
Add pinned script dependency rules for Automation runbooks and Deployment scripts#3721

Draft
Copilot wants to merge 3 commits intomainfrom
copilot/add-pinned-script-dependencies

Conversation

Contributor

Copilot AI commented Mar 25, 2026

External scripts pulled from mutable URLs (e.g., a branch ref on raw.githubusercontent.com) are a supply chain risk — the content can change between runs without notice.

New Rules

Azure.Automation.RunbookPinned (AZR-000543)

  • Resource: Microsoft.Automation/automationAccounts/runbooks
  • Checks: properties.publishContentLink.uri — if it references raw.githubusercontent.com, it must use a 40-char hex SHA commit hash, not a branch/tag ref

Azure.DeploymentScript.Pinned (AZR-000536)

  • Resource: Microsoft.Resources/deploymentScripts
  • Checks: properties.primaryScriptUri and all entries in properties.supportingScriptUris — same pinned commit hash requirement

Fail — unpinned branch ref:

https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/run.ps1

Pass — pinned to commit SHA:

https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/run.ps1

URLs not targeting raw.githubusercontent.com are not evaluated by these rules.

Supporting Changes

  • ruleSet validation regex updated to include 2026
  • Localization string GitHubRawScriptUnpinned added
  • Test data and unit tests added for both rules
  • Documentation added for both rules
Original prompt

This section details the original issue you should resolve

<issue_title>[RULE] Use pinned script dependencies</issue_title>
<issue_description>
Existing rule

No response

Suggested rule

When pulling in external files that will be executed, such as scripts, a pinned URL should be used to prevent the file at the end of the URL from being maliciously changed later (supply chain).

The URL must use a method that prevents the content from being changed. For example, a git branch or tag can be easily changed, and a git commit hash is considered unique (excluding collisions for the key space).

Separate rules should be created for:

  • Automation runbooks
  • Deployment scripts

Initially focus on https://raw.githubusercontent.com/.

For example:

This is not pinned: https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/pipeline-deps.ps1

This is pinned to a SHA commit hash: https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/pipeline-deps.ps1

Pillar

Security

Additional context

No response</issue_description>

Comments on the Issue (you are @copilot in this section)
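The check both rules describe (a raw.githubusercontent.com script URL must carry a 40-character hex commit SHA rather than a branch or tag ref, and other hosts are not evaluated), as an added Python example that is not part of the PR or of PSRule.Rules.Azure itself. It reads the same ARM resource properties the PR names; the sample resources and the `v1.0.0` tag URL are constructed, and accepting upper-case hex is an assumption.

```python
import re
from urllib.parse import urlparse

# A full 40-character hex SHA-1 commit hash; anything shorter or non-hex is a ref.
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def github_raw_ref(uri: str):
    """Return the ref segment of a raw.githubusercontent.com URL, or None when the
    URL points elsewhere (such URLs are not evaluated by these rules)."""
    parsed = urlparse(uri)
    if parsed.scheme not in ("https", "http") or parsed.netloc.lower() != "raw.githubusercontent.com":
        return None
    parts = parsed.path.strip("/").split("/")
    # Path layout: <owner>/<repo>/<ref>/<path>. A commit SHA is one segment, while
    # 'refs/heads/<branch>' or 'refs/tags/<tag>' spans three segments.
    if len(parts) < 4:
        return None
    if parts[2] == "refs" and len(parts) >= 5:
        return "/".join(parts[2:5])
    return parts[2]

def is_pinned(uri: str):
    """True if pinned to a commit SHA, False if a branch/tag ref, None if not evaluated."""
    ref = github_raw_ref(uri)
    if ref is None:
        return None
    return bool(COMMIT_SHA_RE.match(ref.lower()))  # assumption: upper-case hex also counts

def script_uris(resource: dict):
    """Collect the script URIs the two rules inspect from an ARM resource."""
    props = resource.get("properties", {})
    rtype = resource.get("type", "")
    if rtype == "Microsoft.Automation/automationAccounts/runbooks":
        uri = props.get("publishContentLink", {}).get("uri")
        return [uri] if uri else []
    if rtype == "Microsoft.Resources/deploymentScripts":
        uris = [props.get("primaryScriptUri")] + list(props.get("supportingScriptUris", []))
        return [u for u in uris if u]
    return []

def unpinned_uris(resource: dict):
    """Raw GitHub script URIs in the resource that fail the pinned-commit check."""
    return [u for u in script_uris(resource) if is_pinned(u) is False]

# Constructed sample resources in the shape of the two ARM types the rules target.
SAMPLE_RUNBOOK = {"type": "Microsoft.Automation/automationAccounts/runbooks", "properties": {
    "publishContentLink": {"uri": "https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/refs/heads/main/scripts/run.ps1"}}}
SAMPLE_DEPLOYMENT_SCRIPT = {"type": "Microsoft.Resources/deploymentScripts", "properties": {
    "primaryScriptUri": "https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/8dc395b739a8be00571d039c0af9df88d85c1e2a/scripts/run.ps1",
    "supportingScriptUris": ["https://raw.githubusercontent.com/Azure/PSRule.Rules.Azure/v1.0.0/scripts/helper.ps1",
                             "https://example.com/scripts/other.ps1"]}}
```

`unpinned_uris(SAMPLE_DEPLOYMENT_SCRIPT)` reports only the tag-based helper URL: the SHA-pinned primary script passes and the example.com URL is skipped rather than failed.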



…ment scripts

Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Azure/PSRule.Rules.Azure/sessions/8f0eb337-f4fe-4a54-a839-c00b93239306
Copilot AI changed the title [WIP] Add rule for using pinned script dependencies Add pinned script dependency rules for Automation runbooks and Deployment scripts Mar 25, 2026
Copilot AI requested a review from BernieWhite March 25, 2026 08:57
@BernieWhite
Collaborator

@copilot Update Azure.Automation.RunbookPinned to use rule ID AZR-000543.

Contributor Author

Copilot AI commented Mar 30, 2026

@copilot Update Azure.Automation.RunbookPinned to use rule ID AZR-000543.

Updated in e6fe855.
