Skip to content

tflint

GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

If you are using the GitHub action please use the TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN to prevent plugin download issues

Note: It's recommended to create your own .tflint.hcl custom config file tailored to your project's specific needs. The default configuration enables all supported languages and rules, which may not be optimal for every project.

tflint documentation

tflint - GitHub

Configuration in MegaLinter

Variable Description Default value
TERRAFORM_TFLINT_SECURED_ENV Allows to send the full env to tflint --init. Initialized with default value true. Set to false to allow tflint --init to access your env vars. True
TERRAFORM_TFLINT_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
TERRAFORM_TFLINT_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
TERRAFORM_TFLINT_CLI_LINT_MODE Override default CLI lint mode
⚠️ As default value is project, overriding might not work
- file: Calls the linter for each file
- list_of_files: Call the linter with the list of files as argument
- project: Call the linter from the root of the project
project
TERRAFORM_TFLINT_FILE_EXTENSIONS Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files
Ex: [".py", ""]
[".tf"]
TERRAFORM_TFLINT_FILE_NAMES_REGEX File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files
Ex: ["Dockerfile(-.+)?", "Jenkinsfile"]
Include every file
TERRAFORM_TFLINT_PRE_COMMANDS List of bash commands to run before the linter None
TERRAFORM_TFLINT_POST_COMMANDS List of bash commands to run after the linter None
TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling TERRAFORM_TFLINT and its pre/post commands None
TERRAFORM_TFLINT_CONFIG_FILE tflint configuration file nameUse LINTER_DEFAULT to let the linter find it .tflint.hcl
TERRAFORM_TFLINT_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
TERRAFORM_TFLINT_DISABLE_ERRORS Run linter but consider errors as warnings false
TERRAFORM_TFLINT_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
TERRAFORM_TFLINT_CLI_EXECUTABLE Override CLI executable ['tflint']

MegaLinter Flavors

This linter is available in the following flavors

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 124 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 83 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 54 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • File extensions: .tf

How the linting is performed

tflint is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using tflint configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make tflint analyze only updated files

Example calls

tflint
tflint -c .tflint.hcl

Help content

Usage:
  tflint --chdir=DIR/--recursive [OPTIONS]

Application Options:
  -v, --version                                                 Print TFLint
                                                                version
      --init                                                    Install plugins
      --langserver                                              Start language
                                                                server
  -f, --format=[default|json|checkstyle|junit|compact|sarif]    Output format
  -c, --config=FILE                                             Config file
                                                                name (default:
                                                                .tflint.hcl)
      --ignore-module=SOURCE                                    Ignore module
                                                                sources
      --enable-rule=RULE_NAME                                   Enable rules
                                                                from the
                                                                command line
      --disable-rule=RULE_NAME                                  Disable rules
                                                                from the
                                                                command line
      --only=RULE_NAME                                          Enable only
                                                                this rule,
                                                                disabling all
                                                                other defaults.
                                                                Can be
                                                                specified
                                                                multiple times
      --enable-plugin=PLUGIN_NAME                               Enable plugins
                                                                from the
                                                                command line
      --var-file=FILE                                           Terraform
                                                                variable file
                                                                name
      --var='foo=bar'                                           Set a Terraform
                                                                variable
      --call-module-type=[all|local|none]                       Types of module
                                                                to call
                                                                (default: local)
      --chdir=DIR                                               Switch to a
                                                                different
                                                                working
                                                                directory
                                                                before
                                                                executing the
                                                                command
      --recursive                                               Run command in
                                                                each directory
                                                                recursively
      --filter=FILE                                             Filter issues
                                                                by file names
                                                                or globs
      --force                                                   Return zero
                                                                exit status
                                                                even if issues
                                                                found
      --minimum-failure-severity=[error|warning|notice]         Sets minimum
                                                                severity level
                                                                for exiting
                                                                with a non-zero
                                                                error code
      --color                                                   Enable
                                                                colorized output
      --no-color                                                Disable
                                                                colorized output
      --fix                                                     Fix issues
                                                                automatically
      --no-parallel-runners                                     Disable
                                                                per-runner
                                                                parallelism
      --max-workers=N                                           Set maximum
                                                                number of
                                                                workers in
                                                                recursive
                                                                inspection
                                                                (default:
                                                                number of CPUs)

Help Options:
  -h, --help                                                    Show this help
                                                                message

Installation on mega-linter Docker image

  • Dockerfile commands :
# renovate: datasource=docker depName=ghcr.io/terraform-linters/tflint
ARG TERRAFORM_TFLINT_VERSION=0.53.0
FROM ghcr.io/terraform-linters/tflint:v${TERRAFORM_TFLINT_VERSION} AS tflint
COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/