{"id":13533266,"url":"https://github.com/stackrox/kube-linter","last_synced_at":"2025-05-13T15:12:46.089Z","repository":{"id":37287228,"uuid":"287336275","full_name":"stackrox/kube-linter","owner":"stackrox","description":"KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.","archived":false,"fork":false,"pushed_at":"2025-05-07T17:24:05.000Z","size":2463,"stargazers_count":3175,"open_issues_count":97,"forks_count":244,"subscribers_count":37,"default_branch":"main","last_synced_at":"2025-05-12T21:05:09.034Z","etag":null,"topics":["hactoberfest","helm-charts","kubernetes","static-analysis","yaml-files"],"latest_commit_sha":null,"homepage":"https://docs.kubelinter.io/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stackrox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-08-13T17:05:00.000Z","updated_at":"2025-05-10T17:52:51.000Z","dependencies_parsed_at":"2023-10-11T21:41:17.874Z","dependency_job_id":"6b819166-ec04-4d53-9c9b-901b1df0a8ae","html_url":"https://github.com/stackrox/kube-linter","commit_stats":{"total_commits":563,"total_committers":82,"mean_commits":6.865853658536586,"dds":0.3978685612788633,"last_synced_commit":"8d689190b7dcd63a8bbb50d05e1739273dbc1e9a"},"previous_names":[],"tags_count":35,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2F
kube-linter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fkube-linter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fkube-linter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stackrox%2Fkube-linter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stackrox","download_url":"https://codeload.github.com/stackrox/kube-linter/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253969266,"owners_count":21992264,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hactoberfest","helm-charts","kubernetes","static-analysis","yaml-files"],"created_at":"2024-08-01T07:01:18.223Z","updated_at":"2025-05-13T15:12:41.061Z","avatar_url":"https://github.com/stackrox.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\u003cimg src=\"images/logo/KubeLinter-horizontal.svg\" width=\"360\"\u003e\u003c/p\u003e\n\u003cp align=\"center\"\u003e\u003cb\u003eStatic analysis for Kubernetes\u003c/b\u003e\u003c/p\u003e\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/stackrox/kube-linter)](https://goreportcard.com/report/github.com/stackrox/kube-linter)\n\n# What is KubeLinter?\n\nKubeLinter analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security.\n\nKubeLinter runs sensible default checks, designed to give you useful information about your Kubernetes YAML files and Helm charts. 
This is to help teams check early and often for security misconfigurations and DevOps best practices. Some common examples of these include running containers as a non-root user, enforcing least privilege, and storing sensitive information only in secrets.\n\nKubeLinter is configurable, so you can enable and disable checks, as well as create your own custom checks, depending on the policies you want to follow within your organization.\n\nWhen a lint check fails, KubeLinter reports recommendations for how to resolve any potential issues and returns a non-zero exit code.\n\n## Documentation\nVisit https://docs.kubelinter.io for detailed documentation on installing, using and configuring KubeLinter.\n\n## Installing KubeLinter\n\nKubeLinter binaries can be found here: https://github.com/stackrox/kube-linter/releases/latest\n\n### Using Go\n\nTo install using [Go](https://golang.org/), run the following command:\n\n```bash\ngo install golang.stackrox.io/kube-linter/cmd/kube-linter@latest\n```\nOtherwise, download the latest binary from [Releases](https://github.com/stackrox/kube-linter/releases) and add it to your\nPATH.\n\n### Using Homebrew for macOS or LinuxBrew for Linux\n\nTo install using Homebrew or LinuxBrew, run the following command:\n\n```bash\nbrew install kube-linter\n```\n\n### Using nix-shell\n\n```\nnix-shell -p kube-linter\n```\n\n### Using docker\n\n```\ndocker pull stackrox/kube-linter:latest\n```\n\n\n## Development\n\n### Prerequisites\n- Make sure that you have [installed Go](https://golang.org/doc/install) prior to building from source.\n\n### Building KubeLinter\n\nInstalling KubeLinter from source is as simple as following these steps:\n\n1. First, clone the KubeLinter repository.\n\n   ```bash\n   git clone git@github.com:stackrox/kube-linter.git\n   ```\n\n1. Then, compile the source code. This creates the kube-linter binary files for each platform and places them in the `.gobin` folder.\n\n   ```bash\n   make build\n   ```\n\n1. 
Finally, you are ready to start using KubeLinter. Verify your version to ensure you've successfully installed KubeLinter.\n\n   ```bash\n   .gobin/kube-linter version\n   ```\n\n### Testing KubeLinter\nThere are several layers of testing. Each layer is expected to pass.\n\n1. `go` unit tests:\n\n   ```bash\n   make test\n   ```\n\n2. end-to-end integration tests:\n\n   ```bash\n   make e2e-test\n   ```\n\n3. and finally, end-to-end integration tests using `bats-core`:\n\n   ```bash\n   make e2e-bats\n   ```\n\n## Verifying KubeLinter images\n\nKubeLinter images are signed by [cosign](https://github.com/sigstore/cosign).\nWe recommend verifying the image before using it.\n\nOnce you've installed cosign, you can use the [KubeLinter public key](kubelinter-cosign.pub) to verify the KubeLinter image with:\n\n```shell\n# Show the public key, then verify the image signature against that key file.\ncat kubelinter-cosign.pub\n-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEl0HCkCRzYv0qH5QiazoXeXe2qwFX\nDmAszeH26g1s3OSsG/focPWkN88wEKQ5eiE95v+Z2snUQPl/mjPdvqpyjA==\n-----END PUBLIC KEY-----\n\n\ncosign verify --key kubelinter-cosign.pub $IMAGE_NAME\n```\n\nKubeLinter also provides [cosign keyless signatures](https://github.com/sigstore/cosign/blob/623d50f9b77ee85886a166daac648455e65003ec/KEYLESS.md).\n\nYou can verify the KubeLinter image with:\n```shell\n# NOTE: Keyless signatures are NOT PRODUCTION ready.\n\nCOSIGN_EXPERIMENTAL=1 cosign verify $IMAGE_NAME\n```\n\n## Using KubeLinter\n\n### Local YAML Linting\n\nIn its most basic form, linting your YAML files with KubeLinter requires only two steps.\n\n1. Locate the YAML file you'd like to test for security and production readiness best practices.\n1. Run the following command:\n\n   ```bash\n   kube-linter lint /path/to/your/yaml.yaml\n   ```\n\n### Example\n\nConsider the following sample pod specification file `pod.yaml`. This file has two production readiness issues and one security issue:\n\n**Security Issue:**\n1. 
The container in this pod does not run with a read-only root file system, which could allow it to write to the root filesystem.\n\n**Production readiness:**\n1. The container's memory limits are not set, which could allow it to consume excessive memory.\n\n   ```yaml\n   apiVersion: v1\n   kind: Pod\n   metadata:\n     name: security-context-demo\n   spec:\n     securityContext:\n       runAsUser: 1000\n       runAsGroup: 3000\n       fsGroup: 2000\n     volumes:\n     - name: sec-ctx-vol\n       emptyDir: {}\n     containers:\n     - name: sec-ctx-demo\n       image: busybox\n       resources:\n         requests:\n           memory: \"64Mi\"\n           cpu: \"250m\"\n       command: [ \"sh\", \"-c\", \"sleep 1h\" ]\n       volumeMounts:\n       - name: sec-ctx-vol\n         mountPath: /data/demo\n       securityContext:\n         allowPrivilegeEscalation: false\n   ```\n\n1. Copy the YAML above to pod.yaml and lint this file by running the following command:\n\n   ```bash\n   kube-linter lint pod.yaml\n   ```\n1. KubeLinter runs its default checks and reports recommendations. Below is the output from our previous command.\n\n   ```\n   pod.yaml: (object: \u003cno namespace\u003e/security-context-demo /v1, Kind=Pod) The container \"sec-ctx-demo\" is using an invalid container image, \"busybox\". 
Please use images that are not blocked by the `BlockList` criteria : [\".*:(latest)$\" \"^[^:]*$\" \"(.*/[^:]+)$\"] (check: latest-tag, remediation: Use a container image with a specific tag other than latest.)\n\n   pod.yaml: (object: \u003cno namespace\u003e/security-context-demo /v1, Kind=Pod) container \"sec-ctx-demo\" does not have a read-only root file system (check: no-read-only-root-fs, remediation: Set readOnlyRootFilesystem to true in the container securityContext.)\n\n   pod.yaml: (object: \u003cno namespace\u003e/security-context-demo /v1, Kind=Pod) container \"sec-ctx-demo\" has memory limit 0 (check: unset-memory-requirements, remediation: Set memory limits for your container based on its requirements. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits for details.)\n\n   Error: found 3 lint errors\n   ```\nTo learn more about using and configuring KubeLinter, visit the [documentation](./docs) page.\n\n## Mentions/Tutorials\n\nThe following are tutorials on KubeLinter written by users. 
If you have one that you would like to add to this list, please send a PR!\n\n* [Ensuring YAML best practices using KubeLinter](https://www.civo.com/learn/yaml-best-practices-using-kubelinter) at civo.com by Saiyam Pathak.\n* [Analyze Kubernetes files for errors with KubeLinter](https://opensource.com/article/21/1/kubelinter) at opensource.com by Jessica Cherry.\n* [How to add a new check in KubeLinter?](https://www.psaggu.com/upstream-contribution/2021/08/17/notes.html) by Priyanka Saggu.\n* [Extending kube-linter To Build A Custom Template](https://github.com/garethahealy/kubelinter-extending-blog) by [Gareth Healy](https://github.com/garethahealy).\n\n## Community\n\nIf you would like to engage with the KubeLinter community, including maintainers and other users, you can join the Slack workspace [here](https://join.slack.com/t/kube-linter/shared_invite/zt-kla9qvyo-Tk~wynTSbr9EE3AjHcv4BQ).\n\nTo contribute, check out our [contributing guide](./CONTRIBUTING.md).\n\nAs a reminder, all participation in the KubeLinter community is governed by our [code of conduct](./CODE_OF_CONDUCT.md).\n\n## WARNING: Alpha release\n\nKubeLinter is at an early stage of development. There may be breaking changes in\nthe future to the command usage, flags, and configuration file formats. However,\nwe encourage you to use KubeLinter to test your environment YAML files, see what\nbreaks, and [contribute](./CONTRIBUTING.md).\n\n## LICENSE\n\nKubeLinter is licensed under the [Apache License 2.0](./LICENSE).\n\n## StackRox\n\nKubeLinter is made with ❤️ by [StackRox](https://stackrox.com/).\n\nIf you're interested in KubeLinter, or in any of the other cool things we do, please know that we're hiring!\nCheck out our [open positions](https://www.stackrox.com/job-board/). 
We'd love to hear from you!\n","funding_links":[],"categories":["Kubernetes","Go","Tools and Libraries","Repositories / Tools","kubernetes","Security and Governance 🏯","Configuration \u0026 Policy Automation","Other","Configuration Management","OPS","Container and Kubernetes Security","Kubernetes Security"],"sub_categories":["Kubernetes static analysis","Security and Compliance","Defending","Kubernetes Audit","Runtime Security"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fkube-linter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackrox%2Fkube-linter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackrox%2Fkube-linter/lists"}