
How does cfn-guard differentiate from cfn-linter? #9

Closed
tvb opened this issue Jun 16, 2020 · 8 comments
Labels
question Further information is requested

Comments

@tvb

tvb commented Jun 16, 2020

Hi AWS,

Awesome news! cfn-guard really looks promising. I do have one question. How does cfn-guard differentiate from cfn-linter (https://github.com/aws-cloudformation/cfn-python-lint)?

@adamchainz

This is also my question. I've written custom cfn-lint rules for compliance. cfn-guard seems to be a faster way of writing such rules. Why isn't it part of cfn-lint?

@nathanataws
Contributor

We see the two tools as complementary. As @adamchainz has correctly intuited, cfn-guard is purpose-built and optimized specifically for the tasks of rule-writing and checking.

@nathanataws nathanataws added the question Further information is requested label Jun 18, 2020
@tvb
Author

tvb commented Jun 19, 2020

Hi @nathanataws thank you for replying.

Could you elaborate a bit more on this? If you can write rules in cfn-guard, why would one write rules also in cfn-lint?

I think I understand what you are saying. It means we can use the basic checks for valid CFN with cfn-lint and if you need custom rules (e.g.: check for missing tags?) you can use cfn-guard to write these?
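
The "check for missing tags" custom rule mentioned above, written as an added example in plain Python over a parsed template (it is not cfn-guard or cfn-lint code and needs neither tool installed); the required tag keys and the set of taggable resource types are assumptions:

```python
"""Standalone check for required tags on CloudFormation resources.

Added example, not code from cfn-guard or cfn-lint: it implements the
kind of custom rule asked about in this thread ("check for missing tags")
over a parsed template dict so it runs without either tool installed.
"""
import json

# Assumed policy: every taggable resource must carry these tag keys.
REQUIRED_TAGS = ("Owner", "CostCenter")
# Assumed subset of resource types whose Properties accept a Tags list.
TAGGABLE_TYPES = {"AWS::S3::Bucket", "AWS::EC2::Instance", "AWS::EC2::Volume"}


def find_missing_tags(template, required=REQUIRED_TAGS, taggable=TAGGABLE_TYPES):
    """Return {logical_id: [missing tag keys]} for taggable resources.

    A resource with no Tags property at all is reported as missing every
    required key; resource types outside `taggable` are skipped, not flagged.
    """
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in taggable:
            continue
        tags = (resource.get("Properties") or {}).get("Tags") or []
        # Tags are a list of {"Key": ..., "Value": ...}; ignore malformed entries.
        present = {t.get("Key") for t in tags if isinstance(t, dict)}
        missing = [key for key in required if key not in present]
        if missing:
            findings[logical_id] = missing
    return findings


# Constructed sample template: one compliant bucket, one partially tagged
# instance, one untagged volume, and an IAM role that this check skips.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"Tags": [{"Key": "Owner", "Value": "sec"},
                              {"Key": "CostCenter", "Value": "42"}]}},
    "Web": {"Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-PLACEHOLDER",
                     "Tags": [{"Key": "Owner", "Value": "web"}]}},
    "Data": {"Type": "AWS::EC2::Volume",
      "Properties": {"Size": 20, "AvailabilityZone": "us-east-1a"}},
    "Role": {"Type": "AWS::IAM::Role", "Properties": {}}
  }
}""")

if __name__ == "__main__":
    for rid, keys in find_missing_tags(SAMPLE_TEMPLATE).items():
        print(f"{rid}: missing tags {keys}")
```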

@MTNPCGCG

Will there be a mechanism for more complex (programmatic rules) as well? For most rules, the rule syntax from cfn-guard is fantastic, but occasionally something more complex might be needed.

@ranman166

So I could assume this is similar to cfn-nag?

@n1t1nv3rma

n1t1nv3rma commented Nov 11, 2020

IMO, this is a great tool for non-programmers to create simple and easy to understand validation rules.
So one can just rely on a combination of the standard AWS CLI "aws cloudformation validate-template..." and CFN Guard.

@PatMyron
Contributor

PatMyron commented Nov 12, 2020

So one can just rely on a combination of the standard AWS CLI "aws cloudformation validate-template..." and CFN Guard.

aws cloudformation validate-template unfortunately only does very basic validation and does not catch much

cfn-guard and opa focus on faster custom rule writing for concise constraints and don't have plans for default rules

cfn-lint focuses more on default rules which mostly catch deployment failures since CloudFormation itself doesn't do enough static analysis before provisioning resources
(cfn-lint has other default rules like not hardcoding sensitive properties/availability zones/partitions/etc, setting DeletionPolicy/UpdateReplacePolicy to protect certain resources, approaching template limits, unused Parameters/Mappings/Conditions, etc.)

cfn_nag/cfripper default rules focus more on security

cfn-lint/cfn_nag/cfripper all support more extensible custom rules in addition to their default rules if custom rules aren't expressible within cfn-guard / opa concise constraints

@PatMyron PatMyron pinned this issue Nov 15, 2020
priyap286 pushed a commit that referenced this issue May 17, 2021
Make StatusContext struct serializable using serde so that it can be serialized to JSON. 
Added command line option that lets users print output as JSON. 
The new command line option must be set along with the verbose flag.
@razcloud
Contributor

razcloud commented May 2, 2022

Closing this issue as it was a Q&A, and the original question was answered.

For other questions, please create a new Issue. Thank you.

@razcloud razcloud closed this as completed May 2, 2022