Skip to content

Implement Security Suite group 6#2224

Merged
mitchelbaker-cisa merged 13 commits into
mainfrom
2107-security-suite-group-6
Jun 30, 2026
Merged

Implement Security Suite group 6#2224
mitchelbaker-cisa merged 13 commits into
mainfrom
2107-security-suite-group-6

Conversation

@mitchelbaker-cisa

@mitchelbaker-cisa mitchelbaker-cisa commented Jun 12, 2026

Copy link
Copy Markdown
Collaborator

🗣 Description

Implements Security Suite group 6 for Inbound Anti-Spam Protections policies. Rego rulesets were added that handle default, standard/strict presets, and custom policies. It also handles the precedence for how the anti-spam policies are checked: strict preset -> standard preset -> custom -> default. New rego unit tests and functional tests are included as well.

💭 Motivation and context

Closes #2107

🧪 Testing

Tested against all four test tenants, modified different email classifications to check pass/fail states for Security Suite 6.1 and 6.2.

Run unit tests locally:

.\Testing\RunRegoUnitTests.ps1 -p securitysuite -c 6

Run functional tests locally:

$TestContainers = @() 
$TestContainers += New-PesterContainer -Path "../ScubaGear/Testing/Functional/Products/" `
-Data @{ 
    Thumbprint = "<thumbprint>";
    TenantDomain = "<domain>"; 
    TenantDisplayName = "<display name>"; 
    AppId = "<app id>";
    ProductName = "securitysuite"; 
    M365Environment = "gcc";
} 
$PesterConfig = @{
    Run = @{Container = $TestContainers}
    Filter = @{Tag = @("MS.SECURITYSUITE.6.1v1")}
    Output = @{Verbosity = 'Detailed'}
}

$Config = New-PesterConfiguration -Hashtable $PesterConfig 
Invoke-Pester -Configuration $Config

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • PR/feature branch passes functional tests for relevant products, if applicable.

  • Feature branch has been rebased against changes from parent branch, as needed.

    Use Update branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch.

  • Squash all commits into one PR level commit using the Squash and merge button.

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Close issues resolved by this PR if the closing keywords did not activate.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@mitchelbaker-cisa mitchelbaker-cisa self-assigned this Jun 12, 2026
@mitchelbaker-cisa mitchelbaker-cisa added the enhancement This issue or pull request will add new or improve existing functionality label Jun 12, 2026
@mitchelbaker-cisa mitchelbaker-cisa added this to the Qwilfish milestone Jun 18, 2026
@mitchelbaker-cisa mitchelbaker-cisa force-pushed the 2107-security-suite-group-6 branch from e862266 to 448346a Compare June 18, 2026 21:51
@mitchelbaker-cisa mitchelbaker-cisa marked this pull request as ready for review June 18, 2026 21:53

@adhilto adhilto left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've just review 6.1 so far, but some initial feedback:

We need to check the recipients of a policy to make sure it applies to all recipients. For example, I made it so that the strict preset policy applies to only me and no one else, and 6.1 passed. It should check the other policies in this case because the strict policy isn't really active. Devesh added some helper functions that can help with this:

@mitchelbaker-cisa mitchelbaker-cisa force-pushed the 2107-security-suite-group-6 branch from bcd27a8 to ca026e3 Compare June 24, 2026 18:12

@adhilto adhilto left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@mitchelbaker-cisa

Copy link
Copy Markdown
Collaborator Author

@JosephRWalter Resolved the issue with the -AddXHeaderValue parameter not being set, which impacted test tenants that didn't already have this field configured. See this functional test run for more info: https://github.com/cisagov/ScubaGear/actions/runs/28263423825/job/83745557160 (contains failures for section 2 which a separate PR is handling)

@JosephRWalter JosephRWalter left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I retested the functional tests locally, everything passed as expected. I also tested all of the products against the 4 tenants using both interactive and non-interactive logins, ScubaGear executed as expected.

No issues.

@mitchelbaker-cisa mitchelbaker-cisa merged commit 5069e5e into main Jun 30, 2026
30 of 34 checks passed
@mitchelbaker-cisa mitchelbaker-cisa deleted the 2107-security-suite-group-6 branch June 30, 2026 00:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement This issue or pull request will add new or improve existing functionality

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement checks for MS.SECURITYSUITE policy group 6

3 participants