fix(Bicep): Remove existing resources from bicep payload

[cx-rui-araujo]

Reason for Proposed Changes

• Resources declared with the existing keyword must already be deployed in the environment. Otherwise, a Not Found error is returned at deployment time. The existing keyword is intended to reference (or "select") an already deployed resource, not to create or update it.
• Currently, KICS treats existing resources the same as regular resources during the parser stage. As a result, KICS evaluates these resources against security queries that rely on properties which are not defined in the existing resources declaration. This often leads to false positives, since existing resource declarations do not include all the properties required by the queries, and their actual configuration is unknown from static analysis alone.
• Documentation: https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/existing-resource

Proposed Changes

• Exclude resources declared with the existing keyword from the payload. This prevents KICS from flagging vulnerabilities on resources whose real properties cannot be determined through static analysis. Since KICS does not have access to the runtime state of existing resources, analyzing them as fully defined resources produces inaccurate results in most cases.

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.18

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0

[cx-bruno-silva]

LGTM

[cx-artur-ribeiro]

LGTM, the payload no longer contains the parent resource if it contains the "existing" keyword and the same happens for the child resource as well.

Well done Rui!