
Commit d475e9e

Fix #83 - remove selectors, add example supression groups (#86)
1 parent 6e899b5 commit d475e9e

4 files changed

Lines changed: 86 additions & 13 deletions


Lines changed: 84 additions & 0 deletions
@@ -0,0 +1,84 @@
1+
---
2+
# Synopsis: Only main, master, develop, and release branches should be protected
3+
apiVersion: github.com/microsoft/PSRule/v1
4+
kind: SuppressionGroup
5+
metadata:
6+
name: 'non-production-branches'
7+
spec:
8+
expiresOn: null
9+
rule:
10+
- Azure.DevOps.Repos.Branch.BranchPolicyAllowSelfApproval
11+
- Azure.DevOps.Repos.Branch.BranchPolicyCommentResolution
12+
- Azure.DevOps.Repos.Branch.BranchPolicyEnforceLinkedWorkItems
13+
- Azure.DevOps.Repos.Branch.BranchPolicyIsEnabled
14+
- Azure.DevOps.Repos.Branch.BranchPolicyMergeStrategy
15+
- Azure.DevOps.Repos.Branch.BranchPolicyMinimumReviewers
16+
- Azure.DevOps.Repos.Branch.BranchPolicyRequireBuild
17+
- Azure.DevOps.Repos.Branch.BranchPolicyResetVotes
18+
- Azure.DevOps.Repos.Branch.HasBranchPolicy
19+
if:
20+
allOf:
21+
- name: '.'
22+
notContains:
23+
- 'refs/heads/main'
24+
- 'refs/heads/master'
25+
- 'refs/heads/develop'
26+
- 'refs/heads/release'
27+
- field: 'ObjectType'
28+
equals: 'Azure.DevOps.Repo.Branch'
29+
30+
---
31+
# Synposis: Only accept and production environments and should be protected
32+
apiVersion: github.com/microsoft/PSRule/v1
33+
kind: SuppressionGroup
34+
metadata:
35+
name: 'non-production-environments'
36+
spec:
37+
expiresOn: null
38+
rule:
39+
- Azure.DevOps.Pipelines.Environments.ProductionBranchLimit
40+
- Azure.DevOps.Pipelines.Environments.ProductionCheckProtection
41+
- Azure.DevOps.Pipelines.Environments.ProductionHumanApproval
42+
if:
43+
allOf:
44+
- name: '.'
45+
notContains:
46+
- 'acc'
47+
- 'accept'
48+
- 'acceptance'
49+
- 'live'
50+
- 'pre'
51+
- 'prd'
52+
- 'prod'
53+
- 'production'
54+
- field: 'ObjectType'
55+
in:
56+
- 'Azure.DevOps.Pipelines.Environment'
57+
58+
---
59+
# Synposis: Only accept and production service connections should be protected
60+
apiVersion: github.com/microsoft/PSRule/v1
61+
kind: SuppressionGroup
62+
metadata:
63+
name: 'non-production-service-connections'
64+
spec:
65+
expiresOn: null
66+
rule:
67+
- Azure.DevOps.ServiceConnections.ProductionBranchLimit
68+
- Azure.DevOps.ServiceConnections.ProductionCheckProtection
69+
- Azure.DevOps.ServiceConnections.ProductionHumanApproval
70+
if:
71+
allOf:
72+
- name: '.'
73+
notContains:
74+
- 'acc'
75+
- 'accept'
76+
- 'acceptance'
77+
- 'live'
78+
- 'pre'
79+
- 'prd'
80+
- 'prod'
81+
- 'production'
82+
- field: 'ObjectType'
83+
in:
84+
- 'Azure.DevOps.ServiceConnection'
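Review bot: The second and third groups decide "non-production" purely by a substring test on the object name (`name: '.'` / `notContains`), so a production environment or service connection whose name carries none of the listed tokens is silently excluded from ProductionCheckProtection, ProductionHumanApproval and ProductionBranchLimit; the group fails open for anything outside this naming convention, and with `expiresOn: null` that exclusion never comes up for review. The synopsis should say that the token list is a starting point the user must adapt, e.g. `# Synopsis: Suppress production-only rules for environments whose name does not contain a production token; edit the token list to match your naming convention.` The comments on the second and third groups also read "Synposis" rather than "Synopsis" (and "and should be protected" has a stray "and"), and the branch group matches ObjectType with `equals` while the other two use `in`, which would be clearer if made consistent. The file path for this new file is not shown on this page.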

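--- a/src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.Pipelines.Environments.Rule.ps1
+++ b/src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.Pipelines.Environments.Rule.ps1
@@ -4,7 +4,6 @@
 Rule 'Azure.DevOps.Pipelines.Environments.ProductionCheckProtection' `
 -Ref 'ADO-E-001' `
 -Type 'Azure.DevOps.Pipelines.Environment' `
--With 'IsProduction' `
 -Tag @{ release = 'GA'} `
 -Level Warning {
 # Description: Production environment should be protected by one or more checks
@@ -22,7 +21,6 @@ Rule 'Azure.DevOps.Pipelines.Environments.ProductionCheckProtection' `
 Rule 'Azure.DevOps.Pipelines.Environments.ProductionHumanApproval' `
 -Ref 'ADO-E-002' `
 -Type 'Azure.DevOps.Pipelines.Environment' `
--With 'IsProduction' `
 -Tag @{ release = 'GA'} `
 -Level Warning {
 # Description 'Production environment should be protected by a human approval'
@@ -51,7 +49,6 @@ Rule 'Azure.DevOps.Pipelines.Environments.Description' `
 Rule 'Azure.DevOps.Pipelines.Environments.ProductionBranchLimit' `
 -Ref 'ADO-E-004' `
 -Type 'Azure.DevOps.Pipelines.Environment' `
--With 'IsProduction' `
 -Tag @{ release = 'GA'} `
 -Level Warning {
 # Description 'Production environment should be limited to specific branches'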
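Review bot: With `-With 'IsProduction'` removed in each of the three hunks, these rules now evaluate every `Azure.DevOps.Pipelines.Environment` object, yet the `# Description` lines still say "Production environment should be …", so the rule text no longer describes its scope, and a user who has not configured a suppression group will get a Warning on every non-production environment. The description should state the new contract, e.g. `# Description: Environment should be protected by one or more checks; exclude non-production environments with a SuppressionGroup such as the example groups added in this commit.` The same applies to the three hunks in src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.ServiceConnection.Rule.ps1. The second hunk also uses `# Description:` with a colon where the other two omit it, which is worth aligning while the lines are being touched. Each Rule block continues past its hunk.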

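--- a/src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.ServiceConnection.Rule.ps1
+++ b/src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.ServiceConnection.Rule.ps1
@@ -4,7 +4,6 @@
 Rule 'Azure.DevOps.ServiceConnections.ProductionCheckProtection' `
 -Ref 'ADO-SC-001' `
 -Type 'Azure.DevOps.ServiceConnection' `
--With 'IsProduction' `
 -Tag @{ release = 'GA'} `
 -Level Warning {
 # Description 'Production service connection should be protected by one or more checks.'
@@ -18,7 +17,6 @@ Rule 'Azure.DevOps.ServiceConnections.ProductionCheckProtection' `
 Rule 'Azure.DevOps.ServiceConnections.ProductionHumanApproval' `
 -Ref 'ADO-SC-002' `
 -Type 'Azure.DevOps.ServiceConnection' `
--With 'IsProduction' `
 -Tag @{ release = 'GA'} `
 -Level Warning {
 # Description 'Production service connection should be protected by a human approval.'
@@ -80,7 +78,6 @@ Rule 'Azure.DevOps.ServiceConnections.WorkloadIdentityFederation' `
 Rule 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' `
 -Ref 'ADO-SC-006' `
 -Type 'Azure.DevOps.ServiceConnection' `
--With 'IsProduction' `
 -Tag @{ release = 'GA'} `
 -Level Warning {
 # Description 'Production service connection should be limited to specific branches.'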

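--- a/tests/Rules.Tests.ps1
+++ b/tests/Rules.Tests.ps1
@@ -1571,11 +1571,6 @@ Describe 'AzureDevOps ' {
 }
 
 Context 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' {
-It 'Should not touch non-production service connections' {
-$ruleHits = @($ruleResult | Where-Object { $_.RuleName -eq 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' -and $_.TargetName -match 'fail$' })
-$ruleHits.Count | Should -Be 0;
-}
-
 It 'Should pass for production targets named success' {
 $ruleHits = @($ruleResult | Where-Object { $_.RuleName -eq 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' -and $_.TargetName -like '*success*' })
 $ruleHits[0].Outcome | Should -Be 'Pass';
@@ -1584,7 +1579,7 @@ Describe 'AzureDevOps ' {
 
 It 'Should be the same with a ReadOnly TokenType' {
 $ruleHits = @($ruleResultReadOnly | Where-Object { $_.RuleName -eq 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' -and $_.TargetName -match 'fail$' })
-$ruleHits.Count | Should -Be 0;
+$ruleHits.Count | Should -Be 3;
 
 $ruleHits = @($ruleResultReadOnly | Where-Object { $_.RuleName -eq 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' -and $_.TargetName -like '*success*' })
 $ruleHits[0].Outcome | Should -Be 'Pass';
@@ -1593,7 +1588,7 @@ Describe 'AzureDevOps ' {
 
 It 'Should be the same with a FineGrained TokenType' {
 $ruleHits = @($ruleResultFineGrained | Where-Object { $_.RuleName -eq 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' -and $_.TargetName -match 'fail$' })
-$ruleHits.Count | Should -Be 0;
+$ruleHits.Count | Should -Be 3;
 
 $ruleHits = @($ruleResultFineGrained | Where-Object { $_.RuleName -eq 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' -and $_.TargetName -like '*success*' })
 $ruleHits[0].Outcome | Should -Be 'Pass';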
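Review bot: The first hunk deletes the only assertion on `fail$` targets for the default token type, while the second and third hunks keep that check for ReadOnly and FineGrained and move its expectation from 0 to 3, so the default context now asserts nothing about non-production service connections and the "Should be the same …" tests have no baseline left to be the same as. Restore the check in the default context with the new expectation, e.g. `It 'Should evaluate non-production targets named fail' { $ruleHits = @($ruleResult | Where-Object { $_.RuleName -eq 'Azure.DevOps.ServiceConnections.ProductionBranchLimit' -and $_.TargetName -match 'fail$' }); $ruleHits.Count | Should -Be 3 }`. Nothing on this page exercises the new suppression groups against these fixtures, so the suppression path that replaces the selector appears untested, and the Environments rules lose their selector in this commit without any visible test change, which is worth confirming. The Context opens inside the first hunk and the enclosing Describe runs beyond the last one.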
