wingetCollections
  • Auto
  • Search
  • Awesome Collections
  • Awesome Programs
  • My Favorite Collections
  • My Collections
  • Account / Settings
  • Terms of Service
  • Privacy
  • About

© 2025 winget.ragerworks.com

Loading...
Install Microsoft Azure Template Analyzer using Winget - wingetCollections
  1. Go back
  2. Packages
  3. Microsoft Azure Template Analyzer
Microsoft Azure Template Analyzer logo

Microsoft Azure Template Analyzer Microsoft Azure

Use this command to install Microsoft Azure Template Analyzer:
winget install --id=Microsoft.Azure.TemplateAnalyzer -e

Azure Bicep and ARM Template scanner for security misconfiguration and best practices

Microsoft Azure Template Analyzer

Microsoft Azure Template Analyzer is a tool designed to enhance security and adherence to best practices in Azure Infrastructure-as-Code (IaC) templates. It scans ARM and Bicep templates to identify potential misconfigurations and ensure compliance before deployment.

Key Features:

  • Comprehensive Scanning: Analyzes both ARM (Azure Resource Manager) JSON templates and Bicep files for security vulnerabilities and best practice deviations.
  • Customizability: Users can develop their own checks or utilize existing rules, enabling tailored analysis to meet specific requirements.
  • Command-Line Execution: Operates via a command line interface, supporting analysis of individual templates or entire directories.
  • Output Flexibility: Results are displayed in console format for immediate review or exported in SARIF format for further processing.
  • Error Codes: Exits with predefined error codes, indicating success, warnings, or failures, facilitating integration into automated workflows.
  • Extensibility: Supports the addition of new rules, allowing continuous updates to address emerging security concerns.

Audience & Benefits: Ideal for Azure solution architects, DevOps engineers, and security professionals, this tool enhances the security posture by identifying issues early. It ensures templates are secure and compliant with best practices, preventing potential vulnerabilities in production environments. The ability to customize checks allows organizations to enforce policies aligned with their specific needs, fostering a robust and adaptable security framework.

Available for installation via winget, Microsoft Azure Template Analyzer is an essential tool for maintaining high standards in Azure deployments.

README

Build Status

Template Analyzer

What is Template Analyzer?

Template Analyzer scans ARM (Azure Resource Manager) and Bicep Infrastructure-as-Code (IaC) templates to ensure security and best practice checks are being followed before deployment of your Azure solutions.

Template Analyzer provides a simple and extensible solution to improve the security of your Azure resources before deployment and ensures your templates follow best practices. Template Analyzer is designed to be customizable - users can write their own checks and/or enforce only the checks that are relevant for them.

Getting started with Template Analyzer

Download the latest Template Analyzer release in the releases section.

To preview the rules that come bundled with Template Analyzer, explore the built-in rules.

Using Template Analyzer

Template Analyzer is executed via a command line. There are two formats to invoke it:

TemplateAnalyzer.exe analyze-template [-p ] [-c ] [--report-format ] [-o ] [-v]

or

TemplateAnalyzer.exe analyze-directory [-c ] [--report-format ] [-o ] [-v]

Input

Template Analyzer accepts the following inputs:

ArgumentDescription
``The path of the template to analyze
``The directory in which to search for templates (recursively finds and analyzes all ARM and Bicep templates in the directory and its subdirectories).ARM templates are identified by a '.json' file extension and a valid top-level $schema property>. Bicep templates are identified by a '.bicep' file extension.
(Optional) -p or --parameters-file-pathA parameters file
Versions
0.8.5
Website
github.com
License
Last Updated
7/22/2025
(Optional) -c or --config-file-path
A configuration file which sets custom settings for the analyzer.If argument is not provided, Template Analyzer will attempt to load a configuration from <ExecutablePath>/configuration.json if the file exists..
(Optional) --report-formatValid formats:Console: output results to the console in plain text. **(default)**Sarif: output results to a file in SARIF format.
-o or --output-file-path(Required if --report-format is Sarif) File path to output SARIF results to.
(Optional) -v or --verboseShows details about the analysis
(Optional) --include-non-security-rulesRun all the rules against the templates, including non-security rules
(Optional) --custom-json-rules-pathThe JSON rules file to use against the templates.If not specified, will use the default JSON rule set that is shipped with the tool.

Template Analyzer runs the configured rules against the provided template and its corresponding template parameters, if specified. If no template parameters are specified, then Template Analyzer will check if templates with the general naming standards defined by Microsoft are present in the same folder, otherwise it generates the minimum number of placeholder parameters to properly evaluate template functions in the template.

Note: Providing Template Analyzer with template parameter values will result in more accurate results as it will more accurately represent your deployments. The values provided to parameters may affect the evaluation of Template Analyzer rules, altering its results. That said, DO NOT save sensitive data (passwords, connection strings, etc.) in parameter files in your repositories. Instead, retrieve these values from your template from Azure Key Vault.

Output

Results can be output in plain text to the console, or output to a file in SARIF format. Template Analyzer will exit with an error code if any errors or violations are found during a scan.

Console

Template Analyzer outputs the results of violated rules, the corresponding line numbers where rules failed, and a recommendation to remediate each violation.

For a template which deploys an API App that does not require HTTPS, running Template Analyzer on the template would produce output which looks similar to the following:

&gt;TemplateAnalyzer.exe analyze-template "C:\Templates\azuredeploy.json"

File: C:\Templates\azuredeploy.json

        TA-000004: API app should only be accessible over HTTPS
                Severity: Medium
                Recommendation: Use HTTPS to ensure server/service authentication and protect data in transit from network layer eavesdropping attacks
                More information: https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md#ta-000004-api-app-should-only-be-accessible-over-https
                Result: Failed
                Line: 67

        Rules passed: 16

Execution summary:
        The execution completed successfully

SARIF

Results are written to the file specified (with the -o or --output-file-path argument) in SARIF format.

Exit codes

ScenarioExit Code
Success: Operation was successful0
Error: Problem with command1
Error: Invalid file or directory path2
Error: Missing file or directory path3
Error: Problem loading configuration file4
Error: Invalid ARM template specified10
Error: Invalid Bicep template specified11
Violation: Scan found rule violations in analyzed template(s)20
Error: An error was encountered trying to analyze a template21
Violation + Error: Scan encountered both violations in template(s) and errors trying to analyze template(s)22

Understanding and customizing rules

The analysis rules used by Template Analyzer are written in JSON, located in Rules/BuiltInRules.json (starting from the directory TemplateAnalyzer.exe is in). This file can be added to and/or modified to change the rules that are run. See the documentation for more information about how to author Template Analyzer JSON rules.

Contributing

This project welcomes contributions and suggestions. Please see the Contribution Guide for more details about how to contribute to Template Analyzer. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

Usage

This project follows Microsoft Privacy Standards. This product does not collect nor store any personal data.