Switch to PSRule for security analysis

tonybaloney · tonybaloney · commit 06f5e413e54f · 2024-06-06T19:03:08.000+10:00
diff --git a/.github/workflows/bicep-audit.yml b/.github/workflows/bicep-audit.yml
@@ -21,15 +21,23 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Run Microsoft Security DevOps Analysis
-        uses: microsoft/security-devops-action@preview
-        id: msdo
-        continue-on-error: true
+      - name: Run PSRule analysis
+        uses: microsoft/ps-rule@v2.9.0
         with:
-          tools: templateanalyzer
+          modules: PSRule.Rules.Azure
+          baseline: Azure.Pillar.Security
+          inputPath: bicep/*.test.bicep
+          outputFormat: Sarif
+          outputPath: reports/ps-rule-results.sarif
+          summary: true
+        continue-on-error: true
+          
+        env:
+          PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
+          PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'
 
-      - name: Upload alerts to Security tab
+      - name: Upload results to security tab
         uses: github/codeql-action/upload-sarif@v3
         if: github.repository_owner == 'Azure-Samples'
         with:
-          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+          sarif_file: reports/ps-rule-results.sarif
diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -50,7 +50,7 @@ module sqlDb 'modules/sqldb.bicep' = {
   name: 'sqldb'
   params: {
     sqlServerName: sqlServerName
-    sqlDatabaeName: applicationName
+    sqlDatabaseName: applicationName
     administratorLogin: sqlAdminLogin
     administratorPassword: sqlAdminPassword
     location: location
diff --git a/bicep/main.test.bicep b/bicep/main.test.bicep
@@ -0,0 +1,20 @@
+// This file is for doing static analysis and contains sensible defaults
+// for the bicep analyser to minimise false-positives and provide the best results.
+
+// This file is not intended to be used as a runtime configuration file.
+
+targetScope = 'resourceGroup'
+
+// Random, dummy data for static analysis
+param sqlAdminLogin string = newGuid()
+@secure()
+param sqlAdminPassword string = newGuid()
+
+module main 'main.bicep' = {
+  name: 'main'
+  params: {
+    staticWebAppLocation: 'westus2'
+    sqlAdminLogin: sqlAdminLogin
+    sqlAdminPassword: sqlAdminPassword
+  }
+}
diff --git a/bicep/modules/sqldb.bicep b/bicep/modules/sqldb.bicep
@@ -1,5 +1,5 @@
 param sqlServerName string
-param sqlDatabaeName string
+param sqlDatabaseName string
 param location string
 param administratorLogin string
 @secure()
@@ -20,7 +20,7 @@ resource sqlServer 'Microsoft.Sql/servers@2021-05-01-preview' = {
 
 resource servers_rideshare_server_name_databases_Rideshare_name 'Microsoft.Sql/servers/databases@2021-05-01-preview' = {
   parent: sqlServer
-  name: sqlDatabaeName
+  name: sqlDatabaseName
   location: location
   tags: resourceTags
   sku: {
diff --git a/ps-rule.yaml b/ps-rule.yaml
@@ -0,0 +1,3 @@
+# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion
+configuration:
+  AZURE_BICEP_FILE_EXPANSION: true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion`
	`2`	`+configuration:`
	`3`	`+ AZURE_BICEP_FILE_EXPANSION: true`