Add comprehensive Kubernetes and Helm chart linting capabilities with ~20,000 lines of new Rust code, translated from StackRox's Go implementations.

## New Analyzers

### KubeLint (src/analyzer/kubelint/)

Native Rust translation of stackrox/kube-linter with:
- 63 built-in security and best practice checks
- Kubernetes manifest validation (Deployments, Services, RBAC, etc.)
- Helm chart rendering support (shells to `helm template`)
- Kustomize directory support
- Annotation-based rule ignoring (@ignore-check.kube-linter.io)
- Multiple output formats (JSON, SARIF, plain text)
- Graceful fallback to raw YAML parsing when Helm render fails

Security checks include:
- Privileged containers, privilege escalation
- Run as non-root, read-only root filesystem
- Linux capabilities (NET_RAW, etc.)
- Host namespace access (network, PID, IPC)
- RBAC wildcards, secrets access, cluster-admin bindings
- Resource limits and requests
- Health probes (liveness, readiness)
- Service account configuration

### Helmlint (src/analyzer/helmlint/)

Native Rust implementation inspired by stackrox/helmtest with:
- Chart.yaml validation (apiVersion, metadata, dependencies)
- values.yaml validation (types, unused values detection)
- Go template syntax analysis (unclosed blocks, undefined variables)
- Security checks for rendered templates
- Best practice validation (resource limits, probes, deprecated APIs)
- Inline pragma support for ignoring rules

Rule categories (HL1xxx-HL5xxx):
- HL1xxx: Chart structure validation
- HL2xxx: Values file validation
- HL3xxx: Template syntax checking
- HL4xxx: Security checks
- HL5xxx: Kubernetes best practices

## Agent Tool Integration

- KubelintTool: Agent tool with AI-optimized JSON output
  - Priority-based issue categorization (critical/high/medium/low)
  - Category tagging (security/rbac/best-practice/validation)
  - Quick fixes and remediation guidance
  - Decision context for AI reasoning
- HelmlintTool: Agent tool for Helm chart validation
  - Structured output with action plans
  - File-level issue grouping
  - Template error highlighting

## Terminal UI (Claude Code style)

- Rich inline preview in tool call display
- Priority indicators with emoji (🔴🟠🟡🟢)
- Category badges ([SEC], [RBAC], [BP], [VAL], [TPL])
- Kubernetes (☸) and Helm (⎈) icons
- Collapsible output with "+N more" indicators
- Quick fix hints for high-priority issues

## Bug Fixes

- Fixed double-encoding bug in hooks.rs where Rig framework's JSON serialization caused kubelint/helmlint to always show "OK - no issues found" even when issues existed
- Added graceful fallback for broken Helm charts that can't be rendered - now parses raw template YAML files instead of failing

## Attribution

Both tools are derivative works under Apache-2.0 license:
- kubelint: https://github.com/stackrox/kube-linter
- helmlint: https://github.com/stackrox/helmtest

Original copyright: StackRox, Inc. (now part of Red Hat)

See THIRD_PARTY_NOTICES.md for full attribution details.

## Test Files

Added test fixtures in tests/test-lint/:
- helm-chart/: Intentionally broken Helm chart for testing
- k8s/: Insecure Kubernetes manifests with 46 total issues

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Merged
Alex793x added a commit that referenced this pull request Mar 28, 2026
No description provided.