From 06f5e413e54fac8e425066cc95256cb1fbfed2c0 Mon Sep 17 00:00:00 2001
From: Anthony Shaw
Date: Thu, 6 Jun 2024 19:03:08 +1000
Subject: [PATCH] Switch to PSRule for security analysis

---
 .github/workflows/bicep-audit.yml | 22 +++++++++++++++-------
 bicep/main.bicep | 2 +-
 bicep/main.test.bicep | 20 ++++++++++++++++++++
 bicep/modules/sqldb.bicep | 4 ++--
 ps-rule.yaml | 3 +++
 5 files changed, 41 insertions(+), 10 deletions(-)
 create mode 100644 bicep/main.test.bicep
 create mode 100644 ps-rule.yaml

diff --git a/.github/workflows/bicep-audit.yml b/.github/workflows/bicep-audit.yml
index eb7f66d..7ededd4 100644
--- a/.github/workflows/bicep-audit.yml
+++ b/.github/workflows/bicep-audit.yml
@@ -21,15 +21,23 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4
 
- - name: Run Microsoft Security DevOps Analysis
- uses: microsoft/security-devops-action@preview
- id: msdo
- continue-on-error: true
+ - name: Run PSRule analysis
+ uses: microsoft/ps-rule@v2.9.0
 with:
- tools: templateanalyzer
+ modules: PSRule.Rules.Azure
+ baseline: Azure.Pillar.Security
+ inputPath: bicep/*.test.bicep
+ outputFormat: Sarif
+ outputPath: reports/ps-rule-results.sarif
+ summary: true
+ continue-on-error: true
+
+ env:
+ PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
+ PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'
 
- - name: Upload alerts to Security tab
+ - name: Upload results to security tab
 uses: github/codeql-action/upload-sarif@v3
 if: github.repository_owner == 'Azure-Samples'
 with:
- sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+ sarif_file: reports/ps-rule-results.sarif
diff --git a/bicep/main.bicep b/bicep/main.bicep
index d62d9fb..d975d6e 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -50,7 +50,7 @@ module sqlDb 'modules/sqldb.bicep' = {
 name: 'sqldb'
 params: {
 sqlServerName: sqlServerName
- sqlDatabaeName: applicationName
+ sqlDatabaseName: applicationName
 administratorLogin: sqlAdminLogin
 administratorPassword: sqlAdminPassword
 location: location
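Review bot: `continue-on-error: true` on the new PSRule step means a failing `Azure.Pillar.Security` baseline never fails this workflow, and the only durable sink for findings, the SARIF upload, is still gated on `github.repository_owner == 'Azure-Samples'`, so on forks the result is discarded apart from the job summary. If non-blocking reporting is the intent, a comment on the step such as `# Findings are surfaced via SARIF/job summary only; a failed baseline is non-blocking by design` records that; if blocking is the intent, drop `continue-on-error`. `uses: microsoft/ps-rule@v2.9.0` pins a mutable tag; for a step that reads the whole checkout, pinning the commit SHA with the version in a trailing comment (`uses: microsoft/ps-rule@<commit-sha>  # v2.9.0`, SHA to be looked up) is the usual hardening. The `AZURE_BICEP_FILE_EXPANSION` option is set both here via `PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION` and in the new `ps-rule.yaml`; keeping one source of truth avoids the two drifting. The stray blank line between `continue-on-error: true` and `env:` inside the step is a style nit worth removing.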
diff --git a/bicep/main.test.bicep b/bicep/main.test.bicep
new file mode 100644
index 0000000..052b2e7
--- /dev/null
+++ b/bicep/main.test.bicep
@@ -0,0 +1,20 @@
+// This file is for doing static analysis and contains sensible defaults
+// for the bicep analyser to minimise false-positives and provide the best results.
+
+// This file is not intended to be used as a runtime configuration file.
+
+targetScope = 'resourceGroup'
+
+// Random, dummy data for static analysis
+param sqlAdminLogin string = newGuid()
+@secure()
+param sqlAdminPassword string = newGuid()
+
+module main 'main.bicep' = {
+ name: 'main'
+ params: {
+ staticWebAppLocation: 'westus2'
+ sqlAdminLogin: sqlAdminLogin
+ sqlAdminPassword: sqlAdminPassword
+ }
+}
diff --git a/bicep/modules/sqldb.bicep b/bicep/modules/sqldb.bicep
index ba3bf29..7017ba0 100644
--- a/bicep/modules/sqldb.bicep
+++ b/bicep/modules/sqldb.bicep
@@ -1,5 +1,5 @@
 param sqlServerName string
-param sqlDatabaeName string
+param sqlDatabaseName string
 param location string
 param administratorLogin string
 @secure()
@@ -20,7 +20,7 @@ resource sqlServer 'Microsoft.Sql/servers@2021-05-01-preview' = {
 
 resource servers_rideshare_server_name_databases_Rideshare_name 'Microsoft.Sql/servers/databases@2021-05-01-preview' = {
 parent: sqlServer
- name: sqlDatabaeName
+ name: sqlDatabaseName
 location: location
 tags: resourceTags
 sku: {
diff --git a/ps-rule.yaml b/ps-rule.yaml
new file mode 100644
index 0000000..bb4904b
--- /dev/null
+++ b/ps-rule.yaml
@@ -0,0 +1,3 @@
+# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion
+configuration:
+ AZURE_BICEP_FILE_EXPANSION: true
\ No newline at end of file
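Review bot: The header comment in `bicep/main.test.bicep` does not say that this harness is the only input PSRule sees (`inputPath: bicep/*.test.bicep` in the workflow), so `main.bicep` and its modules are analysed only through expansion from this file, and a new required parameter added to `main.bicep` without a matching value here breaks that expansion (and, with `continue-on-error: true` on the step, the failure may go unnoticed). A line such as `// Keep the params below in sync with main.bicep: PSRule only reaches main.bicep by expanding this file` would make that maintenance rule visible where it matters. The `newGuid()` defaults are appropriate for the analyser, but they also make this file deployable with a random admin login and password; the existing "not intended to be used as a runtime configuration file" comment could say plainly that it must never be deployed.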