Labels: kind/feature (new feature), scan/misconfiguration (misconfiguration scanning)
Description
Discussed in #9466
Originally posted by bve-wd September 10, 2025
When building a Bicep file that contains a module with az bicep build -f main.bicep, trivy does not detect issues for the generated Azure ARM template when running trivy config .
The main difference I noticed when using modules is that the resources property is a dictionary instead of an array.
Desired Behavior
Trivy should yield issues for Bicep modules
Actual Behavior
Trivy does not return any issues if modules are used in main.bicep. It seems that it does not even use the azure-arm scanner (or the scanner does not yield issues).
Reproduction Steps
Example main.bicep:
targetScope = 'subscription'
resource myrg 'Microsoft.Resources/resourceGroups@2025-04-01' = {
name: 'myrg'
location: 'WestEurope'
}
module insecure 'insecure.bicep' = {
scope: myrg
}
Example insecure.bicep:
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
name: 'insecurestorage${uniqueString(resourceGroup().id)}'
location: resourceGroup().location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
properties: {
allowBlobPublicAccess: true
minimumTlsVersion: 'TLS1_0' // This yields an error if insecure.bicep is built directly
supportsHttpsTrafficOnly: false
accessTier: 'Hot'
}
}
- Run az bicep build -f main.bicep
- Run trivy config .
Result: No issues detected
main.json:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"languageVersion": "2.0",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.37.4.10188",
"templateHash": "9375790898027716067"
}
},
"resources": {
"myrg": {
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2025-04-01",
"name": "myrg",
"location": "WestEurope"
},
"insecure": {
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('insecure-{0}', uniqueString('insecure', deployment().name))]",
"resourceGroup": "myrg",
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.37.4.10188",
"templateHash": "1574586486505528430"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "[format('insecurestorage{0}', uniqueString(resourceGroup().id))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2",
"properties": {
"allowBlobPublicAccess": true,
"minimumTlsVersion": "TLS1_0",
"supportsHttpsTrafficOnly": false,
"accessTier": "Hot"
}
}
]
}
},
"dependsOn": [
"myrg"
]
}
}
}
- Run az bicep build -f insecure.bicep
- Run trivy config .
Result: Issues detected
insecure.json:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.37.4.10188",
"templateHash": "1574586486505528430"
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2022-09-01",
"name": "[format('insecurestorage{0}', uniqueString(resourceGroup().id))]",
"location": "[resourceGroup().location]",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2",
"properties": {
"allowBlobPublicAccess": true,
"minimumTlsVersion": "TLS1_0",
"supportsHttpsTrafficOnly": false,
"accessTier": "Hot"
}
}
]
}
Target
Filesystem
Scanner
Misconfiguration
Output Format
None
Mode
Standalone
Debug Output
# Run for main.json: trivy config . --debug
2025-09-10T16:05:22+02:00 DEBUG No plugins loaded
2025-09-10T16:05:22+02:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-10T16:05:22+02:00 DEBUG Cache dir dir="C:\\Users\\USER\\AppData\\Local\\trivy"
2025-09-10T16:05:22+02:00 DEBUG Cache dir dir="C:\\Users\\USER\\AppData\\Local\\trivy"
2025-09-10T16:05:22+02:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-10T16:05:22+02:00 DEBUG [notification] Running version check
2025-09-10T16:05:22+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-09-10T16:05:22+02:00 DEBUG [misconfig] Checks successfully loaded from disk
2025-09-10T16:05:23+02:00 DEBUG [notification] Version check completed latest_version="0.66.0"
2025-09-10T16:05:23+02:00 DEBUG [rego] Overriding filesystem for checks
2025-09-10T16:05:23+02:00 DEBUG [rego] Embedded libraries are loaded count=17
2025-09-10T16:05:23+02:00 DEBUG [rego] Embedded checks are loaded count=519
2025-09-10T16:05:24+02:00 DEBUG [rego] Checks from disk are loaded count=536
2025-09-10T16:05:24+02:00 DEBUG [rego] Overriding filesystem for data
2025-09-10T16:05:24+02:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-09-10T16:05:24+02:00 DEBUG Initializing scan cache... type="memory"
2025-09-10T16:05:24+02:00 DEBUG [fs] Analyzing... root="."
2025-09-10T16:05:24+02:00 DEBUG Created process-specific temp directory path="C:\\Users\\USER\\AppData\\Local\\Temp\\trivy-41468"
2025-09-10T16:05:24+02:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="CloudFormation"
2025-09-10T16:05:24+02:00 DEBUG [cloudformation parser] Context loaded from source file_path="main.json"
2025-09-10T16:05:24+02:00 DEBUG [rego] Scanning inputs count=1
2025-09-10T16:05:24+02:00 DEBUG OS is not detected.
2025-09-10T16:05:24+02:00 INFO Detected config files num=1
2025-09-10T16:05:24+02:00 DEBUG Scanned config file file_path="main.json"
2025-09-10T16:05:24+02:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-09-10T16:05:24+02:00 DEBUG [vex] VEX filtering is disabled
Report Summary
┌───────────┬────────────────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├───────────┼────────────────┼───────────────────┤
│ main.json │ cloudformation │ 0 │
└───────────┴────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
2025-09-10T16:05:24+02:00 DEBUG Cleaning up temp directory path="C:\\Users\\USER>\\AppData\\Local\\Temp\\trivy-41468"
# Run for insecure.json: trivy config . --debug
2025-09-10T16:18:43+02:00 DEBUG No plugins loaded
2025-09-10T16:18:43+02:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-10T16:18:43+02:00 DEBUG Cache dir dir="C:\\Users\\USER\\AppData\\Local\\trivy"
2025-09-10T16:18:43+02:00 DEBUG Cache dir dir="C:\\Users\\USER\\AppData\\Local\\trivy"
2025-09-10T16:18:43+02:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-10T16:18:43+02:00 INFO [misconfig] Misconfiguration scanning is enabled
2025-09-10T16:18:43+02:00 DEBUG [notification] Running version check
2025-09-10T16:18:43+02:00 DEBUG [misconfig] Checks successfully loaded from disk
2025-09-10T16:18:43+02:00 DEBUG [notification] Version check completed latest_version="0.66.0"
2025-09-10T16:18:43+02:00 DEBUG [rego] Overriding filesystem for checks
2025-09-10T16:18:43+02:00 DEBUG [rego] Embedded libraries are loaded count=17
2025-09-10T16:18:44+02:00 DEBUG [rego] Embedded checks are loaded count=519
2025-09-10T16:18:44+02:00 DEBUG [rego] Checks from disk are loaded count=536
2025-09-10T16:18:44+02:00 DEBUG [rego] Overriding filesystem for data
2025-09-10T16:18:44+02:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-09-10T16:18:44+02:00 DEBUG Initializing scan cache... type="memory"
2025-09-10T16:18:44+02:00 DEBUG [fs] Analyzing... root="."
2025-09-10T16:18:44+02:00 DEBUG Created process-specific temp directory path="C:\\Users\\USER\\AppData\\Local\\Temp\\trivy-31280"
2025-09-10T16:18:44+02:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="Azure ARM"
2025-09-10T16:18:44+02:00 DEBUG [rego] Scanning inputs count=1
2025-09-10T16:18:44+02:00 DEBUG [misconfig] Scanning files for misconfigurations... scanner="CloudFormation"
2025-09-10T16:18:44+02:00 DEBUG [cloudformation parser] Context loaded from source file_path="main.json"
2025-09-10T16:18:44+02:00 DEBUG [rego] Scanning inputs count=1
2025-09-10T16:18:44+02:00 DEBUG OS is not detected.
2025-09-10T16:18:44+02:00 INFO Detected config files num=2
2025-09-10T16:18:44+02:00 DEBUG Scanned config file file_path="insecure.json"
2025-09-10T16:18:44+02:00 DEBUG Scanned config file file_path="main.json"
2025-09-10T16:18:44+02:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-09-10T16:18:44+02:00 DEBUG [vex] VEX filtering is disabled
Report Summary
┌───────────────┬────────────────┬───────────────────┐
│ Target │ Type │ Misconfigurations │
├───────────────┼────────────────┼───────────────────┤
│ insecure.json │ azure-arm │ 3 │
├───────────────┼────────────────┼───────────────────┤
│ main.json │ cloudformation │ 0 │
└───────────────┴────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
insecure.json (azure-arm)
=========================
Tests: 6 (SUCCESSES: 3, FAILURES: 3)
Failures: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 2)
AVD-AZU-0008 (HIGH): Account does not enforce HTTPS.
════════════════════════════════════════
You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account.
When you require secure transfer, any requests originating from an insecure connection are rejected.
Microsoft recommends that you always require secure transfer for all of your storage accounts.
See https://avd.aquasec.com/misconfig/avd-azu-0008
────────────────────────────────────────
insecure.json:24
via insecure.json:21-26 (resources[0].properties)
via insecure.json:12-27 (resources[0])
via insecure.json:1-29 ()
via insecure.json:0 ()
────────────────────────────────────────
1 {
.
24 [ "supportsHttpsTrafficOnly": false,
..
29 }
────────────────────────────────────────
AVD-AZU-0011 (CRITICAL): Storage account uses an insecure TLS version.
════════════════════════════════════════
Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2.
Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
This check will warn if the minimum TLS is not set to TLS1_2.
See https://avd.aquasec.com/misconfig/avd-azu-0011
────────────────────────────────────────
insecure.json:23
via insecure.json:21-26 (resources[0].properties)
via insecure.json:12-27 (resources[0])
via insecure.json:1-29 ()
via insecure.json:0 ()
────────────────────────────────────────
1 {
.
23 [ "minimumTlsVersion": "TLS1_0",
..
29 }
────────────────────────────────────────
AVD-AZU-0012 (CRITICAL): Network rules allow access by default.
════════════════════════════════════════
The default_action for network rules should come into effect when no other rules are matched.
The default action should be set to Deny.
See https://avd.aquasec.com/misconfig/avd-azu-0012
────────────────────────────────────────
insecure.json:12-27
via insecure.json:1-29 ()
via insecure.json:0 ()
────────────────────────────────────────
1 {
.
12 ┌ {
13 │ "type": "Microsoft.Storage/storageAccounts",
14 │ "apiVersion": "2022-09-01",
15 │ "name": "[format('insecurestorage{0}', uniqueString(resourceGroup().id))]",
16 │ "location": "[resourceGroup().location]",
17 │ "sku": {
18 └ "name": "Standard_LRS"
..
────────────────────────────────────────
2025-09-10T16:18:44+02:00 DEBUG Cleaning up temp directory path="C:\\Users\\USER\\AppData\\Local\\Temp\\trivy-31280"
Operating System
Windows
Version
Version: 0.66.0
Check Bundle:
Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
DownloadedAt: 2025-09-10 14:04:22.2716591 +0000 UTC
Checklist
- Run trivy clean --all
- Read the troubleshooting
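As an added workaround example (not part of this report and not Trivy's own code), assuming, as the report suggests, that the scanner only recognises the classic array form of "resources": a Python script that rewrites a languageVersion 2.0 template into array form, recursing into the template nested inside each Microsoft.Resources/deployments module so the storage account defined in the module becomes visible. The sample template is a constructed, shortened version of the main.json shape shown above.

```python
import json

# Constructed sample (not the full main.json from the report): languageVersion 2.0
# emits "resources" as a dict keyed by symbolic name, and the module becomes a
# Microsoft.Resources/deployments resource carrying its own nested template.
MAIN_JSON = """{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "languageVersion": "2.0",
  "contentVersion": "1.0.0.0",
  "resources": {
    "myrg": {"type": "Microsoft.Resources/resourceGroups", "apiVersion": "2025-04-01", "name": "myrg"},
    "insecure": {
      "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "insecure",
      "properties": {"mode": "Incremental", "template": {"resources": [
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2022-09-01", "name": "insecurestorage",
         "properties": {"supportsHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0"}}]}}
    }
  }
}"""


def collect_resources(template: dict) -> list:
    """Return every resource in array form, recursing into nested deployment templates."""
    raw = template.get("resources", [])
    # Classic templates use a list; languageVersion 2.0 uses a dict of symbolic names.
    items = list(raw.values()) if isinstance(raw, dict) else list(raw)
    found = []
    for res in items:
        if not isinstance(res, dict):
            continue
        found.append(res)
        if res.get("type", "").lower() == "microsoft.resources/deployments":
            nested = res.get("properties", {}).get("template")
            if isinstance(nested, dict):
                found.extend(collect_resources(nested))
    return found


def flatten_template(text: str) -> dict:
    """Rewrite a template as a classic array-form deployment template."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": collect_resources(json.loads(text)),
    }


def resource_types(text: str) -> list:
    return [r["type"] for r in flatten_template(text)["resources"]]


if __name__ == "__main__":
    print(json.dumps(flatten_template(MAIN_JSON), indent=2))
```

Because the rewritten file is a different document, line numbers in any findings refer to the flattened output rather than the original main.json, and the deployment resource keeps its nested template, so the module's resources appear both inline and flattened.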