Grouping rules
Abstract
Labels are additional metadata that can be used to classify rules. Together with tags they can be used to group or filter rules.
Using labels
When defining a rule you can specify labels to classify or link rules using a framework or standard. A single rule can be linked to multiple labels. For example:
- The Azure Well-Architected Framework (WAF) defines pillars such as Security and Reliability.
- The CIS Benchmarks define a number of control IDs such as 3.12 and 13.4.
To specify labels in YAML, use the labels property:
---
# Synopsis: A rule with labels defined.
apiVersion: github.com/microsoft/PSRule/v1
kind: Rule
metadata:
  name: WithLabels
  labels:
    Azure.WAF/pillar: Security
    Azure.ASB.v3/control: [ 'ID-1', 'ID-2' ]
spec: { }
To specify labels in JSON, use the labels property:
{
  // Synopsis: A rule with labels defined.
  "apiVersion": "github.com/microsoft/PSRule/v1",
  "kind": "Rule",
  "metadata": {
    "name": "WithLabels",
    "labels": {
      "Azure.WAF/pillar": "Security",
      "Azure.ASB.v3/control": [ "ID-1", "ID-2" ]
    }
  },
  "spec": { }
}
To specify labels in PowerShell, use the -Labels parameter:
# Synopsis: A rule with labels defined.
Rule 'WithLabels' -Labels @{ 'Azure.WAF/pillar' = 'Security'; 'Azure.ASB.v3/control' = @('ID-1', 'ID-2') } {
    # Define conditions here
}
Filtering with labels
One reason to assign labels to rules is to filter rules down to a specific subset.
This can be accomplished using baselines and the spec.rule.labels property.
For example:
---
# Synopsis: A baseline which returns only security rules.
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
  name: TestBaseline6
spec:
  rule:
    labels:
      Azure.WAF/pillar: [ 'Security' ]
---
# Synopsis: A baseline which returns any rules that are classified to Azure.WAF/pillar.
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
  name: TestBaseline6
spec:
  rule:
    labels:
      Azure.WAF/pillar: '*'
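The following PowerShell sketch is an added example, not PSRule's implementation or code from the original page. It models how a single-label filter like those in the two baselines above selects rules, assuming that a list-valued label matches when any of its values is allowed and that comparison is case-insensitive. The rule names and the functions Test-LabelFilter and Select-RuleByLabel are hypothetical.

```powershell
# Added example: a stand-alone model of label filtering, not PSRule's own code.
# Rule names and label values are constructed sample data.
$rules = @(
    [pscustomobject]@{ Name = 'Sample.TlsVersion';    Labels = @{ 'Azure.WAF/pillar' = 'Security' } }
    [pscustomobject]@{ Name = 'Sample.ZoneRedundant'; Labels = @{ 'Azure.WAF/pillar' = 'Reliability' } }
    [pscustomobject]@{ Name = 'Sample.KeyRotation';   Labels = @{ 'Azure.WAF/pillar' = @('Security', 'Reliability') } }
    [pscustomobject]@{ Name = 'Sample.Unlabelled';    Labels = @{ } }
)

function Test-LabelFilter {
    param (
        [hashtable]$Labels,   # labels defined on the rule
        [string]$Name,        # label name used in spec.rule.labels
        [string[]]$Allowed    # allowed values, or '*' for any value
    )
    # A rule that does not carry the label never matches, not even '*'.
    if (-not $Labels.ContainsKey($Name)) { return $false }
    if ($Allowed -contains '*') { return $true }
    # Assumption: a label may hold one value or a list; any allowed value matches.
    foreach ($value in @($Labels[$Name])) {
        if ($Allowed -contains $value) { return $true }
    }
    return $false
}

function Select-RuleByLabel {
    param ([object[]]$Rule, [string]$Name, [string[]]$Allowed)
    $Rule |
        Where-Object { Test-LabelFilter -Labels $_.Labels -Name $Name -Allowed $Allowed } |
        ForEach-Object { $_.Name }
}

# Model of the filter "Azure.WAF/pillar: [ 'Security' ]"
Select-RuleByLabel -Rule $rules -Name 'Azure.WAF/pillar' -Allowed 'Security'

# Model of the filter "Azure.WAF/pillar: '*'"
Select-RuleByLabel -Rule $rules -Name 'Azure.WAF/pillar' -Allowed '*'

# Rules that carry no pillar label and so fall outside both filters
$rules | Where-Object { -not $_.Labels.ContainsKey('Azure.WAF/pillar') } |
    ForEach-Object { $_.Name }
```

The last query lists rules that neither filter can select, which is worth checking when a label-filtered baseline is used to report coverage against a framework.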