template-analyzer/README.md

[![Build Status](https://dev.azure.com/azure/template-analyzer/_apis/build/status/BuildAndTest?branchName=main)](https://dev.azure.com/azure/template-analyzer/_build/latest?definitionId=91&branchName=main)
[![Code Coverage](https://shields.io/azure-devops/coverage/azure/template-analyzer/91)](https://dev.azure.com/azure/template-analyzer/_build/latest?definitionId=91&branchName=main)

# ARM Template Best Practice Analyzer (BPA)
***Note**: The Template BPA is currently in development. It is not yet recommended for production usage.*

## What is the ARM Template BPA?
[Azure Resource Manager (ARM) templates](https://docs.microsoft.com/azure/azure-resource-manager/templates/overview) – Infrastructure-as-code (IaC) for your Azure solutions – are JSON files that define the infrastructure and configuration for your Azure deployments. The Template BPA is an ARM template validator that scans ARM and Bicep templates to ensure security and best practice checks are being followed before deployment.

The Template BPA provides a simple and extensible solution to improve the security of your Azure resources before deployment and ensures your ARM templates follow best practices. The Template BPA is designed to be customizable - users can write their own checks and/or enforce only the checks that are relevant for them.

The Template BPA is also capable of scanning newer [Bicep template](https://docs.microsoft.com/azure/azure-resource-manager/bicep/) files.

## Getting started with the Template BPA
Download the latest Template BPA release in [the releases section](https://github.com/Azure/template-analyzer/releases).

To preview the rules that come bundled with the Template BPA, explore [the built-in rules](docs/built-in-bpa-rules.md).

## Using the Template BPA
The Template BPA is executed via a command line.  There are two formats to invoke it:

`TemplateAnalyzer.exe analyze-template <template-path> [-p <parameters-path>] [-c <config-path>] [--report-format <format>] [-o <output-path>] [-v]`

or

`TemplateAnalyzer.exe analyze-directory <directory-path> [-c <config-path>] [--report-format <format>] [-o <output-path>] [-v]`

### Input
The Template BPA accepts the following inputs:

Argument | Description
--- | ---
`<template-path>` | The ARM or Bicep template to analyze
`<directory-path>` | The directory in which to search for ARM and Bicep templates (recursively finds and analyzes all ARM and Bicep templates in the directory and its subdirectories).<br/>ARM Templates are identified by a '.json' file extension and a [valid top-level *$schema* property](https://docs.microsoft.com/azure/azure-resource-manager/templates/syntax#template-format)>. Bicep Templates are identified by a '.bicep' file extension.
**(Optional)** `-p` or `--parameters-file-path` | A [parameters file](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameter-files)
**(Optional)** `-c` or `--config-file-path` | A [configuration file](docs/customizing-evaluation-outputs.md) which sets custom settings for the analyzer.<br/>**If argument is not provided, the Template BPA will attempt to load a configuration from *<_ExecutablePath_>/configuration.json* if the file exists.**.
**(Optional)** `--report-format` | Valid formats:<br/>*Console*: output results to the console in plain text. **(default)**<br/>*Sarif*: output results to a file in [SARIF](https://sarifweb.azurewebsites.net) format.
`-o` or `--output-file-path` | **(Required if `--report-format` is *Sarif*)**  File path to output SARIF results to.
**(Optional)** `-v` or `--verbose` | Shows details about the analysis

 The Template BPA runs the [configured rules](#understanding-and-customizing-rules) against the provided ARM or Bicep template and its corresponding [template parameters](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameter-files), if specified. If no template parameters are specified, then the Template BPA generates the minimum number of placeholder parameters to properly evaluate [template functions](https://docs.microsoft.com/azure/azure-resource-manager/templates/template-functions) in the ARM template.

**Note**: Providing the Template BPA with template parameter values will result in more accurate results as it will more accurately represent your deployments. The values provided to parameters may affect the evaluation of the Template BPA rule, altering its results. That said, **DO NOT** save sensitive data (passwords, connection strings, etc.) in parameter files in your repositories. Instead, [retrieve these values from  your ARM template from Azure Key Vault](https://docs.microsoft.com/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-static-id).

### Output
Results can be output in plain text to the console, or output to a file in SARIF format. Template BPA will exit with an error code if any errors or violations are found during a scan.

#### Console
The Template BPA outputs the results of violated rules, the corresponding line numbers where rules failed, and a recommendation to remediate each violation.

For a template which deploys an API App that does not require HTTPS, running the Template BPA on the template would produce output which looks similar to the following:
```
>TemplateAnalyzer.exe analyze-template "C:\Templates\azuredeploy.json"

File: C:\Templates\azuredeploy.json

        AppServiceApiApp_HTTPS: API App should only be accessible over HTTPS
                More information: https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md#api-app-should-only-be-accessible-over-https
                Result: Failed
                Line: 114

        Rules passed: 25
```

#### SARIF
Results are written to the file specified (with the `-o` or `--output-file-path` argument) in [SARIF](https://sarifweb.azurewebsites.net) format.

#### Exit codes
| Scenario      | Exit Code |
| ----------- | ----------- |
| Success: Operation was successful | 0 |
| Error: Problem with command | 1 |
| Error: Invalid file or directory path | 2 |
| Error: Missing file or directory path | 3 |
| Error: Problem loading configuration file | 4 |
| Error: Invalid ARM template specified | 10 |
| Error: Invalid Bicep template specified | 11 |
| Violation: Scan found rule violations in analyzed template(s) | 20 |
| Error: An error was encountered trying to analyze a template | 21 |
| Violation + Error: Scan encountered both violations in template(s) and errors trying to analyze template(s) | 22 |

### Understanding and customizing rules
The analysis rules used by the Template BPA are written in JSON, located in *Rules/BuiltInRules.json* (starting from the directory *TemplateAnalyzer.exe* is in). This file can be added to and/or modified to change the rules that are run. See the [documentation for more information about how to author Template BPA JSON rules](./docs/authoring-json-rules.md).

## Contributing
This project welcomes contributions and suggestions. Please see the [Contribution Guide](./CONTRIBUTING.md) for more details about how to contribute to the Template BPA. Most contributions require you to
agree to a Contributor License Agreement (CLA) declaring that you have the right to,
and actually do, grant us the rights to use your contribution. For details, visit
https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need
to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the
instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

## Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
Fix build status badge in README 2021-01-12 05:41:10 +03:00			`[![Build Status](https://dev.azure.com/azure/template-analyzer/_apis/build/status/BuildAndTest?branchName=main)](https://dev.azure.com/azure/template-analyzer/_build/latest?definitionId=91&branchName=main)`
Add code coverage badge to Readme 2021-07-20 03:35:11 +03:00			`[![Code Coverage](https://shields.io/azure-devops/coverage/azure/template-analyzer/91)](https://dev.azure.com/azure/template-analyzer/_build/latest?definitionId=91&branchName=main)`
Add build badge to readme 2020-11-06 03:53:41 +03:00
Rename ARMory to ARM Template BPA in documentation 2021-01-12 04:18:17 +03:00			`# ARM Template Best Practice Analyzer (BPA)`
			`*Note: The Template BPA is currently in development. It is not yet recommended for production usage.*`
README and rule authoring wording updates. More info about CLI execution. 2021-07-08 22:27:33 +03:00
Rename ARMory to ARM Template BPA in documentation 2021-01-12 04:18:17 +03:00			`## What is the ARM Template BPA?`
Removing link geo-locationing (#265) * Removing link geo-locationing * Removing link geo-locationing 2022-07-13 23:53:41 +03:00			`[Azure Resource Manager (ARM) templates](https://docs.microsoft.com/azure/azure-resource-manager/templates/overview) – Infrastructure-as-code (IaC) for your Azure solutions – are JSON files that define the infrastructure and configuration for your Azure deployments. The Template BPA is an ARM template validator that scans ARM and Bicep templates to ensure security and best practice checks are being followed before deployment.`
README and rule authoring wording updates. More info about CLI execution. 2021-07-08 22:27:33 +03:00
			`The Template BPA provides a simple and extensible solution to improve the security of your Azure resources before deployment and ensures your ARM templates follow best practices. The Template BPA is designed to be customizable - users can write their own checks and/or enforce only the checks that are relevant for them.`

Update README.md Co-authored-by: Anais Miller <anamille@microsoft.com> 2022-07-11 22:06:06 +03:00			`The Template BPA is also capable of scanning newer [Bicep template](https://docs.microsoft.com/azure/azure-resource-manager/bicep/) files.`
code review comments 2022-07-11 21:05:47 +03:00
Rename ARMory to ARM Template BPA in documentation 2021-01-12 04:18:17 +03:00			`## Getting started with the Template BPA`
Update docs, improve Pulish VS Code task 2022-06-04 01:13:54 +03:00			`Download the latest Template BPA release in [the releases section](https://github.com/Azure/template-analyzer/releases).`
Update documentation and required files 2020-12-18 02:56:37 +03:00
README and rule authoring wording updates. More info about CLI execution. 2021-07-08 22:27:33 +03:00			`To preview the rules that come bundled with the Template BPA, explore [the built-in rules](docs/built-in-bpa-rules.md).`
Add reference to built-in rules in README 2021-05-28 06:01:32 +03:00
Rename ARMory to ARM Template BPA in documentation 2021-01-12 04:18:17 +03:00			`## Using the Template BPA`
Define severity, rule suppression, rule selection (#200) * add severity to bpa Co-authored-by: Johnathon Mohr <JohnathonMohr@users.noreply.github.com> Co-authored-by: Yanelis <7039880+yane3628@users.noreply.github.com> Co-authored-by: Johnathon Mohr <johnmohr@microsoft.com> 2022-04-19 01:02:56 +03:00			`The Template BPA is executed via a command line. There are two formats to invoke it:`
Better instructions for downloading and execution. 2021-05-28 05:51:14 +03:00
Clarify behavior of CLI parameters in README 2022-06-03 03:23:53 +03:00			`TemplateAnalyzer.exe analyze-template <template-path> [-p <parameters-path>] [-c <config-path>] [--report-format <format>] [-o <output-path>] [-v]`
pr comment fixes (3) 2021-07-15 23:03:02 +03:00
Define severity, rule suppression, rule selection (#200) * add severity to bpa Co-authored-by: Johnathon Mohr <JohnathonMohr@users.noreply.github.com> Co-authored-by: Yanelis <7039880+yane3628@users.noreply.github.com> Co-authored-by: Johnathon Mohr <johnmohr@microsoft.com> 2022-04-19 01:02:56 +03:00			`or`

Clarify behavior of CLI parameters in README 2022-06-03 03:23:53 +03:00			`TemplateAnalyzer.exe analyze-directory <directory-path> [-c <config-path>] [--report-format <format>] [-o <output-path>] [-v]`
Better instructions for downloading and execution. 2021-05-28 05:51:14 +03:00
Update documentation and required files 2020-12-18 02:56:37 +03:00			`### Input`
Reformat Input section of README 2021-07-08 23:36:21 +03:00			`The Template BPA accepts the following inputs:`

			`Argument \| Description`
			`--- \| ---`
code review comments 2022-07-11 21:05:47 +03:00			`<template-path>` \| The ARM or Bicep template to analyze
Removing link geo-locationing (#265) * Removing link geo-locationing * Removing link geo-locationing 2022-07-13 23:53:41 +03:00			`<directory-path>` \| The directory in which to search for ARM and Bicep templates (recursively finds and analyzes all ARM and Bicep templates in the directory and its subdirectories).<br/>ARM Templates are identified by a '.json' file extension and a [valid top-level $schema property](https://docs.microsoft.com/azure/azure-resource-manager/templates/syntax#template-format)>. Bicep Templates are identified by a '.bicep' file extension.
			(Optional) `-p` or `--parameters-file-path` \| A [parameters file](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameter-files)
Clarify behavior of CLI parameters in README 2022-06-03 03:23:53 +03:00			(Optional) `-c` or `--config-file-path` \| A [configuration file](docs/customizing-evaluation-outputs.md) which sets custom settings for the analyzer.<br/>*If argument is not provided, the Template BPA will attempt to load a configuration from <_ExecutablePath_>/configuration.json* if the file exists.**.
			(Optional) `--report-format` \| Valid formats:<br/>Console: output results to the console in plain text. (default)<br/>Sarif: output results to a file in [SARIF](https://sarifweb.azurewebsites.net) format.
Update version to 0.1.0, add SARIF option to README 2021-11-17 22:51:02 +03:00			`-o` or `--output-file-path` \| *(Required if `--report-format` is Sarif)* File path to output SARIF results to.
Add verbose option to the README and a couple of minor improvements 2022-04-12 01:40:39 +03:00			(Optional) `-v` or `--verbose` \| Shows details about the analysis
Reformat Input section of README 2021-07-08 23:36:21 +03:00
Removing link geo-locationing (#265) * Removing link geo-locationing * Removing link geo-locationing 2022-07-13 23:53:41 +03:00			The Template BPA runs the [configured rules](#understanding-and-customizing-rules) against the provided ARM or Bicep template and its corresponding [template parameters](https://docs.microsoft.com/azure/azure-resource-manager/templates/parameter-files), if specified. If no template parameters are specified, then the Template BPA generates the minimum number of placeholder parameters to properly evaluate [template functions](https://docs.microsoft.com/azure/azure-resource-manager/templates/template-functions) in the ARM template.
Add reference to built-in rules in README 2021-05-28 06:01:32 +03:00
Removing link geo-locationing (#265) * Removing link geo-locationing * Removing link geo-locationing 2022-07-13 23:53:41 +03:00			Note: Providing the Template BPA with template parameter values will result in more accurate results as it will more accurately represent your deployments. The values provided to parameters may affect the evaluation of the Template BPA rule, altering its results. That said, DO NOT save sensitive data (passwords, connection strings, etc.) in parameter files in your repositories. Instead, [retrieve these values from your ARM template from Azure Key Vault](https://docs.microsoft.com/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli#reference-secrets-with-static-id).
Update documentation and required files 2020-12-18 02:56:37 +03:00
			`### Output`
add error codes 2022-03-18 00:43:37 +03:00			`Results can be output in plain text to the console, or output to a file in SARIF format. Template BPA will exit with an error code if any errors or violations are found during a scan.`
Update version to 0.1.0, add SARIF option to README 2021-11-17 22:51:02 +03:00
			`#### Console`
README and rule authoring wording updates. More info about CLI execution. 2021-07-08 22:27:33 +03:00			`The Template BPA outputs the results of violated rules, the corresponding line numbers where rules failed, and a recommendation to remediate each violation.`

			`For a template which deploys an API App that does not require HTTPS, running the Template BPA on the template would produce output which looks similar to the following:`
			```
fixed readme CLI usage 2021-08-03 18:36:22 +03:00			`>TemplateAnalyzer.exe analyze-template "C:\Templates\azuredeploy.json"`
README and rule authoring wording updates. More info about CLI execution. 2021-07-08 22:27:33 +03:00
			`File: C:\Templates\azuredeploy.json`

			`AppServiceApiApp_HTTPS: API App should only be accessible over HTTPS`
			`More information: https://github.com/Azure/template-analyzer/blob/main/docs/built-in-bpa-rules.md#api-app-should-only-be-accessible-over-https`
			`Result: Failed`
			`Line: 114`

			`Rules passed: 25`
			```

Update version to 0.1.0, add SARIF option to README 2021-11-17 22:51:02 +03:00			`#### SARIF`
			Results are written to the file specified (with the `-o` or `--output-file-path` argument) in [SARIF](https://sarifweb.azurewebsites.net) format.

Update README.md Co-authored-by: Vera Bogdanich Espina <VeraBE@users.noreply.github.com> 2022-03-31 22:01:25 +03:00			`#### Exit codes`
add error codes 2022-03-18 00:43:37 +03:00			`\| Scenario \| Exit Code \|`
			`\| ----------- \| ----------- \|`
Update README.md Co-authored-by: Vera Bogdanich Espina <VeraBE@users.noreply.github.com> 2022-03-31 22:00:05 +03:00			`\| Success: Operation was successful \| 0 \|`
Update README with reordered exit codes 2022-06-10 03:50:26 +03:00			`\| Error: Problem with command \| 1 \|`
part 2 exitCodes and add Cli Functional Tests (#239) * exitCodes Co-authored-by: Vera Bogdanich Espina <VeraBE@users.noreply.github.com> Co-authored-by: Yanelis <7039880+yane3628@users.noreply.github.com> Co-authored-by: Johnathon Mohr <JohnathonMohr@users.noreply.github.com> 2022-04-29 00:41:11 +03:00			`\| Error: Invalid file or directory path \| 2 \|`
			`\| Error: Missing file or directory path \| 3 \|`
Update README with reordered exit codes 2022-06-10 03:50:26 +03:00			`\| Error: Problem loading configuration file \| 4 \|`
			`\| Error: Invalid ARM template specified \| 10 \|`
Update README.md (#268) Adding Exit code 11 to Readme 2022-07-14 20:01:41 +03:00			`\| Error: Invalid Bicep template specified \| 11 \|`
Update README with reordered exit codes 2022-06-10 03:50:26 +03:00			`\| Violation: Scan found rule violations in analyzed template(s) \| 20 \|`
			`\| Error: An error was encountered trying to analyze a template \| 21 \|`
			`\| Violation + Error: Scan encountered both violations in template(s) and errors trying to analyze template(s) \| 22 \|`
add error codes 2022-03-18 00:43:37 +03:00
			`### Understanding and customizing rules`
README and rule authoring wording updates. More info about CLI execution. 2021-07-08 22:27:33 +03:00			`The analysis rules used by the Template BPA are written in JSON, located in Rules/BuiltInRules.json (starting from the directory TemplateAnalyzer.exe is in). This file can be added to and/or modified to change the rules that are run. See the [documentation for more information about how to author Template BPA JSON rules](./docs/authoring-json-rules.md).`
Update CLI execution instructions. 2021-07-08 03:41:10 +03:00
Update documentation and required files 2020-12-18 02:56:37 +03:00			`## Contributing`
Rename ARMory to ARM Template BPA in documentation 2021-01-12 04:18:17 +03:00			`This project welcomes contributions and suggestions. Please see the [Contribution Guide](./CONTRIBUTING.md) for more details about how to contribute to the Template BPA. Most contributions require you to`
Update documentation and required files 2020-12-18 02:56:37 +03:00			`agree to a Contributor License Agreement (CLA) declaring that you have the right to,`
			`and actually do, grant us the rights to use your contribution. For details, visit`
			`https://cla.microsoft.com.`

			`When you submit a pull request, a CLA-bot will automatically determine whether you need`
			`to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the`
			`instructions provided by the bot. You will only need to do this once across all repositories using our CLA.`

			`This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).`
			`For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)`
			`or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.`
Add Trademark language to README 2020-12-02 02:43:32 +03:00
			`## Trademarks`
Removing link geo-locationing (#265) * Removing link geo-locationing * Removing link geo-locationing 2022-07-13 23:53:41 +03:00			This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.