Note
This workshop is part of the Agentic Accelerator Framework.
Learn to scan Azure infrastructure for cost governance violations using four open-source tools—PSRule, Checkov, Cloud Custodian, and Infracost—producing SARIF output for GitHub Security tab integration.
graph LR
subgraph "IaC Scanners"
PSRule[PSRule for Azure]
Checkov[Checkov]
end
subgraph "Runtime Scanners"
Custodian[Cloud Custodian]
Infracost[Infracost]
end
PSRule -->|Native SARIF| SARIF[SARIF v2.1.0]
Checkov -->|Native SARIF| SARIF
Custodian -->|JSON → Converter| SARIF
Infracost -->|JSON → Converter| SARIF
SARIF --> Security[GitHub Security Tab]
SARIF --> PowerBI[Power BI Dashboard]
| Lab | Title | Duration | Level |
|---|---|---|---|
| 00 | Prerequisites and Environment Setup | 30 min | Beginner |
| 01 | Explore the Demo Apps and FinOps Violations | 25 min | Beginner |
| 02 | PSRule — Infrastructure as Code Analysis | 35 min | Intermediate |
| 03 | Checkov — Static Policy Scanning | 30 min | Intermediate |
| 04 | Cloud Custodian — Runtime Resource Scanning | 40 min | Intermediate |
| 05 | Infracost — Cost Estimation and Budgeting | 35 min | Intermediate |
| 06 | SARIF Output and GitHub Security Tab | 30 min | Intermediate |
| 07 | GitHub Actions Pipelines and Cost Gates | 45 min | Advanced |
| Tool | Focus | SARIF Output | License |
|---|---|---|---|
| PSRule for Azure | WAF Cost Optimization rules on Bicep/ARM | Native | MIT |
| Checkov | 1,000+ multi-cloud IaC policies | Native | Apache 2.0 |
| Cloud Custodian | Orphans, tagging, right-sizing on live resources | Converted | Apache 2.0 |
| Infracost | Pre-deployment cost estimates | Converted | Apache 2.0 |
- GitHub account with access to create repositories
- Azure subscription (required for Labs 04, 05, 07; free tier works)
- VS Code with the Bicep and PowerShell extensions
- Azure CLI, GitHub CLI, PowerShell 7+
- PSRule, Checkov, Cloud Custodian, and Infracost (installed during Lab 00)
- Click Use this template to create your own copy.
- Install the prerequisite tools by following Lab 00.
- Start with Lab 01 to explore the demo apps.
| Tier | Labs | Duration | Azure Required |
|---|---|---|---|
| Half-Day | 00, 01, 02, 03, 06 | ~3.5 hours | No |
| Full-Day | 00–07 (all) | ~7.25 hours | Yes |
See CONTRIBUTING.md for guidelines on contributing labs, fixing issues, and submitting pull requests.
This project is licensed under the MIT License.