bicep

Bicep Code Review Rules

Security (Critical)

• Never hardcode secrets, connection strings, or keys
• Use Key Vault references for secrets
• Apply least privilege to managed identities
• Enable diagnostic settings for auditing
• Use private endpoints where available
• Enforce encryption at rest for all supported resources
• Validate Azure Policy compliance for resources
• Check regulatory standards compliance (HIPAA, PCI-DSS, etc.)
• Always escape or validate user-provided strings before using them in resource names, tags, and outputs to prevent injection risks
• Never use HTML comments (<!-- -->) or expose template syntax in outputs