From 431b7094f505ae519fa17439e861f091e116a14a Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Mon, 10 Jun 2024 22:21:05 +1000 Subject: [PATCH] Move from template analyser to psrule for security audits (#133) --- .github/workflows/bicep-audit.yml | 28 ++++++++++++++++++---------- infra/main.test.bicep | 17 +++++++++++++++++ ps-rule.yaml | 5 +++++ 3 files changed, 40 insertions(+), 10 deletions(-) create mode 100644 infra/main.test.bicep create mode 100644 ps-rule.yaml diff --git a/.github/workflows/bicep-audit.yml b/.github/workflows/bicep-audit.yml index 55eb0172..6eae1310 100644 --- a/.github/workflows/bicep-audit.yml +++ b/.github/workflows/bicep-audit.yml @@ -1,15 +1,15 @@ -name: Validate AZD template +name: Validate bicep templates on: push: branches: - main paths: - - "infra/**" + - "**/*.bicep" pull_request: branches: - main paths: - - "infra/**" + - "**/*.bicep" workflow_dispatch: jobs: @@ -21,15 +21,23 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Run Microsoft Security DevOps Analysis - uses: microsoft/security-devops-action@preview - id: msdo - continue-on-error: true + - name: Run PSRule analysis + uses: microsoft/ps-rule@v2.9.0 with: - tools: templateanalyzer + modules: PSRule.Rules.Azure + baseline: Azure.Pillar.Security + inputPath: infra/*.test.bicep + outputFormat: Sarif + outputPath: reports/ps-rule-results.sarif + summary: true + continue-on-error: true + + env: + PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true' + PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30' - - name: Upload alerts to Security tab + - name: Upload results to security tab uses: github/codeql-action/upload-sarif@v3 if: github.repository_owner == 'Azure-Samples' with: - sarif_file: ${{ steps.msdo.outputs.sarifFile }} + sarif_file: reports/ps-rule-results.sarif diff --git a/infra/main.test.bicep b/infra/main.test.bicep new file mode 100644 index 00000000..19899b82 --- /dev/null +++ b/infra/main.test.bicep 
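Review bot: The push and pull_request `paths` filters now list only `"**/*.bicep"`, so edits to `ps-rule.yaml` and to this workflow file no longer trigger the audit; a change that widens `AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES` in `ps-rule.yaml` would merge without the security baseline being re-evaluated until the next Bicep change. The old `"infra/**"` filter also covered any non-Bicep files under `infra/`, which the new glob drops. Add the rule configuration and the workflow itself to both filters: `- "**/*.bicep"`, `- "ps-rule.yaml"`, `- ".github/workflows/bicep-audit.yml"`. The `on:` block is complete in this hunk; the job definition it feeds continues below it.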
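Review bot: The new PSRule step keeps `continue-on-error: true`, and the SARIF upload after it runs only when `github.repository_owner == 'Azure-Samples'`, so on a fork or a PR from one a failing `Azure.Pillar.Security` baseline never turns the check red and the findings reach no Security tab — the step summary is the only trace. Decide which outcome is wanted: drop `continue-on-error: true` so rule failures fail the job, or keep it and make the upload unconditional wherever the token has the required permission. Separately, `microsoft/ps-rule@v2.9.0` is a mutable tag for an action that runs with the job's token and checkout; pinning to the release's full commit SHA with the version kept in a trailing comment, `uses: microsoft/ps-rule@<full-commit-sha>  # v2.9.0`, is the usual supply-chain guard, and the `actions/checkout@v4` and `upload-sarif@v3` references on the context lines have the same exposure. Whether the job grants `security-events: write` for the upload is outside this hunk.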
@@ -0,0 +1,17 @@
+// This file is for doing static analysis and contains sensible defaults
+// for the bicep analyser to minimise false-positives and provide the best results.
+
+// This file is not intended to be used as a runtime configuration file.
+
+targetScope = 'subscription'
+
+param environmentName string = 'testing'
+param location string = 'westus2'
+
+module main 'main.bicep' = {
+ name: 'main'
+ params: {
+ environmentName: environmentName
+ location: location
+ }
+}
diff --git a/ps-rule.yaml b/ps-rule.yaml
new file mode 100644
index 00000000..a1ac1363
--- /dev/null
+++ b/ps-rule.yaml
@@ -0,0 +1,5 @@
+# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion
+configuration:
+ AZURE_BICEP_FILE_EXPANSION: true
+ AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES:
+ - resourceToken
\ No newline at end of file
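Review bot: The header comment promises "sensible defaults ... to minimise false-positives" but the file pins only `environmentName` and `location`; any other parameter that `main.bicep` declares is presumably expanded at its own declared default (or left unset), and that expanded template is what the security baseline actually evaluates. Extend the comment so the next person adding a parameter to `main.bicep` knows to mirror it here: `// Parameters not set here are analysed at the defaults declared in main.bicep;` `// add an explicit value when a default would produce a misleading finding.` The `targetScope` and the module parameter names must agree with `main.bicep`, which is not in this patch.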
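Review bot: `AZURE_DEPLOYMENT_NONSENSITIVE_PARAMETER_NAMES: - resourceToken` is an audit exemption — it tells PSRule not to treat a parameter named `resourceToken` as sensitive — yet the only comment in the file describes the `AZURE_BICEP_FILE_EXPANSION` option, so a reader cannot tell whether the exemption is deliberate or a quick way to silence a finding. Add a justification above the list along the lines of `# resourceToken is a non-secret naming suffix (confirm in main.bicep), not a credential; exempt it from the secure-parameter check`, after checking `main.bicep` (not in this patch) that it really is non-secret. Any name added to this list later deserves the same scrutiny, which is one more reason for the workflow to trigger on changes to this file. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.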