
Secure Azure Bicep and ARM Templates with cnspec

Scan Azure Bicep files and ARM templates for security misconfigurations with cnspec.


Catch insecure Azure resource configurations before they reach a deployment. cnspec parses .bicep source files and ARM template JSON, exposing resources, parameters, modules, outputs, and other template sections as queryable MQL resources. The Mondoo Azure Security policy ships Bicep variants of every check, so the same controls that evaluate your live Azure subscription also evaluate your Bicep files and ARM templates in pull requests and CI pipelines. You can also use the Bicep provider inside your own policies to enforce additional standards.

Prerequisites

To scan Bicep files with cnspec, you must have:

Scan Bicep files

Scan a single Bicep file:

cnspec scan bicep main.bicep

Scan a directory of Bicep files:

cnspec scan bicep ./infra/

Scan an ARM template JSON file directly:

cnspec scan bicep azuredeploy.json

Example checks

Run cnspec shell bicep main.bicep to open the interactive shell. From there you can run queries like the examples below.

List all resource declarations

bicep.files { resources { type symbolicName apiVersion } }

Check that all storage accounts enforce HTTPS

bicep.files {
  resources.where(type == "Microsoft.Storage/storageAccounts").all(
    properties["properties"]["supportsHttpsTrafficOnly"] == true
  )
}

Find resources without an explicit location

bicep.files { resources.where(location == "") { symbolicName type } }

List all parameters and whether they are secure

bicep.files { parameters { name type secure } }
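A constructed Bicep file, added here as an example and not taken from the Mondoo docs, that exercises the HTTPS check and the parameters query above when opened with cnspec shell bicep main.bicep (resource and parameter names are made up): weakStorage is the account the HTTPS check reports, hardenedStorage passes, and adminPassword is the parameter listed with secure set to true.

```bicep
// Constructed sample for scanning with cnspec; resource names are made up.
@description('Region for every resource; each declaration sets location explicitly')
param location string = resourceGroup().location

// @secure() is what the parameters query reports as secure == true.
// The parameter is deliberately left unused so nothing echoes it into an output.
@secure()
param adminPassword string

// Reported by the HTTPS check: the nested properties block, which the MQL
// query reads as properties["properties"]["supportsHttpsTrafficOnly"],
// permits plain HTTP and an obsolete TLS floor.
resource weakStorage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'stweakexample001'
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: false
    minimumTlsVersion: 'TLS1_0'
  }
}

// Passes the HTTPS check; the corrected settings are the only difference.
resource hardenedStorage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'sthardenedexample001'
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}
```

Because both accounts set location, the "resources without an explicit location" query returns nothing for this file.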

Inspect module references

bicep.files { modules { name source isRegistry } }

Query a compiled ARM template

bicep.template.resources { type name apiVersion }

Learn more
