Assess Azure Bicep and ARM Template Security with cnspec
Scan Azure Bicep files and ARM templates for security misconfigurations using cnspec.
Use cnspec to scan Azure Bicep files and ARM templates for security misconfigurations and policy violations before deploying them. cnspec parses .bicep source files and ARM template JSON, exposing resources, parameters, modules, outputs, and other template sections as queryable MQL resources.
Prerequisites
To scan Bicep files with cnspec, you must have:
- cnspec installed on your workstation
- Bicep files (`.bicep`) or ARM template JSON files to scan
Scan Bicep files
Scan a single Bicep file:

```shell
cnspec scan bicep main.bicep
```

Scan a directory of Bicep files:

```shell
cnspec scan bicep ./infra/
```

Scan an ARM template JSON file directly:

```shell
cnspec scan bicep azuredeploy.json
```

Scan options
| Option | Description |
|---|---|
| --asset-name | Override the asset name |
| --annotation | Add an annotation to the asset (key=value) |
| --incognito | Run in incognito mode (do not report results to Mondoo Platform) |
| -o, --output | Set the output format (compact, full, json, junit, summary, yaml) |
| -f, --policy-bundle | Path to a policy file (local path, s3:// URI, or http(s):// URL) |
| --policy | Specify policies to execute (requires --policy-bundle) |
| --risk-threshold | Exit with status 1 if any risk meets or exceeds this value (0-100) |
Example checks
Run `cnspec shell bicep main.bicep` to open the interactive shell. From there you can run queries like the examples below.
List all resource declarations

```
bicep.files { resources { type symbolicName apiVersion } }
```

Check that all storage accounts enforce HTTPS

```
bicep.files {
  resources.where(type == "Microsoft.Storage/storageAccounts").all(
    properties["properties"]["supportsHttpsTrafficOnly"] == true
  )
}
```

Find resources without an explicit location

```
bicep.files { resources.where(location == "") { symbolicName type } }
```

List all parameters and whether they are secure

```
bicep.files { parameters { name type secure } }
```

Inspect module references

```
bicep.files { modules { name source isRegistry } }
```

Query a compiled ARM template

```
bicep.template.resources { type name apiVersion }
```

Learn more
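The interactive queries above are handy for exploration, but the same checks are most useful as a policy bundle that runs in CI with `--policy-bundle` and `--risk-threshold`, so a deployment is blocked before a misconfigured template reaches Azure. The bundle below is an added example, not part of the cnspec project or its documentation: it turns the storage HTTPS check, the missing-location check, and the secure-parameter check into scored checks. The policy and query uids, titles, impact values, and the secret-name regex are all made up for this example; the `bicep.files`, `resources`, `parameters`, `location`, `secure`, and `properties` fields are the ones the queries above already use.

```yaml
# Added example policy bundle (not cnspec's own code or docs). All uids,
# titles and impact values are hypothetical. Save as bicep-baseline.mql.yaml
# and run, for example:
#   cnspec scan bicep ./infra/ -f bicep-baseline.mql.yaml --risk-threshold 80
# so the job exits non-zero when a check scored at 80 or above fails.
policies:
  - uid: example-bicep-baseline
    name: Example Bicep baseline (added example)
    version: 1.0.0
    groups:
      - title: Azure resource hygiene
        checks:
          - uid: example-storage-https-only
          - uid: example-resources-have-location
          - uid: example-secret-params-are-secure

queries:
  # A check must evaluate to a boolean, so the exploratory block query from
  # the shell is wrapped in .all() over every parsed file.
  - uid: example-storage-https-only
    title: Storage accounts enforce HTTPS-only traffic
    impact: 80
    mql: |
      bicep.files.all(
        resources.where(type == "Microsoft.Storage/storageAccounts").all(
          properties["properties"]["supportsHttpsTrafficOnly"] == true
        )
      )

  # The shell query lists resources with an empty location; as a check we
  # require that list to be empty in every file.
  - uid: example-resources-have-location
    title: Every resource declares an explicit location
    impact: 40
    mql: |
      bicep.files.all(resources.where(location == "").length == 0)

  # Parameters whose names suggest credentials (hypothetical pattern) must be
  # declared with @secure() so their values are not echoed into deployment
  # history or logs.
  - uid: example-secret-params-are-secure
    title: Parameters that look like secrets are marked @secure()
    impact: 60
    mql: |
      bicep.files.all(
        parameters.where(name == /(?i)(password|secret|key)/).all(secure == true)
      )
```

The `impact` values decide which failures trip `--risk-threshold`: with the threshold at 80 only the HTTPS check blocks the pipeline, while the other two are reported but not fatal. Raise or lower the threshold, or the per-query impact, to match how strictly a given environment should be gated.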
- For the full MQL resource reference, see the MQL Bicep provider documentation.
- To learn more about how the MQL query language works, read Write Effective MQL.