├── .github ├── CODEOWNERS ├── dependabot.yml └── workflows │ ├── kube-linter-sample.yml │ ├── self-test.yml │ └── versioning.yml ├── .gitignore ├── LICENSE ├── README.md ├── action.yml └── sample ├── .kube-linter-config.yml ├── invalid-yaml └── deploy.yaml ├── non-kubernetes-yaml └── food.yaml └── valid-yaml └── deploy.yaml /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @janisz 2 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "github-actions" 4 | directory: "/" 5 | schedule: 6 | interval: "daily" 7 | -------------------------------------------------------------------------------- /.github/workflows/kube-linter-sample.yml: -------------------------------------------------------------------------------- 1 | name: Check Kubernetes YAMLs with kube-linter 2 | 3 | on: 4 | # Note that both `push` and `pull_request` triggers should be present for GitHub to consistently present kube-linter 5 | # SARIF reports. 6 | push: 7 | branches: [ main, master ] 8 | pull_request: 9 | 10 | jobs: 11 | scan: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - uses: actions/checkout@v4 15 | 16 | # This prepares directory where github/codeql-action/upload-sarif@v1 looks up report files by default. 17 | - name: Create ../results directory for SARIF report files 18 | shell: bash 19 | run: mkdir -p ../results 20 | 21 | - name: Scan yaml files with kube-linter 22 | uses: stackrox/kube-linter-action@v1.0.7 23 | id: kube-linter-action-scan 24 | with: 25 | # Adjust this directory to the location where your kubernetes resources and helm charts are located. 26 | directory: sample/valid-yaml 27 | # Adjust this to the location of kube-linter config you're using, or remove the setting if you'd like to use 28 | # the default config. 29 | config: sample/.kube-linter-config.yaml 30 | # The following two settings make kube-linter produce scan analysis in SARIF format which would then be 31 | # made available in GitHub UI via upload-sarif action below. 32 | format: sarif 33 | output-file: ../results/kube-linter.sarif 34 | # The following line prevents aborting the workflow immediately in case your files fail kube-linter checks. 35 | # This allows the following upload-sarif action to still upload the results to your GitHub repo. 36 | continue-on-error: true 37 | 38 | - name: Upload SARIF report files to GitHub 39 | uses: github/codeql-action/upload-sarif@v3 40 | 41 | # Ensure the workflow eventually fails if files did not pass kube-linter checks. 42 | - name: Verify kube-linter-action succeeded 43 | shell: bash 44 | run: | 45 | echo "If this step fails, kube-linter found issues. Check the output of the scan step above." 46 | [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]] 47 | -------------------------------------------------------------------------------- /.github/workflows/self-test.yml: -------------------------------------------------------------------------------- 1 | # This workflow is provided for testing changes to the action. 2 | # When developing make sure that "Scan 2 - failing" produces expected kube-linter validation logs. 3 | 4 | name: kube-linter-action development self-test 5 | 6 | on: 7 | push: 8 | branches: [ main ] 9 | pull_request: 10 | branches: [ main ] 11 | 12 | jobs: 13 | test-scan: 14 | strategy: 15 | matrix: 16 | os: [ ubuntu-latest, windows-latest, macos-latest ] 17 | format: [ plain, json, sarif ] 18 | version: [ latest, 0.2.3 ] 19 | runs-on: ${{ matrix.os }} 20 | steps: 21 | - uses: actions/checkout@v4 22 | 23 | - name: Scan 1 - should succeed 24 | uses: ./ 25 | with: 26 | directory: sample/valid-yaml 27 | config: sample/.kube-linter-config.yaml 28 | format: ${{ matrix.format }} 29 | version: ${{ matrix.version }} 30 | 31 | - name: Scan 2 - should fail 32 | id: failing-scan 33 | uses: ./ 34 | with: 35 | directory: sample/invalid-yaml 36 | config: sample/.kube-linter-config.yaml 37 | format: ${{ matrix.format }} 38 | version: ${{ matrix.version }} 39 | continue-on-error: true 40 | 41 | - name: Verify Scan 2 should have failed 42 | shell: bash 43 | run: | 44 | echo "Verifying that kube-linter-action outcome (${{ steps.failing-scan.outcome }}) from Scan 2 is failure." 45 | [[ "${{ steps.failing-scan.outcome }}" == "failure" ]] 46 | 47 | test-with-sarif-upload: 48 | runs-on: ubuntu-latest 49 | steps: 50 | - uses: actions/checkout@v4 51 | 52 | # Setup directory where github/codeql-action/upload-sarif@v3 looks up files by default. 53 | - name: Create ../results directory for sarif files 54 | shell: bash 55 | run: mkdir -p ../results 56 | 57 | - name: Scan 1 - should succeed 58 | uses: ./ 59 | with: 60 | directory: sample/valid-yaml 61 | config: sample/.kube-linter-config.yaml 62 | format: sarif 63 | output-file: ../results/kube-linter-success.sarif 64 | 65 | - name: Scan 2 - should fail 66 | uses: ./ 67 | with: 68 | directory: sample/invalid-yaml 69 | config: sample/.kube-linter-config.yaml 70 | format: sarif 71 | output-file: ../results/kube-linter-fail.sarif 72 | continue-on-error: true 73 | 74 | - name: Upload SARIF output file to GitHub 75 | uses: github/codeql-action/upload-sarif@v3 76 | 77 | test-fail-on-invalid-resource: 78 | runs-on: ubuntu-latest 79 | steps: 80 | - uses: actions/checkout@v4 81 | - name: Scan 1 - should succeed 82 | uses: ./ 83 | with: 84 | directory: sample/non-kubernetes-yaml 85 | config: sample/.kube-linter-config.yaml 86 | 87 | - name: Scan 2 - should fail 88 | id: failing-scan 89 | uses: ./ 90 | with: 91 | directory: sample/non-kubernetes-yaml 92 | config: sample/.kube-linter-config.yaml 93 | fail-on-invalid-resource: "true" 94 | continue-on-error: true 95 | 96 | - name: Verify Scan 2 should have failed 97 | shell: bash 98 | run: | 99 | echo "Verifying that kube-linter-action outcome (${{ steps.failing-scan.outcome }}) from Scan 2 is failure." 100 | [[ "${{ steps.failing-scan.outcome }}" == "failure" ]] 101 | -------------------------------------------------------------------------------- /.github/workflows/versioning.yml: -------------------------------------------------------------------------------- 1 | name: Update Semver 2 | on: 3 | push: 4 | branches-ignore: 5 | - '**' 6 | tags: 7 | - 'v*.*.*' 8 | jobs: 9 | update-semver: 10 | runs-on: ubuntu-latest 11 | steps: 12 | - uses: actions/checkout@v4 13 | - uses: haya14busa/action-update-semver@v1 14 | with: 15 | major_version_tag_only: true 16 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .idea/ 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 | # kube-linter-action - KubeLinter GitHub Action 4 | 5 | This is a GitHub action for scanning Kubernetes YAML files and Helm charts in your GitHub workflow with [kube-linter](https://github.com/stackrox/kube-linter). 6 | 7 | ## Quickstart 8 | 9 | 1. Copy [.github/workflows/kube-linter-sample.yml](https://github.com/stackrox/kube-linter-action/tree/main/.github/workflows/kube-linter-sample.yml) file to `.github/workflows` directory in your repo. 10 | 2. Adjust scan `directory` to the location where your Kubernetes or Helm files are. See Parameters below. 11 | 3. Adjust or remove `config` parameter. 12 | 13 | The new workflow will run every time there's a new push to the repo master branch and for pull requests. 14 | 15 | The workflow will fail if kube-linter detects issues. You'll find issues in the output of `kube-linter-action` and in [Security | Code scanning alerts](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository) view of your GitHub repo (if you used provided sample workflow). 16 | 17 | ### Example 18 | 19 | ```yaml 20 | - name: Scan repo with kube-linter 21 | uses: stackrox/kube-linter-action@v1.0.4 22 | with: 23 | directory: yamls 24 | config: .kube-linter/config.yaml 25 | format: sarif 26 | output-file: kube-linter.sarif 27 | ``` 28 | 29 | ### Parameters 30 | 31 | | Parameter name | Required? | Description | 32 | | --- | --- | --- | 33 | | `directory` | **(required)** | Path of file or directory to scan, absolute or relative to the root of the repo. | 34 | | `config` | (optional) | Path to a [configuration file](https://docs.kubelinter.io/#/configuring-kubelinter) if you wish to use a non-default configuration. | 35 | | `format` | (optional) | Output format. Allowed values: `sarif`, `plain`, `json`. Default is `plain`. | 36 | | `output-file` | (optional) | Path to a file where kube-linter output will be stored. Default is `kube-linter.log`. File will be overwritten if it exists. | 37 | | `version` | (optional) | kube-linter release version to use, e.g. "0.2.4". The latest available version is used by default. | 38 | | `fail-on-invalid-resource` | (optional) | Set `true` to error out when we have an invalid resource. | 39 | | `token` | (optional) | Token to use when pulling release info from github.com | 40 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: 'kube-linter' 2 | description: 'Scan directory or file with kube-linter' 3 | branding: 4 | icon: 'check-circle' 5 | color: 'green' 6 | inputs: 7 | directory: 8 | description: 'Directory or file to scan' 9 | required: true 10 | config: 11 | description: 'Path to config file' 12 | required: false 13 | format: 14 | description: 'Output format. Allowed values: sarif, plain, json. Default: "plain"' 15 | required: false 16 | default: 'plain' 17 | output-file: 18 | description: 'Filename to store output. File will be overwritten if it exists. Default: "kubelinter.log"' 19 | required: false 20 | default: 'kubelinter.log' 21 | version: 22 | description: 'Version of kube-linter to use. E.g. "0.2.4". Default: "latest"' 23 | required: false 24 | default: 'latest' 25 | fail-on-invalid-resource: 26 | description: 'Error out when we have an invalid resource. Default: false' 27 | required: false 28 | default: 'false' 29 | token: 30 | description: 'Used to pull release info from GitHub. Does not need to be supplied on github.com.' 31 | required: false 32 | default: ${{ github.server_url == 'https://github.com' && github.token || '' }} 33 | runs: 34 | using: "composite" 35 | steps: 36 | - name: Download kube-linter 37 | shell: bash 38 | run: | 39 | set -u 40 | case "${{ runner.os }}" in 41 | macOS) OS=darwin ;; 42 | Windows) OS=windows ;; 43 | *) OS=linux ;; 44 | esac 45 | RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/latest' 46 | if [[ "${{ inputs.version }}" != "latest" ]]; then 47 | RELEASE_URL='https://api.github.com/repos/stackrox/kube-linter/releases/tags/${{ inputs.version }}' 48 | fi 49 | # Although releases endpoint is available without authentication, the current github.token is still passed 50 | # in order to increase the limit of 60 requests per hour per IP address to a higher value that's also counted 51 | # per GitHub account. 52 | # Caching is disabled in order not to receive stale responses from Varnish cache fronting GitHub API. 53 | AUTH_HEADER="" 54 | if [[ "${{ inputs.token }}" != "" ]]; then 55 | AUTH_HEADER="Authorization: Bearer ${{ inputs.token }}" 56 | fi 57 | RELEASE_INFO="$(curl --silent --show-error --fail \ 58 | --header "$AUTH_HEADER" \ 59 | --header 'Cache-Control: no-cache, must-revalidate' \ 60 | "${RELEASE_URL}")" 61 | RELEASE_NAME="$(echo "${RELEASE_INFO}" | jq --raw-output ".name")" 62 | LOCATION="$(echo "${RELEASE_INFO}" \ 63 | | jq --raw-output ".assets[].browser_download_url" \ 64 | | grep --fixed-strings "kube-linter-${OS}.tar.gz")" 65 | TARGET="kube-linter-${OS}-${RELEASE_NAME}.tar.gz" 66 | # Skip downloading release if downloaded already, e.g. when the action is used multiple times. 67 | if [[ ! -e "$TARGET" ]]; then 68 | curl --silent --show-error --fail --location --output "$TARGET" "$LOCATION" 69 | tar -xf "$TARGET" 70 | fi 71 | - name: Lint files 72 | shell: bash 73 | run: | 74 | set -u 75 | if [[ -z "${{ inputs.config }}" ]]; then 76 | CONFIG="" 77 | else 78 | CONFIG="--config ${{ inputs.config }}" 79 | fi 80 | 81 | if [[ "${{ inputs.fail-on-invalid-resource }}" == "true" ]]; then 82 | FLAG_ARGS="--fail-on-invalid-resource " 83 | else 84 | FLAG_ARGS="" 85 | fi 86 | 87 | ./kube-linter $CONFIG lint "${{ inputs.directory }}" --format "${{ inputs.format }}" $FLAG_ARGS | tee "${{ inputs.output-file }}" 88 | -------------------------------------------------------------------------------- /sample/.kube-linter-config.yml: -------------------------------------------------------------------------------- 1 | # customChecks defines custom checks. 2 | customChecks: 3 | - name: "required-annotation-team" 4 | template: "required-annotation" 5 | params: 6 | key: "team" 7 | remediation: "Add a team annotation to your object" 8 | checks: 9 | # if doNotAutoAddDefaults is true, default checks are not automatically added. 10 | doNotAutoAddDefaults: false 11 | 12 | # include explicitly adds checks, by name. You can reference any of the built-in checks. 13 | # Note that customChecks defined above are included automatically. 14 | include: [ ] 15 | # exclude explicitly excludes checks, by name. exclude has the highest priority: if a check is 16 | # in exclude, then it is not considered, even if it is in include as well. 17 | exclude: [ ] 18 | -------------------------------------------------------------------------------- /sample/invalid-yaml/deploy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: nginx-deployment 5 | labels: 6 | app: nginx 7 | spec: 8 | replicas: 3 9 | selector: 10 | matchLabels: 11 | app: nginx 12 | template: 13 | metadata: 14 | labels: 15 | app: nginx 16 | spec: 17 | containers: 18 | - name: nginx 19 | image: nginx:1.14.2 20 | ports: 21 | - containerPort: 80 22 | -------------------------------------------------------------------------------- /sample/non-kubernetes-yaml/food.yaml: -------------------------------------------------------------------------------- 1 | food: 2 | - vegetables: tomatoes -------------------------------------------------------------------------------- /sample/valid-yaml/deploy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: compliant 5 | namespace: my-namespace 6 | annotations: 7 | team: database 8 | spec: 9 | replicas: 1 10 | minReadySeconds: 15 11 | selector: 12 | matchLabels: 13 | app: compliant 14 | strategy: 15 | type: Recreate 16 | template: 17 | metadata: 18 | namespace: my-namespace 19 | labels: 20 | app: compliant 21 | spec: 22 | serviceAccountName: my-service-account 23 | containers: 24 | - image: nginx:1.20 25 | name: nginx 26 | securityContext: 27 | runAsNonRoot: true 28 | readOnlyRootFilesystem: true 29 | resources: 30 | requests: 31 | memory: "1Gi" 32 | cpu: "1" 33 | limits: 34 | memory: "4Gi" 35 | cpu: "2" 36 | --- 37 | apiVersion: v1 38 | kind: ServiceAccount 39 | metadata: 40 | name: my-service-account 41 | namespace: my-namespace 42 | labels: 43 | app.kubernetes.io/name: my-app 44 | annotations: 45 | team: database 46 | --------------------------------------------------------------------------------