Skip to content

Commit 0392b26

Browse files
committed
feat(audit-bicep): update workflow to use PSRule analysis and improve configuration
1 parent 415222a commit 0392b26

1 file changed

Lines changed: 17 additions & 9 deletions

File tree

.github/workflows/audit-bicep.yml

Lines changed: 17 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
name: Scan Bicep code
22
on:
33
push:
4-
branches:
4+
branches:
55
- main
66
paths:
77
- "infra/bicep/**"
88
pull_request:
9-
branches:
9+
branches:
1010
- main
1111
paths:
1212
- "infra/bicep/**"
@@ -19,17 +19,25 @@ jobs:
1919
security-events: write
2020
steps:
2121
- name: Checkout
22-
uses: actions/checkout@v4
22+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
2323

24-
- name: Run Microsoft Security DevOps Analysis
25-
uses: microsoft/security-devops-action@preview
26-
id: msdo
27-
continue-on-error: true
24+
- name: Run PSRule analysis
25+
uses: microsoft/ps-rule@46451b8f5258c41beb5ae69ed7190ccbba84112c # v2.9.0
2826
with:
29-
tools: templateanalyzer
27+
modules: PSRule.Rules.Azure
28+
baseline: Azure.Pillar.Security
29+
inputPath: ./infra/bicep/main.bicep
30+
outputFormat: Sarif
31+
outputPath: reports/ps-rule-results.sarif
32+
summary: true
33+
continue-on-error: true
34+
35+
env:
36+
PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: "true"
37+
PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: "30"
3038

3139
- name: Upload alerts to Security tab
32-
uses: github/codeql-action/upload-sarif@v3
40+
uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
3341
if: github.repository_owner == 'Azure-Samples'
3442
with:
3543
sarif_file: ${{ steps.msdo.outputs.sarifFile }}

0 commit comments

Comments
 (0)