Bicep Repository Scans Failing in Checkov, IaC File Scanner, and Template Analyzer

[weekendclimber]

Edited: added screenshot of errors from build summary page.

I'm having issues with the task running in my environment. I've got Bicep files that I would like to have scanned, but it seems that the IaC category scanners all fail in various modes.

In my pipeline I have the following:

- task: MicrosoftSecurityDevOps@1
  displayName: "Run Microsoft Security Scan"
  inputs:
    policy: 'azuredevops'
    categories: 'IaC'
    publish: false
    artifactName: 'CodeAnalysisLogs'

It appears that Microsoft Defender for Cloud picks up the runs, unless I don't understand the dashboard in Azure fully. Not sure what is failing within the task. I believe this is running within a container, which is not publicly available like the task code is on GitHub. Otherwise, I would dig in and see what is going on with it.

See screenshots below.

Microsoft Defender for Cloud Dashboard:

Checkov Results:

IaC File Scanner Results:

Template Analyzer Results:

Final Results:

Azure DevOps Build Summary:

Raw Task Log:
rawlog.txt

[vikenparikh]

Hey @weekendclimber , My team and I are looking into this, Thanks for sharing the information, we ll get back to you soon with our findings

[weekendclimber]

Thank you. Please let me know if there is anything more I can provide to help track it down.

One thing that I am doing regarding Checkov to get around the error with this extension is that I've got a custom PowerShell script running it. That script first exports the Bicep files to ARM template JSON using az bicep build and then it runs successfully against those ARM templates. That is with Checkov version 3.2.447.

[vikenparikh]

Thanks for your patience, we are evaluating if it's possible for us to add support for it or not, meanwhile you can continue the workaround that you have been using, we'll get back to you after further discussion with the team.

Do your Bicep templates reference modules?
If yes, are those modules private (need authentication)?

[vikenparikh]

Hi @weekendclimber
We had a follow up question, Do your Bicep templates reference modules? If yes, are those modules private (need authentication)?
We assume that if it's an auth issue it might be getting fixed after az bicep build as private modules are currently not supported

If not, could you share with us a Debug-Drop? -https://github.com/microsoft/security-devops-azdevops/wiki/Debug-Drops
Thank you

[weekendclimber]

I do reference modules in my bicep templates, but they are from the Azure Verified Modules repository and I copy them into my local repository. They are not private and do not require authentication of any sorts.

[vikenparikh]

Thanks for sharing this,
We would need to look at the files, please schedule some time with our PM James for us to understand more on the issue- https://outlook.office.com/bookwithme/user/34964fbf61f64b17866cacbff302928e@microsoft.com?anonymous&ismsaljsauthenabled&ep=bwmEmailSignature
Thank you

[JohnathonMohr]

@weekendclimber improvements are being made to Template Analyzer in response to the errors here. There may still be some warnings, but the errors should resolve after this gets pushed to MSDO.

[jbrotsos]

Resolved as fixed.