{"id":16846884,"url":"https://github.com/mumoshu/conflint","last_synced_at":"2025-04-11T06:35:02.092Z","repository":{"id":64302040,"uuid":"272955964","full_name":"mumoshu/conflint","owner":"mumoshu","description":"Unified lint runners for various configuration files","archived":false,"fork":false,"pushed_at":"2020-07-03T20:14:07.000Z","size":33,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-10-13T13:05:49.291Z","etag":null,"topics":["ci","conftest","gitops","kubeval"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mumoshu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-06-17T11:26:14.000Z","updated_at":"2020-09-05T23:06:59.000Z","dependencies_parsed_at":"2023-01-15T09:31:20.506Z","dependency_job_id":null,"html_url":"https://github.com/mumoshu/conflint","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mumoshu%2Fconflint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mumoshu%2Fconflint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mumoshu%2Fconflint/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mumoshu%2Fconflint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mumoshu","download_url":"https://codeload.github.com/mumoshu/conflint/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count
":248357752,"owners_count":21090400,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","conftest","gitops","kubeval"],"created_at":"2024-10-13T13:05:42.308Z","updated_at":"2025-04-11T06:35:02.037Z","avatar_url":"https://github.com/mumoshu.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# conflint\n\n`conflint` is a unified lint runner for various configuration files.\n\n![image](https://user-images.githubusercontent.com/22009/85349934-b9504e80-b53a-11ea-9af4-1faa53a0d102.png)\n\nIt can run multiple lint runners in one shot and output the result in a consistent and portable format so that\nyou can use it with e.g. [reviewdog](https://github.com/reviewdog/reviewdog) for surfacing the result as GitHub Pull Request reviews.\n\nCompare vanilla output from the original tool and output from `conflint` to see how it works. It's really simple.\n\nVanilla `conftest`:\n\n```console\n$ conftest test app1/nginx.deploy.yaml -p app1/policy\nWARN - app1/nginx.deploy.yaml - apiVersion: Too old apiVersion. It must be apps/v1\nFAIL - app1/nginx.deploy.yaml - spec.template.spec.containers[*]?(@.securityContext.privileged == true): `privileged: true` is forbidden\n\n2 tests, 0 passed, 1 warning, 1 failure\n```\n\n`conflint`:\n\n```console\n$ conflint run\napp1/nginx.deploy.yaml:15:11: `privileged: true` is forbidden\nError: found 1 linter error\n```\n\nSo, basically it runs various linters and aggregates the results.\n\nIts small but important feature is adding line and column numbers to every single lint error. 
This is achieved by assuming that every lint error message begins with a JSON Path-like notation.\n\n`conflint` parses the path, searches for the YAML node at the path, and obtains the line and column numbers to augment the output, so that the numbers can be used to annotate a pull request diff line by line.\n\n## Supported linters\n\n- [conftest](https://github.com/open-policy-agent/conftest)\n- [kubeval](https://github.com/instrumenta/kubeval)\n\n## Integrations\n\n- [reviewdog](https://github.com/reviewdog/reviewdog)\n\n## Installation\n\n- Pull [official docker images](https://hub.docker.com/repository/docker/mumoshu/conflint) containing conflint, conftest, kubeval, and reviewdog binaries.\n- Grab [release binaries](https://github.com/mumoshu/conflint/releases)\n\n## Usage\n\n`conflint run` runs linters as configured in your `conflint.yaml`. Include one or more configuration section(s) depending on which linter you want `conflint` to run.\n\n### conftest\n\nAny `conftest` policy message should start with a jsonpath expression so that `conflint` can augment `conftest` errors with the line and column numbers of the suspicious node.\n\nExample:\n\n```\n\"spec.template.spec.containers[*]?(@.securityContext.privileged == true): `privileged: true` is forbidden\"\n```\n\nBeyond that, all you need to do is tell `conflint` which files it should run `conftest` against and with which policy:\n\n```yaml\nconftest:\n- files:\n  - app1/*.yaml\n  policy: app1/policy\n```\n\nIn addition to the basic setup shown above, `conflint` covers most conftest settings.\n\nSee `conftest run -h` and the below reference for more information:\n\n```yaml\nconftest:\n- files:\n  - app1/*.yaml\n  policy: app1/policy\n  # input type for given source, especially useful when using conftest with stdin, valid options are: [toml tf hcl hcl1 cue ini yml yaml json Dockerfile edn vcl xml]\n  input: yaml\n  # combine all given config files to be evaluated together\n  combine: true\n  # return a non-zero exit 
code if only warnings are found\n  failOnWarn: true\n  # A list of paths from which data for the rego policies will be recursively loaded\n  data:\n  - path/to/data\n  # find deny and warn rules in all namespaces. If set, the flag \"namespace\" is ignored\n  allNamespaces: true\n  # namespace in which to find deny and warn rules (default [main])\n  namespace:\n  - foo\n  - bar\n```\n\n### kubeval\n\nJust provide target files in `conflint.yaml`:\n\n```yaml\nkubeval:\n- files:\n  - app1/*.yaml\n```\n\nIn addition to the basic setup shown above, `conflint` supports a wide range of kubeval options.\n\nSee `kubeval -h` and the reference conflint config for more information:\n\n```yaml\nkubeval:\n- files:\n  - app1/*.yaml\n  # Disallow additional properties not in schema\n  strict: true\n  # Base URLs used to download schemas\n  schemaLocations:\n  - url/to/schema1\n  - url/to/schema2\n  # Skip validation for resource definitions without a schema\n  # NOTE: This is a must-have when you use CRDs, as kubeval doesn't work against custom resources out-of-box\n  ignoreMissingSchemas: true\n  # A list of regular expressions specifying filenames to ignore\n  ignoredFilenamePatterns:\n  - some/regexp/pattern\n  # A list of case-sensitive kinds to skip when validating against schemas\n  skipKinds: true\n```\n\n## Reviewdog Integration\n\n`conflint` formats every lint error message in `errorfmt`, so that using it with `reviewdog` is a matter of running:\n\n```\n$ conflint run -efm \"%f:%l:%c: %m\" | reviewdog -efm=\"%f:%l:%c: %m\"\n```\n\nTo run reviewdog with conflint on GitHub Actions, use this snippet:\n\n```yaml\n- name: Run reviewdog\n  env:\n    REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n  run: |\n    conflint run -efm \"%f:%l:%c: %m\" | reviewdog -efm=\"%f:%l:%c: %m\" -reporter=github-pr-check\n```\n\nPlease see [reviewdog's official documentation](https://github.com/reviewdog/reviewdog#option-2-install-reviewdog-github-apps) for how you can run it as a GitHub 
app.\n\n## GitHub Pull Request Check with conflint\n\nThis is possible by running `conflint` and `reviewdog` on GitHub Actions.\n\nUse a workflow definition like the one below:\n\n```\nname: lint\n\non:\n  pull_request:\n\njobs:\n  lint:\n    runs-on: ubuntu-latest\n    container: mumoshu/conflint:latest\n    env:\n      REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n    steps:\n    - uses: actions/checkout@v1\n    - name: conflint\n      run: |\n        set -vx\n        export CONFLINT_LOG=DBEUG\n        conflint run -efm \"%f:%l:%c: %m\" || true\n        conflint run -efm \"%f:%l:%c: %m\" | reviewdog -efm=\"%f:%l:%c: %m\" -reporter=github-pr-check -tee\n```\n\nSee [gitops-demo](https://github.com/mumoshu/gitops-demo/blob/master/.github/workflows/lint.yml) repository for a working example, and [a check failure](https://github.com/mumoshu/gitops-demo/pull/2/files#diff-de00537bb5e8739d8c2bce941858ef79R8) reported by it.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmumoshu%2Fconflint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmumoshu%2Fconflint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmumoshu%2Fconflint/lists"}