cfn-lint

cfn-lint documentation

Version in MegaLinter: 1.16.1
Visit Official Web Site
- If custom .cfnlintrc.yml config file isn't found, .cfnlintrc.yml will be used
See Index of problems detected by cfn-lint

Configuration in MegaLinter

Enable cfn-lint by adding CLOUDFORMATION_CFN_LINT in ENABLE_LINTERS variable
Disable cfn-lint by adding CLOUDFORMATION_CFN_LINT in DISABLE_LINTERS variable

Variable	Description	Default value
CLOUDFORMATION_CFN_LINT_ARGUMENTS	User custom arguments to add in linter CLI call Ex: `-s --foo "bar"`
CLOUDFORMATION_CFN_LINT_COMMAND_REMOVE_ARGUMENTS	User custom arguments to remove from command line before calling the linter Ex: `-s --foo "bar"`
CLOUDFORMATION_CFN_LINT_FILTER_REGEX_INCLUDE	Custom regex including filter Ex: `(src\\|lib)`	Include every file
CLOUDFORMATION_CFN_LINT_FILTER_REGEX_EXCLUDE	Custom regex excluding filter Ex: `(test\\|examples)`	Exclude no file
CLOUDFORMATION_CFN_LINT_CLI_LINT_MODE	Override default CLI lint mode - `file`: Calls the linter for each file - `list_of_files`: Call the linter with the list of files as argument - `project`: Call the linter from the root of the project	`list_of_files`
CLOUDFORMATION_CFN_LINT_FILE_EXTENSIONS	Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files Ex: `[".py", ""]`	`[".yml", ".yaml", ".json"]`
CLOUDFORMATION_CFN_LINT_FILE_NAMES_REGEX	File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]`	Include every file
CLOUDFORMATION_CFN_LINT_PRE_COMMANDS	List of bash commands to run before the linter	None
CLOUDFORMATION_CFN_LINT_POST_COMMANDS	List of bash commands to run after the linter	None
CLOUDFORMATION_CFN_LINT_UNSECURED_ENV_VARIABLES	List of env variables explicitly not filtered before calling CLOUDFORMATION_CFN_LINT and its pre/post commands	None
CLOUDFORMATION_CFN_LINT_CONFIG_FILE	cfn-lint configuration file nameUse `LINTER_DEFAULT` to let the linter find it	`.cfnlintrc.yml`
CLOUDFORMATION_CFN_LINT_RULES_PATH	Path where to find linter configuration file	Workspace folder, then MegaLinter default rules
CLOUDFORMATION_CFN_LINT_DISABLE_ERRORS	Run linter but consider errors as warnings	`false`
CLOUDFORMATION_CFN_LINT_DISABLE_ERRORS_IF_LESS_THAN	Maximum number of errors allowed	`0`
CLOUDFORMATION_CFN_LINT_CLI_EXECUTABLE	Override CLI executable	`['cfn-lint']`

IDE Integration

Use cfn-lint in your favorite IDE to catch errors before MegaLinter !

IDE	Extension Name	Install
Atom	atom-cfn-lint	Visit Web Site
IDEA	cfn-lint
Sublime Text	SublimeLinter CloudFormation	Visit Web Site
Visual Studio Code	vscode-cfn-lint

MegaLinter Flavors

This linter is available in the following flavors

Flavor	Description	Embedded linters
all	Default MegaLinter Flavor	124
cupcake	MegaLinter for the most commonly used languages	83
security	Optimized for security	24

Behind the scenes

How are identified applicable files

File extensions: .yml, .yaml, .json
Detected file content (regex): AWSTemplateFormatVersion, (AWS|Alexa|Custom)::

How the linting is performed

cfn-lint is called once with the list of files as arguments (list_of_files CLI lint mode)

Example calls

cfn-lint myfile.yml

cfn-lint --config-file .cfnlintrc.yml myfile.yml

Help content

usage:
Basic: cfn-lint test.yaml
Ignore a rule: cfn-lint -i E3012 -- test.yaml
Configure a rule: cfn-lint -x E3012:strict=true -t test.yaml
Lint all yaml files in a folder: cfn-lint dir/**/*.yaml

CloudFormation Linter

options:
  -h, --help            show this help message and exit

Standard:
  TEMPLATE              The CloudFormation template to be linted
  -t TEMPLATE [TEMPLATE ...], --template TEMPLATE [TEMPLATE ...]
                        The CloudFormation template to be linted
  -b, --ignore-bad-template
                        Ignore failures with Bad template
  --ignore-templates IGNORE_TEMPLATES [IGNORE_TEMPLATES ...]
                        Ignore templates
  -f {quiet,parseable,json,junit,pretty,sarif}, --format {quiet,parseable,json,junit,pretty,sarif}
                        Output Format
  -l, --list-rules      list all the rules
  -r REGIONS [REGIONS ...], --regions REGIONS [REGIONS ...]
                        list the regions to validate against.
  -i IGNORE_CHECKS [IGNORE_CHECKS ...], --ignore-checks IGNORE_CHECKS [IGNORE_CHECKS ...]
                        only check rules whose id do not match these values
  -c INCLUDE_CHECKS [INCLUDE_CHECKS ...], --include-checks INCLUDE_CHECKS [INCLUDE_CHECKS ...]
                        include rules whose id match these values
  -m MANDATORY_CHECKS [MANDATORY_CHECKS ...], --mandatory-checks MANDATORY_CHECKS [MANDATORY_CHECKS ...]
                        always check rules whose id match these values,
                        regardless of template exclusions
  -e, --include-experimental
                        Include experimental rules
  -x CONFIGURE_RULES [CONFIGURE_RULES ...], --configure-rule CONFIGURE_RULES [CONFIGURE_RULES ...]
                        Provide configuration for a rule. Format
                        RuleId:key=value. Example: E3012:strict=true
  --config-file CONFIG_FILE
                        Specify the cfnlintrc file to use
  -z CUSTOM_RULES, --custom-rules CUSTOM_RULES
                        Allows specification of a custom rule file.
  -v, --version         Version of cfn-lint
  --output-file OUTPUT_FILE
                        Writes the output to the specified file, ideal for
                        producing reports
  --merge-configs       Merges lists between configuration layers
  --non-zero-exit-code {informational,warning,error,none}
                        Exit code will be non zero from the specified rule
                        class and higher

Advanced / Debugging:
  -D, --debug           Enable debug logging
  -I, --info            Enable information logging
  -a APPEND_RULES [APPEND_RULES ...], --append-rules APPEND_RULES [APPEND_RULES ...]
                        specify one or more rules directories using one or
                        more --append-rules arguments.
  -o OVERRIDE_SPEC, --override-spec OVERRIDE_SPEC
                        A CloudFormation Spec override file that allows
                        customization
  -g, --build-graph     Creates a file in the same directory as the template
                        that models the template's resources in DOT format
  -s REGISTRY_SCHEMAS [REGISTRY_SCHEMAS ...], --registry-schemas REGISTRY_SCHEMAS [REGISTRY_SCHEMAS ...]
                        one or more directories of CloudFormation Registry
                        Schemas
  -u, --update-specs    Update the CloudFormation Specs
  -p, --patch-specs     Patch the CloudFormation Specs in place

Installation on mega-linter Docker image

PIP packages (Python):
- cfn-lint[sarif]