Skip to content

Commit 43f987b

Browse files
committed
feat(audit-bicep): update workflow to use PSRule analysis and improve configuration
1 parent 415222a commit 43f987b

1 file changed

Lines changed: 23 additions & 9 deletions

File tree

.github/workflows/audit-bicep.yml

Lines changed: 23 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
name: Scan Bicep code
22
on:
33
push:
4-
branches:
4+
branches:
55
- main
66
paths:
77
- "infra/bicep/**"
88
pull_request:
9-
branches:
9+
branches:
1010
- main
1111
paths:
1212
- "infra/bicep/**"
@@ -19,17 +19,31 @@ jobs:
1919
security-events: write
2020
steps:
2121
- name: Checkout
22-
uses: actions/checkout@v4
22+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
2323

24-
- name: Run Microsoft Security DevOps Analysis
25-
uses: microsoft/security-devops-action@preview
26-
id: msdo
27-
continue-on-error: true
24+
- name: Bicep Build
25+
uses: Azure/bicep-build-action@v1.0.0
26+
with:
27+
bicepFilePath: ./infra/bicep/main.bicep
28+
outputFilePath: ./azuredeploy.json
29+
30+
- name: Run PSRule analysis
31+
uses: microsoft/ps-rule@46451b8f5258c41beb5ae69ed7190ccbba84112c # v2.9.0
2832
with:
29-
tools: templateanalyzer
33+
modules: PSRule.Rules.Azure
34+
baseline: Azure.Pillar.Security
35+
inputPath: ./azuredeploy.json
36+
outputFormat: Sarif
37+
outputPath: reports/ps-rule-results.sarif
38+
summary: true
39+
continue-on-error: true
40+
41+
env:
42+
PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: "true"
43+
PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: "30"
3044

3145
- name: Upload alerts to Security tab
32-
uses: github/codeql-action/upload-sarif@v3
46+
uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
3347
if: github.repository_owner == 'Azure-Samples'
3448
with:
3549
sarif_file: ${{ steps.msdo.outputs.sarifFile }}

0 commit comments

Comments
 (0)