Salt-lint

salt-lint checks Salt State files (SLS) for best practices and behavior that could potentially be improved.

The project is heavily based on ansible-lint, which was created by Will Thames and is now maintained as part of the Ansible by Red Hat project.

Demo

Installing

Using Pip

pip install salt-lint

From Source

pip install git+https://github.com/warpnet/salt-lint.git

Usage

Command Line Options

The following is the output from salt-lint --help, providing an overview of the basic command line options:

usage: salt-lint [-h] [--version] [-L] [-r RULESDIR] [-R] [-t TAGS] [-T] [-v] [-x SKIP_LIST] [--nocolor] [--force-color]
                 [--exclude EXCLUDE_PATHS] [--json] [--severity] [-c C]
                 files [files ...]

positional arguments:
  files                 One or more files or paths.

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -L                    list all the rules
  -r RULESDIR           specify one or more rules directories using one or more -r arguments. Any -r flags
                        override the default rules in /path/to/salt-lint/saltlint/rules, unless -R is also used.
  -R                    Use default rules in /path/to/salt-lint/saltlint/rules in addition to any extra rules
                        directories specified with -r. There is no need to specify this if no -r flags are used.
  -t TAGS               only check rules whose id/tags match these values
  -T                    list all the tags
  -v                    Increase verbosity level
  -x SKIP_LIST          only check rules whose id/tags do not match these values
  --nocolor, --nocolour
                        disable colored output
  --force-color, --force-colour
                        Try force colored output (relying on salt's code)
  --exclude EXCLUDE_PATHS
                        path to directories or files to skip. This option is repeatable.
  --json                parse the output as JSON
  --severity            add the severity to the standard output
  -c C                  Specify configuration file to use. Defaults to ".salt-lint"

Linting Salt State files

It's important to note that salt-lint accepts a list of Salt State files or a list of directories.

Docker

salt-lint is available on Dockerhub.

Example usage:

docker run -v $(pwd):/data:ro --entrypoint=/bin/bash -it warpnetbv/salt-lint:latest -c 'find /data -type f -name "*.sls" | xargs --no-run-if-empty salt-lint'

GitHub Action

Salt-lint is available on the GitHub marketplace as a GitHub Action. The salt-lint-action allows you to run salt-lint with no additional options.

To use the action simply add the following lines to your .github/workflows/main.yml.

on: [push]

jobs:
  test:
    runs-on: ubuntu-latest
    name: Salt Lint Action
    steps:
    - uses: actions/checkout@v1
    - name: Run salt-lint
      uses: roaldnefs/salt-lint-action@master
      env:
        ACTION_STATE_NAME: init.sls

Configuring

Configuration File

Salt-lint supports local configuration via a .salt-lint configuration file. Salt-lint checks the working directory for the presence of this file and applies any configuration found there. The configuration file location can also be overridden via the -c path/to/file CLI flag.

If a value is provided on both the command line and via a configuration file, the values will be merged (if a list like exclude_paths), or the True value will be preferred, in the case of something like quiet.

The following values are supported, and function identically to their CLI counterparts:

---
exclude_paths:
  - exclude_this_file
  - exclude_this_directory/
  - exclude/this/sub-directory/
skip_list:
  - 207
  - 208
tags:
  - formatting
verbosity: 1
rules:
  formatting:
    ignore: |
      ignore/this/directory/*.sls
      *.jinja
  210:
    ignore: 'exclude_this_file.sls'
severity: True

Pre-commit Setup

To use salt-lint with pre-commit, just add the following to your local repo's .pre-commit-config.yaml file. Prior to version 0.12.0 of pre-commit the file was hooks.yaml (now .pre-commit-config.yaml).

---

# For use with pre-commit.
# See usage instructions at http://pre-commit.com

-   repo: https://github.com/warpnet/salt-lint
    rev: v0.4.0
    hooks:
      - id: salt-lint

Optionally override the default file selection as follows:

      ...
      - id: salt-lint
        files: \.(sls|jinja|tmpl)$

Rules

List of rules

False Positives: Skipping Rules

Some rules are bit of a rule of thumb. To skip a specific rule for a specific task, inside your state add # noqa [rule_id] at the end of the line. You can skip multiple rules via a space-separated list. Example:

/tmp/testfile:
  file.managed:
    - source: salt://{{unspaced_var}}/example  # noqa: 206

Plugins

Currently, there is a salt-lint plugin available for the following applications:

Wish to create a salt-lint extension for your favourite editor? We're always looking for contributions!

Fix common issues

sed might be one of the better tools to fix common issues, as shown in commands below.

Note: these commands assume your current working directory is the salt (states) directory/repository.

Fix spacing around {{ var_name }}, eg. {{env}} --> {{ env }}:
sed -i -E "s/\{\{\s?([^}]*[^} ])\s?\}\}/\{\{ \1 \}\}/g" $(find . -name '*.sls')

Make the dir_mode, file_mode and mode arguments in the desired syntax:
sed -i -E "s/\b(dir_|file_|)mode: 0?([0-7]{3})/\1mode: '0\2'/" $(find . -name '*.sls')

Add quotes around numeric values that start with a 0:
sed -i -E "s/\b(minute|hour): (0[0-7]?)\$/\1: '\2'/" $(find . -name '*.sls')

Authors

The project is heavily based on ansible-lint, with the modified work by Warpnet B.V.. ansible-lint was created by Will Thames and is now maintained as part of the Ansible by Red Hat project.