Merge pull request #4 from Azure-Samples/bicepvalid

Add secure() decorator and Bicep validation
Azure-Samples · Mar 12, 2024 · 1f43836 · 1f43836
2 parents cb48fd0 + 828a736
commit 1f43836
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/.github/workflows/bicep-validation.yaml b/.github/workflows/bicep-validation.yaml
@@ -0,0 +1,38 @@
+name: Validate AZD template
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - "infra/**"
+  pull_request:
+    branches: [ main ]
+    paths:
+      - "infra/**"
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build Bicep for linting
+        uses: azure/CLI@v1
+        with:
+          inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
+
+      - name: Run Microsoft Security DevOps Analysis
+        uses: microsoft/security-devops-action@v1
+        env:
+            GDN_TEMPLATEANALYZER_VERBOSE: 1
+        id: msdo
+        continue-on-error: true
+        with:
+          tools: templateanalyzer
+
+      - name: Upload alerts to Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: github.repository == 'Azure-Samples/langfuse-on-azure'
+        with:
+          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/.gitignore b/.gitignore
@@ -158,3 +158,5 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+.azure
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -23,6 +23,7 @@ param salt string
 
 param useAuthentication bool = false
 param authClientId string = ''
+@secure()
 param authClientSecret string = ''
 param authTenantId string = ''