Skip to content

cfn-lint

GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

cfn-lint documentation

cfn-lint - GitHub

Configuration in MegaLinter

Variable Description Default value
CLOUDFORMATION_CFN_LINT_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
CLOUDFORMATION_CFN_LINT_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
CLOUDFORMATION_CFN_LINT_FILTER_REGEX_INCLUDE Custom regex including filter
Ex: (src\|lib)
Include every file
CLOUDFORMATION_CFN_LINT_FILTER_REGEX_EXCLUDE Custom regex excluding filter
Ex: (test\|examples)
Exclude no file
CLOUDFORMATION_CFN_LINT_CLI_LINT_MODE Override default CLI lint mode
- file: Calls the linter for each file
- list_of_files: Call the linter with the list of files as argument
- project: Call the linter from the root of the project
list_of_files
CLOUDFORMATION_CFN_LINT_FILE_EXTENSIONS Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files
Ex: [".py", ""]
[".yml", ".yaml", ".json"]
CLOUDFORMATION_CFN_LINT_FILE_NAMES_REGEX File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files
Ex: ["Dockerfile(-.+)?", "Jenkinsfile"]
Include every file
CLOUDFORMATION_CFN_LINT_PRE_COMMANDS List of bash commands to run before the linter None
CLOUDFORMATION_CFN_LINT_POST_COMMANDS List of bash commands to run after the linter None
CLOUDFORMATION_CFN_LINT_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling CLOUDFORMATION_CFN_LINT and its pre/post commands None
CLOUDFORMATION_CFN_LINT_CONFIG_FILE cfn-lint configuration file nameUse LINTER_DEFAULT to let the linter find it .cfnlintrc.yml
CLOUDFORMATION_CFN_LINT_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
CLOUDFORMATION_CFN_LINT_DISABLE_ERRORS Run linter but consider errors as warnings false
CLOUDFORMATION_CFN_LINT_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
CLOUDFORMATION_CFN_LINT_CLI_EXECUTABLE Override CLI executable ['cfn-lint']

IDE Integration

Use cfn-lint in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Atom atom-cfn-lint Visit Web Site
IDEA cfn-lint
Sublime Text SublimeLinter CloudFormation Visit Web Site
Visual Studio Code vscode-cfn-lint Install in VSCode

MegaLinter Flavors

This linter is available in the following flavors

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 124 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 83 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • File extensions: .yml, .yaml, .json
  • Detected file content (regex): AWSTemplateFormatVersion, (AWS|Alexa|Custom)::

How the linting is performed

  • cfn-lint is called once with the list of files as arguments (list_of_files CLI lint mode)

Example calls

cfn-lint myfile.yml
cfn-lint --config-file .cfnlintrc.yml myfile.yml

Help content

usage:
Basic: cfn-lint test.yaml
Ignore a rule: cfn-lint -i E3012 -- test.yaml
Configure a rule: cfn-lint -x E3012:strict=true -t test.yaml
Lint all yaml files in a folder: cfn-lint dir/**/*.yaml

CloudFormation Linter

options:
  -h, --help            show this help message and exit

Standard:
  TEMPLATE              The CloudFormation template to be linted
  -t TEMPLATE [TEMPLATE ...], --template TEMPLATE [TEMPLATE ...]
                        The CloudFormation template to be linted
  -b, --ignore-bad-template
                        Ignore failures with Bad template
  --ignore-templates IGNORE_TEMPLATES [IGNORE_TEMPLATES ...]
                        Ignore templates
  -f {quiet,parseable,json,junit,pretty,sarif}, --format {quiet,parseable,json,junit,pretty,sarif}
                        Output Format
  -l, --list-rules      list all the rules
  -r REGIONS [REGIONS ...], --regions REGIONS [REGIONS ...]
                        list the regions to validate against.
  -i IGNORE_CHECKS [IGNORE_CHECKS ...], --ignore-checks IGNORE_CHECKS [IGNORE_CHECKS ...]
                        only check rules whose id do not match these values
  -c INCLUDE_CHECKS [INCLUDE_CHECKS ...], --include-checks INCLUDE_CHECKS [INCLUDE_CHECKS ...]
                        include rules whose id match these values
  -m MANDATORY_CHECKS [MANDATORY_CHECKS ...], --mandatory-checks MANDATORY_CHECKS [MANDATORY_CHECKS ...]
                        always check rules whose id match these values,
                        regardless of template exclusions
  -e, --include-experimental
                        Include experimental rules
  -x CONFIGURE_RULES [CONFIGURE_RULES ...], --configure-rule CONFIGURE_RULES [CONFIGURE_RULES ...]
                        Provide configuration for a rule. Format
                        RuleId:key=value. Example: E3012:strict=true
  --config-file CONFIG_FILE
                        Specify the cfnlintrc file to use
  -z CUSTOM_RULES, --custom-rules CUSTOM_RULES
                        Allows specification of a custom rule file.
  -v, --version         Version of cfn-lint
  --output-file OUTPUT_FILE
                        Writes the output to the specified file, ideal for
                        producing reports
  --merge-configs       Merges lists between configuration layers
  --non-zero-exit-code {informational,warning,error,none}
                        Exit code will be non zero from the specified rule
                        class and higher

Advanced / Debugging:
  -D, --debug           Enable debug logging
  -I, --info            Enable information logging
  -a APPEND_RULES [APPEND_RULES ...], --append-rules APPEND_RULES [APPEND_RULES ...]
                        specify one or more rules directories using one or
                        more --append-rules arguments.
  -o OVERRIDE_SPEC, --override-spec OVERRIDE_SPEC
                        A CloudFormation Spec override file that allows
                        customization
  -g, --build-graph     Creates a file in the same directory as the template
                        that models the template's resources in DOT format
  -s REGISTRY_SCHEMAS [REGISTRY_SCHEMAS ...], --registry-schemas REGISTRY_SCHEMAS [REGISTRY_SCHEMAS ...]
                        one or more directories of CloudFormation Registry
                        Schemas
  -u, --update-specs    Update the CloudFormation Specs
  -p, --patch-specs     Patch the CloudFormation Specs in place

Installation on mega-linter Docker image