
Add Azure.ContainerApp.HealthProbe rule (AZR-000537) #3720

Merged
BernieWhite merged 8 commits into main from copilot/rule-configure-http-health-probes
Mar 26, 2026
Contributor

Copilot AI commented Mar 25, 2026

Container Apps using HTTP-based ingress default to TCP health probes, which only check port connectivity rather than application health. This rule enforces HTTP health probes (httpGet) for Liveness and Readiness checks when HTTP ingress is in use.

Rule behavior

Applies when (similar to Azure.AppService.WebProbe):

  • properties.configuration.ingress.transport is http or http2, OR
  • properties.configuration.ingress.targetPort is 80, 8080, or 443

Checks that each container has both Liveness and Readiness probes configured with httpGet. Startup probes are excluded.

Fails if probes are absent (TCP default) or explicitly configured as tcpSocket.

Example (passing)

probes: [
  {
    type: 'Liveness'
    httpGet: {
      path: '/healthz'
      port: 8080
    }
  }
  {
    type: 'Readiness'
    httpGet: {
      path: '/healthz/ready'
      port: 8080
    }
  }
]

Changes

  • Rule (Azure.ContainerApp.Rule.yaml): Added Azure.ContainerApp.HealthProbe (AZR-000537, ruleSet: 2026_06, pillar: Reliability) as a YAML rule using the Azure.ContainerApp.IsHttpIngress selector and count: 1 to assert at least one HTTP probe per container
  • Selector (Azure.ContainerApp.Rule.yaml): Added Azure.ContainerApp.IsHttpIngress YAML selector matching on transport http/http2 or target port 80/8080/443
  • Test data (Resources.ContainerApp.json): Added capp-E (pass — httpGet probes, transport http), capp-F (fail — tcpSocket probes, transport http), and capp-G (pass — httpGet probes, transport http2)
  • Tests (Azure.ContainerApp.Tests.ps1): New test block for the rule; updated pass/fail counts for existing rules affected by the new resources
  • Docs: New Azure.ContainerApp.HealthProbe.md, updated index.md and changelog.md
Original prompt

This section details on the original issue you should resolve

<issue_title>[RULE] Container App Health Probe that support HTTP</issue_title>
<issue_description>### Existing rule

No response

Suggested rule

If the container app uses HTTP based ingress, then health probes should be properly configured to support HTTP.

  • If properties.configuration.ingress.transport = http or http2 OR
  • If properties.configuration.ingress.targetPort = 80 or 8080 or 443

Health probes should be configured to support HTTP which has a granular status instead of open or closed that a TCP port has, to determine if a replica is available and ready to receive the ingress traffic.

Key points:

  • The default health probes use TCP, so no health probes configured is a fail.
  • Start up probe is often configured as TCP for several reasons to start the container so ignore that probe.
  • Check that Liveness and Readiness have httpGet configured.

Pillar

Reliability

Additional context

Similar to: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.WebProbe/

Comments on the Issue (you are @copilot in this section)



…probe checks

Co-authored-by: BernieWhite <13513058+BernieWhite@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Azure/PSRule.Rules.Azure/sessions/9bd40ff2-e52b-4e37-8cd4-2f3a82a979db
Copilot AI changed the title from "[WIP] Add HTTP health probe configuration for container apps" to "Add Azure.ContainerApp.HealthProbe rule (AZR-000535)" on Mar 25, 2026
Copilot AI requested a review from BernieWhite on March 25, 2026 08:18
@BernieWhite
Collaborator

@copilot can you define the rule in YAML instead.

Contributor Author

Copilot AI commented Mar 25, 2026

@copilot can you define the rule in YAML instead.

Done in commit 988f3c5. The rule is now defined entirely in YAML:

  • Azure.ContainerApp.IsHttpIngress selector — matches container apps where transport is http/http2, or targetPort is 80, 8080, or 443. Note: used individual equals conditions per port (instead of in: [80, 8080, 443]) because the in operator has a type-matching issue with integer values in PSRule 2.9.0 selectors.

  • Azure.ContainerApp.HealthProbe rule — uses the selector and count: 1 to assert that each container has at least one Liveness probe and at least one Readiness probe with httpGet configured. This correctly fails for containers with no probes (default TCP) since count: 1 evaluates to Fail when the filtered count is 0.


@BernieWhite
Collaborator

@copilot Add an additional test resource configuration for cases configured with http2 ingress.

@BernieWhite
Collaborator

@copilot Use the ruleset 2026_03.

Contributor Author

Copilot AI commented Mar 25, 2026

@copilot Add an additional test resource configuration for cases configured with http2 ingress.

Added capp-G in commit f2da711 — a container app with transport: http2 and httpGet Liveness/Readiness probes that passes Azure.ContainerApp.HealthProbe. Updated all affected rule test counts accordingly.


Contributor Author

Copilot AI commented Mar 25, 2026

@copilot Use the ruleset 2026_03.

Updated in commit 25d07c5.

@BernieWhite
Collaborator

@copilot use rule ID AZR-000537 instead and use ruleSet 2026_06.

Contributor Author

Copilot AI commented Mar 25, 2026

@copilot use rule ID AZR-000537 instead and use ruleSet 2026_06.

Updated in commit 7728154 — rule ID changed to AZR-000537 and ruleSet updated to 2026_06.

Copilot AI changed the title from "Add Azure.ContainerApp.HealthProbe rule (AZR-000535)" to "Add Azure.ContainerApp.HealthProbe rule (AZR-000537)" on Mar 25, 2026
BernieWhite marked this pull request as ready for review on March 26, 2026 15:33
BernieWhite requested a review from a team as a code owner on March 26, 2026 15:33
BernieWhite merged commit 612ddbd into main on Mar 26, 2026
14 checks passed
BernieWhite deleted the copilot/rule-configure-http-health-probes branch on March 26, 2026 18:07
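
The rule logic discussed in this thread (the HTTP-ingress selector, then a per-container check for httpGet Liveness and Readiness probes with Startup ignored), as an added Python example that is not the PSRule YAML merged in this pull request. The sample resources are constructed, and the properties.template.containers path and all helper names are assumptions made for illustration.

```python
# Added example, not the project's rule. Resources below are constructed;
# the properties.template.containers path is an assumption about the resource shape.
HTTP_TRANSPORTS = {"http", "http2"}
HTTP_PORTS = {80, 8080, 443}
REQUIRED_PROBES = ("Liveness", "Readiness")  # Startup probes are not checked


def is_http_ingress(app):
    """Selector: transport is http/http2 OR targetPort is 80, 8080 or 443."""
    ingress = app.get("properties", {}).get("configuration", {}).get("ingress") or {}
    transport = str(ingress.get("transport") or "").lower()
    return transport in HTTP_TRANSPORTS or ingress.get("targetPort") in HTTP_PORTS


def missing_http_probes(container):
    """Return the required probe types that have no httpGet probe."""
    probes = container.get("probes") or []  # absent probes means the TCP default
    have = {p.get("type") for p in probes if p.get("httpGet")}
    return [t for t in REQUIRED_PROBES if t not in have]


def evaluate(app):
    """Return ('Skip'|'Pass'|'Fail', reasons) for one container app resource."""
    if not is_http_ingress(app):
        return "Skip", []
    containers = app.get("properties", {}).get("template", {}).get("containers") or []
    reasons = [f"{c.get('name')}: no httpGet {t} probe"
               for c in containers for t in missing_http_probes(c)]
    return ("Fail" if reasons else "Pass"), reasons


def app(name, ingress, probes):
    """Build a constructed container app with a single container named 'web'."""
    return {"name": name, "properties": {
        "configuration": {"ingress": ingress},
        "template": {"containers": [{"name": "web", "probes": probes}]}}}


def probe(kind, handler):
    """Build a constructed probe of the given type using httpGet or tcpSocket."""
    return {"type": kind, handler: {"port": 8080}}


SAMPLES = [
    app("pass-http", {"transport": "http"}, [probe("Liveness", "httpGet"), probe("Readiness", "httpGet")]),
    app("fail-tcp", {"transport": "http"}, [probe("Liveness", "tcpSocket"), probe("Readiness", "tcpSocket")]),
    app("fail-default", {"transport": "auto", "targetPort": 8080}, None),
    app("fail-startup", {"transport": "http2"}, [probe("Startup", "httpGet"), probe("Liveness", "httpGet")]),
    app("skip-tcp", {"transport": "tcp", "targetPort": 5432}, None),
]
```
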

Development

Successfully merging this pull request may close these issues.

[RULE] Container App Health Probe that support HTTP

2 participants