Microsoft AzureOverview
Function App runtime stacks eventually go out of support as language versions and platform images age. Unsupported runtimes can carry unpatched vulnerabilities, may block platform upgrades, and often prevent teams from consuming current security features.
Runtime upgrades should be handled as a release-management activity: validate code compatibility, update dependencies, redeploy, and monitor the new version.
Remediation guidance
Remediation
Move the Function App to a supported runtime stack. The exact command depends on the operating system and language stack, so validate the target runtime in a staging slot or non-production app first.
Azure CLI
Inspect the current runtime settings:
az functionapp config show \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}} \
--query '{linuxFxVersion:linuxFxVersion,nodeVersion:nodeVersion,pythonVersion:pythonVersion,javaVersion:javaVersion,powerShellVersion:powerShellVersion,netFrameworkVersion:netFrameworkVersion}'
For Linux Function Apps, set the target runtime stack. Replace {{manual.linuxFxVersion}} with the approved stack value, for example a currently supported PYTHON|..., NODE|..., DOTNET-ISOLATED|..., or JAVA|... value.
az functionapp config set \
--resource-group {{asset.azureResourceGroup}} \
--name {{asset.name}} \
--linux-fx-version "{{manual.linuxFxVersion}}"
For Windows Function Apps, update the language-specific setting supported by your stack and deployment model, then redeploy the function package from CI/CD.
Rollout guidance
- Update application dependencies and build images/packages against the target runtime.
- Use deployment slots for production Function Apps and swap only after health checks pass.
- Validate triggers, bindings, managed identity access, and outbound dependencies after redeploy.
- Add CI/CD checks so unsupported runtime stack values cannot be reintroduced.
References
- https://learn.microsoft.com/en-us/azure/azure-functions/supported-languages
- https://learn.microsoft.com/en-us/cli/azure/functionapp/config
Query logic
These are the stored checks tied to this control.
Azure Function Apps with unsupported runtime
Connectors
Covered asset types
Expected check: eq []
{
functionApps(
where: {
configs_SOME: {
isDeprecated: { eq: true }
OR: [
{ NOT: { nodeVersion: { eq: "" } } }
{ NOT: { pythonVersion: { eq: "" } } }
{ NOT: { javaVersion: { eq: "" } } }
{ NOT: { powerShellVersion: { eq: "" } } }
{ NOT: { netFrameworkVersion: { eq: "" } } }
{ NOT: { linuxFxVersion: { eq: "" } } }
]
}
}
) {
...AssetFragment
}
}
