PSRule
A cross-platform module to validate infrastructure as code (IaC) and objects using PowerShell rules. PSRule works great and integrates with popular continuous integration (CI) systems.
Features of PSRule include:
- Extensible - Use PowerShell, a flexible scripting language.
- Cross-platform - Run on MacOS, Linux, and Windows.
- Reusable - Share rules across teams or organizations.
- Recommendations - Include detailed instructions to remediate issues.
Support
This project uses GitHub Issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates.
- For new issues, file your bug or feature request as a new issue.
- For help, discussion, and support questions about using this project, join or start a discussion.
Support for this project/ product is limited to the resources listed above.
Getting the module
You can download and install the PSRule module from the PowerShell Gallery.
| Module | Description | Downloads / instructions |
|---|---|---|
| PSRule | Validate infrastructure as code (IaC) and objects using PowerShell rules. | latest / instructions |
For rule and integration modules see related projects.
Getting extensions
Companion extensions are available for the following platforms.
| Platform | Description | Downloads / instructions |
|---|---|---|
| Azure Pipelines | Validate infrastructure as code (IaC) and DevOps repositories using Azure Pipelines. | latest / instructions |
| GitHub Actions | Validate infrastructure as code (IaC) and DevOps repositories using GitHub Actions. | latest / instructions |
| Visual Studio Code | Visual Studio Code extension for PSRule. | latest / instructions |
Getting started
The following example shows basic PSRule usage for validating PowerShell objects. For specific use cases see scenarios.
For frequently asked questions, see the FAQ.
Define a rule
To define a rule, use a Rule block saved to a file with the .Rule.ps1 extension.
Rule 'NameOfRule' {
# Rule conditions
}
Within the body of the rule provide one or more conditions.
A condition is valid PowerShell that results in $True or $False.
For example:
Rule 'isFruit' {
# Condition to determine if the object is fruit
$TargetObject.Name -in 'Apple', 'Orange', 'Pear'
}
An optional result message can be added to by using the Recommend keyword.
Rule 'isFruit' {
# An recommendation to display in output
Recommend 'Fruit is only Apple, Orange and Pear'
# Condition to determine if the object is fruit
$TargetObject.Name -in 'Apple', 'Orange', 'Pear'
}
The rule is saved to a file named isFruit.Rule.ps1 file.
One or more rules can be defined within a single file.
Execute a rule
To execute the rule use Invoke-PSRule.
For example:
# Define objects to validate
$items = @();
$items += [PSCustomObject]@{ Name = 'Fridge' };
$items += [PSCustomObject]@{ Name = 'Apple' };
# Validate each item using rules saved in current working path
$items | Invoke-PSRule;
The output of this example is:
TargetName: Fridge
RuleName Outcome Recommendation
-------- ------- --------------
isFruit Fail Fruit is only Apple, Orange and Pear
TargetName: Apple
RuleName Outcome Recommendation
-------- ------- --------------
isFruit Pass Fruit is only Apple, Orange and Pear
Additional options
To filter results to only non-fruit results, use Invoke-PSRule -Outcome Fail.
Passed, failed and error results are shown by default.
# Only show non-fruit results
$items | Invoke-PSRule -Outcome Fail;
For a summary of results for each rule use Invoke-PSRule -As Summary.
For example:
# Show rule summary
$items | Invoke-PSRule -As Summary;
The output of this example is:
RuleName Pass Fail Outcome
-------- ---- ---- -------
isFruit 1 1 Fail
An optional failure reason can be added to the rule block by using the Reason keyword.
Rule 'isFruit' {
# An recommendation to display in output
Recommend 'Fruit is only Apple, Orange and Pear'
# An failure reason to display for non-fruit
Reason "$($PSRule.TargetName) is not fruit."
# Condition to determine if the object is fruit
$TargetObject.Name -in 'Apple', 'Orange', 'Pear'
}
To include the reason with output use Invoke-PSRule -OutputFormat Wide.
For example:
# Show failure reason for failing results
$items | Invoke-PSRule -OutputFormat Wide;
The output of this example is:
TargetName: Fridge
RuleName Outcome Reason Recommendation
-------- ------- ------ --------------
isFruit Fail Fridge is not fruit. Fruit is only Apple, Orange and Pear
TargetName: Apple
RuleName Outcome Reason Recommendation
-------- ------- ------ --------------
isFruit Pass Fruit is only Apple, Orange and Pear
The final rule is saved to isFruit.Rule.ps1.
Scenarios
For walk through examples of PSRule usage see:
- Validate Azure resource configuration
- Validate Azure resources tags
- Validate Kubernetes resources
- Using within continuous integration
- Packaging rules in a module
- Writing rule help
Language reference
PSRule extends PowerShell with domain specific language (DSL) keywords, cmdlets and automatic variables.
Keywords
The following language keywords are used by the PSRule module:
- Rule - A rule definition.
- Exists - Assert that a field or property must exist.
- Match - Assert that the field must match any of the regular expressions.
- AnyOf - Assert that any of the child expressions must be true.
- AllOf - Assert that all of the child expressions must be true.
- Within - Assert that the field must match any of the values.
- TypeOf - Assert that the object must be of a specific type.
- Reason - Return a reason for why the rule failed.
- Recommend - Return a recommendation to resolve the issue and pass the rule.
Commands
The following commands exist in the PSRule module:
- Assert-PSRule - Evaluate objects against matching rules and assert any failures.
- Get-PSRule - Get a list of rule definitions.
- Get-PSRuleBaseline - Get a list of baselines.
- Get-PSRuleHelp - Get documentation for a rule.
- Get-PSRuleTarget - Get a list of target objects.
- Invoke-PSRule - Evaluate objects against matching rules and output the results.
- New-PSRuleOption - Create options to configure PSRule execution.
- Set-PSRuleOption - Sets options that configure PSRule execution.
- Test-PSRuleTarget - Pass or fail objects against matching rules.
Concepts
The following conceptual topics exist in the PSRule module:
-
Assert
- Contains
- EndsWith
- FileHeader
- FilePath
- Greater
- GreaterOrEqual
- HasDefaultValue
- HasField
- HasFields
- HasFieldValue
- HasJsonSchema
- In
- IsArray
- IsBoolean
- IsInteger
- IsLower
- IsNumeric
- IsString
- IsUpper
- JsonSchema
- Less
- LessOrEqual
- Match
- NotHasField
- NotIn
- NotMatch
- NotNull
- Null
- NullOrEmpty
- TypeOf
- StartsWith
- Version
- Baselines
- Docs
-
Options
- Binding.Field
- Binding.IgnoreCase
- Binding.NameSeparator
- Binding.TargetName
- Binding.TargetType
- Binding.UseQualifiedName
- Configuration
- Execution.LanguageMode
- Execution.InconclusiveWarning
- Execution.NotProcessedWarning
- Input.Format
- Input.ObjectPath
- Input.PathIgnore
- Input.TargetType
- Logging.LimitDebug
- Logging.LimitVerbose
- Logging.RuleFail
- Logging.RulePass
- Output.As
- Output.Culture
- Output.Encoding
- Output.Format
- Output.Outcome
- Output.Path
- Output.Style
- Rule.Include
- Rule.Exclude
- Rule.Tag
- Suppression
- Variables
Schemas
PSRule uses the following schemas:
- Options - Schema for PSRule YAML options file.
- Resources - Schema for PSRule YAML resources such as baselines.
Related projects
The following projects use or integrate with PSRule.
| Name | Description |
|---|---|
| PSRule.Rules.Azure | A suite of rules to validate Azure resources and infrastructure as code (IaC) using PSRule. |
| PSRule.Rules.Kubernetes | A suite of rules to validate Kubernetes resources using PSRule. |
| PSRule.Rules.CAF | A suite of rules to validate Azure resources against the Cloud Adoption Framework (CAF) using PSRule. |
| PSRule.Rules.GitHub | A suite of rules to validate GitHub repositories using PSRule. |
| PSRule.Rules.MSFT.OSS | A suite of rules to validate repositories against Microsoft Open Source Software (OSS) requirements. |
| PSRule.Monitor | Send and query PSRule analysis results in Azure Monitor. |
| PSRule-pipelines | Validate infrastructure as code (IaC) and DevOps repositories using Azure Pipelines. |
| ps-rule | Validate infrastructure as code (IaC) and DevOps repositories using GitHub Actions. |
| PSRule-vscode | Visual Studio Code extension for PSRule. |
Changes and versioning
Modules in this repository use semantic versioning to declare breaking changes. For a list of module changes please see the change log.
Pre-release module versions are created on major commits and can be installed from the PowerShell Gallery. Pre-release versions should be considered experimental. Modules and change log details for pre-releases will be removed as stable releases are made available.
Contributing
This project welcomes contributions and suggestions. If you are ready to contribute, please visit the contribution guide.
Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
Maintainers
License
This project is licensed under the MIT License.