# KubeLinter — Static Analysis for Kubernetes YAML and Helm Charts > KubeLinter checks Kubernetes manifests and Helm charts against security and production-readiness best practices, catching misconfigurations before they reach the cluster. ## Install Save as a script file and run: # KubeLinter — Static Analysis for Kubernetes YAML and Helm Charts ## Quick Use ```bash # Install via Go go install golang.stackrox.io/kube-linter/cmd/kube-linter@latest # Or download a binary curl -LO https://github.com/stackrox/kube-linter/releases/latest/download/kube-linter-linux chmod +x kube-linter-linux && sudo mv kube-linter-linux /usr/local/bin/kube-linter # Lint a directory of manifests kube-linter lint ./k8s/ # Lint a Helm chart kube-linter lint ./charts/myapp/ ``` ## Introduction KubeLinter is an open-source static analysis tool created by StackRox (now part of Red Hat). It scans Kubernetes YAML files and Helm charts for common misconfigurations — missing resource limits, containers running as root, writable root filesystems — and flags them before deployment, shifting security checks left into the development workflow. ## What KubeLinter Does - Scans Kubernetes YAML manifests for security and best-practice violations - Renders and analyzes Helm charts including values overrides - Ships with 40+ built-in checks covering security contexts, resource management, and networking - Supports custom check configuration to enforce organization-specific policies - Returns non-zero exit codes for CI/CD pipeline gating ## Architecture Overview KubeLinter is a single Go binary. It parses YAML files (or renders Helm charts via the Helm library) into Kubernetes object representations, then runs a configurable set of check functions against each object. Checks are categorized by severity and can be individually enabled, disabled, or customized. Results are output as structured text, JSON, or SARIF for integration with code scanning platforms. ## Self-Hosting & Configuration - Single binary with zero dependencies; runs on Linux, macOS, and Windows - Default checks run out of the box with no configuration required - `.kube-linter.yaml` at the repo root customizes which checks are enabled and their parameters - Custom checks can be defined using the built-in check template system - CI integration via GitHub Actions, GitLab CI, Jenkins, or any pipeline that runs shell commands ## Key Features - 40+ built-in checks covering runAsNonRoot, readOnlyRootFilesystem, resource limits, liveness probes, and more - Helm-native: renders charts with values before analysis, catching template-level issues - SARIF output integrates with GitHub Code Scanning and other security dashboards - Configurable severity thresholds for CI gating (error, warning, info) - Fast execution: scans hundreds of manifests in seconds ## Comparison with Similar Tools - **Kubescape** — Broader Kubernetes security platform with runtime scanning; KubeLinter focuses purely on static manifest analysis - **Datree** — Policy enforcement with a managed rule catalog; KubeLinter is fully offline and self-contained - **Polaris** — Similar static checks with a web dashboard; KubeLinter emphasizes CLI and CI integration - **Checkov** — Multi-framework IaC scanner (Terraform, CloudFormation, K8s); KubeLinter is Kubernetes-specific and lighter - **kube-score** — Kubernetes manifest linter with opinionated defaults; fewer built-in checks than KubeLinter ## FAQ **Q: Does KubeLinter require a running Kubernetes cluster?** A: No. It is purely static analysis. It reads YAML files from disk and does not connect to any cluster. **Q: Can I use KubeLinter with Kustomize?** A: Run `kustomize build | kube-linter lint -` to pipe rendered output into KubeLinter via stdin. **Q: How do I suppress a check for a specific resource?** A: Add an annotation `ignore-check.kube-linter.io/: "reason"` to the resource metadata. **Q: Is KubeLinter suitable for production policy enforcement?** A: For pre-deployment gating in CI it works well. For runtime enforcement, pair it with an admission controller like OPA Gatekeeper or Kyverno. ## Sources - https://github.com/stackrox/kube-linter - https://docs.kubelinter.io/ --- Source: https://tokrepo.com/en/workflows/asset-a42c21d3 Author: Script Depot