QUESTION

Why didn't my GitHub Actions workflow apply changes when I changed a rule status from Enabled: true to Enabled: false in the rule YAML file in my panther-analysis repo?

ANSWER

This issue can occur when your GitHub Actions workflow includes the --filter Enabled=true flag in the panther_analysis_tool upload command. This filter only uploads rules where Enabled is set to true, which means when you disable a rule by setting Enabled: false, it gets excluded from the upload and the change doesn't take effect in Panther.

To fix this, you need to remove the --filter Enabled=true flag from your GitHub Actions workflow file.

Change this:

- name: upload
  run: |
    pipenv run panther_analysis_tool upload --filter Enabled=true --skip-tests

To this:

- name: upload
  run: |
    pipenv run panther_analysis_tool upload --skip-tests

After making this change, detections set as Enabled: false will be uploaded to Panther and properly disabled, preventing them from generating alerts.

Optional: Path filtering

If you have detections in your repository that you don't want to upload to Panther, you can use path filtering instead:

- name: upload
  run: |
    pipenv run panther_analysis_tool upload --path rules/ --path policies/ --skip-tests

This approach uploads only specific directories while still allowing you to disable rules using the Enabled: false setting.