Analyze Azure ARM templates for best practices, missing fields, and common issues.
Last verified: May 2026
Output will appear here...The linter parses the ARM template JSON, then walks each resource validating: required fields per resource type (name, location, apiVersion, properties), apiVersion freshness against a curated list of deprecated versions, secureString usage on sensitive parameter names, parameter/variable usage analysis (flags unused entries), and structural anti-patterns (e.g., hardcoded location, missing dependsOn for cross-resource references).
The ARM Template Linter analyzes Azure Resource Manager templates for best practices, missing required fields, and common issues. It checks for proper use of parameters, variables, and outputs, validates resource API versions, and flags security anti-patterns like hardcoded secrets. The linter runs entirely in your browser and provides actionable feedback with severity levels and suggested fixes, helping you catch problems before deployment.
Your security team mandates a pre-merge ARM template lint check for all infrastructure PRs. You wire the linter into a pre-commit hook. On the next PR, it catches: 1 hardcoded SQL admin password in a string parameter (should be secureString), 3 resources using a deprecated apiVersion that will stop working in 8 months, 2 unused parameters that bloat the template. Author fixes all three categories before merge. Over a quarter, the linter prevents ~15 production incidents that would have hit deploys without it.
Hardcoded secrets in ARM template parameters are the #1 security finding the linter catches. Always use secureString type for passwords, keys, and tokens — this hides values from deployment logs and prevents them from being read back via the API. The linter flags any string parameter with a name like 'password', 'secret', 'token', 'key' that lacks secureString.
Deprecated apiVersion values are the slow-burning issue. Microsoft deprecates ARM API versions periodically (typically with 6-12 months notice), and templates pinned to deprecated versions silently fail in the future. Run the linter against your full template inventory quarterly to catch deprecation drift before deployments break.
Missing 'location' on resources is the most common deployment failure cause. The linter catches it in seconds vs. discovering it when ARM deployment fails 3 minutes in. For most resources, location should reference parameters('location') or resourceGroup().location, not a hardcoded value — this makes templates portable across regions.
It detects missing required fields (like location or apiVersion), deprecated API versions, hardcoded secrets in parameters without secureString type, unused parameters and variables, missing tags, and common structural issues in resource definitions.
The az deployment validate command checks that your template is valid JSON and references valid resource providers, but it requires an Azure connection. This linter checks for best practices, code quality, and common mistakes entirely offline in your browser.
This tool is specifically for ARM JSON templates. For Bicep syntax formatting and validation, use the Azure Bicep Formatter tool.
Was this tool helpful?
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.