feat: add Azure.VM.SecureBoot and Azure.VMSS.SecureBoot rules (AZR-000538 and AZR-000539)#3731
…3728, Azure#3730)

Add rules to check that VMs and VMSS use Trusted Launch with Secure Boot enabled (or ConfidentialVM security type).

- Azure.VM.SecureBoot (AZR-000535)
- Azure.VMSS.SecureBoot (AZR-000536)

Includes:
- Rule definitions for VM and VMSS
- Localized error messages
- Documentation with ARM and Bicep examples
- Isolated test data and Pester tests
…secure boot rules

- Add changelog entries for Azure.VM.SecureBoot (AZR-000535) and Azure.VMSS.SecureBoot (AZR-000536)
- Add missing Id field to all test data entries in Resources.VM.SecureBoot.json
- Add vmss-secureBoot-confidential test case with ConfidentialVM security type
- Update Pester test assertions to account for new VMSS pass case

https://claude.ai/code/session_01MBAfB8do1VZiMY1HsJaWZG
Pull request overview
Adds two new PSRule security rules to validate that Azure VMs and VMSS use Trusted Launch (or Confidential VM) with Secure Boot enabled, along with documentation, localization, changelog, and dedicated tests/resources.
Changes:
- Added `Azure.VM.SecureBoot` and `Azure.VMSS.SecureBoot` rules to validate `securityType` and `secureBootEnabled`.
- Added localized reason strings and new rule documentation pages with ARM/Bicep examples.
- Added isolated Pester tests and JSON resource fixtures for pass/fail coverage.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| tests/PSRule.Rules.Azure.Tests/Resources.VM.SecureBoot.json | Adds VM/VMSS resource fixtures covering pass/fail Secure Boot scenarios |
| tests/PSRule.Rules.Azure.Tests/Azure.VM.SecureBoot.Tests.ps1 | Adds Pester coverage for both new rules using the new fixture file |
| src/PSRule.Rules.Azure/rules/Azure.VMSS.Rule.ps1 | Introduces Azure.VMSS.SecureBoot rule assertions and localized reasons |
| src/PSRule.Rules.Azure/rules/Azure.VM.Rule.ps1 | Introduces Azure.VM.SecureBoot rule assertions and localized reasons |
| src/PSRule.Rules.Azure/en/PSRule-rules.psd1 | Adds localized reason strings for the new rule failures |
| docs/en/rules/Azure.VMSS.SecureBoot.md | Documents the VMSS rule intent and deployment examples |
| docs/en/rules/Azure.VM.SecureBoot.md | Documents the VM rule intent and deployment examples |
| docs/changelog.md | Records the new rules in the Unreleased changelog |
- Docs: SYNOPSIS and RECOMMENDATION now mention both TrustedLaunch and ConfidentialVM to match actual rule behavior
- Docs: grammar fix for TPM description
- Localization: error messages now include literal property values ('TrustedLaunch' or 'ConfidentialVM') for clearer remediation
- Tests: replaced Should -BeIn with Should -Contain per name to correctly validate arrays of TargetName results
BernieWhite
left a comment
Thanks for your contribution @coder999999999. Your suggested rules look great.
There are a few minor changes required, please see comments below.
```powershell
$here = (Resolve-Path $PSScriptRoot).Path;
}

Describe 'Azure.VM.SecureBoot' -Tag 'VM', 'SecureBoot' {
```
We need to move these tests into Azure.VM.Tests.ps1 and Azure.VMSS.Tests.ps1. It negatively impacts performance of the unit tests if we're running Invoke-PSRule too many times. We're actively trying to improve this.
- Bumped rule IDs: AZR-000538 (VM), AZR-000539 (VMSS)
- Updated ruleSet to 2026_06
- Replaced SYNOPSIS and DESCRIPTION with BernieWhite's suggested text covering threat model and verification
Summary
Closes #3728, closes #3730
Adds two new security rules to check that VMs and VMSS use Trusted Launch (or Confidential VM) with Secure Boot enabled.
New Rules
| Rule | Resource type |
|---|---|
| Azure.VM.SecureBoot | Microsoft.Compute/virtualMachines |
| Azure.VMSS.SecureBoot | Microsoft.Compute/virtualMachineScaleSets |

Both rules accept `TrustedLaunch` or `ConfidentialVM` as valid security types and verify `secureBootEnabled` is `true`.

Changes
- `Azure.VM.Rule.ps1`, `Azure.VMSS.Rule.ps1` — new rule definitions
- `PSRule-rules.psd1` — 4 new error message strings
- `Azure.VM.SecureBoot.md`, `Azure.VMSS.SecureBoot.md` — includes ARM template and Bicep examples
- `changelog.md` — entries for both rules
- `Azure.VM.SecureBoot.Tests.ps1` with dedicated test data `Resources.VM.SecureBoot.json` — does not modify existing test files or counts

Test Coverage
- vm-secureBoot-pass
- vm-secureBoot-confidential
- vm-secureBoot-fail-none
- vm-secureBoot-fail-disabled
- vmss-secureBoot-pass
- vmss-secureBoot-confidential
- vmss-secureBoot-fail-none
- vmss-secureBoot-fail-disabled

References
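The condition both rules check, restated as a stand-alone script so the pass/fail split across the eight test cases above can be run offline. This is an added example for this page, not the PR's PSRule rule code; it assumes the ARM schema locations of the security profile (`properties.securityProfile` for a VM, `properties.virtualMachineProfile.securityProfile` for a VMSS), and the fixtures it evaluates are constructed here after the PR's test-case names, not taken from `Resources.VM.SecureBoot.json`.

```python
"""Stand-alone re-implementation of the Secure Boot check the two rules perform.

Added example, not the PR's PSRule rule code. The property paths below are the
ARM schema locations of securityProfile for VMs and VMSS; the fixtures are
constructed for this script.
"""

ALLOWED_SECURITY_TYPES = {"TrustedLaunch", "ConfidentialVM"}

# Where each resource type keeps its securityProfile in the ARM schema.
SECURITY_PROFILE_PATH = {
    "Microsoft.Compute/virtualMachines": ("properties", "securityProfile"),
    "Microsoft.Compute/virtualMachineScaleSets": (
        "properties", "virtualMachineProfile", "securityProfile"),
}


def _get(obj, *path):
    """Walk nested dicts; return None as soon as a key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_secure_boot(resource):
    """Return (result, reason). result is True/False, or None when the rule
    does not apply to this resource type.

    Mirrors the two assertions described in the PR: securityType must be
    TrustedLaunch or ConfidentialVM, and uefiSettings.secureBootEnabled must
    be true. A missing securityProfile (no Trusted Launch configured at all)
    fails the first assertion.
    """
    path = SECURITY_PROFILE_PATH.get(resource.get("type"))
    if path is None:
        return None, "rule does not apply to this resource type"
    profile = _get(resource, *path)
    if not isinstance(profile, dict):
        profile = {}
    security_type = profile.get("securityType")
    if security_type not in ALLOWED_SECURITY_TYPES:
        return False, (f"securityType is {security_type!r}; "
                       "expected 'TrustedLaunch' or 'ConfidentialVM'")
    if _get(profile, "uefiSettings", "secureBootEnabled") is not True:
        return False, "uefiSettings.secureBootEnabled is not true"
    return True, f"{security_type} with Secure Boot enabled"


def _vm(name, profile):
    props = {} if profile is None else {"securityProfile": profile}
    return {"name": name, "type": "Microsoft.Compute/virtualMachines",
            "properties": props}


def _vmss(name, profile):
    vm_profile = {} if profile is None else {"securityProfile": profile}
    return {"name": name, "type": "Microsoft.Compute/virtualMachineScaleSets",
            "properties": {"virtualMachineProfile": vm_profile}}


TRUSTED_LAUNCH_ON = {"securityType": "TrustedLaunch",
                     "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}}
CONFIDENTIAL_ON = {"securityType": "ConfidentialVM",
                   "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}}
TRUSTED_LAUNCH_OFF = {"securityType": "TrustedLaunch",
                      "uefiSettings": {"secureBootEnabled": False, "vTpmEnabled": True}}

# Constructed fixtures, named after the PR's test cases (not the PR's JSON).
FIXTURES = [
    _vm("vm-secureBoot-pass", TRUSTED_LAUNCH_ON),
    _vm("vm-secureBoot-confidential", CONFIDENTIAL_ON),
    _vm("vm-secureBoot-fail-none", None),
    _vm("vm-secureBoot-fail-disabled", TRUSTED_LAUNCH_OFF),
    _vmss("vmss-secureBoot-pass", TRUSTED_LAUNCH_ON),
    _vmss("vmss-secureBoot-confidential", CONFIDENTIAL_ON),
    _vmss("vmss-secureBoot-fail-none", None),
    _vmss("vmss-secureBoot-fail-disabled", TRUSTED_LAUNCH_OFF),
]


def evaluate(resources):
    """Return {name: passed} for every resource the rule applies to."""
    results = {}
    for res in resources:
        passed, _ = check_secure_boot(res)
        if passed is not None:
            results[res["name"]] = passed
    return results


if __name__ == "__main__":
    for res in FIXTURES:
        passed, reason = check_secure_boot(res)
        print(f"{'Pass' if passed else 'Fail'}  {res['name']}: {reason}")
```

The reason strings follow the localization change noted earlier in the thread: a failure names the literal values that would satisfy the check, so a remediation can be read straight off the result. Resources of any other type are skipped rather than failed, matching a type-scoped rule.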