Closed riosengineer closed 7 months ago
Thank you for reaching out! Currently the version of TemplateAnalyzer in Defender for DevOps does not support this feature, but I will follow up with my team about this and see if I can get an ETA for when it will be available.
Thank you!
We are planning an update on TemplateAnalyzer in the next couple of weeks and now we will be including the -c parameter in that update, which should enable you to use a configuration file and in turn grant access to this feature. A rough ETA for release would be about 2-3 weeks.
That's great, thank you for the speedy update, appreciated. If you require any feedback or testing I'd be happy to help if need be 😃
Hey, did this feature get released yet? We've got a requirement for this too, as we've had to create a custom role definition within our ESLZ, and the scan is currently failing because 'Using custom roles is treated as an exception and requires a rigorous review and threat modeling..'. I can't see any way I can suppress this and accept the risk? I was hoping to be able to include the Id (TA-000020) in the config file, as documented on the Terrascan repo.
We have similar problems: for example, we have some storage accounts where we cannot set IP firewall rules, so it is important to us to be able to suppress some of the rules.
We've actually stopped using this entirely now and fallen back to PSRule as we get full control of the scanning, rule exclusions, etc.
Hey, any update on those 2-3 weeks? @chrisnielsen-MS
At long last, I believe this has finally been deployed. I am closing this issue accordingly; please re-open or create a new issue if you continue to experience problems with the -c parameter.
Hi,
The docs for the .gdnconfig show only a handful of variables for the TemplateAnalyzer: https://github.com/microsoft/security-devops-action/wiki#templateanalyzer-options
Of which, there doesn't appear to be a way to suppress or skip certain rules.
The docs for TemplateAnalyzer indicate you can skip objects: https://github.com/Azure/template-analyzer/blob/main/docs/customizing-evaluation-outputs.md#template-analyzer-rule-object
Is this possible in Defender for DevOps currently and it's more of a documentation gap, or is this not yet a feature we can leverage?
Thanks