From 09703aaebbc36cfdb90ef355ff37552fca03e30c Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Thu, 4 Jul 2024 12:23:45 +1000 Subject: [PATCH 1/4] Use PSRule for security audits instead of template analyser --- .github/workflows/infra-ci.yaml | 27 +++++++++++++++++---------- infra/main.test.bicep | 27 +++++++++++++++++++++++++++ ps-rule.yaml | 3 +++ 3 files changed, 47 insertions(+), 10 deletions(-) create mode 100644 infra/main.test.bicep create mode 100644 ps-rule.yaml diff --git a/.github/workflows/infra-ci.yaml b/.github/workflows/infra-ci.yaml index 278989b..32205d2 100644 --- a/.github/workflows/infra-ci.yaml +++ b/.github/workflows/infra-ci.yaml @@ -30,19 +30,26 @@ jobs: with: inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout - - name: Run Microsoft Security DevOps Analysis - uses: microsoft/security-devops-action@v1 - id: msdo - continue-on-error: true + - name: Run PSRule analysis + uses: microsoft/ps-rule@v2.9.0 with: - tools: templateanalyzer + modules: PSRule.Rules.Azure + baseline: Azure.Pillar.Security + inputPath: infra/*.test.bicep + outputFormat: Sarif + outputPath: reports/ps-rule-results.sarif + summary: true + continue-on-error: true + + env: + PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true' + PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30' - - name: Upload alerts to Security tab - uses: github/codeql-action/upload-sarif@v2 - if: github.repository == 'Azure-Samples/azure-search-openai-demo-java' + - name: Upload results to security tab + uses: github/codeql-action/upload-sarif@v3 + if: github.repository == 'Azure-Samples/azure-search-openai-demo' with: - sarif_file: ${{ steps.msdo.outputs.sarifFile }} - + sarif_file: reports/ps-rule-results.sarif # deploy: # name: "Deploy Infra and App using azd" diff --git a/infra/main.test.bicep b/infra/main.test.bicep new file mode 100644 index 0000000..d1f71fd --- /dev/null +++ b/infra/main.test.bicep 
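Review bot: Both new steps pull third-party actions by mutable ref — `uses: microsoft/ps-rule@v2.9.0` and `uses: github/codeql-action/upload-sarif@v3` — so a retagged release silently changes what runs inside the job that produces the repository's security findings; pin each to its full commit SHA with the version kept in a trailing comment, e.g. `uses: microsoft/ps-rule@<commit-sha>  # v2.9.0`. With `continue-on-error: true` on the PSRule step the `Azure.Pillar.Security` baseline is advisory only: a failing rule leaves the job green and is visible solely through the SARIF upload, which deserves a comment on the step such as `# Findings go to the Security tab; they do not fail this job` so nobody reads a green run as a clean baseline. The SARIF upload needs `security-events: write` in the job or workflow `permissions`, which is outside this hunk, so confirm it is granted. The blank `+` line between `continue-on-error: true` and `env:` splits one step's keys visually; dropping it keeps the step reading as a single list item. The same step block is added to nightly-jobs.yaml in PATCH 4/4 and the points above apply there unchanged.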
@@ -0,0 +1,27 @@ +// This file is for doing static analysis and contains sensible defaults +// for PSRule to minimise false-positives and provide the best results. + +// This file is not intended to be used as a runtime configuration file. + +targetScope = 'subscription' + +param environmentName string = 'testing' +param location string = 'swedencentral' + +module main 'main.bicep' = { + name: 'main' + params: { + environmentName: environmentName + location: location + openAiHost: 'azure' + openAiResourceGroupLocation: location + searchIndexName: 'gptkbindex' + searchQueryLanguage: 'en-us' + searchQuerySpeller: 'lexicon' + searchServiceSkuName: 'standard' + storageSkuName: 'Standard_LRS' + useApplicationInsights: false + chatGptDeploymentName: 'chat' + embeddingDeploymentName: 'embedding' + } +} diff --git a/ps-rule.yaml b/ps-rule.yaml new file mode 100644 index 0000000..bec381f --- /dev/null +++ b/ps-rule.yaml @@ -0,0 +1,3 @@ +# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion +configuration: + AZURE_BICEP_FILE_EXPANSION: true From 1def7c9d5e65dc376097f14078706210191105c6 Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Thu, 4 Jul 2024 12:25:19 +1000 Subject: [PATCH 2/4] Update template name --- .github/workflows/infra-ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/infra-ci.yaml b/.github/workflows/infra-ci.yaml index 32205d2..2229b5b 100644 --- a/.github/workflows/infra-ci.yaml +++ b/.github/workflows/infra-ci.yaml @@ -47,7 +47,7 @@ jobs: - name: Upload results to security tab uses: github/codeql-action/upload-sarif@v3 - if: github.repository == 'Azure-Samples/azure-search-openai-demo' + if: github.repository == 'Azure-Samples/azure-search-openai-demo-java' with: sarif_file: reports/ps-rule-results.sarif From a810cd26107708af74d2aebca899a14a24c1f47a Mon Sep 17 00:00:00 2001 
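Review bot: The header comment promises "sensible defaults ... to minimise false-positives" but none of the overrides passed to `module main 'main.bicep'` say which finding they avoid or why they differ from what a real deployment uses, so a reviewer cannot tell a deliberately suppressed rule from a configuration gap. Add a one-line comment per override that exists for analysis reasons, e.g. `useApplicationInsights: false // <reason this is off for analysis; rule id if applicable>`, and leave the rest undocumented so the deliberate ones stand out. Since only this wrapper is passed to PSRule via `inputPath`, resources that main.bicep presumably conditions on these parameters (monitoring behind `useApplicationInsights`, the OpenAI branch behind `openAiHost: 'azure'`) are evaluated only in the shape fixed here — worth stating in the header so the wrapper is revisited when main.bicep gains new parameters.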
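Review bot: `AZURE_BICEP_FILE_EXPANSION: true` here duplicates the `PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'` env var set on the workflow step in the infra-ci.yaml hunk above, while the timeout (`PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'`) exists only in the workflow, so a local `Invoke-PSRule` run and CI evaluate the templates under different settings. Keep one source of truth: add `AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 30` under `configuration:` in this file and drop the step-level `env:`, or note in the comment which source wins when both are set. The comment `# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion` reads as a leftover label; `# Expand Bicep modules so PSRule evaluates the resources they declare, not just the wrapper` says what the option is for.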
From: Anthony Shaw Date: Thu, 4 Jul 2024 12:33:07 +1000 Subject: [PATCH 3/4] Run on the app service configuration --- .github/workflows/infra-ci.yaml | 4 ++-- {infra => deploy/app-service/infra}/main.test.bicep | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename {infra => deploy/app-service/infra}/main.test.bicep (100%) diff --git a/.github/workflows/infra-ci.yaml b/.github/workflows/infra-ci.yaml index 1b958a0..9748a22 100644 --- a/.github/workflows/infra-ci.yaml +++ b/.github/workflows/infra-ci.yaml @@ -54,12 +54,12 @@ jobs: with: inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f deploy/aca/infra/main.bicep --stdout - - name: Run PSRule analysis + - name: Run PSRule analysis on App Service deployment uses: microsoft/ps-rule@v2.9.0 with: modules: PSRule.Rules.Azure baseline: Azure.Pillar.Security - inputPath: infra/*.test.bicep + inputPath: deploy/app-service/infra/*.test.bicep outputFormat: Sarif outputPath: reports/ps-rule-results.sarif summary: true diff --git a/infra/main.test.bicep b/deploy/app-service/infra/main.test.bicep similarity index 100% rename from infra/main.test.bicep rename to deploy/app-service/infra/main.test.bicep From 469b53fc7ea5f428f545f21a50394c9c8f7c1e7f Mon Sep 17 00:00:00 2001 From: Anthony Shaw Date: Thu, 4 Jul 2024 12:35:39 +1000 Subject: [PATCH 4/4] Update the other workflow file --- .github/workflows/nightly-jobs.yaml | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/.github/workflows/nightly-jobs.yaml b/.github/workflows/nightly-jobs.yaml index 9350a1f..5145b1d 100644 --- a/.github/workflows/nightly-jobs.yaml +++ b/.github/workflows/nightly-jobs.yaml 
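Review bot: The context line above the renamed step still builds `deploy/aca/infra/main.bicep`, while the step now analyses `inputPath: deploy/app-service/infra/*.test.bicep`, so the Container Apps template this job compiles is never run through the security baseline. If that is intended, say so in the step name or a comment; otherwise add a matching wrapper under `deploy/aca/infra/` and widen the glob to `inputPath: deploy/**/*.test.bicep` so both deployments are covered by one step. The same build/analyse mismatch appears in the nightly-jobs.yaml hunk of PATCH 4/4. The moved wrapper's `module main 'main.bicep'` reference now resolves relative to `deploy/app-service/infra/`, which is outside this hunk, so confirm that template exists there.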
@@ -48,18 +48,26 @@ jobs: with: inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f deploy/aca/infra/main.bicep --stdout - - name: Run Microsoft Security DevOps Analysis - uses: microsoft/security-devops-action@v1 - id: msdo - continue-on-error: true + - name: Run PSRule analysis on App Service deployment + uses: microsoft/ps-rule@v2.9.0 with: - tools: templateanalyzer + modules: PSRule.Rules.Azure + baseline: Azure.Pillar.Security + inputPath: deploy/app-service/infra/*.test.bicep + outputFormat: Sarif + outputPath: reports/ps-rule-results.sarif + summary: true + continue-on-error: true + + env: + PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true' + PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30' - - name: Upload alerts to Security tab - uses: github/codeql-action/upload-sarif@v2 + - name: Upload results to security tab + uses: github/codeql-action/upload-sarif@v3 if: github.repository == 'Azure-Samples/azure-search-openai-demo-java' with: - sarif_file: ${{ steps.msdo.outputs.sarifFile }} + sarif_file: reports/ps-rule-results.sarif frontend: name: "Front-end validation"