Azure-Samples / chat-with-your-data-solution-accelerator

A Solution Accelerator for the RAG pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences. This includes most common requirements and best practices.
https://azure.microsoft.com/products/search
MIT License

Create bicep-audit workflow #717

Closed tonybaloney closed 1 month ago

tonybaloney commented 1 month ago

Adds bicep audits to the GitHub workflows and uploads results to GitHub Security.

This pull request introduces a new GitHub Actions workflow that validates bicep templates. The workflow is triggered on push and pull request events to the main branch, specifically for changes to .bicep files. It runs on the latest Ubuntu environment and uses the microsoft/security-devops-action@preview action to analyze the templates. If the repository owner is 'Azure-Samples', it uploads the analysis results to the Security tab using the github/codeql-action/upload-sarif@v3 action.
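
The workflow described in this PR, reconstructed as an added example (not the PR's own file). The `tools` input, the `templateanalyzer` tool name and the `sarifFile` output of microsoft/security-devops-action are assumptions; the path filter, the owner check and the SARIF upload step are as described above.

```yaml
name: bicep-audit

on:
  push:
    branches: [main]
    paths: ['**.bicep']
  pull_request:
    branches: [main]
    paths: ['**.bicep']

permissions:
  contents: read
  security-events: write   # required by upload-sarif to write to the Security tab

jobs:
  bicep-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Run Microsoft Security DevOps against the checked-out templates.
      # The `tools` input, the `templateanalyzer` tool name and the `sarifFile`
      # output are assumed from the action's documentation.
      - name: Run Microsoft Security DevOps
        id: msdo
        uses: microsoft/security-devops-action@preview
        with:
          tools: templateanalyzer

      # Upload only from the upstream repo: forks normally lack the
      # security-events permission, so the upload would fail there.
      - name: Upload results to the Security tab
        if: github.repository_owner == 'Azure-Samples'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

On a pull request the uploaded SARIF findings are surfaced as code-scanning annotations on the changed Bicep lines, which is the automatic PR review behaviour the author describes further down.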

github-actions[bot] commented 1 month ago

Coverage Report

File   Stmts  Miss  Cover  Missing
TOTAL  1749   852   51%

report-only-changed-files is enabled. No files were changed during this commit :)

Tests  Skipped  Failures  Errors  Time
74     0        0         0       9.771s
superhindupur commented 1 month ago

Hello @tonybaloney, and thanks for the PR - looks interesting. I'm curious to understand what type of validation of the bicep files the action does - is it syntax, security, something else?

tonybaloney commented 1 month ago

Almost entirely security. Some of the rules are here: https://github.com/Azure/template-analyzer/blob/main/docs/built-in-rules.md. I ran it by hand for this repository and it highlighted 13 issues. 2 of those are very easy to fix, but this gives a baseline.

tonybaloney commented 1 month ago

For those issues that you don't want to fix, you can close them in GitHub Security with a reason. If someone submits a PR with changes to the bicep that introduces a new security issue, it will add that to the PR review automatically.