Switch to PSRule for security testing (#1687)

* Try using PSRule for security testing

* configure expansion

* reformat envvar

* Add rule file

* Try another approach

* Only security baseline results

* continue on error

* Test the secure configuration

* Remove template analyser

* Update ps-rule.yaml

* Update infra/main.test.bicep

Co-authored-by: Pamela Fox <[email protected]>

---------

Co-authored-by: Pamela Fox <[email protected]>

Author: tonybaloney

.github/workflows/azure-dev-validation.yaml

@@ -11,7 +11,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  build:
+  bicep:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
@@ -24,15 +24,31 @@ jobs:
         with:
           inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
 
-      - name: Run Microsoft Security DevOps Analysis
-        uses: microsoft/security-devops-action@preview
-        id: msdo
-        continue-on-error: true
+  psrule:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run PSRule analysis
+        uses: microsoft/[email protected]
         with:
-          tools: templateanalyzer
+          modules: PSRule.Rules.Azure
+          baseline: Azure.Pillar.Security
+          inputPath: infra/*.test.bicep
+          outputFormat: Sarif
+          outputPath: reports/ps-rule-results.sarif
+          summary: true
+        continue-on-error: true
+          
+        env:
+          PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
+          PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'
 
-      - name: Upload alerts to Security tab
+      - name: Upload results to security tab
         uses: github/codeql-action/upload-sarif@v3
         if: github.repository == 'Azure-Samples/azure-search-openai-demo'
         with:
-          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
+          sarif_file: reports/ps-rule-results.sarif

infra/main.test.bicep

@@ -0,0 +1,40 @@
+// This file is for doing static analysis and contains sensible defaults
+// for PSRule to minimise false-positives and provide the best results.
+
+// This file is not intended to be used as a runtime configuration file.
+
+targetScope = 'subscription'
+
+param environmentName string = 'testing'
+param location string = 'swedencentral'
+
+module main 'main.bicep' = {
+  name: 'main'
+  params: {
+    environmentName: environmentName
+    location: location
+    appServiceSkuName: 'B1'
+    computerVisionSkuName: 'S1'
+    documentIntelligenceResourceGroupLocation: location
+    documentIntelligenceSkuName: 'S0'
+    openAiHost: 'azure'
+    openAiResourceGroupLocation: location
+    searchIndexName: 'gptkbindex'
+    searchQueryLanguage: 'en-us'
+    searchQuerySpeller: 'lexicon'
+    searchServiceSemanticRankerLevel: 'free'
+    searchServiceSkuName: 'standard'
+    speechServiceSkuName: 'S0'
+    storageSkuName: 'Standard_LRS'
+    useApplicationInsights: false
+    useVectors: true
+    useGPT4V: false
+    useSpeechInputBrowser: false
+    useSpeechOutputBrowser: false
+
+    // Test the secure configuration
+    enableUnauthenticatedAccess: false
+    usePrivateEndpoint: true
+    publicNetworkAccess: 'Disabled'
+  }
+}

ps-rule.yaml

@@ -0,0 +1,3 @@
+# YAML: Set the AZURE_BICEP_FILE_EXPANSION configuration option to enable expansion
+configuration:
+  AZURE_BICEP_FILE_EXPANSION: true