Lint Rules
The Kubernetes lexicon ships lint rules that run during chant lint and post-synth checks that validate the serialized YAML after chant build.
Lint rules
Section titled “Lint rules”Lint rules analyze your TypeScript source code before build.
WK8001 — Hardcoded namespace
Section titled “WK8001 — Hardcoded namespace”Severity: warning | Category: correctness
Flags hardcoded namespace strings in resource constructors. Namespaces should be parameterized or derived from configuration.
// Bad — hardcoded namespacenew Deployment({ metadata: { namespace: "production" } });
// Good — parameterizednew Deployment({ metadata: { namespace: config.namespace } });Post-synth checks
Section titled “Post-synth checks”Post-synth checks run against the serialized YAML after build.
Security
Section titled “Security”| Rule | Description |
|---|---|
| WK8005 | Hardcoded secrets in environment variables |
| WK8041 | API keys detected in env values |
| WK8042 | Private keys in ConfigMaps or Secrets |
| WK8202 | Privileged container (privileged: true) |
| WK8203 | Writable root filesystem (readOnlyRootFilesystem not set) |
| WK8204 | Container running as root (runAsNonRoot not set) |
| WK8205 | Capabilities not dropped (drop: ["ALL"] missing) |
| WK8207 | Host network access (hostNetwork: true) |
| WK8208 | Host PID namespace (hostPID: true) |
| WK8209 | Host IPC namespace (hostIPC: true) |
Best practices
Section titled “Best practices”| Rule | Description |
|---|---|
| WK8006 | Latest image tag or untagged image |
| WK8101 | Deployment selector doesn’t match template labels |
| WK8102 | Resource missing metadata.labels |
| WK8103 | Container missing name |
| WK8104 | Unnamed container ports |
| WK8105 | Missing imagePullPolicy |
Reliability
Section titled “Reliability”| Rule | Description |
|---|---|
| WK8201 | Container missing resource limits |
| WK8301 | Port-serving container missing health probes (skips Jobs/CronJobs and port-less workers) |
| WK8302 | Single replica Deployment |
| WK8303 | HA Deployment without PodDisruptionBudget |
Argo CD
Section titled “Argo CD”Quality checks for the Argo CD composites. ARGO001/ARGO004 are declarative (source AST); ARGO002/003/005 are post-synth (cross-resource / filesystem).
| Rule | Description |
|---|---|
| ARGO001 | Production Application enables automated prune without the argocd.chant.dev/allow-prune override |
| ARGO002 | Application.spec.project references an undeclared AppProject |
| ARGO003 | Application.spec.destination references an unregistered cluster |
| ARGO004 | ApplicationSet template doesn’t scope to a single static AppProject |
| ARGO005 | Application source.path doesn’t resolve to a directory (warn) |
Running lint
Section titled “Running lint”# Lint your chant projectchant lint
# Build (also runs post-synth checks)chant buildTo suppress a rule on a specific line:
// chant-disable-next-line WK8001export const deploy = new Deployment({ metadata: { namespace: "prod" } });To suppress globally in chant.config.ts:
export default { lint: { rules: { WK8001: "off", }, },};