Announcing new scanning support for Bicep templates with Checkov and Bridgecrew

Bridgecrew and Checkov now natively support scanning Bicep templates for misconfigurations!

You can now use Bridgecrew and Checkov to scan your Bicep files and compare them against Azure security best practices. Bicep policies cover our existing ARM policies as well as some Bicep-specific policies, including graph-based policies that can determine policy violations based on complex interdependencies of resources.

Bicep scanning in the Bridgecrew platform's projects page

Let’s dive into how you can scan your Bicep files for misconfigurations and improve the posture of your Azure deployments from code to cloud. But first, let’s walk through some basics.

What is Bicep?

The Bicep language is Microsoft’s declarative domain-specific language (DSL). It is used to provision Azure resources and is the successor to ARM templates.

Bicep was developed to solve many of the common challenges developers face as they work with ARM templates, such as managing lengthy JSON files and learning complex syntax specifically for use in Azure.

Bicep retains all the functionality of ARM templates and allows for a modular approach to infrastructure as code (IaC), making it easy for developers to create reusable configuration blocks. And because the Bicep language is a stripped-down version of JSON, it is much more compact and readable.

How does Bicep work with ARM templates?

Bicep provides a layer of abstraction over the JSON file that creates an ARM template. When you deploy an IaC file written in Bicep, the Bicep CLI will convert the Bicep file into an ARM template written in JSON and ultimately deploy those ARM templates.

Bicep security considerations

Just like with any IaC framework, including ARM templates, Bicep templates contain all of the configuration needed to provision cloud resources securely. Unfortunately, misconfigured templates provision misconfigured cloud resources, which leads to alerts that security teams are left to triage and developers then need to address. Identifying those issues earlier in the development lifecycle is the best way to bake security in from the start.

Before we added this capability, you could scan the resulting ARM templates produced by Bicep templates. However, this did not help you get to the source of the issue that resides in the Bicep templates.

Scanning Bicep templates with Bridgecrew or Checkov

With Bridgecrew and Checkov’s built-in Azure checks, it’s easy to surface those misconfigurations across the development lifecycle.

You can scan Bicep templates as you’re writing code in your IDE, validating it in your command line, making new commits, or as part of your test and build pipeline.

Getting started with Checkov for Bicep

Checkov added support for Bicep in version 2.0.1068. You can quickly give it a try by installing Checkov, cloning BicepGoat, and running a scan.

```bash
git clone https://github.com/bridgecrewio/bicepgoat
cd bicepgoat
checkov -d . --framework bicep
```

The `--framework` flag is optional. The result is a series of misconfigurations across the Bicep templates. You can also add your Bridgecrew API key to get the severities for each finding.

Use the Checkov CLI to see the severities of each finding

This same scan can be automated to run in your continuous integration pipelines, such as GitHub Actions or Azure Pipelines.

View your Bridgecrew or Checkov scan results in your Azure pipelines

This can be set as a hard or soft fail to provide security guardrails for your Azure deployments.
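As an added example (not code from the post or from the Checkov project), here is a GitHub Actions workflow that automates the scan from the previous section and switches between a hard fail and a soft fail. The workflow name, job name and file paths are assumptions; the Checkov options used (`-d`, `--framework`, `--soft-fail`, `--bc-api-key`) are real CLI flags, and `BC_API_KEY` is assumed to be stored as a repository secret.

```yaml
# Added example, not from the original post or the Checkov project.
# Runs Checkov against every Bicep template in the repository on pushes
# and pull requests, and fails the job on any finding unless soft-fail
# (advisory) mode is enabled below.
name: bicep-checkov

on:
  push:
    paths: ['**/*.bicep']
  pull_request:
    paths: ['**/*.bicep']

env:
  # Leave empty for a hard fail (findings break the build).
  # Set to "--soft-fail" to report findings without failing the job.
  CHECKOV_MODE: ""

jobs:
  scan-bicep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      # Bicep support arrived in 2.0.1068, so pin to at least that version.
      - name: Install Checkov
        run: pip install 'checkov>=2.0.1068'

      # Same scan as on the command line; the API key is optional and only
      # adds Bridgecrew severities to each finding. Without a key, drop the
      # --bc-api-key argument entirely.
      - name: Scan Bicep templates
        env:
          BC_API_KEY: ${{ secrets.BC_API_KEY }}   # assumed repository secret
        run: |
          checkov -d . --framework bicep $CHECKOV_MODE --bc-api-key "$BC_API_KEY"
```

An Azure Pipelines equivalent is the same two `pip install` and `checkov` commands in a `script` step, with the API key supplied from a pipeline secret variable.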

Native integrations with the Bridgecrew platform

In addition to the Checkov and CI integrations, you can leverage Bridgecrew’s integrations with VCS providers (GitHub, GitLab, Bitbucket, and Azure Repos) to scan repositories periodically and on pull requests. The platform surfaces the findings, with policy controls, in the Projects page (pictured in the intro) and in the Supply Chain Graph.

Bicep supply chain graph in the Bridgecrew platform

Bicep makes it easier for you to create IaC templates to manage and deploy Azure resources. And now that both Bridgecrew and Checkov support misconfiguration scanning for Bicep templates, you’ll be able to find and fix misconfigurations faster and ensure your Azure resources are secure by default. Try it out for yourself with Checkov or a free Bridgecrew account.