Skip to content

Add fork-filetype check and security-gate gating#14520

Open
v-sabiraj wants to merge 1 commit into
masterfrom
v-sabiraj-updatedworkflowscript
Open

Add fork-filetype check and security-gate gating#14520
v-sabiraj wants to merge 1 commit into
masterfrom
v-sabiraj-updatedworkflowscript

Conversation

@v-sabiraj

@v-sabiraj v-sabiraj commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Update .github/workflows/runAsimSchemaAndDataTesters.yaml to harden CI for forked PRs: add a workflow step that enforces allowed file extensions for fork PRs (only .yaml, .yml, .json, .csv, .md) using actions/github-script and fails if disallowed files (scripts/executables) are present. Also make several jobs depend on the security-gate job and require needs.security-gate.outputs.approved == 'true' before running (Run-ASim-Sample-Data-Ingest, Run-ASim-Schema-Data-tests, Run-ASim-Parser-Filtering-Tests), preventing automated test execution on unapproved fork changes.

Required items, please complete

Change(s):

  • See guidance below

Reason for Change(s):

  • See guidance below

Version Updated:

  • Required only for Detections/Analytic Rule templates
  • See guidance below

Testing Completed:

  • See guidance below

Checked that the validations are passing and have addressed any issues that are present:

  • See guidance below

Guidance <- remove section before submitting

Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:

Thank you for your contribution to the Microsoft Sentinel Github repo.

Details of the code changes in your submitted PR. Providing descriptions for pull requests ensures there is context to changes being made and greatly enhances the code review process. Providing associated Issues that this resolves also easily connects the reason.

Change(s):

  • Updated syntax for XYZ.yaml

Reason for Change(s):

Version updated:

  • Yes
  • Detections/Analytic Rule templates are required to have the version updated

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

  • Yes/No/Need Help

Note: If updating a detection, you must update the version field.

Before the submission has been made, please look at running the KQL and Yaml Validation Checks locally.
https://github.com/Azure/Azure-Sentinel#run-kql-validation-locally

Checked that the validations are passing and have addressed any issues that are present:

  • Yes/No/Need Help

Note: Let us know if you have tried fixing the validation error and need help.

References:

@v-sabiraj
Add fork-filetype check and security-gate gating
8f46be2 
Update .github/workflows/runAsimSchemaAndDataTesters.yaml to harden CI for forked PRs: add a workflow step that enforces allowed file extensions for fork PRs (only .yaml, .yml, .json, .csv, .md) using actions/github-script and fails if disallowed files (scripts/executables) are present. Also make several jobs depend on the security-gate job and require needs.security-gate.outputs.approved == 'true' before running (Run-ASim-Sample-Data-Ingest, Run-ASim-Schema-Data-tests, Run-ASim-Parser-Filtering-Tests), preventing automated test execution on unapproved fork changes.
@v-sabiraj v-sabiraj requested a review from a team as a code owner June 19, 2026 08:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@rahul0216 rahul0216

@v-rusraut v-rusraut

Labels

workflows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@v-sabiraj @rahul0216 @v-atulyadav @v-rusraut