{"id":13451474,"url":"https://github.com/brendanjryan/ccheck","last_synced_at":"2026-03-14T14:33:02.757Z","repository":{"id":70033886,"uuid":"195886867","full_name":"brendanjryan/ccheck","owner":"brendanjryan","description":"A command line tool for validating Kubernetes configs with rego","archived":false,"fork":false,"pushed_at":"2019-07-18T18:31:21.000Z","size":14,"stargazers_count":65,"open_issues_count":0,"forks_count":3,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-12-30T12:45:27.121Z","etag":null,"topics":["cncf","kubernetes","opa","rego","test","validation","yaml"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/brendanjryan.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-07-08T21:13:06.000Z","updated_at":"2024-10-21T15:04:13.000Z","dependencies_parsed_at":null,"dependency_job_id":"e7e8d79c-bb2f-45bf-81d2-2d979d5acd10","html_url":"https://github.com/brendanjryan/ccheck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brendanjryan%2Fccheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brendanjryan%2Fccheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brendanjryan%2Fccheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brendanjryan%2Fccheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/brendanjr
yan","download_url":"https://codeload.github.com/brendanjryan/ccheck/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245149692,"owners_count":20568949,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cncf","kubernetes","opa","rego","test","validation","yaml"],"created_at":"2024-07-31T07:00:54.404Z","updated_at":"2025-12-15T03:20:27.638Z","avatar_url":"https://github.com/brendanjryan.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# `ccheck`\n---\n\n`ccheck` is a command line application for writing tests against configuration files and data using the [`rego` query language](https://www.openpolicyagent.org/docs/latest). Its intended purpose is checking Kubernetes config files (`.json` or `.yaml`), but it can be extended to support other file types.\n\n## Usage\n\nThe `ccheck` binary checks for `rego` rules of the form `deny_\u003crule_name\u003e` and `warn_\u003crule_name\u003e` during its evaluation process. If a resource matches a `deny` rule, a failure is issued; if it matches a `warn` rule, a warning is logged to the command line. 
An example of a valid, well-formed `ccheck` config is as follows:\n\n**Example `.rego` file**\n\n```rego\npackage main\n\nis_hpa {\n  input.kind = \"HorizontalPodAutoscaler\"\n}\n\n# checks that we do not include any horizontal pod autoscalers\ndeny_no_hpa[msg] {\n    not is_hpa\n    msg = sprintf(\"%s must not include any Horizontal Pod AutoScalers\", [input.metadata.name])\n}\n\n# checks that apps do not live in the default namespace\nwarn_no_default_namespace[msg] {\n    not input.metadata.namespace = \"default\"\n    msg = sprintf(\"%s should not be configured to live in the default namespace\", [input.metadata.name])\n}\n```\n\n**N.B.** As an added bonus, you can also use `ccheck` rules as policies in the [Open Policy Agent Admission Controller](https://www.openpolicyagent.org/docs/latest/kubernetes-admission-control/#4-define-a-policy-and-load-it-into-opa-via-kubernetes).\n\n`ccheck` can then be invoked using this policy via:\n\n```bash\nccheck -p \u003cpolicy directory\u003e \u003cfiles to check....\u003e\n```\n\nFor example, using the following file:\n\n**Example Kubernetes `.yaml` file**\n\n```yaml\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: nginx-deployment\n  labels:\n    app: nginx\nspec:\n  replicas: 3\n  selector:\n    matchLabels:\n      app: nginx\n  template:\n    metadata:\n      labels:\n        app: nginx\n    spec:\n      containers:\n      - name: nginx\n        image: nginx:1.7.9\n        ports:\n        - containerPort: 80\n\n---\n\napiVersion: autoscaling/v1\nkind: HorizontalPodAutoscaler\nmetadata:\n  name: nginx\n  namespace: default\nspec:\n  scaleTargetRef:\n    apiVersion: apps/v1\n    kind: Deployment\n    name: nginx\n  minReplicas: 1\n  maxReplicas: 10\n  targetCPUUtilizationPercentage: 50\n```\n\nwill produce the following output:\n\n```bash\nWarning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace\nFailure: 
/Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers\n```\n\n\n**Full Example:**\n\nIf you would like to see `ccheck` in action, this project bundles this example in its source as well. Just `clone` this project and run:\n\n\n```bash\n./ccheck -p example/policies example/test.yaml \nWarning: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment should not be configured to live in the default namespace\nFailure: /Users/brendanjryan/projects/ccheck/example/test.yaml - nginx-deployment must not include any Horizontal Pod AutoScalers\n```\n\n## FAQ\n\n- Why use `rego` instead of another declarative language like `hcl`?\n\n  Although `rego` is a very new and domain-specific language, its simple grammar and extensibility were the main motivators for using it instead of a more popular declarative language or framework. As an added bonus, you can re-use your policies declared in `rego` right out of the box in [kubernetes admission controllers](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) powered by [Open Policy Agent](https://www.openpolicyagent.org/).\n\n## Additional References\n\n- [Rego language spec](https://www.openpolicyagent.org/docs/latest)\n- [Open Policy Agent Project](https://www.openpolicyagent.org/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrendanjryan%2Fccheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrendanjryan%2Fccheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrendanjryan%2Fccheck/lists"}