Analysis output#
PSRule supports generating and saving output in a number of different formats.
Abstract
This topic covers the supported formats and options for presenting output from a PSRule run.
Setting the output format#
The output format can be configuring by setting the Output.Format
option to one the following:
Yaml
- Output is serialized as YAML.Json
- Output is serialized as JSON.Markdown
- Output is serialized as Markdown.NUnit3
- Output is serialized as NUnit3 (XML).Csv
- Output is serialized as a comma-separated values (CSV).Sarif
- Output is serialized as SARIF.
Tip
To write output to a file, also set the Output.Path
option to the file path to save.
# Analyze and save results
- name: Analyze repository
uses: microsoft/ps-rule@v2.7.0
with:
outputFormat: Sarif
outputPath: reports/ps-rule-results.sarif
# Analyze and save results
- task: ps-rule-assert@2
displayName: Analyze repository
inputs:
inputType: repository
outputFormat: Sarif
outputPath: reports/ps-rule-results.sarif
Invoke-PSRule -OutputFormat Sarif -OutputPath reports/ps-rule-results.sarif
Assert-PSRule -OutputFormat Sarif -OutputPath reports/ps-rule-results.sarif
output:
format: 'Sarif'
path: reports/ps-rule-results.sarif
Formatting as YAML#
When using the YAML output format, results a serialized as YAML. Two spaces are used to indent properties of objects.
Example output
- data: {}
info:
displayName: Local.PS.RequireTLS
name: Local.PS.RequireTLS
synopsis: An example rule to require TLS.
level: Error
outcome: Fail
outcomeReason: Processed
reason:
- The field 'configure.supportsHttpsTrafficOnly' is set to 'False'.
- The field 'configure.minTLSVersion' does not exist.
ruleName: Local.PS.RequireTLS
runId: 16b0534165ffb5279beeb1672a251fc1ff3124b6
source:
- file: C:\Dev\Workspace\PSRule\docs\authoring\writing-rules\settings.json
line: 2
position: 11
type: File
targetName: 1fe7c0f476b11301402d5017d87424c36ff085a8
targetType: app1
time: 0
Formatting as JSON#
When using the JSON output format, results are serialized as JSON. By default, no indentation is used.
Example output
[{"data":{},"info":{"displayName":"Local.PS.RequireTLS","name":"Local.PS.RequireTLS","synopsis":"An example rule to require TLS."},"level":1,"outcome":"Fail","outcomeReason":"Processed","reason":["The field 'configure.supportsHttpsTrafficOnly' is set to 'False'.","The field 'configure.minTLSVersion' does not exist."],"ruleName":"Local.PS.RequireTLS","runId":"df662aad3ae7adee6f35b9733c7aaa53dc4d6b96","source":[{"file":"C:\\Dev\\Workspace\\PSRule\\docs\\authoring\\writing-rules\\settings.json","line":2,"position":11,"type":"File"}],"targetName":"1fe7c0f476b11301402d5017d87424c36ff085a8","targetType":"app1","time":0}]
Configuring JSON indentation#
v1.8.0
The number of spaces used to indent properties and elements is configurable between 0
to 4
spaces.
By default, no indentation is used.
Example output with 2 spaces
[
{
"data": {},
"info": {
"displayName": "Local.PS.RequireTLS",
"name": "Local.PS.RequireTLS",
"synopsis": "An example rule to require TLS."
},
"level": 1,
"outcome": "Fail",
"outcomeReason": "Processed",
"reason": [
"The field 'configure.supportsHttpsTrafficOnly' is set to 'False'.",
"The field 'configure.minTLSVersion' does not exist."
],
"ruleName": "Local.PS.RequireTLS",
"runId": "3afadfed32e57f5283ad71c1aa496da822ff0c84",
"source": [
{
"file": "C:\\Dev\\Workspace\\PSRule\\docs\\authoring\\writing-rules\\settings.json",
"line": 2,
"position": 11,
"type": "File"
}
],
"targetName": "1fe7c0f476b11301402d5017d87424c36ff085a8",
"targetType": "app1",
"time": 0
}
]
Formatting as CSV#
The output from analysis can be formatted as comma-separated values (CSV). Formatting as CSV may be useful when manipulating output results by hand. Output of CSV format varies depending on if detailed or summary output is used.
For detailed output, the following columns are added to CSV output for each processed object:
Column | Description |
---|---|
RuleName |
The name of the rule. |
TargetName |
The name of the object that was analyzed. |
TargetType |
The type of the object that was analyzed. |
Outcome |
The outcome of the analysis, such as Pass or Fail . |
OutcomeReason |
An additional reason for the outcome such as Inconclusive . |
Synopsis |
A short description of the rule. |
Recommendation |
The recommendation of the rule. |
For summary output, the following columns are used:
Column | Description |
---|---|
RuleName |
The name of the rule. |
Pass |
The number of objects that passed. |
Fail |
The number of objects that failed. |
Outcome |
The worst case outcome of the analysis, such as Pass or Fail . |
Synopsis |
A short description of the rule. |
Recommendation |
The recommendation of the rule. |
Example output
RuleName,TargetName,TargetType,Outcome,OutcomeReason,Synopsis,Recommendation
"Local.PS.RequireTLS","1fe7c0f476b11301402d5017d87424c36ff085a8","app1","Fail","Processed","An example rule to require TLS.",
"Local.YAML.RequireTLS","1fe7c0f476b11301402d5017d87424c36ff085a8","app1","Fail","Processed","An example rule to require TLS.",
"Local.JSON.RequireTLS","1fe7c0f476b11301402d5017d87424c36ff085a8","app1","Fail","Processed","An example rule to require TLS.",
Formatting as SARIF#
v2.0.0
Static Analysis Results Interchange Format (SARIF) is a standard output format for static analysis tools. It enables various unrelated tools to consume analysis results from PSRule. You can use SARIF to perform Static Analysis Security Testing (SAST) in DevOps environments at-scale.
GitHub code scanning alerts#
SARIF results from PSRule can be uploaded to GitHub to create code scanning alerts against a repository. You can see these results in your repository visible under Security > Code scanning alerts.
Tip
Code scanning is available for all public repositories, and for private repositories owned by organizations where GitHub Advanced Security is enabled. For more information, see About GitHub Advanced Security.
To configure GitHub Actions, perform the following steps:
- Create a GitHub Actions workflow.
- Add a step using the
microsoft/ps-rule
action.- Configure the
outputFormat
andoutputPath
parameters.
- Configure the
- Add a step using the
github/codeql-action/upload-sarif
action.- Configure the
sarif_file
parameter to the same file path specified inoutputPath
.
- Configure the
Example .github/workflows/analyze.yaml
name: Analyze
on:
push:
branches: [ main ]
schedule:
- cron: '24 22 * * 0' # At 10:24 PM, on Sunday each week
workflow_dispatch:
jobs:
oss:
name: Analyze with PSRule
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Run PSRule analysis
uses: microsoft/ps-rule@v2.7.0
with:
outputFormat: Sarif
outputPath: reports/ps-rule-results.sarif
- name: Upload results to security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: reports/ps-rule-results.sarif
Azure DevOps scans tab#
SARIF results from PSRule can be uploaded and viewed within Azure DevOps. To add the scans tab to build results the SARIF SAST Scans Tab extension needs to be installed.