# Lint Rules

The GCP lexicon ships lint rules that run during `chant lint` and post-synth checks that validate the serialized YAML after `chant build`.

## Lint rules

Lint rules analyze your TypeScript source code before build.

| Rule | Description |
|---|---|
| WGC001 | Hardcoded project ID in resource constructors |
| WGC002 | Hardcoded region in resource constructors |
| WGC003 | Public IAM member (allUsers/allAuthenticatedUsers) |

## Post-synth checks

Post-synth checks run against the serialized YAML after build.

### Security

| Rule | Description |
|---|---|
| WGC101 | Missing encryption on StorageBucket or SQLInstance |
| WGC102 | Public IAM member detected in output |
| WGC104 | Missing uniform bucket-level access |
| WGC105 | Cloud SQL with public 0.0.0.0/0 in authorizedNetworks |
| WGC109 | ComputeFirewall allowing all sources (0.0.0.0/0) |
| WGC110 | KMS CryptoKey without rotation period |

### Best practices

| Rule | Description |
|---|---|
| WGC103 | Missing project annotation (uses namespace default) |
| WGC106 | Missing deletion policy annotation |
| WGC107 | StorageBucket without versioning |
| WGC108 | SQLInstance without backup configuration |
| WGC201 | Missing managed-by label |
| WGC202 | GKE cluster without workload identity |
| WGC203 | GKE node pool with overly broad cloud-platform OAuth scope |
| WGC204 | ComputeInstance without shielded VM config |

### Compliance

| Rule | Description |
|---|---|
| WGC301 | No IAMAuditConfig resource in output |
| WGC302 | No Service (API enablement) resource in output |
| WGC303 | No VPC Service Controls perimeter |
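
To make concrete what a post-synth check does, the following is an added example (not chant's own implementation) of a small checker that walks already-parsed build output and applies four of the rules from the tables above: WGC102, WGC103, WGC105 and WGC109. The resource field paths it inspects (`spec.member`, `spec.settings.ipConfiguration.authorizedNetworks[].value`, `spec.sourceRanges`) are assumed to follow Config Connector conventions; the sample output at the bottom is constructed for the example, not taken from a real build.

```typescript
// Added example, not chant's own code: a post-synth style checker over parsed
// YAML output. Assumed Config Connector resource shapes:
//   IAMPolicyMember    -> spec.member
//   SQLInstance        -> spec.settings.ipConfiguration.authorizedNetworks[].value
//   ComputeFirewall    -> spec.sourceRanges
//   project annotation -> metadata.annotations["cnrm.cloud.google.com/project-id"]

interface Resource {
  kind: string;
  metadata: { name: string; annotations?: Record<string, string> };
  spec?: any;
}

interface Finding {
  rule: string;
  resource: string;
  message: string;
}

const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);
const ANY_IPV4 = "0.0.0.0/0";
const PROJECT_ANNOTATION = "cnrm.cloud.google.com/project-id";

function checkResource(r: Resource): Finding[] {
  const findings: Finding[] = [];
  const id = `${r.kind}/${r.metadata.name}`;
  const spec = r.spec ?? {};
  const report = (rule: string, message: string) =>
    findings.push({ rule, resource: id, message });

  // WGC102: public IAM member detected in output
  if (r.kind === "IAMPolicyMember" && PUBLIC_MEMBERS.has(spec.member)) {
    report("WGC102", `public IAM member ${spec.member}`);
  }

  // WGC105: Cloud SQL with 0.0.0.0/0 in authorizedNetworks
  if (r.kind === "SQLInstance") {
    const nets: Array<{ value?: string }> =
      spec.settings?.ipConfiguration?.authorizedNetworks ?? [];
    if (nets.some((n) => n.value === ANY_IPV4)) {
      report("WGC105", "authorizedNetworks allows 0.0.0.0/0");
    }
  }

  // WGC109: ComputeFirewall allowing all sources
  if (r.kind === "ComputeFirewall") {
    const ranges: string[] = spec.sourceRanges ?? [];
    if (ranges.includes(ANY_IPV4)) {
      report("WGC109", "sourceRanges allows 0.0.0.0/0");
    }
  }

  // WGC103: missing project annotation (resource falls back to the namespace default)
  if (!r.metadata.annotations?.[PROJECT_ANNOTATION]) {
    report("WGC103", `missing ${PROJECT_ANNOTATION} annotation`);
  }

  return findings;
}

// Check every resource in a build's output; findings come back sorted by rule id.
function checkOutput(resources: Resource[]): Finding[] {
  return resources
    .flatMap(checkResource)
    .sort((a, b) => a.rule.localeCompare(b.rule));
}

// Constructed sample output (not a real chant build): two violating resources
// and one clean one.
const SAMPLE_OUTPUT: Resource[] = [
  {
    kind: "IAMPolicyMember",
    metadata: { name: "public-reader", annotations: { [PROJECT_ANNOTATION]: "my-project" } },
    spec: { member: "allUsers", role: "roles/storage.objectViewer" },
  },
  {
    kind: "ComputeFirewall",
    metadata: { name: "allow-ssh" }, // no project annotation -> WGC103 as well
    spec: { sourceRanges: ["0.0.0.0/0"], allow: [{ protocol: "tcp", ports: ["22"] }] },
  },
  {
    kind: "SQLInstance",
    metadata: { name: "db", annotations: { [PROJECT_ANNOTATION]: "my-project" } },
    spec: { settings: { ipConfiguration: { authorizedNetworks: [{ value: "10.0.0.0/8" }] } } },
  },
];

const FINDINGS = checkOutput(SAMPLE_OUTPUT);
for (const f of FINDINGS) {
  console.log(`${f.rule} ${f.resource}: ${f.message}`);
}
```

Running this over the constructed sample reports WGC102 for the `allUsers` binding, and WGC103 plus WGC109 for the firewall; the SQLInstance, whose only authorized network is a private range, produces nothing. The checks operate on the serialized objects rather than on source, which is exactly why a rule such as WGC103 belongs in the post-synth stage: the annotation may be set by a helper far from the constructor call, so only the final output can tell whether it is actually present.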

## Running lint

```sh
# Lint your chant project
chant lint

# Build (also runs post-synth checks)
chant build
```

To suppress a rule on a specific line:

```ts
// chant-disable-next-line WGC001
const bucket = new StorageBucket({
  metadata: {
    annotations: { "cnrm.cloud.google.com/project-id": "my-project" },
  },
});
```