
policy-compliance-scan's Introduction

GitHub Action for Azure Policy Compliance Scan

With the Azure Policy Compliance Scan action, you can easily trigger an on-demand scan from your GitHub workflow on one or more resources, resource groups or subscriptions, and continue or fail the workflow based on the compliance state of those resources. You can also use this GitHub Action to generate a report on the compliance state of the scanned resources for further analysis or archiving.

New to Azure Policy? It's an Azure service that lets you enforce organizational standards and assess compliance at scale. To learn more, see Azure Policies - Overview.

The definition of this GitHub Action is in action.yml.

Inputs for the Action

  • scopes: Mandatory. Takes the full identifier of one or more Azure resources, resource groups or subscriptions. The on-demand policy compliance scan is triggered for all of them. The identifier (resource ID or subscription ID) can generally be found in the Properties section of the resource in the Azure Portal.
  • scopes-ignore: Optional. Takes the full identifier of one or more Azure resources or resource groups. If resources are found non-compliant after the scan completes, the action fails; with this input you can specify resources or resource groups whose compliance state is ignored, so the action passes irrespective of their compliance state. If you want the action to always pass irrespective of the compliance state of any resource, set its value to 'all'.
  • policy-assignments-ignore: Optional. Takes the full identifier of one or more policy assignments. If resources are found non-compliant against a policy after the scan completes, the action fails; with this input you can specify policy assignment IDs whose compliance state is ignored, so the action passes irrespective of compliance with those policies.
  • wait: Optional. Depending on the breadth of the scopes, a compliance scan can take from a few minutes to several hours. By default, the action waits for the scan to complete and then succeeds or fails based on the compliance state of the resources. If you set this input to false, the action triggers the scan and succeeds immediately; the status of the triggered scan and the compliance state of the resources then have to be viewed in the activity log of the resource in the Azure portal.
  • skip-report: Optional. Defaults to false. If false, the action uploads a CSV file listing the resources that are non-compliant after the triggered scan completes. The CSV file can be downloaded as an artifact of the workflow run for manual analysis. Note that the number of rows in the CSV is capped at 100,000.
  • report-name: Optional. The filename for the CSV to be uploaded. Ignored if skip-report is set to true.
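As an added example (not the action's own code), the Python below reproduces the pass/fail gate that the scopes-ignore and policy-assignments-ignore inputs describe, including the 'all' value, prefix matching for resource-group scopes and the 100,000-row report cap. The record fields, CSV columns, case-insensitive matching and the sample identifiers are constructed assumptions, not taken from the action.

```python
# Added example, not the action's own code: the pass/fail gate that the
# scopes-ignore and policy-assignments-ignore inputs describe. The record
# shape, CSV columns and sample identifiers are constructed assumptions.
import csv
import io
from dataclasses import dataclass

CSV_ROW_CAP = 100_000  # the uploaded report is capped at 100,000 rows


@dataclass(frozen=True)
class ScanRecord:
    resource_id: str
    policy_assignment_id: str
    compliance_state: str  # "Compliant" or "NonCompliant"


def in_scope(resource_id: str, scope: str) -> bool:
    """True if resource_id is the scope itself or nested beneath it, so a
    resource-group scope covers every resource in that group. ARM IDs are
    compared case-insensitively here (an assumption about the action)."""
    rid, s = resource_id.lower(), scope.lower().rstrip("/")
    return rid == s or rid.startswith(s + "/")


def failing_records(records, scopes_ignore=(), policy_assignments_ignore=()):
    """Return the non-compliant records that would make the action fail."""
    if any(s.strip().lower() == "all" for s in scopes_ignore):
        return []  # 'all' makes the action pass whatever the compliance state
    ignored = {a.lower() for a in policy_assignments_ignore}
    return [
        r for r in records
        if r.compliance_state == "NonCompliant"
        and not any(in_scope(r.resource_id, s) for s in scopes_ignore)
        and r.policy_assignment_id.lower() not in ignored
    ]


def write_report(failing, row_cap=CSV_ROW_CAP) -> str:
    """Render the failing records as CSV text, capped like the action's report."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["resourceId", "policyAssignmentId", "complianceState"])
    for r in failing[:row_cap]:
        writer.writerow([r.resource_id, r.policy_assignment_id, r.compliance_state])
    return buf.getvalue()


# Constructed sample mirroring the README's QA / demoApp / my-vm scenario.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
QA = SUB + "/resourceGroups/QA"
DEMO_APP = QA + "/providers/Microsoft.Web/sites/demoApp"
MY_VM = QA + "/providers/Microsoft.Compute/virtualMachines/my-vm"
ASC = SUB + "/providers/Microsoft.Authorization/policyAssignments/asc-default"
CUSTOM = SUB + "/providers/Microsoft.Authorization/policyAssignments/custom-tags"
SAMPLE = [
    ScanRecord(DEMO_APP, CUSTOM, "NonCompliant"),
    ScanRecord(MY_VM, ASC, "NonCompliant"),
    ScanRecord(MY_VM, CUSTOM, "Compliant"),
]
```

Call `failing_records(SAMPLE, scopes_ignore=[QA])` to see a whole resource group ignored, and `write_report(...)` to produce the CSV the report-name input would name.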

End-to-End Sample Workflows

Dependencies on other Github Actions

  • Azure Login Action: Authenticate using the Azure Login action. The Policy Compliance Scan action assumes that Azure Login is done using an Azure service principal with sufficient permissions to trigger a policy compliance scan on the selected scopes. Once login is done, the next Actions in the workflow can perform tasks such as triggering the compliance scan and fetching the compliance state of resources. For more details, see the 'Configure credentials for Azure login action' section in this file, or refer to the full documentation of the Azure Login Action.

This action is supported for the Azure public cloud as well as Azure government clouds ('AzureUSGovernment' or 'AzureChinaCloud') and Azure Stack Hub ('AzureStack'). Before running this action, log in to the respective Azure cloud using Azure Login by setting the appropriate value for the environment parameter.

Sample workflow to trigger a scan on a subscription

# File: .github/workflows/workflow.yml

on: push

jobs:
  assess-policy-compliance:
    runs-on: ubuntu-latest
    steps:
    # Azure Login
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{secrets.AZURE_CREDENTIALS}}
    - name: Check for resource compliance
      uses: azure/policy-compliance-scan@v0
      with:
        # {subscription-id} is a placeholder for the subscription to scan
        scopes: |
          /subscriptions/{subscription-id}

The above workflow triggers a policy compliance scan on the provided subscription, waits until the scan is complete, fetches the latest compliance state of resources and uploads a CSV file containing the list of non-compliant resources and the associated policy assignments. The action fails if there are any non-compliant resources.

Sample workflow to trigger a scan on a resource group and ignore compliance state of an individual resource

# File: .github/workflows/workflow.yml

on: push

jobs:
  assess-policy-compliance:
    runs-on: ubuntu-latest
    steps:
    # Azure Login
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{secrets.AZURE_CREDENTIALS}}
    - name: Check for resource compliance
      uses: azure/policy-compliance-scan@v0
      with:
        # {subscription-id} is a placeholder; 'QA' is the resource group to scan
        scopes: |
          /subscriptions/{subscription-id}/resourceGroups/QA
        # full resource ID of demoApp (assumed here to be a web app)
        scopes-ignore: |
          /subscriptions/{subscription-id}/resourceGroups/QA/providers/Microsoft.Web/sites/demoApp

The above workflow triggers a policy compliance scan on the 'QA' resource group. After the scan is complete, it fetches the compliance state of the resources. The action fails if there are any non-compliant resources except for the 'demoApp' resource.

Sample workflow to trigger a scan at resource(s) level and ignore compliance state for a given policy

# File: .github/workflows/workflow.yml

on: push

jobs:
  assess-policy-compliance:
    runs-on: ubuntu-latest
    steps:
    # Azure Login
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{secrets.AZURE_CREDENTIALS}}
    - name: Check for resource compliance
      uses: azure/policy-compliance-scan@v0
      with:
        # {subscription-id} and {resource-group} are placeholders; the
        # resource types of demoApp and my-vm are assumed here
        scopes: |
          /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Web/sites/demoApp
          /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Compute/virtualMachines/my-vm
        # ID of the Azure Security Center built-in policy assignment (placeholder name)
        policy-assignments-ignore: |
          /subscriptions/{subscription-id}/providers/Microsoft.Authorization/policyAssignments/{security-center-assignment-name}

The above workflow triggers a policy compliance scan on the two resources, demoApp and my-vm. After the scan is complete, it fetches the compliance state of the two resources. The action fails if either resource is non-compliant, except against the Azure Security Center built-in policies.

Sample workflow to trigger a scan on a subscription and continue with workflow without waiting for scan completion

# File: .github/workflows/workflow.yml

on: push

jobs:
  assess-policy-compliance:
    runs-on: ubuntu-latest
    steps:
    # Azure Login
    - name: Login to Azure
      uses: azure/login@v1
      with:
        creds: ${{secrets.AZURE_CREDENTIALS}}
    - name: Check for resource compliance
      uses: azure/policy-compliance-scan@v0
      with:
        # {subscription-id} is a placeholder for the subscription to scan
        scopes: |
          /subscriptions/{subscription-id}
        # do not block the workflow on scan completion
        wait: false
    - run: |
        echo 'Running scripts...'

The above workflow triggers a policy compliance scan on the provided subscription and proceeds to the next step without waiting for the scan to complete. In this case, if the scan is triggered successfully, the action is marked as passed. To see the progress and result of the scan, refer to the activity logs for the subscription or resource group.

Configure credentials for Azure login action:

With the Azure Login action, you can log in to Azure using an Azure service principal. The credentials of the service principal can be added as secrets in the GitHub repository and then used in the workflow. Follow the steps below to generate the credentials and store them in GitHub.

  • Prerequisite: You should have the Azure CLI installed on your local machine to run the command, or use Cloud Shell in the Azure portal. To install the Azure CLI, follow Install Azure CLI. To use Cloud Shell, follow CloudShell Quickstart. Once you have one of these ready, follow these steps:

  • Run the Azure CLI command below and copy the output JSON object to your clipboard.

   az ad sp create-for-rbac --name "myApp" --role contributor \
                            --scopes /subscriptions/{subscription-id} \
                            --sdk-auth
  # Replace {subscription-id} with the subscription identifier.
  # --sdk-auth makes the CLI emit the JSON shape the Azure Login action expects.
  # The command should output a JSON object similar to this:

  {
    "clientId": "<GUID>",
    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
    ...
  }
  • Define a 'New secret' under your GitHub repository settings -> 'Secrets' menu. Let's name it 'AZURE_CREDENTIALS'.
  • Paste the contents of the clipboard as the value of the above secret variable.
  • Use the secret variable in the Azure Login Action (refer to the examples above).

If needed, you can modify the Azure CLI command to further reduce the scope for which permissions are granted. Here is the command that gives contributor access to only a resource group.

   az ad sp create-for-rbac --name "myApp" --role contributor \
                            --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
                            --sdk-auth
  # Replace {subscription-id} and {resource-group} with the subscription and resource group identifiers.

You can also grant permissions on multiple scopes with the Azure CLI command:

   az ad sp create-for-rbac --name "myApp" --role contributor \
                            --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group1} \
                                     /subscriptions/{subscription-id}/resourceGroups/{resource-group2} \
                            --sdk-auth
  # Replace {subscription-id}, {resource-group1} and {resource-group2} with the subscription and resource group identifiers.


This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.


policy-compliance-scan's Issues

Unexpected token ( in JSON at position 109


We get SyntaxError: Unexpected token ( in JSON at position 109 when running the action as per example. Workflow:

name: 'Az Policy Scan'
# trigger and job keys reconstructed around the posted branch name
on:
  push:
    branches:
      - test-az-policy-action
jobs:
  scan:
    runs-on: ubuntu-22.04
    steps:
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.SP_CBF_IPEXDEVOPS_NONPRD }}
      - name: Check for resource compliance
        uses: azure/policy-compliance-scan@v0
        with:
          scopes: |
            /subscriptions/{subscription-id}

Log excerpts:

2022-11-02T08:25:06.4629185Z No resources ignored
2022-11-02T08:25:06.4630475Z ----------------------------------------------------------------------------------------------------
2022-11-02T08:25:06.4632573Z ##[debug]# of Unique resourceIds scanned : 23
2022-11-02T08:25:06.4633954Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:25:06.4634659Z ##[debug]Second set of batch calls - Fetching all details of non-compliant resourceIds::
2022-11-02T08:25:06.4635321Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:25:06.4636190Z ##[debug]Getting results for requests # 0 to # 22  ==>
2022-11-02T08:25:06.4637169Z ##[debug]Batch request :: Batch URL: # Requests: 23
2022-11-02T08:25:06.4639031Z ##[debug]	Request URL sample: =>***/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2019-10-01&$expand=PolicyEvaluationDetails
2022-11-02T08:25:06.4640309Z ##[debug][POST]
2022-11-02T08:25:06.5105185Z ##[debug]Batch response :: Status: 202 Location: Body: undefined
2022-11-02T08:25:06.5107318Z ##[debug]Polling requests # 1  ==>
2022-11-02T08:26:06.5133421Z ##[debug]Batch request :: Batch URL: # Requests: 0
2022-11-02T08:26:06.5136008Z ##[debug][GET]
2022-11-02T08:26:06.6499384Z ##[debug]Batch response :: Status: 200 Location: undefined Body: [object Object]
2022-11-02T08:26:06.6500149Z ##[debug]Status :: Pending 0 responses. | Completed 1 responses.
2022-11-02T08:26:06.6501293Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6501751Z ##[debug]Saving 23 completed responses.
2022-11-02T08:26:06.6502202Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6502853Z ##[debug]# of paginated calls: 0
2022-11-02T08:26:06.6503412Z ##[debug]Getting batch calls final responses # :: 23
2022-11-02T08:26:06.6506072Z ----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6506508Z Ignoring policy assignments : 
2022-11-02T08:26:06.6508702Z ----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6509317Z An error has occured while parsing policyEvaluationDetails [[object Object]]. Error: SyntaxError: Unexpected token ( in JSON at position 109.
2022-11-02T08:26:06.6510318Z An error has occured while parsing policyEvaluationDetails [[object Object]]. Error: SyntaxError: Unexpected token ( in JSON at position 109.
2022-11-02T08:26:06.6537535Z ----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6538336Z No policy assignments ignored
2022-11-02T08:26:06.6539585Z ----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6561525Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6562565Z ##[debug]Saved 131 records to intermediate file.
2022-11-02T08:26:06.6563445Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6565359Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6566033Z ##[debug]Results saved. Time taken in ms:: 60447
2022-11-02T08:26:06.6566731Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6573014Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6573437Z ##[debug]Reading from json file
2022-11-02T08:26:06.6573881Z ##[debug]----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6574532Z ----------------------------------------------------------------------------------------------------
2022-11-02T08:26:06.6575002Z Policy compliance scan report:: Total records : 131
2022-11-02T08:26:06.6575832Z ----------------------------------------------------------------------------------------------------

Subscriptions are not included as non-compliant resources

I am running the action with scope set to multiple subscriptions, but even though there are non-compliant resources of type "Microsoft.Resources/subscriptions", those resources are not included in the report.
Is this an issue or am I missing something?

Node.js 12 Deprecation Warning for @v0

Actions run against this have the following code warning:

Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: azure/policy-compliance-scan@v0. For more information see:

Feature request: ignore policy assignment


We'd like to ignore a given policy assignment; is there a plan to add such a feature in the future?

Our use case: along with our custom policies, we have the Azure Security Center built-in policy initiative, which contains policies that are partially non-relevant for our needs.

We could have a new input that would look like this:

  - name: Check for compliance
    uses: azure/policy-compliance-scan@v0
    with:
      scopes: |
        /subscriptions/{subscription-id}
      assignment-ignore: |
        /subscriptions/{subscription-id}/providers/Microsoft.Authorization/policyAssignments/{assignment-name}

Scope as variable


I would like to ask if we can add the scope as a variable?
So every time a new subscription is created we automatically set it instead of modifying subscriptions.

Unable to use policy-assignments-ignore argument

When I try to use the policy-assignments-ignore argument I get the warning below...

Warning: Unexpected input(s) 'policy-assignments-ignore', valid inputs are ['scopes', 'scopes-ignore', 'wait', 'skip-report', 'report-name']

and the scan does not ignore the policy. Has this change been released on GitHub for everyone to use, or has only the code been updated... or am I just using it wrong?

The end of my action yaml is below with the guids removed...

        uses: azure/policy-compliance-scan@v0
        with:
          scopes: |
            /subscriptions/{subscription-id}
          policy-assignments-ignore: |
            /subscriptions/{subscription-id}/providers/Microsoft.Authorization/policyAssignments/{assignment-guid}

CIS Benchmarks?

Does this include CIS Benchmarks scanning?
If not, are any tools available to scan Azure CIS Benchmarks?
Thank you.
