Checks playbooks for practices and behaviour that could potentially be improved.

Check local CloudFormation templates against policy-as-code rules and generate rules from existing templates.

AWS Labs CloudFormation linter.

A linter for AWS CloudFormation templates.

Static analysis tool for Terraform files (tf>=v0.12), preventing cloud misconfigs at build time.

Cookstyle is a linting tool based on the RuboCop Ruby linting tool for Chef cookbooks.

A lint tool that checks Chef cookbooks for common problems.

Check that your Puppet manifests conform to the style guide.

A lightweight, compliance- and security focused, BDD test framework against Terraform.

Collection of security and best practice tests for static code analysis of Terraform templates.

A Terraform linter for detecting errors that can not be detected by terraform plan.

Secure DevOps kit for Azure (AzSK) provides security IntelliSense, Security Verification Tests (SVTs), CICD scan vulnerabilities, compliance issues, and infrastructure misconfiguration in your infrastructure-as-code. Supports Azure via ARM.

In-depth static analysis to find issues in verticals of bug risks, security, anti-patterns, performance, documentation and style. Native integrations with GitHub, GitLab and Bitbucket. Less than 5% false positives.

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations in your infrastructure-as-code. Supports Terraform, Kubernetes, Docker, AWS CloudFormation and Ansible

Mega-Linter can handle any type of project thanks to its 70+ embedded Linters, its advanced reporting, runnable on any CI system or locally, with assisted installation and configuration, able to apply formatting and fixes

Tool to check the validity of Puppet metadata.json files.

Identify vulnerabilities that are unique to your code base before they reach production. Leverages the Code Property Graph (CPG) to run its analyses concurrently in a single graph of graphs. Automatically finds business logic flaws in dev like hardcoded secrets and logic bombs

A fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time. Its rules look like the code you already write; no abstract syntax trees or regex wrestling. Supports 17+ languages.

Scan is a free open-source DevSecOps platform for detecting security issues in source code and dependencies. It supports a broad range of languages and CI/CD pipelines.

Combination of multiple linters to install as a GitHub Action.

Terraform static analysis tool that prevents potential security issues by checking cloud misconfigurations at build time and directly integrates with the HCL parser for better results. Checks for violations of AWS, Azure and GCP security best practice recommendations.