Bicep existing resources are still checked

  • What language is this for? Bicep/AzureResourceManager
  • Which rule? several, see below
  • Why do you believe it’s a false-positive/false-negative? The setting of the property is not allowed
  • Are you using
    • SonarQube - which version? developer edition
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

In a bicep file, create an existing resource and run the analyzer; you will get security hotspots on missing properties like:

param prefixName string

resource functionApp 'Microsoft.Web/sites@2021-03-01' existing = {
  name: '${prefixName}-func'
}

gives the following security hotspots:

  • Omitting “clientCertEnabled” disables certificate-based authentication. Make sure it is safe here, azureresourcemanager:S6382
  • Omitting authsettingsV2 disables authentication. Make sure it is safe here, azureresourcemanager:S6380
  • Omitting “httpsOnly” allows the use of clear-text protocols. Make sure it is safe here, azureresourcemanager:S5332
  • Omitting the “identity” block disables Azure Managed Identities. Make sure it is safe here, azureresourcemanager:S6378

It also happens with other types of resources like

param prefixName string

resource kv 'Microsoft.KeyVault/vaults@2022-11-01' existing = {
  name: '${prefixName}-kv'
}

this gives the following security hotspot:

  • Omitting ‘enableRbacAuthorization’ disables role-based access control for this resource. Make sure it is safe here, azureresourcemanager:S6383

These rules (and others) should not be triggered if the `existing` keyword is present on the resource, as it's not allowed to define these settings on existing resources.
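To make the contrast concrete, here is an added example (not part of the report above, not SonarSource code) that places an `existing` reference next to a freshly declared resource. Only the declared resource can carry the properties the hotspots S5332, S6378, S6380 and S6382 ask about; the `existing` reference may only name the resource (plus an optional `scope` or `parent`). The `location` parameter, the `functionapp` kind and the auth-settings child resource are assumptions for illustration; `prefixName` and the resource types come from the report.

```bicep
param prefixName string
// Assumed parameter: where the new function app is deployed.
param location string = resourceGroup().location

// Reference to a vault deployed by another template. Bicep rejects any
// property other than name/scope/parent here, so enableRbacAuthorization
// (S6383) cannot be set on this declaration.
resource kv 'Microsoft.KeyVault/vaults@2022-11-01' existing = {
  name: '${prefixName}-kv'
}

// A resource this template actually creates: here the hardening
// properties are settable and the hotspots are meaningful.
resource functionApp 'Microsoft.Web/sites@2021-03-01' = {
  name: '${prefixName}-func'
  location: location
  kind: 'functionapp'
  // S6378: system-assigned managed identity instead of stored credentials.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    // S5332: refuse clear-text HTTP.
    httpsOnly: true
    // S6382: require client certificates.
    clientCertEnabled: true
  }
}

// S6380: authentication is configured through the authsettingsV2 child
// resource of the declared site, not on the site itself.
resource functionAppAuth 'Microsoft.Web/sites/config@2021-03-01' = {
  parent: functionApp
  name: 'authsettingsV2'
  properties: {
    globalValidation: {
      requireAuthentication: true
      unauthenticatedClientAction: 'RedirectToLoginPage'
    }
  }
}

// The existing reference is used only to read values from the vault.
output vaultUri string = kv.properties.vaultUri
output functionPrincipalId string = functionApp.identity.principalId
```

Running the analyzer over this file is the quickest way to show the asymmetry: the hotspots are justified on `functionApp` if any of the settings above were removed, while on `kv` there is nothing the author could add to satisfy them.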

Hey there.

Thanks for the report. Take a look at this thread: