing execution, they are not controls. They are just words, Git-Ape is useful because it forces those frameworks into the delivery path, where trade-offs become visible, weak decisions get challenged early, and improvement can be measured instead of asserted. In a cloud environment where speed is rising and governance pressure is not going away, that shift matters. The difference between teams that cite standards and teams that build with them is the difference, these teams are adding intelligence and trust.
0 comments
Be the first to start the discussion.