diff --git a/docs/header_names/allowed_framework_names.adoc b/docs/header_names/allowed_framework_names.adoc
index 4abee204df..68c361a3e4 100644
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@@ -103,6 +103,7 @@
 * Storage Accounts
 * Databases
 * ARM Templates
+* Bicep
 // Terraform
 * AWS API Gateway
 * AWS OpenSearch
diff --git a/rules/S6656/azureresourcemanager/how-to-fix-it/bicep.adoc b/rules/S6656/azureresourcemanager/how-to-fix-it/bicep.adoc
new file mode 100644
index 0000000000..32b520db99
--- /dev/null
+++ b/rules/S6656/azureresourcemanager/how-to-fix-it/bicep.adoc
@@ -0,0 +1,62 @@
+== How to fix it in Bicep
+
+In Bicep, it is recommended to use modules instead of a `Microsoft.Resources/deployments` resource. Modules allow for reuse, improve readability by encapsulating different parts of a deployment and therefore reduce the risk for errors. They also do not leakage of secure parameters from a parent resource.
+
+If it is not possible to use modules, this issue can be fixed by setting `properties.expressionEvaluationOptions.scope` to `Inner` in the `Microsoft.Resources/deployments` resource. By setting this property, template evaluations are limited to the scope of the nested template. This makes it impossible to expose secure parameters defined in the parent template.
+
+=== Code examples
+==== Noncompliant code example
+
+[source,bicep,diff-id=1,diff-type=noncompliant]
+----
+@secure()
+param adminUsername string = newGuid()
+
+resource example 'Microsoft.Resources/deployments@2022-09-01' = {
+ name: 'example-deployment'
+ properties: {
+ // Noncompliant: expressionEvaluationOptions is missing (defaults to 'Outer')
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: [
+ {
+ apiVersion: '2023-03-01'
+ type: 'Microsoft.Compute/virtualMachines'
+ name: 'example-vm'
+ properties: {
+ osProfile: {
+ adminUsername: adminUsername
+ }
+ }
+ }
+ ]
+ }
+ }
+}
+----
+
+==== Compliant solution
+
+[source,bicep,diff-id=1,diff-type=compliant]
+----
+// main.bicep
+module example 'vm.bicep' = {
+ name: 'example-deployment'
+}
+
+// vm.bicep
+@secure()
+param adminUsername string = newGuid()
+
+resource vmExample 'Microsoft.Compute/virtualMachines@2023-03-01' = {
+ name: 'example-vm'
+ properties: {
+ osProfile: {
+ adminUsername: adminUsername
+ }
+ }
+}
+
+----
diff --git a/rules/S6656/azureresourcemanager/rule.adoc b/rules/S6656/azureresourcemanager/rule.adoc
index 7af19c8128..b6fcb9a5bf 100644
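Review bot: In the first paragraph, `They also do not leakage of secure parameters from a parent resource.` is ungrammatical and, read literally, negates the rule's point; suggest `They also do not leak secure parameters from the parent deployment.`, optionally adding that a module is compiled to a nested `Microsoft.Resources/deployments` whose `expressionEvaluationOptions.scope` is `inner`, which is why it is the preferred fix. The second paragraph's `This makes it impossible to expose secure parameters defined in the parent template` is stronger than what `Inner` scope gives: the nested template simply can no longer reference the parent's parameters or variables, so a secret still has to be handed over through `properties.parameters` and declared `@secure()` again inside the nested template, and the text should say so because that is the step people miss when applying this fix by hand. The `// Noncompliant` comment in the first example sits above `mode: 'Incremental'`, while the text explains the problem is the missing `expressionEvaluationOptions` under `properties`; if the analyzer reports on the resource or `properties` line, the marker presumably belongs there (the implementation is not visible from this hunk). In the compliant example nothing is passed to the module, so `newGuid()` generates the admin username inside `vm.bicep`; a short remark that real secrets should arrive through a `@secure()` module parameter or a Key Vault reference rather than a default value would keep readers from copying the placeholder as-is.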
--- a/rules/S6656/azureresourcemanager/rule.adoc +++ b/rules/S6656/azureresourcemanager/rule.adoc @@ -12,6 +12,8 @@ If the nested deployment contains a secure parameter in this way, then the value include::how-to-fix-it/arm.adoc[] +include::how-to-fix-it/bicep.adoc[] + == Resources === Documentation * Microsoft Learn - https://learn.microsoft.com/en-us/azure/templates/microsoft.resources/deployments?pivots=deployment-language-arm-template[`Microsoft.Resources/deployments`]