
Add baseline selector infrastructure for advanced rule filtering

Status: Open • Copilot opened this issue 6 months ago • 0 comments

This PR introduces baseline selector infrastructure to enable advanced rule filtering capabilities as requested in issue #2609. The implementation provides a foundation for using selector expressions within baselines to dynamically filter rules based on complex criteria.

Key Changes

Infrastructure Added

  • BaselineRuleFilter: A new enhanced rule filter that combines traditional filtering (include/exclude by name, tags, labels) with selector-based filtering
  • Selector Expression Support: Infrastructure to evaluate selector expressions against rule metadata, enabling complex filtering logic
  • Test Framework: Comprehensive test structure and example YAML files demonstrating the intended selector syntax

Example Usage

The new functionality enables baselines like this:

# Select high severity rules
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
  name: HighSeverityBaseline
spec:
  rule:
    selector:
      if:
        field: 'Level'
        equals: 'Error'

# Select rules with name prefix
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
  name: PrefixBaseline
spec:
  rule:
    selector:
      if:
        field: 'Name'
        startsWith: 'Azure.'

# Complex multi-criteria selection
apiVersion: github.com/microsoft/PSRule/v1
kind: Baseline
metadata:
  name: ComplexBaseline
spec:
  rule:
    selector:
      if:
        anyOf:
          - field: 'Level'
            in: ['Error', 'Warning']
          - allOf:
            - field: 'Name'
              startsWith: 'Security.'
            - field: 'Tags.category'
              equals: 'Security'

Capabilities Enabled

This infrastructure addresses all the key requirements from #2609:

  • High/Critical Rule Selection: Filter rules by severity level or annotations
  • Prefix Matching: Include/exclude rules by partial name matches
  • Multiple Criteria: Support for complex expressions with anyOf, allOf, and nested conditions
  • Annotation-based Filtering: Access to rule metadata and custom annotations

Implementation Approach

The solution extends PSRule's existing expression system rather than introducing separate filtering logic:

  1. Backward Compatible: All existing baseline functionality continues to work unchanged
  2. Leverages Existing Infrastructure: Uses PSRule's proven selector and expression engine
  3. Minimal Surface Area: Adds functionality through composition rather than modification of core interfaces
  4. Performance Conscious: Selector evaluation only occurs when selectors are specified

Technical Details

  • Rule Target Object Creation: Rules are converted to target objects that expose their properties (Name, Module, Level, Tags, Labels, etc.) for selector evaluation
  • Expression Evaluation: Uses LanguageExpressionBuilder to compile and evaluate selector expressions
  • Graceful Degradation: If selector evaluation fails for a rule, that rule is excluded by default (fail-safe behavior)
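As an added illustration (not PSRule's own code, which evaluates selectors through LanguageExpressionBuilder), the Python below models the behaviour described in Technical Details and exercised by the example baselines: rule target objects exposing Name, Level and Tags, the field/equals/startsWith/in/anyOf/allOf operators, and the fail-safe exclusion of a rule when evaluation raises. The rule set is constructed, and the `ComplexBaseline` selector is the one from the YAML above as it would look after parsing.

```python
# Added example, not PSRule's own code: a small model of the selector operators
# the PR's baselines use, with the fail-safe exclusion the PR describes.
def get_field(target, path):
    """Resolve a dotted path such as 'Tags.category'; None if a segment is missing."""
    for part in path.split("."):
        if not isinstance(target, dict) or part not in target:
            return None
        target = target[part]
    return target

def evaluate(expr, target):
    """Evaluate one selector expression; unknown operators raise ValueError."""
    if "anyOf" in expr:
        return any(evaluate(e, target) for e in expr["anyOf"])
    if "allOf" in expr:
        return all(evaluate(e, target) for e in expr["allOf"])
    value = get_field(target, expr["field"])  # KeyError when no operand is given
    if "equals" in expr:
        return value == expr["equals"]
    if "startsWith" in expr:
        return isinstance(value, str) and value.startswith(expr["startsWith"])
    if "in" in expr:
        return value in expr["in"]
    raise ValueError(f"unsupported operator in {expr}")

def filter_rules(rules, selector):
    """Names of rules matching selector['if']; an evaluation error excludes the rule."""
    matched = []
    for rule in rules:
        try:
            if evaluate(selector["if"], rule):
                matched.append(rule["Name"])
        except (ValueError, KeyError, TypeError):
            pass  # fail-safe: an unevaluable selector never admits a rule
    return matched

# Constructed rule target objects exposing the properties the PR lists.
RULES = [
    {"Name": "Azure.Storage.Encrypt", "Level": "Error", "Tags": {"category": "Storage"}},
    {"Name": "Security.KeyVault.Purge", "Level": "Information", "Tags": {"category": "Security"}},
    {"Name": "Security.Untagged", "Level": "Information", "Tags": {}},
    {"Name": "Style.Naming", "Level": "Warning"},
]

# The ComplexBaseline selector from the PR description, as parsed YAML.
COMPLEX_SELECTOR = {"if": {"anyOf": [
    {"field": "Level", "in": ["Error", "Warning"]},
    {"allOf": [{"field": "Name", "startsWith": "Security."},
               {"field": "Tags.category", "equals": "Security"}]}]}}
```

Note that `Security.Untagged` is dropped because its missing `Tags.category` resolves to None rather than matching, while a selector using an operator the evaluator does not know admits no rule at all.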

Testing

The test framework includes:

  • Baseline YAML parsing validation
  • Rule filtering logic verification
  • Example scenarios covering all major use cases
  • Integration with existing test infrastructure

Addressing #2609.


Copilot • Jul 09 '25 05:07