# cfn-lint
CFN-Lint (CloudFormation Linter) is the official AWS tool for validating AWS CloudFormation YAML/JSON templates against the AWS CloudFormation resource provider schemas, plus additional best-practice checks.
Key Features:
- AWS Schema Validation: Validates templates against official AWS CloudFormation resource provider schemas
- Property Validation: Checks valid values for resource properties and ensures correct data types
- Best Practice Enforcement: Identifies CloudFormation best practices and anti-patterns
- SAM Support: Fully supports AWS Serverless Application Model (SAM) templates with transformation validation
- Custom Rules: Supports custom one-line rules for organization-specific requirements
- Multiple Output Formats: Supports JSON, JUnit, SARIF, and other output formats
- Region-Specific Validation: Tests templates against multiple AWS regions to catch region-specific issues
- Extensible Rules Engine: Comprehensive collection of rules with support for custom rule extensions
Common validations include:
- Resource type and property validation
- Parameter constraints and dependencies
- Output and condition logic validation
- Security best practices (IAM policies, encryption, etc.)
- Resource naming and tagging conventions
- Cross-reference validation between resources
Advanced features:
- Template metadata configuration for granular control
- Graph visualization of template resources
- Experimental rules for cutting-edge CloudFormation features
- Override specifications for custom organizational requirements
CFN-Lint helps ensure your CloudFormation templates are valid, secure, and follow AWS best practices before deployment.
## cfn-lint documentation
- Version in MegaLinter: 1.40.2
- Visit Official Web Site
- See How to configure cfn-lint rules
  - If a custom `.cfnlintrc.yml` config file isn't found, MegaLinter's default `.cfnlintrc.yml` will be used
- See How to disable cfn-lint rules in files
- See Index of problems detected by cfn-lint
## Configuration in MegaLinter
- Enable cfn-lint by adding `CLOUDFORMATION_CFN_LINT` in the `ENABLE_LINTERS` variable
- Disable cfn-lint by adding `CLOUDFORMATION_CFN_LINT` in the `DISABLE_LINTERS` variable
| Variable | Description | Default value |
|---|---|---|
| CLOUDFORMATION_CFN_LINT_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| CLOUDFORMATION_CFN_LINT_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from the command line before calling the linter. Ex: `-s --foo "bar"` | |
| CLOUDFORMATION_CFN_LINT_FILTER_REGEX_INCLUDE | Custom regex including filter. Ex: `(src\|lib)` | Include every file |
| CLOUDFORMATION_CFN_LINT_FILTER_REGEX_EXCLUDE | Custom regex excluding filter. Ex: `(test\|examples)` | Exclude no file |
| CLOUDFORMATION_CFN_LINT_CLI_LINT_MODE | Override default CLI lint mode: `file` (call the linter once per file), `list_of_files` (call the linter once with the list of files as arguments), `project` (call the linter from the root of the project) | list_of_files |
| CLOUDFORMATION_CFN_LINT_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches the empty extension. An empty list excludes all files. Ex: `[".py", ""]` | [".yml", ".yaml", ".json"] |
| CLOUDFORMATION_CFN_LINT_FILE_NAMES_REGEX | File name regex filters: a list of regular expressions matched (full match) against file base names. An empty list includes all files. Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
| CLOUDFORMATION_CFN_LINT_PRE_COMMANDS | List of bash commands to run before the linter | None |
| CLOUDFORMATION_CFN_LINT_POST_COMMANDS | List of bash commands to run after the linter | None |
| CLOUDFORMATION_CFN_LINT_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling CLOUDFORMATION_CFN_LINT and its pre/post commands | None |
| CLOUDFORMATION_CFN_LINT_CONFIG_FILE | cfn-lint configuration file name. Use `LINTER_DEFAULT` to let the linter find it | .cfnlintrc.yml |
| CLOUDFORMATION_CFN_LINT_RULES_PATH | Path where to find the linter configuration file | Workspace folder, then MegaLinter default rules |
| CLOUDFORMATION_CFN_LINT_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| CLOUDFORMATION_CFN_LINT_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| CLOUDFORMATION_CFN_LINT_CLI_EXECUTABLE | Override CLI executable | ['cfn-lint'] |
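The following is an added example (not MegaLinter's own implementation) showing how the variables in the table above translate into a cfn-lint command line, and how a pipeline can gate on the `-f json` report using the `DISABLE_ERRORS` and `DISABLE_ERRORS_IF_LESS_THAN` semantics. The report field names (`Level`, `Rule.Id`, `Filename`, `Message`, `Location`) follow cfn-lint's JSON output as I know it; the sample report itself is constructed, not real linter output, and the inclusive reading of "maximum number of errors allowed" is an assumption.

```python
# Added example: MegaLinter-style cfn-lint invocation and report gating.
# Not MegaLinter's or cfn-lint's own code.
import json
import shlex
import subprocess


def build_cfn_lint_commands(files, env):
    """Translate CLOUDFORMATION_CFN_LINT_* settings into one or more argv lists."""
    cmd = list(env.get("CLOUDFORMATION_CFN_LINT_CLI_EXECUTABLE", ["cfn-lint"]))
    config_file = env.get("CLOUDFORMATION_CFN_LINT_CONFIG_FILE", ".cfnlintrc.yml")
    if config_file != "LINTER_DEFAULT":      # LINTER_DEFAULT: let cfn-lint discover its rc file
        cmd += ["--config-file", config_file]
    cmd += shlex.split(env.get("CLOUDFORMATION_CFN_LINT_ARGUMENTS", ""))
    # COMMAND_REMOVE_ARGUMENTS drops matching tokens; removing a flag that takes a
    # value leaves the value behind, so remove both tokens when that matters.
    removed = set(shlex.split(env.get("CLOUDFORMATION_CFN_LINT_COMMAND_REMOVE_ARGUMENTS", "")))
    cmd = [arg for arg in cmd if arg not in removed]
    cmd += ["-f", "json"]                    # machine-readable report for gate() below
    mode = env.get("CLOUDFORMATION_CFN_LINT_CLI_LINT_MODE", "list_of_files")
    if mode == "file":
        return [cmd + [f] for f in files]    # one cfn-lint process per template
    if mode == "list_of_files":
        return [cmd + list(files)]           # the default: one call, all files as arguments
    if mode == "project":
        return [cmd]                         # run from the repo root with no explicit templates
    raise ValueError(f"unknown CLI lint mode: {mode}")


def gate(report_json, disable_errors=False, max_errors=0):
    """Decide pass/fail from a cfn-lint JSON report.

    disable_errors mirrors CLOUDFORMATION_CFN_LINT_DISABLE_ERRORS (errors become
    warnings, never fail); max_errors mirrors ..._DISABLE_ERRORS_IF_LESS_THAN,
    read here as an inclusive upper bound (assumption).
    """
    findings = json.loads(report_json)
    counts = {"Error": 0, "Warning": 0, "Informational": 0}
    for finding in findings:
        level = finding.get("Level", "Error")
        counts[level] = counts.get(level, 0) + 1
    passed = disable_errors or counts["Error"] <= max_errors
    return {
        "passed": passed,
        "counts": counts,
        "ids": sorted({f["Rule"]["Id"] for f in findings}),
    }


def run_and_gate(files, env, disable_errors=False, max_errors=0):
    """Run the assembled command(s) and gate on the combined report (needs cfn-lint installed)."""
    findings = []
    for argv in build_cfn_lint_commands(files, env):
        proc = subprocess.run(argv, capture_output=True, text=True)
        if proc.stdout.strip():
            findings.extend(json.loads(proc.stdout))
    return gate(json.dumps(findings), disable_errors, max_errors)


# Constructed sample report in cfn-lint's JSON shape (not real output).
SAMPLE_REPORT = json.dumps([
    {
        "Filename": "stack.yml", "Level": "Error",
        "Message": "'VersioningConfiguration' is not of type 'object'",
        "Rule": {"Id": "E3012"},
        "Location": {"Start": {"LineNumber": 7, "ColumnNumber": 7},
                     "End": {"LineNumber": 7, "ColumnNumber": 29}},
    },
    {
        "Filename": "stack.yml", "Level": "Warning",
        "Message": "Parameter Env not used.",
        "Rule": {"Id": "W2001"},
        "Location": {"Start": {"LineNumber": 3, "ColumnNumber": 3},
                     "End": {"LineNumber": 3, "ColumnNumber": 6}},
    },
])

if __name__ == "__main__":
    settings = {"CLOUDFORMATION_CFN_LINT_ARGUMENTS": "--non-zero-exit-code error"}
    for argv in build_cfn_lint_commands(["stack.yml", "api.json"], settings):
        print("would run:", shlex.join(argv))
    print(gate(SAMPLE_REPORT))
```

With the defaults the sample report fails the gate because one `Error`-level finding exceeds the allowed maximum of 0; raising the threshold to 1 or setting `disable_errors` lets the same report through, which is exactly the trade-off the two `DISABLE_ERRORS*` variables expose.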
## IDE Integration
Use cfn-lint in your favorite IDE to catch errors before MegaLinter!
| IDE | Extension Name | Install |
|---|---|---|
| IDEA | cfn-lint | |
| Sublime Text | SublimeLinter CloudFormation | Visit Web Site |
| Visual Studio Code | vscode-cfn-lint | |
## MegaLinter Flavors
This linter is available in the following flavors:
| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 127 |
| cupcake | MegaLinter for the most commonly used languages | 88 |
| security | Optimized for security | 24 |
## Behind the scenes
### How applicable files are identified
- File extensions: `.yml`, `.yaml`, `.json`
- Detected file content (regex): `AWSTemplateFormatVersion,(AWS|Alexa|Custom)::`
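As an added example (not MegaLinter's own code), the two-step selection above, extension first and then a content regex, applied to a few constructed sample files. Applying the regex as an unanchored search over the whole file content is an assumption about how MegaLinter uses it.

```python
# Added example: reproduce MegaLinter's "applicable file" test for cfn-lint.
# Not MegaLinter's or cfn-lint's own code.
import re
from pathlib import Path

# Both values are copied from the page.
CFN_LINT_EXTENSIONS = {".yml", ".yaml", ".json"}
CFN_LINT_CONTENT_REGEX = re.compile(r"AWSTemplateFormatVersion|(AWS|Alexa|Custom)::")


def is_cloudformation_candidate(name, content):
    """True when both filters pass: an allowed extension AND a content regex hit."""
    if Path(name).suffix not in CFN_LINT_EXTENSIONS:
        return False  # wrong extension: the content is never inspected
    return CFN_LINT_CONTENT_REGEX.search(content) is not None


def select_candidates(files):
    """Reduce a {filename: content} mapping to the files cfn-lint would receive."""
    return sorted(name for name, text in files.items() if is_cloudformation_candidate(name, text))


def find_candidates(root):
    """Same selection over a real directory tree (read as UTF-8, undecodable bytes ignored)."""
    root_path = Path(root)
    found = []
    for path in root_path.rglob("*"):
        if path.is_file() and path.suffix in CFN_LINT_EXTENSIONS:
            text = path.read_text(encoding="utf-8", errors="ignore")
            if CFN_LINT_CONTENT_REGEX.search(text):
                found.append(str(path.relative_to(root_path)))
    return sorted(found)


# Constructed sample files (not from the page).
SAMPLE_FILES = {
    # Classic template: the version header is present.
    "stack.yml": "AWSTemplateFormatVersion: '2010-09-09'\nResources:\n  Bucket:\n    Type: AWS::S3::Bucket\n",
    # SAM template without the version header: still caught via the 'AWS::' prefix.
    "serverless.yaml": "Transform: AWS::Serverless-2016-10-31\nResources:\n  Fn:\n    Type: AWS::Serverless::Function\n",
    # JSON template whose only marker is an Alexa:: resource type.
    "skill.json": '{"Resources": {"Skill": {"Type": "Alexa::ASK::Skill"}}}',
    # YAML that is not CloudFormation: extension matches, content does not.
    "docker-compose.yml": "services:\n  web:\n    image: nginx\n",
    # CloudFormation content under an extension MegaLinter does not route to cfn-lint.
    "template.txt": "AWSTemplateFormatVersion: '2010-09-09'\n",
    # Ordinary JSON config: no marker at all.
    "config.json": '{"region": "us-east-1"}',
}

if __name__ == "__main__":
    for name in select_candidates(SAMPLE_FILES):
        print("cfn-lint would lint:", name)
```

Because the content check is a substring search, any YAML or JSON file that merely mentions a string like `AWS::` is routed to cfn-lint as well; such a file is then reported as a bad template unless `-b`/`--ignore-bad-template` (see the help content below) is passed via `CLOUDFORMATION_CFN_LINT_ARGUMENTS`.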
### How the linting is performed
- cfn-lint is called once with the list of files as arguments (`list_of_files` CLI lint mode)
### Example calls
```shell
cfn-lint myfile.yml
cfn-lint --config-file .cfnlintrc.yml myfile.yml
```
### Help content
```text
usage:
Basic: cfn-lint test.yaml
Ignore a rule: cfn-lint -i E3012 -- test.yaml
Configure a rule: cfn-lint -x E3012:strict=true -t test.yaml
Lint all yaml files in a folder: cfn-lint dir/**/*.yaml
CloudFormation Linter
options:
  -h, --help            show this help message and exit
Standard:
  TEMPLATE              The CloudFormation template to be linted
  -t, --template TEMPLATE [TEMPLATE ...]
                        The CloudFormation template to be linted
  -b, --ignore-bad-template
                        Ignore failures with Bad template
  --ignore-templates IGNORE_TEMPLATES [IGNORE_TEMPLATES ...]
                        Ignore templates
  --deployment-files DEPLOYMENT_FILES [DEPLOYMENT_FILES ...]
                        Deployment files
  --parameters PARAMETERS [PARAMETERS ...]
                        A list of parameters
  --parameter-files PARAMETER_FILES [PARAMETER_FILES ...]
                        A list of parameter files
  -f, --format {quiet,parseable,json,junit,pretty,sarif}
                        Output Format
  -l, --list-rules      list all the rules
  -r, --regions REGIONS [REGIONS ...]
                        list the regions to validate against.
  -i, --ignore-checks IGNORE_CHECKS [IGNORE_CHECKS ...]
                        only check rules whose id do not match these values
  -c, --include-checks INCLUDE_CHECKS [INCLUDE_CHECKS ...]
                        include rules whose id match these values
  -m, --mandatory-checks MANDATORY_CHECKS [MANDATORY_CHECKS ...]
                        always check rules whose id match these values,
                        regardless of template exclusions
  -e, --include-experimental
                        Include experimental rules
  -x, --configure-rule CONFIGURE_RULES [CONFIGURE_RULES ...]
                        Provide configuration for a rule. Format
                        RuleId:key=value. Example: E3012:strict=true
  --config-file CONFIG_FILE
                        Specify the cfnlintrc file to use
  -z, --custom-rules CUSTOM_RULES
                        Allows specification of a custom rule file.
  -v, --version         Version of cfn-lint
  --output-file OUTPUT_FILE
                        Writes the output to the specified file, ideal for
                        producing reports
  --merge-configs       Merges lists between configuration layers
  --non-zero-exit-code {informational,warning,error,none}
                        Exit code will be non zero from the specified rule
                        class and higher
Advanced / Debugging:
  -D, --debug           Enable debug logging
  -I, --info            Enable information logging
  -L, --list-templates  List all the templates would have linted
  -a, --append-rules APPEND_RULES [APPEND_RULES ...]
                        specify one or more rules directories using one or
                        more --append-rules arguments.
  -o, --override-spec OVERRIDE_SPEC
                        A CloudFormation Spec override file that allows
                        customization
  -g, --build-graph     Creates a file in the same directory as the template
                        that models the template's resources in DOT format
  -s, --registry-schemas REGISTRY_SCHEMAS [REGISTRY_SCHEMAS ...]
                        one or more directories of CloudFormation Registry
                        Schemas
  -u, --update-specs    Update the CloudFormation Specs
  -p, --patch-specs     Patch the CloudFormation Specs in place
```
## Installation on mega-linter Docker image
- Dockerfile commands:
```dockerfile
# renovate: datasource=pypi depName=cfn-lint
ARG PIP_CFN_LINT_VERSION=1.40.2
```
- PIP packages (Python):
