diff --git a/.github/workflows/bicep-validation.yaml b/.github/workflows/bicep-validation.yaml
new file mode 100644
index 0000000..36f4e08
--- /dev/null
+++ b/.github/workflows/bicep-validation.yaml
@@ -0,0 +1,38 @@
+name: Validate AZD template
+on:
+ push:
+ branches: [ main ]
+ paths:
+ - "infra/**"
+ pull_request:
+ branches: [ main ]
+ paths:
+ - "infra/**"
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Build Bicep for linting
+ uses: azure/CLI@v1
+ with:
+ inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
+
+ - name: Run Microsoft Security DevOps Analysis
+ uses: microsoft/security-devops-action@v1
+ env:
+ GDN_TEMPLATEANALYZER_VERBOSE: 1
+ id: msdo
+ continue-on-error: true
+ with:
+ tools: templateanalyzer
+
+ - name: Upload alerts to Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: github.repository == 'Azure-Samples/langfuse-on-azure'
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/.gitignore b/.gitignore
index 68bc17f..7c94a07 100644
--- a/.gitignore
+++ b/.gitignore
@@ -158,3 +158,5 @@ cython_debug/
 # and can be added to the global gitignore or merged into this file. For a more nuclear
 # option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+.azure
diff --git a/infra/main.bicep b/infra/main.bicep
index 121c12f..5e61cb4 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -23,6 +23,7 @@ param salt string
 param useAuthentication bool = false
 param authClientId string = ''
+@secure()
 param authClientSecret string = ''
 param authTenantId string = ''
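Review bot: The new workflow declares no `permissions:` block, so the `Upload alerts to Security tab` step depends on the repository's default GITHUB_TOKEN scope; `github/codeql-action/upload-sarif` needs `security-events: write`, which fails under a read-only default and, under a permissive default, leaves every step of the job with far more than it needs. Add a least-privilege block at the top level of the workflow: `permissions:` / `  contents: read` / `  security-events: write`. The four actions are also referenced only by mutable major tags (`actions/checkout@v4`, `azure/CLI@v1`, `microsoft/security-devops-action@v1`, `github/codeql-action/upload-sarif@v3`); pinning each to a full commit SHA with the tag kept in a trailing comment makes the supply chain reproducible and reviewable. Because the `msdo` step carries `continue-on-error: true`, `steps.msdo.outputs.sarifFile` is presumably empty when the analyzer fails, and the upload step would then error for an unrelated reason rather than reporting the analyzer failure; extending its condition with `&& steps.msdo.outputs.sarifFile != ''` would keep the two failure modes distinguishable.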