{"id":783,"date":"2021-01-27T18:21:19","date_gmt":"2021-01-27T18:21:19","guid":{"rendered":"https:\/\/labornet.nl\/?p=403"},"modified":"2021-01-27T18:21:19","modified_gmt":"2021-01-27T18:21:19","slug":"start-checking-arm-files-for-azskarmtemplatesecurity","status":"publish","type":"post","link":"https:\/\/www.azuregovernanceguard.com\/?p=783","title":{"rendered":"Start checking ARM files for AzSKARMTemplateSecurity"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">It is now possible to scan the ARM JSON files you have created against the best practices of the Core Services Engineering &amp; Operations (CSEO) division at Microsoft.\u00a0<a href=\"https:\/\/azsk.azurewebsites.net\/\">Secure DevOps Kit for Azure<\/a>\u00a0can be used to check the ARM files before deployment. You can also use it to check the status of your subscription and resources. This way you can increase the security of your code and deployments.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Build Pipeline<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before any code is deployed, the ARM files need to be checked against best practices. This check takes a long time, which is worth the wait if you have ARM files present in your solution. But this is not always the case, so I created two files to speed up this process when files are not present.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exclusions\">Exclusions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Within the script you now have the option to exclude files or controls. This is done with the help of three files:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Severity<\/li><li>AzSSkipFiles.csv<\/li><li>[Filename].AzSSkipControlsFromFile.csv<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">With these files you can skip the specified checks during deployment. 
This can be done for regulatory requirements or for other reasons, to make sure that the build finishes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"severity\">Severity<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Filter by control severity, e.g. Critical, High, Medium, Low.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"azsskipfilescsv\">AzSSkipFiles.csv<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This file needs to be stored in the directory the ARM files are stored in. Files listed here will not be checked by the script.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The file content needs to look like this; the listed files that are present in the directory will not be scanned.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">host.json\nlocal.settings.json\nproxies.json\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"filenameazsskipcontrolsfromfilecsv\">[Filename].AzSSkipControlsFromFile.csv<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Before you can make an exclusion for the ARM checks you first need to run the build once. 
The build will fail at the ARM check step.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1023\" height=\"85\" src=\"https:\/\/www.azuregovernanceguard.com\/wp-content\/uploads\/2020\/12\/image-10.png\" alt=\"\" class=\"wp-image-327\" srcset=\"https:\/\/www.azuregovernanceguard.com\/wp-content\/uploads\/2020\/12\/image-10.png 1023w, https:\/\/www.azuregovernanceguard.com\/wp-content\/uploads\/2020\/12\/image-10-300x25.png 300w, https:\/\/www.azuregovernanceguard.com\/wp-content\/uploads\/2020\/12\/image-10-768x64.png 768w\" sizes=\"auto, (max-width: 1023px) 100vw, 1023px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">When you select the job that has failed, there are three dots on the right side. Select them and choose &#8220;Download Logs&#8221;. Download the zip file and extract it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.azuregovernanceguard.com\/wp-content\/uploads\/2020\/12\/image-6.png\" alt=\"\" class=\"wp-image-322\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In the extracted files there is another zip file called ARMTemplateChecker_****.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.azuregovernanceguard.com\/wp-content\/uploads\/2020\/12\/image-7.png\" alt=\"\" class=\"wp-image-323\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Open the ARMCheckerResults** file and fix the problems that need to be fixed. 
If you decide not to fix these problems, copy the content of this file into the <strong>test<\/strong>.AzSSkipControlsFromFile.csv file and upload it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.azuregovernanceguard.com\/wp-content\/uploads\/2020\/12\/image-8.png\" alt=\"\" class=\"wp-image-324\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The file content needs to look like this:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\"ControlId\",\"FeatureName\",\"Status\",\"SupportedResources\",\"Severity\",\"PropertyPath\",\"LineNumber\",\"CurrentValue\",\"ExpectedProperty\",\"ExpectedValue\",\"ResourcePath\",\"ResourceLineNumber\",\"Description\",\"FilePath\"\n\"Azure_AppService_BCDR_Use_Multiple_Instances\",\"AppService\",\"Skipped\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"Medium\",\"resources[0].sku.capacity\",\"25\",\"0\",\"$.sku.capacity\",\"GreaterThan 1\",\"resources[0]\",\"15\",\"App Service must be deployed on a minimum of two instances to ensure availability\",\".\\template.json\"\n\"Azure_AppService_Config_Disable_Remote_Debugging\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"High\",\"resources[2].properties.remoteDebuggingEnabled\",\"95\",\"false\",\"$.properties.siteConfig.remoteDebuggingEnabled | $.properties.remoteDebuggingEnabled\",\"'False'\",\"resources[2]\",\"71\",\"Remote debugging must be turned off for App Service\",\".\\template.json\"\n\"Azure_AppService_Config_Disable_Web_Sockets\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , 
Microsoft.Web\/sites\/config\",\"High\",\"resources[2].properties.webSocketsEnabled\",\"102\",\"false\",\"$.properties.siteConfig.webSocketsEnabled | $.properties.webSocketsEnabled\",\"'False'\",\"resources[2]\",\"71\",\"Web Sockets should be disabled for App Service\",\".\\template.json\"\n\"Azure_AppService_BCDR_Use_AlwaysOn\",\"AppService\",\"Skipped\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"Medium\",\"resources[2].properties.alwaysOn\",\"103\",\"false\",\"$.properties.siteConfig.alwaysOn | $.properties.alwaysOn\",\"'True'\",\"resources[2]\",\"71\",\"'Always On' should be configured for App Service\",\".\\template.json\"\n\"Azure_AppService_Deploy_Use_Latest_Version\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"Low\",\"resources[2].properties.netFrameworkVersion\",\"92\",\"\"\"v4.0\"\"\",\"$.properties.siteConfig.netFrameworkVersion | $.properties.netFrameworkVersion\",\"Allow '^(v4.0|v4.7)$'\",\"resources[2]\",\"71\",\"The latest version of .NET framework version should be used for App Service\",\".\\template.json\"\n\"Azure_AppService_Audit_Enable_Logging_and_Monitoring\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"Medium\",\"resources[2].properties.requestTracingEnabled\",\"94\",\"true\",\"$.properties.siteConfig.requestTracingEnabled | $.properties.requestTracingEnabled\",\"'True'\",\"resources[2]\",\"71\",\"Auditing and Monitoring must be enabled for App Service\",\".\\template.json\"\n\"Azure_AppService_Audit_Enable_Logging_and_Monitoring\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"Medium\",\"resources[2].properties.httpLoggingEnabled\",\"97\",\"true\",\"$.properties.siteConfig.httpLoggingEnabled | $.properties.httpLoggingEnabled\",\"'True'\",\"resources[2]\",\"71\",\"Auditing and Monitoring must be 
enabled for App Service\",\".\\template.json\"\n\"Azure_AppService_Audit_Enable_Logging_and_Monitoring\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"Medium\",\"resources[2].properties.detailedErrorLoggingEnabled\",\"98\",\"true\",\"$.properties.siteConfig.detailedErrorLoggingEnabled | $.properties.detailedErrorLoggingEnabled\",\"'True'\",\"resources[2]\",\"71\",\"Auditing and Monitoring must be enabled for App Service\",\".\\template.json\"\n\"Azure_AppService_DP_Dont_Allow_HTTP_Access\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"High\",\"resources[1].properties.httpsOnly\",\"67\",\"true\",\"$.properties.httpsOnly\",\"'True'\",\"resources[1]\",\"39\",\"App Service must only be accessible over HTTPS\",\".\\template.json\"\n\"Azure_AppService_AuthN_Use_AAD_for_Client_AuthN\",\"AppService\",\"Skipped\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"High\",\"Not found\",\"-1\",\"\",\"$.properties.siteConfig.siteAuthEnabled | $.properties.siteAuthEnabled\",\"'True'\",\"resources[2] , resources[1] , resources[0]\",\"15\",\"App Service must authenticate users using Azure Active Directory backed credentials\",\".\\template.json\"\n\"Azure_AppService_AuthN_Use_AAD_for_Client_AuthN\",\"AppService\",\"Skipped\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"High\",\"Not found\",\"-1\",\"\",\"$.properties.siteConfig.siteAuthSettings.clientId | $.properties.siteAuthSettings.clientId\",\"Non-null string\",\"resources[2] , resources[1] , resources[0]\",\"15\",\"App Service must authenticate users using Azure Active Directory backed credentials\",\".\\template.json\"\n\"Azure_AppService_AuthN_Use_Managed_Service_Identity\",\"AppService\",\"Skipped\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"Medium\",\"Not 
found\",\"-1\",\"\",\"$.identity.type\",\"Allow 'SystemAssigned'\",\"resources[2] , resources[1] , resources[0]\",\"15\",\"Use Managed Service Identity (MSI) for accessing other AAD-protected resources from the app service.\",\".\\template.json\"\n\"Azure_AppService_DP_Use_Secure_TLS_Version\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"High\",\"resources[2].properties.minTlsVersion\",\"135\",\"\"\"1.2\"\"\",\"$.properties.siteConfig.minTlsVersion | $.properties.minTlsVersion\",\"GreaterThanOrEqual '1.2'\",\"resources[2]\",\"71\",\"Use approved version of TLS for the App Service\",\".\\template.json\"\n\"Azure_AppService_DP_Review_CORS_Request_Credential\",\"AppService\",\"Passed\",\"Microsoft.Web\/sites , Microsoft.Web\/serverfarms , Microsoft.Web\/sites\/config\",\"Medium\",\"Not found\",\"-1\",\"\",\"$.properties.siteConfig.cors.supportCredentials | $.properties.cors.supportCredentials\",\"'False'\",\"resources[2] , resources[1] , resources[0]\",\"15\",\"Review use of credentials in CORS request for App Service\",\".\\template.json\"\n<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">- task: PowerShell@2\n  displayName: Start checking ARM files for AzSKARMTemplateSecurity\n  inputs:\n    targetType: \"inline\"\n    pwsh: true\n    failOnStderr: false\n    script: Invoke-Build -Task TestARMAZSK -ModuleName $(module.Name)\n    workingDirectory: $(System.DefaultWorkingDirectory)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is now possible to scan the ARM json files you have created with the best practices by the Core<\/p>\n<p><a href=\"https:\/\/www.azuregovernanceguard.com\/?p=783\" class=\"more-link\">Continue reading<span 
class=\"screen-reader-text\">Start checking ARM files for AzSKARMTemplateSecurity<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[1],"tags":[],"class_list":["post-783","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"aioseo_head":"\n\t<meta name=\"author\" content=\"Eelco Labordus\"\/>\n\t<link rel=\"canonical\" href=\"https:\/\/www.azuregovernanceguard.com\/?p=783\" \/>\n","jetpack_featured_media_url":"","jetpack-related-posts":[{"id":362,"url":"https:\/\/www.azuregovernanceguard.com\/?p=362","url_meta":{"origin":783,"position":0},"title":"The journey that is called Microsoft Azure Stack","author":"Eelco Labordus","date":"January 4, 2021","format":false,"excerpt":"A couple of years ago, I was present at TechEd Europe 2014 for the launch of Windows Azure Pack. This version was built to give the same experience as the first version of Azure (now known as the classic portal). 
A big challenge was getting started with the Windows Azure\u2026","rel":"","context":"In &quot;Microsoft Azure Stack Hub&quot;","block_context":{"text":"Microsoft Azure Stack Hub","link":"https:\/\/www.azuregovernanceguard.com\/?cat=118"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2021\/01\/Blog-eelco-labordus-azure-2.width-1118.jpg?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2021\/01\/Blog-eelco-labordus-azure-2.width-1118.jpg?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2021\/01\/Blog-eelco-labordus-azure-2.width-1118.jpg?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":412,"url":"https:\/\/www.azuregovernanceguard.com\/?p=412","url_meta":{"origin":783,"position":1},"title":"How do I govern my Governance (policies)","author":"Eelco Labordus","date":"March 5, 2024","format":false,"excerpt":"In the dynamic tech landscape, Azure policies are critical for system security and operation, requiring regular updates and monitoring for changes using alerts.","rel":"","context":"In &quot;Azure Policy&quot;","block_context":{"text":"Azure Policy","link":"https:\/\/www.azuregovernanceguard.com\/?cat=14"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2024\/02\/image-9.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2024\/02\/image-9.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2024\/02\/image-9.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2024\/02\/image-9.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":136,"url":"https:\/\/www.azuregovernanceguard.com\/?p=136","url_meta":{"origin":783,"position":2},"title":"Mastering 
Successful Deployments: Validating with What-If Deployment and Azure Policies","author":"Eelco Labordus","date":"June 30, 2023","format":false,"excerpt":"Explore the benefits of What-If deployment with Azure Policies for secure and compliant cloud operations. Preview changes, ensure policy alignment, and simplify cloud management for enhanced governance.","rel":"","context":"In &quot;Azure Policy&quot;","block_context":{"text":"Azure Policy","link":"https:\/\/www.azuregovernanceguard.com\/?cat=14"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-30-095316.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-30-095316.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-30-095316.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/06\/Screenshot-2023-06-30-095316.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":363,"url":"https:\/\/www.azuregovernanceguard.com\/?p=363","url_meta":{"origin":783,"position":3},"title":"Microsoft\u2019s Framework Trio: Cloud Adoption Framework (CAF), Azure Well-Architected Framework (WAF) and Security Adoption Framework (SAF)","author":"Eelco Labordus","date":"December 17, 2023","format":false,"excerpt":"Intro\u00a0 I will be taking a closer look at Microsoft's Cloud Adoption Framework for Azure (CAF), the Azure Well-Architected Framework (WAF), and the Security Adoption Framework (SAF). 
These frameworks are like a trusty roadmap for a smooth, secure, and optimized cloud journey.\u00a0 Microsoft Cloud Adoption Framework for Azure (CAF)\u00a0 Imagine\u2026","rel":"","context":"Similar post","block_context":{"text":"Similar post","link":""},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/12\/caf-overview-graphic.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/12\/caf-overview-graphic.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/12\/caf-overview-graphic.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/12\/caf-overview-graphic.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":112,"url":"https:\/\/www.azuregovernanceguard.com\/?p=112","url_meta":{"origin":783,"position":4},"title":"Maximizing Azure Policy: Leveraging Audit and Deny Modes for Development and Production Environments","author":"Eelco Labordus","date":"June 11, 2023","format":false,"excerpt":"Azure Policy is a powerful governance service offered by Microsoft Azure that helps organizations enforce compliance, security, and best practices across their cloud infrastructure. It provides a range of policy definitions that can be used to monitor and control resources, ensuring they adhere to specific rules and guidelines. 
In this\u2026","rel":"","context":"In &quot;Azure Policy&quot;","block_context":{"text":"Azure Policy","link":"https:\/\/www.azuregovernanceguard.com\/?cat=14"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/06\/5bbefd999475d-b42b3cecb8c79693f9e3e09763126c06.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/06\/5bbefd999475d-b42b3cecb8c79693f9e3e09763126c06.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/06\/5bbefd999475d-b42b3cecb8c79693f9e3e09763126c06.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/06\/5bbefd999475d-b42b3cecb8c79693f9e3e09763126c06.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":193,"url":"https:\/\/www.azuregovernanceguard.com\/?p=193","url_meta":{"origin":783,"position":5},"title":"Safeguarding Cloud Resources with Azure Policy&#8217;s DenyAction Effect","author":"Eelco Labordus","date":"July 25, 2023","format":false,"excerpt":"In this blog article, we explore the significance of safeguarding cloud resources from accidental or malicious deletion in Azure environments. To ensure the integrity and security of your cloud infrastructure, Azure Policy's DenyAction Effect provides a powerful feature. 
We discuss the importance of protecting resources due to accidental deletions, which\u2026","rel":"","context":"In &quot;Azure Policy&quot;","block_context":{"text":"Azure Policy","link":"https:\/\/www.azuregovernanceguard.com\/?cat=14"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/07\/Untitled.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/07\/Untitled.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/07\/Untitled.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.azuregovernanceguard.com\/wp-content\/uploads\/2023\/07\/Untitled.png?resize=700%2C400&ssl=1 2x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=\/wp\/v2\/posts\/783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=783"}],"version-history":[{"count":0,"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=\/wp\/v2\/posts\/783\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.azuregovernanceguard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=783"}],"curies":[{
"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}