Linting and Static Code Analysis

Configure cfn-lint and Checkov to enforce code quality and security standards in your CloudFormation templates.
Overview

The starter kit includes pre-configured linting and security scanning that runs locally and in CI/CD. These tools catch errors early and ensure security compliance before infrastructure reaches production.

Tools included

| Tool | Purpose |
| --- | --- |
| cfn-lint | Validates template syntax, resource properties, and AWS best practices |
| Checkov | Scans for security misconfigurations and compliance violations |

Both tools run automatically via the validation script and in GitHub Actions.

cfn-lint configuration

The starter kit includes .cfnlintrc:

templates:
  - templates/*.yml
ignore_templates:
  - codebuild.yaml

What it validates

| Check | Description |
| --- | --- |
| Syntax errors | Invalid YAML/JSON structure |
| Resource properties | Required properties, valid values, types |
| AWS limits | Resource name lengths, parameter counts |
| Best practices | Proper use of Refs, GetAtt, intrinsic functions |
| Region availability | Resources available in target regions |

Customization

Edit .cfnlintrc to add/remove template patterns or ignore rules. See the cfn-lint reference for complete documentation.

Checkov configuration

The starter kit includes .checkov.yml:

branch: main
directory:
  - templates
download-external-modules: false
evaluate-variables: true
external-modules-download-path: .external_modules
framework:
  - cloudformation
secrets-scan-file-type: []
skip-check:
  - CKV_AWS_7
  - CKV_AWS_18
  - CKV_AWS_21
  - CKV_AWS_62
  - CKV_AWS_107
  - CKV_AWS_108
  - CKV_AWS_109
  - CKV_AWS_110
  - CKV_AWS_111
  - CKV_AWS_115
  - CKV_AWS_116
  - CKV_AWS_117
  - CKV_AWS_157
  - CKV_AWS_162
  - CKV_SECRET_14

Configuration options

| Option | Description |
| --- | --- |
| framework | Set to cloudformation for template scanning |
| directory | Lists directories to scan |
| evaluate-variables | Evaluates CloudFormation parameters |
| skip-check | Check IDs to skip (pre-configured exceptions) |

Inline suppressions

Suppress checks for specific resources:

Resources:
  LogBucket:
    # checkov:skip=CKV_AWS_18:Access logging not required for log aggregation bucket
    Type: AWS::S3::Bucket
    Properties:
      BucketName: app-access-logs

Always include a justification explaining why the check is skipped.
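The justification rule above is easy to state but easy to forget, and Checkov itself accepts a bare `checkov:skip=<ID>` with no reason. The following script is an added example (not part of the starter kit) that audits templates for the `# checkov:skip=<ID>:<reason>` comment format and reports suppressions whose justification is missing, too short, or whose check ID is malformed. The sample template, the `min_reason_len` threshold, and the `CHECK_ID_RE` pattern (assumed to cover `CKV_*` and `CKV2_*` IDs) are assumptions made for the example; the check IDs used in the sample are taken from the `.checkov.yml` above and carry no claim about what each check does.

```python
"""Audit Checkov inline suppressions in CloudFormation templates.

Added example, not part of the starter kit: every `# checkov:skip=<ID>:<reason>`
comment must carry a non-empty justification and a well-formed check ID.
Offending suppressions are reported with their line number.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Checkov's inline suppression format: "checkov:skip=<CHECK_ID>:<optional reason>".
# The reason group is optional because Checkov accepts a bare ID; that is exactly
# the case this audit is meant to flag.
SKIP_RE = re.compile(r"#\s*checkov:skip=(?P<check_id>[^:\s]+)(?::(?P<reason>.*?))?\s*$")

# Assumed shape of a Checkov check ID, e.g. CKV_AWS_18, CKV2_AWS_5, CKV_SECRET_14.
CHECK_ID_RE = re.compile(r"^CKV2?_[A-Z]+_\d+$")


@dataclass
class Finding:
    line: int
    check_id: str
    problem: str


def audit_suppressions(template_text: str, min_reason_len: int = 10) -> list[Finding]:
    """Return one Finding per suppression comment that violates the justification rule.

    min_reason_len is an assumed threshold: anything shorter than ten characters
    ("wip", "todo", "fix later") is not a justification a reviewer can act on.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        m = SKIP_RE.search(line)
        if not m:
            continue
        check_id = m.group("check_id")
        reason = (m.group("reason") or "").strip()
        if not CHECK_ID_RE.match(check_id):
            findings.append(Finding(lineno, check_id, "malformed check ID"))
        if not reason:
            findings.append(Finding(lineno, check_id, "missing justification"))
        elif len(reason) < min_reason_len:
            findings.append(Finding(lineno, check_id, f"justification too short: {reason!r}"))
    return findings


# Constructed sample template: one well-justified suppression and three that should fail.
SAMPLE_TEMPLATE = """\
Resources:
  LogBucket:
    # checkov:skip=CKV_AWS_18:Access logging not required for log aggregation bucket
    Type: AWS::S3::Bucket
    Properties:
      BucketName: app-access-logs
  StagingBucket:
    # checkov:skip=CKV_AWS_21
    Type: AWS::S3::Bucket
  ScratchBucket:
    # checkov:skip=CKV_AWS_7:wip
    Type: AWS::S3::Bucket
  ExportBucket:
    # checkov:skip=AWS_62:versioning handled by lifecycle policy
    Type: AWS::S3::Bucket
"""


def main(paths: list[str]) -> int:
    """Audit the given template files (or the embedded sample); exit 1 on any finding."""
    total = 0
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_TEMPLATE)]
    for name, text in sources:
        for f in audit_suppressions(text):
            print(f"{name}:{f.line}: {f.check_id}: {f.problem}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_suppressions.py templates/*.yml` in the validation script so an unjustified suppression fails the pipeline the same way a failed Checkov check does; with no arguments it audits the embedded sample and reports the three bad suppressions.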

See the Checkov reference for complete documentation.

Running validation

Via validation script

./scripts/validate-templates.sh

Runs Checkov security scanning on all templates using the .checkov.yml configuration.

Individual tools

# cfn-lint only
cfn-lint templates/*.yml

# Checkov only
checkov --directory templates/ --framework cloudformation

CI/CD integration

Both tools run automatically in GitHub Actions. Failed checks block the deployment pipeline, ensuring only validated and secure infrastructure reaches production.

See CI/CD Workflows for integration details.

Next steps