Overview
The starter kit includes pre-configured linting and security scanning tools that run both locally and in CI/CD pipelines. These tools catch errors early, enforce best practices, and ensure security compliance before infrastructure reaches production.
Tools included:
- cfn-lint — Validates CloudFormation templates for syntax errors, resource properties, and AWS best practices
- Checkov — Scans for security misconfigurations and compliance violations
Both tools run automatically via the validation script and in GitHub Actions workflows.
cfn-lint configuration
The starter kit includes a .cfnlintrc file at the repository root:
templates:
- templates/*.yml
ignore_templates:
- codebuild.yaml
Key configuration options
- templates — Specifies which template files to validate (uses glob patterns)
- ignore_templates — Excludes specific templates from validation
What cfn-lint validates
cfn-lint checks for:
- Syntax errors — Invalid YAML/JSON structure
- Resource properties — Required properties, valid values, and property types
- AWS limits — Resource name lengths, parameter counts, and other service limits
- Best practices — Proper use of Refs, GetAtt, and other intrinsic functions
- Region-specific resources — Validates resources are available in target regions
- Property combinations — Detects incompatible property combinations
Customization
To customize the configuration:
- Edit .cfnlintrc to add/remove template patterns or ignore rules
- Run ./scripts/validate-templates.sh to validate with your new configuration
For complete documentation on all rules, configuration options, and advanced usage, see the cfn-lint reference.
Checkov configuration
The starter kit includes a .checkov.yml file at the repository root:
branch: main
directory:
- templates
download-external-modules: false
evaluate-variables: true
external-modules-download-path: .external_modules
framework:
- cloudformation
secrets-scan-file-type: []
skip-check:
- CKV_AWS_7
- CKV_AWS_18
- CKV_AWS_21
- CKV_AWS_62
- CKV_AWS_107
- CKV_AWS_108
- CKV_AWS_109
- CKV_AWS_110
- CKV_AWS_111
- CKV_AWS_116
- CKV_AWS_115
- CKV_AWS_117
- CKV_AWS_157
- CKV_AWS_162
- CKV_SECRET_14
Key configuration options
- branch — Specifies the main branch for reference
- directory — Lists directories to scan for templates
- framework — Set to cloudformation for CloudFormation template scanning
- evaluate-variables — Evaluates CloudFormation parameters and conditions
- skip-check — Lists specific check IDs to skip (pre-configured for common exceptions)
Inline suppressions
You can suppress checks for specific resources directly in your CloudFormation templates:
Resources:
  LogBucket:
    # checkov:skip=CKV_AWS_18:Access logging not required for log aggregation bucket
    Type: AWS::S3::Bucket
    Properties:
      BucketName: app-access-logs
Always include a justification comment explaining why the check is skipped.
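The justification rule above is easy to let slip in review, so here is an added audit script (not part of the starter kit) that scans a template for checkov:skip comments and reports any that carry no justification after the check ID. The template text is a constructed sample; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Checkov inline suppression syntax: "# checkov:skip=<CHECK_ID>" followed by an
# optional ":<justification>" suffix. The justification is what this audit enforces.
SKIP_RE = re.compile(r"#\s*checkov:skip=(?P<check>[A-Z0-9_]+)(?::(?P<reason>.*))?$")


@dataclass
class Suppression:
    line: int
    check: str
    reason: str  # empty string when no justification was given


def find_suppressions(template_text):
    """Return every inline suppression found in a CloudFormation template."""
    found = []
    for lineno, raw in enumerate(template_text.splitlines(), start=1):
        m = SKIP_RE.search(raw)
        if m:
            reason = (m.group("reason") or "").strip()
            found.append(Suppression(lineno, m.group("check"), reason))
    return found


def unjustified(suppressions):
    """Suppressions that skip a check without saying why."""
    return [s for s in suppressions if not s.reason]


def audit(template_text, name="template.yml"):
    """Human-readable findings, one line per unjustified suppression."""
    return [f"{name}:{s.line}: {s.check} skipped without justification"
            for s in unjustified(find_suppressions(template_text))]


# Constructed sample: one justified skip and one bare skip (line 8).
SAMPLE_TEMPLATE = """\
Resources:
  LogBucket:
    # checkov:skip=CKV_AWS_18:Access logging not required for log aggregation bucket
    Type: AWS::S3::Bucket
    Properties:
      BucketName: app-access-logs
  DataBucket:
    # checkov:skip=CKV_AWS_21
    Type: AWS::S3::Bucket
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATE):
        print(finding)
```

Running it over templates/*.yml in a pre-commit hook or CI step turns the "always include a justification" convention into a hard check.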
Customization
To customize the configuration:
- Edit .checkov.yml to skip additional checks or change scan directories
- Run ./scripts/validate-templates.sh to validate with your new configuration
For complete documentation on all configuration options, check IDs, compliance frameworks, and advanced customization, see the Checkov reference.
Running validation
Local validation
Run all validation checks before committing:
./scripts/validate-templates.sh
This runs both cfn-lint and Checkov on all templates.
Individual tools
Run tools separately:
# cfn-lint only
cfn-lint templates/*.yml
# Checkov only
checkov --directory templates/ --framework cloudformation
CI/CD integration
Both tools run automatically in GitHub Actions via the validation script. Failed checks block the deployment pipeline, ensuring only validated and secure infrastructure reaches production.
For details on how these tools integrate into the automated workflow, see the CI/CD Workflows documentation.
Next steps
- Learn more about cfn-lint capabilities and rules
- Explore Checkov security checks and compliance frameworks
- Review the Scripts reference for all available commands
- Understand the CI/CD workflows integration