Azure · reynoldsa · Aug 1, 2024 · Jul 28, 2024 · Aug 1, 2024 · Aug 1, 2024
@@ -143,7 +143,11 @@ private void SetupCommonOptionsForCommands(List<Command> commands)
 
                 new Option(
                     "--include-non-security-rules",
-                    "Run all the rules against the templates, including non-security rules")
+                    "Run all the rules against the templates, including non-security rules"),
+
+                new Option<FileInfo>(
+                    "--custom-rules-json-path",
+                    "The rules JSON file to use against the templates. If not specified, will use the default rule set that is shipped with the tool.")
             };
 
             commands.ForEach(c => options.ForEach(c.AddOption));
@@ -157,7 +161,8 @@ private int AnalyzeTemplateCommandHandler(
             ReportFormat reportFormat,
             FileInfo outputFilePath,
             bool includeNonSecurityRules,
-            bool verbose)
+            bool verbose,
+            FileInfo customRulesJsonPath)
         {
             // Check that template file paths exist
             if (!templateFilePath.Exists)
@@ -166,7 +171,7 @@ private int AnalyzeTemplateCommandHandler(
                 return (int)ExitCode.ErrorInvalidPath;
             }
 
-            var setupResult = SetupAnalysis(configFilePath, directoryToAnalyze: null, reportFormat, outputFilePath, includeNonSecurityRules, verbose);
+            var setupResult = SetupAnalysis(configFilePath, directoryToAnalyze: null, reportFormat, outputFilePath, includeNonSecurityRules, verbose, customRulesJsonPath);
             if (setupResult != ExitCode.Success)
             {
                 return (int)setupResult;
@@ -203,15 +208,16 @@ private int AnalyzeDirectoryCommandHandler(
             ReportFormat reportFormat,
             FileInfo outputFilePath,
             bool includeNonSecurityRules,
-            bool verbose)
+            bool verbose,
+            FileInfo customRulesJsonPath)
         {
             if (!directoryPath.Exists)
             {
                 Console.Error.WriteLine("Invalid directory: {0}", directoryPath);
                 return (int)ExitCode.ErrorInvalidPath;
             }
 
-            var setupResult = SetupAnalysis(configFilePath, directoryPath, reportFormat, outputFilePath, includeNonSecurityRules, verbose);
+            var setupResult = SetupAnalysis(configFilePath, directoryPath, reportFormat, outputFilePath, includeNonSecurityRules, verbose, customRulesJsonPath);
             if (setupResult != ExitCode.Success)
             {
                 return (int)setupResult;
@@ -278,7 +284,8 @@ private ExitCode SetupAnalysis(
             ReportFormat reportFormat,
             FileInfo outputFilePath,
             bool includeNonSecurityRules,
-            bool verbose)
+            bool verbose,
+            FileInfo customRulesJsonPath)
         {
             // Output file path must be specified if SARIF was chosen as the report format
             if (reportFormat == ReportFormat.Sarif && outputFilePath == null)
@@ -290,7 +297,7 @@ private ExitCode SetupAnalysis(
             this.reportWriter = GetReportWriter(reportFormat, outputFilePath, directoryToAnalyze?.FullName);
             CreateLoggers(verbose);
 
-            this.templateAnalyzer = TemplateAnalyzer.Create(includeNonSecurityRules, this.logger);
+            this.templateAnalyzer = TemplateAnalyzer.Create(includeNonSecurityRules, this.logger, customRulesJsonPath);
 
             if (!TryReadConfigurationFile(configurationFile, out var config))
             {

@@ -226,6 +226,30 @@ public void FilterRules_ValidConfiguration_NoExceptionThrown()
             TemplateAnalyzer.Create(false).FilterRules(new ConfigurationDefinition());
         }
 
+        [TestMethod]
+        public void CustomRulesFileIsProvided_NoExceptionThrown()
+        {
+            var rulesDir = Path.Combine(
+                Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location),
+                "Rules");
+            var rulesFile = Path.Combine(rulesDir, "BuiltInRules.json");
+            var movedFile = Path.Combine(rulesDir, "MovedRules.json");
+
+            // Move rules file
+            File.Move(rulesFile, movedFile);
+
+            var customRulesFile = new FileInfo(movedFile);
+
+            try
+            {
+                TemplateAnalyzer.Create(false, null, customRulesFile);
+            }
+            finally
+            {
+                File.Move(movedFile, rulesFile, overwrite: true);
+            }
+        }
+
         [TestMethod]
         [ExpectedException(typeof(ArgumentNullException))]
         public void FilterRules_ConfigurationNull_ExceptionThrown()

@@ -51,13 +51,14 @@ private TemplateAnalyzer(JsonRuleEngine jsonRuleEngine, PowerShellRuleEngine pow
         /// </summary>
         /// <param name="includeNonSecurityRules">Whether or not to run also non-security rules against the template.</param>
         /// <param name="logger">A logger to report errors and debug information</param>
+        /// <param name="customRulesJsonPath">An optional custom rules json file path.</param>
         /// <returns>A new <see cref="TemplateAnalyzer"/> instance.</returns>
-        public static TemplateAnalyzer Create(bool includeNonSecurityRules, ILogger logger = null)
+        public static TemplateAnalyzer Create(bool includeNonSecurityRules, ILogger logger = null, FileInfo customRulesJsonPath = null)
         {
             string rules;
             try
             {
-                rules = LoadRules();
+                rules = LoadRules(customRulesJsonPath);
             }
             catch (Exception e)
             {
@@ -224,12 +225,16 @@ private IEnumerable<IEvaluation> AnalyzeAllIncludedTemplates(string populatedTem
             }
         }
 
-        private static string LoadRules()
+        private static string LoadRules(FileInfo rulesFile)
         {
-            return File.ReadAllText(
-                Path.Combine(
+            rulesFile ??= new FileInfo(Path.Combine(
                     Path.GetDirectoryName(AppContext.BaseDirectory),
                     "Rules/BuiltInRules.json"));
+
+            using var fileStream = rulesFile.OpenRead();
+            using var streamReader = new StreamReader(fileStream);
+
+            return streamReader.ReadToEnd();
         }
 
         /// <summary>