AzureResourceManager creates Security Hotspots for existing resources in Bicep code


We have a number of repositories in Azure DevOps which consist of Azure Bicep modules. We are using the AzureResourceManager template to scan the code. In Bicep, a resource is defined using the resource keyword is used to define a resource which is being scanned correctly in SonarCloud.

However, the existing keyword is applied to the resource block to indicate a lookup of an existing resource based on its name. These blocks of code do not have all the configuration of a resource that’s being created and yet they are scanned and Security Hotspots are getting created against them anyway. This is causing a large number of false positives and causing our Quality Gate to fail. See example below

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
Omitting 'enableRbacAuthorization' disables role-based access control for this resource. Make sure it is safe here.
  name: keyVaultName

Can this be updated to not create security hotspots for existing resources?

Hello @kbatten and welcome to the community!

Thanks for raising awareness on this issue, we recently discovered this and started our investigation on it.
We have created a ticket to follow up on it.

Sorry for the inconvenience caused by this, we hope to deliver a fix soon.