Merge pull request #306 from Azure/development
Merge development into main for version 0.4
VeraBE authored Nov 9, 2022
2 parents 9328421 + a09db7b commit 657b0de
Showing 51 changed files with 1,649 additions and 284 deletions.
16 changes: 10 additions & 6 deletions README.md
Expand Up @@ -2,7 +2,6 @@
[![Code Coverage](https://shields.io/azure-devops/coverage/azure/template-analyzer/91)](https://dev.azure.com/azure/template-analyzer/_build/latest?definitionId=91&branchName=main)

# Template Best Practice Analyzer (BPA)
***Note**: The Template BPA is currently in development. It is not yet recommended for production usage.*

## What is the Template BPA?
The Template BPA scans ARM ([Azure Resource Manager](https://docs.microsoft.com/azure/azure-resource-manager/templates/overview)) and [Bicep](https://docs.microsoft.com/azure/azure-resource-manager/bicep/) Infrastructure-as-Code (IaC) templates to ensure security and best practice checks are being followed before deployment of your Azure solutions.
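Review bot: dropping the "not yet recommended for production usage" note changes the tool's stated support status, and nothing in this hunk records that decision; the 0.4 release notes or the PR description should say explicitly that the Template BPA is now considered suitable for production use. The matching note in docs/authoring-json-rules.md is reworded later in this PR, so please make sure the two documents end up saying the same thing about maturity.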
@@ -37,7 +36,7 @@ Argument | Description
**(Optional)** `-v` or `--verbose` | Shows details about the analysis
**(Optional)** `--include-non-security-rules` | Run all the rules against the templates, including non-security rules

The Template BPA runs the [configured rules](#understanding-and-customizing-rules) against the provided template and its corresponding [template parameters](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameter-files), if specified. If no template parameters are specified, then the Template BPA generates the minimum number of placeholder parameters to properly evaluate [template functions](https://docs.microsoft.com/azure/azure-resource-manager/templates/template-functions) in the template.
The Template BPA runs the [configured rules](#understanding-and-customizing-rules) against the provided template and its corresponding [template parameters](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameter-files), if specified. If no template parameters are specified, then the Template BPA will check if templates with the [general naming standards defined by Microsoft](https://learn.microsoft.com/azure/azure-resource-manager/templates/parameter-files#file-name) are present in the same folder, otherwise it generates the minimum number of placeholder parameters to properly evaluate [template functions](https://docs.microsoft.com/azure/azure-resource-manager/templates/template-functions) in the template.

**Note**: Providing the Template BPA with template parameter values will result in more accurate results as it will more accurately represent your deployments. The values provided to parameters may affect the evaluation of the Template BPA rule, altering its results. That said, **DO NOT** save sensitive data (passwords, connection strings, etc.) in parameter files in your repositories. Instead, [retrieve these values from your template from Azure Key Vault](https://docs.microsoft.com/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-static-id).

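Review bot: the new sentence says the BPA "will check if templates with the general naming standards" are present, but the linked standard covers parameter file names, so this should read "parameter files", e.g. "will check whether a parameter file following the general naming standards defined by Microsoft is present in the same folder". Because this auto-discovery silently changes which parameter values the rules are evaluated against (the note just below explains that those values can alter a rule's result), the analyzer should report which parameter file it picked up, at least under `-v`/`--verbose`, so a finding can be traced back to the file that produced it; otherwise a stray parameter file sitting next to the template could flip a rule outcome with nothing in the output saying why.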
@@ -53,12 +52,17 @@ For a template which deploys an API App that does not require HTTPS, running the
File: C:\Templates\azuredeploy.json
AppServiceApiApp_HTTPS: API App should only be accessible over HTTPS
More information: https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md#api-app-should-only-be-accessible-over-https
TA-000004: API app should only be accessible over HTTPS
Severity: Medium
Recommendation: Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks
More information: https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md#ta-000004-api-app-should-only-be-accessible-over-https
Result: Failed
Line: 114
Line: 67
Rules passed: 25
Rules passed: 16
Execution summary:
The execution completed successfully
```

#### SARIF
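Review bot: the sample output now links to the anchor `#ta-000004-api-app-should-only-be-accessible-over-https` and drops `#api-app-should-only-be-accessible-over-https`; confirm that the corresponding heading in docs/built-in-bpa-rules.md is renamed in this PR so the "More information" link actually resolves. Two other details in the same example need a sentence of explanation: "Rules passed" falls from 25 to 16, and if that is because non-security rules are now skipped unless `--include-non-security-rules` is passed, the example should say which invocation produced it; and the output prints "Severity: Medium" while the rule schema documents severity as an integer from 1 to 3, so the mapping between the two should be stated somewhere in the docs.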
12 changes: 8 additions & 4 deletions docs/authoring-json-rules.md
@@ -1,5 +1,5 @@
# Authoring Template BPA JSON Rules
<a name="note"></a>***Note**: The Template BPA is currently in development. All features that have yet to be implemented have been flagged with an asterisk [\*].*
<a name="note"></a>***Note**: All features that have yet to be implemented have been flagged with an asterisk [\*].*

## Overview
Template BPA built-in rules are authored in JSON. Each rule contains metadata about what's being evaluated (such as id, description, help information, severity), along with the specifics of the evaluation itself. Files consisting of multiple rules should contain an array of rule objects.
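Review bot: the rewritten note removes "currently in development" but keeps the statement that features "yet to be implemented" are flagged with an asterisk; if no such features remain in this document after the 0.4 changes, the note and its `<a name="note"></a>` anchor should go as well, and if some do remain, the README (which no longer carries any development caveat) should at least point readers here so the two documents do not contradict each other about what is finished.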
@@ -9,19 +9,23 @@ Here are the fields that make up a rule definition.
```javascript
{
"id": "Rule id",
"description": "Brief description of what the rule is evaluating",
"name": "A human-readable identifier"
"shortDescription": "Brief description of what the rule is evaluating",
"fullDescription": "Detailed description of what the rule is evaluating",
"recommendation": "Guidance describing what should be done to fix the issue if a template violates the rule",
"helpUri": "URI to find more detailed information about the rule and how to fix a template",
"severity" : "Integer value between 1 and 3, with 1 being high and 3 being low, designating the importance of the rule",
"evaluation": { … } // The evaluation logic of the rule. More details below.
"evaluation": { … } // The evaluation logic of the rule. More details below.
}
```

### Guidelines for rule metadata
| Property Name | Description | Is required for contributing<br/>a built-in rule | Is required<br/>in schema | Default Value |
|---|---|---|---|---|
| id | The `id` should look like `TA-NNNNNN`, with `NNNNNN` being the next unused number according to the [rule ids already defined](https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md). | yes | yes | - |
| description | Brief description of what the rule is evaluating | yes | yes | - |
| name | A human-readable identifier, more details [here](https://github.com/microsoft/sarif-tutorials/blob/main/docs/Authoring-rule-metadata-and-result-messages.md#human-readable-identifier). | yes | yes | - |
| shortDescription | Brief description of what the rule is evaluating, more details [here](https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127743). | yes | yes | - |
| fullDescription | Detailed description of what the rule is evaluating, more details [here](https://docs.oasis-open.org/sarif/sarif/v2.0/csprd02/sarif-v2.0-csprd02.html#_Toc10127744). | yes | yes | - |
| recommendation | The `recommendation` should provide clear but concise guidance on how to modify a template if the rule fails.<br/>If some details are somewhat complex, or the rule takes a bit more to understand, add those details to a guide accessible at the URI in `helpUri`. | yes | no | none |
| helpUri | The `helpUri` is optional, but it is good practice to include. For built-in rules, this will point to a guide in the GitHub repository. | yes | no | none |
| severity | The `severity` is optional. If no severity is provided, it defaults to a severity of 2. | yes | no | 2 |
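Review bot: the JSON example is no longer valid after the new `"name"` line, which is missing the trailing comma before `"shortDescription"`; it should read `"name": "A human-readable identifier",`. Since this block is what rule authors copy from, it is worth also stating in the table, or in a short migration note, that `description` has been replaced by `shortDescription` and `fullDescription`: both new fields are marked required in the schema, so existing custom rule files that still carry only `description` will not satisfy it and their authors should be told what to change.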

0 comments on commit 657b0de
