syncable_cli/analyzer/kubelint/
mod.rs

1//! KubeLint-RS: Native Rust Kubernetes Linter
2//!
3//! A Rust translation of the kube-linter project.
4//!
5//! # Attribution
6//!
7//! This module is a derivative work based on [kube-linter](https://github.com/stackrox/kube-linter),
8//! originally written in Go by StackRox (Red Hat).
9//!
10//! **Original Project:** <https://github.com/stackrox/kube-linter>
11//! **Original License:** Apache-2.0
12//! **Original Copyright:** Copyright (c) StackRox, Inc.
13//!
14//! This Rust translation maintains compatibility with the Apache-2.0 license.
15//! See THIRD_PARTY_NOTICES.md and LICENSE files for full details.
16//!
17//! # Features
18//!
19//! - Kubernetes YAML file validation
20//! - Helm chart linting (with template rendering)
21//! - Kustomize directory support
22//! - 63 built-in security and best practice checks
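23//! - Annotation-based rule ignoring (the annotations live in the manifests being linted, so a clean result can reflect suppressed checks; review ignore annotations when the linter gates a pipeline)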
24//! - Multiple output formats (JSON, SARIF, plain text)
25//!
26//! # Example
27//!
28//! ```rust,ignore
29//! use syncable_cli::analyzer::kubelint::{lint, KubelintConfig, LintResult};
30//! use std::path::Path;
31//!
32//! let config = KubelintConfig::default();
33//! let result = lint(Path::new("./k8s/deployment.yaml"), &config);
34//!
35//! for failure in result.failures {
36//!     println!("{}: {} - {}", failure.file_path.display(), failure.code, failure.message);
37//! }
38//! ```
39//!
40//! # Checks
41//!
42//! KubeLint includes 63 built-in checks covering:
43//!
44//! ## Security Checks
45//! - Privileged containers
46//! - Privilege escalation
47//! - Run as non-root
48//! - Read-only root filesystem
49//! - Linux capabilities
50//! - Host namespace access (network, PID, IPC)
51//! - Host path mounts
52//!
53//! ## Best Practice Checks
54//! - Image tag policies (no `:latest`; any other tag is still mutable, so this is not the same as pinning by digest)
55//! - Liveness/readiness probes
56//! - Resource requirements (CPU/memory)
57//! - Minimum replicas
58//! - Anti-affinity rules
59//! - Rolling update strategy
60//!
61//! ## RBAC Checks
62//! - Cluster admin bindings
63//! - Wildcard rules
64//! - Access to sensitive resources
65//!
66//! ## Validation Checks
67//! - Dangling services/ingresses
68//! - Selector mismatches
69//! - Invalid target ports
70
71pub mod checks;
72pub mod config;
73pub mod context;
74pub mod extract;
75pub mod formatter;
76pub mod lint;
77pub mod objectkinds;
78pub mod parser;
79pub mod pragma;
80pub mod templates;
81pub mod types;
82
83// Re-export main types and functions
84pub use config::KubelintConfig;
85pub use formatter::{OutputFormat, format_result, format_result_to_string};
86pub use lint::{LintResult, LintSummary, lint, lint_content, lint_file};
87pub use types::{CheckFailure, Diagnostic, RuleCode, Severity};