Bicep / Azure ARM issues are not detected for modules #9466

bve-wd · 2025-09-10T14:24:30Z

bve-wd
Sep 10, 2025

Description

When building a Bicep file that contains a module with az bicep build -f main.bicep, then trivy does not detect issues for the generated Azure ARM template when running trivy config .
The main difference I noticed when using modules is, that the resources property is a dictionary instead of an array.

Desired Behavior

Trivy should yield issues for Bicep modules

Actual Behavior

Trivy does not return any issues if modules are used in main.bicep. It seems that it does not even use the azure-arm scanner (or the scanner does not yield issues)

Reproduction Steps

Example main.bicep:

targetScope = 'subscription'

resource myrg 'Microsoft.Resources/resourceGroups@2025-04-01' = {
  name: 'myrg'
  location: 'WestEurope'
}

module insecure 'insecure.bicep' = {
  scope: myrg
}

Example insecure.bicep:

resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'insecurestorage${uniqueString(resourceGroup().id)}'
  location: resourceGroup().location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: true
    minimumTlsVersion: 'TLS1_0'  // This yields an error, if insecure.bicep is built directly
    supportsHttpsTrafficOnly: false
    accessTier: 'Hot'
  }
}

Run az bicep build -f main.bicep
Run trivy config .

Result: No issues detected

main.json:

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "languageVersion": "2.0",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.37.4.10188",
      "templateHash": "9375790898027716067"
    }
  },
  "resources": {
    "myrg": {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2025-04-01",
      "name": "myrg",
      "location": "WestEurope"
    },
    "insecure": {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2022-09-01",
      "name": "[format('insecure-{0}', uniqueString('insecure', deployment().name))]",
      "resourceGroup": "myrg",
      "properties": {
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "metadata": {
            "_generator": {
              "name": "bicep",
              "version": "0.37.4.10188",
              "templateHash": "1574586486505528430"
            }
          },
          "resources": [
            {
              "type": "Microsoft.Storage/storageAccounts",
              "apiVersion": "2022-09-01",
              "name": "[format('insecurestorage{0}', uniqueString(resourceGroup().id))]",
              "location": "[resourceGroup().location]",
              "sku": {
                "name": "Standard_LRS"
              },
              "kind": "StorageV2",
              "properties": {
                "allowBlobPublicAccess": true,
                "minimumTlsVersion": "TLS1_0",
                "supportsHttpsTrafficOnly": false,
                "accessTier": "Hot"
              }
            }
          ]
        }
      },
      "dependsOn": [
        "myrg"
      ]
    }
  }
}

Run az bicep build -f insecure.bicep
Run trivy config .

Result: Issues detected

insecure.json:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.37.4.10188",
      "templateHash": "1574586486505528430"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[format('insecurestorage{0}', uniqueString(resourceGroup().id))]",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "StorageV2",
      "properties": {
        "allowBlobPublicAccess": true,
        "minimumTlsVersion": "TLS1_0",
        "supportsHttpsTrafficOnly": false,
        "accessTier": "Hot"
      }
    }
  ]
}

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

# Run for main.json: trivy config . --debug

2025-09-10T16:05:22+02:00       DEBUG   No plugins loaded
2025-09-10T16:05:22+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-10T16:05:22+02:00       DEBUG   Cache dir       dir="C:\\Users\\USER\\AppData\\Local\\trivy"
2025-09-10T16:05:22+02:00       DEBUG   Cache dir       dir="C:\\Users\\USER\\AppData\\Local\\trivy"
2025-09-10T16:05:22+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-10T16:05:22+02:00       DEBUG   [notification] Running version check
2025-09-10T16:05:22+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-09-10T16:05:22+02:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-09-10T16:05:23+02:00       DEBUG   [notification] Version check completed  latest_version="0.66.0"
2025-09-10T16:05:23+02:00       DEBUG   [rego] Overriding filesystem for checks
2025-09-10T16:05:23+02:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-09-10T16:05:23+02:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-09-10T16:05:24+02:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-09-10T16:05:24+02:00       DEBUG   [rego] Overriding filesystem for data
2025-09-10T16:05:24+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-09-10T16:05:24+02:00       DEBUG   Initializing scan cache...      type="memory"
2025-09-10T16:05:24+02:00       DEBUG   [fs] Analyzing...       root="."
2025-09-10T16:05:24+02:00       DEBUG   Created process-specific temp directory path="C:\\Users\\USER\\AppData\\Local\\Temp\\trivy-41468"
2025-09-10T16:05:24+02:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="CloudFormation"
2025-09-10T16:05:24+02:00       DEBUG   [cloudformation parser] Context loaded from source      file_path="main.json"
2025-09-10T16:05:24+02:00       DEBUG   [rego] Scanning inputs  count=1
2025-09-10T16:05:24+02:00       DEBUG   OS is not detected.
2025-09-10T16:05:24+02:00       INFO    Detected config files   num=1
2025-09-10T16:05:24+02:00       DEBUG   Scanned config file     file_path="main.json"
2025-09-10T16:05:24+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-09-10T16:05:24+02:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌───────────┬────────────────┬───────────────────┐
│  Target   │      Type      │ Misconfigurations │
├───────────┼────────────────┼───────────────────┤
│ main.json │ cloudformation │         0         │
└───────────┴────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-09-10T16:05:24+02:00 DEBUG Cleaning up temp directory path="C:\\Users\\USER>\\AppData\\Local\\Temp\\trivy-41468"

# Run for insecure.json: trivy config . --debug

2025-09-10T16:18:43+02:00       DEBUG   No plugins loaded
2025-09-10T16:18:43+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-10T16:18:43+02:00       DEBUG   Cache dir       dir="C:\\Users\\USER\\AppData\\Local\\trivy"
2025-09-10T16:18:43+02:00       DEBUG   Cache dir       dir="C:\\Users\\USER\\AppData\\Local\\trivy"
2025-09-10T16:18:43+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-10T16:18:43+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-09-10T16:18:43+02:00       DEBUG   [notification] Running version check
2025-09-10T16:18:43+02:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-09-10T16:18:43+02:00       DEBUG   [notification] Version check completed  latest_version="0.66.0"
2025-09-10T16:18:43+02:00       DEBUG   [rego] Overriding filesystem for checks
2025-09-10T16:18:43+02:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-09-10T16:18:44+02:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-09-10T16:18:44+02:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-09-10T16:18:44+02:00       DEBUG   [rego] Overriding filesystem for data
2025-09-10T16:18:44+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-09-10T16:18:44+02:00       DEBUG   Initializing scan cache...      type="memory"
2025-09-10T16:18:44+02:00       DEBUG   [fs] Analyzing...       root="."
2025-09-10T16:18:44+02:00       DEBUG   Created process-specific temp directory path="C:\\Users\\USER\\AppData\\Local\\Temp\\trivy-31280"
2025-09-10T16:18:44+02:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Azure ARM"
2025-09-10T16:18:44+02:00       DEBUG   [rego] Scanning inputs  count=1
2025-09-10T16:18:44+02:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="CloudFormation"
2025-09-10T16:18:44+02:00       DEBUG   [cloudformation parser] Context loaded from source      file_path="main.json"
2025-09-10T16:18:44+02:00       DEBUG   [rego] Scanning inputs  count=1
2025-09-10T16:18:44+02:00       DEBUG   OS is not detected.
2025-09-10T16:18:44+02:00       INFO    Detected config files   num=2
2025-09-10T16:18:44+02:00       DEBUG   Scanned config file     file_path="insecure.json"
2025-09-10T16:18:44+02:00       DEBUG   Scanned config file     file_path="main.json"
2025-09-10T16:18:44+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-09-10T16:18:44+02:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌───────────────┬────────────────┬───────────────────┐
│    Target     │      Type      │ Misconfigurations │
├───────────────┼────────────────┼───────────────────┤
│ insecure.json │   azure-arm    │         3         │
├───────────────┼────────────────┼───────────────────┤
│ main.json     │ cloudformation │         0         │
└───────────────┴────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


insecure.json (azure-arm)
=========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3)
Failures: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 2)

AVD-AZU-0008 (HIGH): Account does not enforce HTTPS.
════════════════════════════════════════
You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account.
When you require secure transfer, any requests originating from an insecure connection are rejected.
Microsoft recommends that you always require secure transfer for all of your storage accounts.


See https://avd.aquasec.com/misconfig/avd-azu-0008
────────────────────────────────────────
 insecure.json:24
   via insecure.json:21-26 (resources[0].properties)
    via insecure.json:12-27 (resources[0])
     via insecure.json:1-29 ()
      via insecure.json:0 ()
────────────────────────────────────────
   1   {
   .
  24 [         "supportsHttpsTrafficOnly": false,
  ..
  29   }
────────────────────────────────────────


AVD-AZU-0011 (CRITICAL): Storage account uses an insecure TLS version.
════════════════════════════════════════
Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2.
Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
This check will warn if the minimum TLS is not set to TLS1_2.


See https://avd.aquasec.com/misconfig/avd-azu-0011
────────────────────────────────────────
 insecure.json:23
   via insecure.json:21-26 (resources[0].properties)
    via insecure.json:12-27 (resources[0])
     via insecure.json:1-29 ()
      via insecure.json:0 ()
────────────────────────────────────────
   1   {
   .
  23 [         "minimumTlsVersion": "TLS1_0",
  ..
  29   }
────────────────────────────────────────


AVD-AZU-0012 (CRITICAL): Network rules allow access by default.
════════════════════════════════════════
The default_action for network rules should come into effect when no other rules are matched.
The default action should be set to Deny.


See https://avd.aquasec.com/misconfig/avd-azu-0012
────────────────────────────────────────
 insecure.json:12-27
   via insecure.json:1-29 ()
    via insecure.json:0 ()
────────────────────────────────────────
   1   {
   .
  12 ┌     {
  13 │       "type": "Microsoft.Storage/storageAccounts",
  14 │       "apiVersion": "2022-09-01",
  15 │       "name": "[format('insecurestorage{0}', uniqueString(resourceGroup().id))]",
  16 │       "location": "[resourceGroup().location]",
  17 │       "sku": {
  18 └         "name": "Standard_LRS"
  ..
────────────────────────────────────────


2025-09-10T16:18:44+02:00       DEBUG   Cleaning up temp directory      path="C:\\Users\\USER\\AppData\\Local\\Temp\\trivy-31280"

Operating System

Windows

Version

Version: 0.66.0
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-09-10 14:04:22.2716591 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

simar7 · 2025-09-10T20:30:53Z

simar7
Sep 10, 2025
Maintainer

hi @bve-wd - thanks for the report. This indeed looks like a bug to me. Please track #9467

I'm also curious to learn if you've run into any other issues with bicep/arm scanning? As you may have seen, the current Trivy implementation for azure IaC scanning isn't the most feature complete so I'm curious about your usage and if you have any suggestions on what you'd like to see get improved.

1 reply

bve-wd Sep 18, 2025
Author

I am using trivy in a build pipeline to check if there are any security related configuration issues in the azure configuration. I just started using Bicep so I can't really tell if there are any other issues besides this one. I just found this problem because there were 0 issues in my scan results and I wanted to test if I can get some result when adding dummy resources which definitely cause issues.

However, I will let you know if I stumble above any issues when the feature for symbolic names in ARM resources is available 👍.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bicep / Azure ARM issues are not detected for modules #9466

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Bicep / Azure ARM issues are not detected for modules #9466

Uh oh!

Uh oh!

bve-wd Sep 10, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment · 1 reply

Uh oh!

simar7 Sep 10, 2025 Maintainer

Uh oh!

bve-wd Sep 18, 2025 Author

bve-wd
Sep 10, 2025

Replies: 1 comment 1 reply

simar7
Sep 10, 2025
Maintainer

bve-wd Sep 18, 2025
Author