\u672c\u6587\u662fAnsible lint Advent Calendar 2022\u7684\u7b2c\u4e8c\u7bc7\u6587\u7ae0\u3002<\/p>\n
\u8fd9\u6b21\u6211\u4eec\u5c06\u89e3\u91ca\u4e00\u4e0bAnsible lint\u547d\u4ee4\u3002<\/p>\n
$ <\/span>ansible-lint --help<\/span>\r\nusage: ansible-lint [<\/span>-h<\/span>]<\/span> [<\/span>-L<\/span> | -T<\/span>]<\/span>\r\n [<\/span>-f<\/span> {<\/span>rich,plain,md,json,codeclimate,quiet,pep8,sarif,docs}]<\/span>\r\n [<\/span>-q<\/span>]<\/span>\r\n [<\/span>-P<\/span> [{<\/span>min,basic,moderate,safety,shared,production}<\/span> ...]]\r\n [<\/span>-p<\/span>]<\/span> [<\/span>--progressive<\/span>]<\/span> [<\/span>--project-dir<\/span> PROJECT_DIR]\r\n [<\/span>-r<\/span> RULESDIR] [<\/span>-R<\/span>]<\/span> [<\/span>-s<\/span>]<\/span> [<\/span>--write<\/span> [<\/span>WRITE_LIST]]\r\n [<\/span>--show-relpath<\/span>]<\/span> [<\/span>-t<\/span> TAGS] [<\/span>-v<\/span>]<\/span> [<\/span>-x<\/span> SKIP_LIST]\r\n [<\/span>-w<\/span> WARN_LIST] [<\/span>--enable-list<\/span> ENABLE_LIST] [<\/span>--nocolor<\/span>]<\/span>\r\n [<\/span>--force-color<\/span>]<\/span> [<\/span>--exclude<\/span> EXCLUDE_PATHS] [<\/span>-c<\/span> CONFIG_FILE]\r\n [<\/span>--offline<\/span>]<\/span> [<\/span>--version<\/span>]<\/span>\r\n [<\/span>lintables ...]\r\n\r\npositional arguments:\r\n lintables One or more files or paths. When missing it will\r\n enable <\/span>auto-detection mode.\r\n\r\noptions:\r\n -h<\/span>, --help<\/span> show this help <\/span>message and exit<\/span>\r\n -L<\/span>, --list-rules<\/span> List all the rules. For listing rules only the\r\n following formats for <\/span>argument -f<\/span> are supported:\r\n {<\/span>plain, rich, md}<\/span>\r\n -T<\/span>, --list-tags<\/span> List all the tags and the rules they cover. Increase\r\n the verbosity level with `<\/span>-v<\/span>`<\/span> to include 'opt-in'<\/span> tag\r\n and its rules.\r\n -f<\/span> {<\/span>rich,plain,md,json,codeclimate,quiet,pep8,sarif,docs}<\/span>, --format<\/span> {<\/span>rich,plain,md,json,codeclimate,quiet,pep8,sarif,docs}<\/span>\r\n stdout formatting, json being an alias <\/span>for\r\n <\/span>codeclimate. (<\/span>default: rich)<\/span>\r\n -q<\/span> quieter, reduce verbosity, can be specified twice.\r\n -P<\/span> [{<\/span>min,basic,moderate,safety,shared,production}<\/span> ...], --profile<\/span> [{<\/span>min,basic,moderate,safety,shared,production}<\/span> ...]\r\n Specify which rules profile to be used, or displays\r\n available profiles when no argument is given.\r\n -p<\/span>, --parseable<\/span> parseable output, same as '-f pep8'<\/span>\r\n --progressive<\/span> Return success if <\/span>it detects a reduction in <\/span>number of\r\n violations compared with previous git commit. This\r\n feature works only in <\/span>git repositories.\r\n --project-dir<\/span> PROJECT_DIR\r\n Location of project\/repository, autodetected based on\r\n location of configuration file.\r\n -r<\/span> RULESDIR, --rules-dir<\/span> RULESDIR\r\n Specify custom rule directories. Add -R<\/span> to keep using\r\n embedded rules from \/home\/docs\/checkouts\/readthedocs.o\r\n rg\/user_builds\/ansible-\r\n lint\/envs\/latest\/lib\/python3.10\/site-\r\n packages\/ansiblelint\/rules\r\n -R<\/span> Keep default rules when using -r<\/span>\r\n -s<\/span>, --strict<\/span> Return non-zero exit <\/span>code on warnings as well as\r\n errors\r\n --write<\/span> [<\/span>WRITE_LIST] Allow ansible-lint to reformat YAML files and run rule\r\n transforms (<\/span>Reformatting YAML files standardizes\r\n spacing, quotes, etc. A rule transform can fix or\r\n simplify fixing issues identified by that rule)<\/span>.<\/span> You\r\n can limit the effective rule transforms (<\/span>the\r\n 'write_list'<\/span>)<\/span> by passing a keywords 'all'<\/span> or 'none'<\/span> or\r\n a comma separated list of rule ids or rule tags. YAML\r\n reformatting happens whenever '--write'<\/span> or '--write='<\/span>\r\n is used. '--write'<\/span> and '--write=all'<\/span> are equivalent:\r\n they allow all transforms to run. The effective list\r\n of transforms comes from 'write_list'<\/span> in <\/span>the config\r\n file, followed whatever '--write'<\/span> args are provided on\r\n the commandline. '--write=none'<\/span> resets the list of\r\n transforms to allow reformatting YAML without running\r\n any of the transforms (<\/span>ie '--write=none,rule-id'<\/span> will\r\n ignore write_list in <\/span>the config file and only run the\r\n rule-id transform)<\/span>.<\/span>\r\n --show-relpath<\/span> Display path relative to CWD\r\n -t<\/span> TAGS, --tags<\/span> TAGS only check rules whose id<\/span>\/tags match these values\r\n -v<\/span> Increase verbosity level (<\/span>-vv<\/span> for <\/span>more)<\/span>\r\n -x<\/span> SKIP_LIST, --skip-list<\/span> SKIP_LIST\r\n only check rules whose id<\/span>\/tags do <\/span>not match these\r\n values\r\n -w<\/span> WARN_LIST, --warn-list<\/span> WARN_LIST\r\n only warn about these rules, unless overridden in\r\n <\/span>config file. Current version default value is: avoid-\r\n implicit, experimental, fqcn[action], fqcn[redirect],\r\n jinja[spacing], name[casing], name[play], role-name,\r\n warning[empty-playbook], role-name[path]\r\n --enable-list<\/span> ENABLE_LIST\r\n activate optional rules by their tag name\r\n --nocolor<\/span> disable colored output, same as NO_COLOR<\/span>=<\/span>1\r\n --force-color<\/span> Force colored output, same as FORCE_COLOR<\/span>=<\/span>1\r\n --exclude<\/span> EXCLUDE_PATHS\r\n path to directories or files to skip. This option is\r\n repeatable.\r\n -c<\/span> CONFIG_FILE, --config-file<\/span> CONFIG_FILE\r\n Specify configuration file to use. By default it will\r\n look for<\/span> '.ansible-lint'<\/span> or '.config\/ansible-lint.yml'<\/span>\r\n --offline<\/span> Disable installation of requirements.yml\r\n --version<\/span>\r\n<\/code><\/pre>\n\u57fa\u672c\u7684\u547d\u4ee4 de<\/h3>\nansible-lint <\u30d5\u30a1\u30a4\u30eb\u540d>\r\n<\/code><\/pre>\n\u5982\u679c\u6587\u4ef6\u540d\u88ab\u7701\u7565\uff0cAnsible lint\u4f1a\u81ea\u52a8\u68c0\u6d4bplaybook\u3001role\u3001collection\u7b49\u6587\u4ef6\uff0c\u5e76\u6267\u884clint\u5904\u7406\u3002<\/p>\n
\u663e\u793a\u6240\u6709\u89c4\u5219\u3010-L\uff0c–list-rules\u3011\u3002<\/h3>\nansible-lint -L<\/span>\r\n## \u3082\u3057\u304f\u306f <\/span>\r\n## ansible-lint --list-rules<\/span>\r\n<\/code><\/pre>\n\u60c5\u5831\u91cf\u304c\u591a\u3044\u3067\u3059\u3002
\navoid-implicit \u2502 Avoid implicit behaviors
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # avoid-implicit
\n\u2502
\n\u2502 This rule identifies the use of dangerous implicit behaviors, often also undocumented.
\n\u2502
\n\u2502 This rule will produce the following type of error messages:
\n\u2502
\n\u2502 \u2022 avoid-implicit[copy-content] is not a string as copy modules also accept these, but without
\n\u2502 documenting them.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Write file content
\n\u2502 ansible.builtin.copy:
\n\u2502 content: { “foo”: “bar” } # <– should use explicit jinja template
\n\u2502 dest: \/tmp\/foo.txt
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Write file content
\n\u2502 vars:
\n\u2502 content: { “foo”: “bar” }
\n\u2502 ansible.builtin.copy:
\n\u2502 content: “{{ content | to_json }}” # explicit better than implicit!
\n\u2502 dest: \/tmp\/foo.txt
\nversion_added \u2502 v6.8.0
\ntags \u2502 unpredictability, experimental
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\ncommand-instead-of-module \u2502 Using command rather than module.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # command-instead-of-module
\n\u2502
\n\u2502 This rule will recommend you to use a specific ansible module instead for tasks that are better served
\n\u2502 by a module, as these are more reliable, provide better messaging and usually have additional features
\n\u2502 like the ability to retry.
\n\u2502
\n\u2502 In the unlikely case that the rule triggers false positives, you can disable it by adding a comment like
\n\u2502 # noqa: command-instead-of-module to the same line.
\n\u2502
\n\u2502 You can check the source of the rule for all the known commands that trigger the rule and their allowed
\n\u2502 list arguments of exceptions and raise a pull request to improve them.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Update apt cache
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Run apt-get update
\n\u2502 ansible.builtin.command: apt-get update # <– better to use ansible.builtin.apt module
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Update apt cache
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Run apt-get update
\n\u2502 ansible.builtin.apt:
\n\u2502 update_cache: true
\nversion_added \u2502 historic
\ntags \u2502 command-shell, idiom
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\ncommand-instead-of-shell \u2502 Use shell only when shell functionality is required.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # command-instead-of-shell
\n\u2502
\n\u2502 This rule identifies uses of shell modules instead of a command one when this is not really needed.
\n\u2502 Shell is considerably slower than command and should be avoided unless there is a special need for using
\n\u2502 shell features, like environment variable expansion or chaining multiple commands using pipes.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Problematic example
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Echo a message
\n\u2502 ansible.builtin.shell: echo hello # <– command is better in this case
\n\u2502 changed_when: false
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Correct example
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Echo a message
\n\u2502 ansible.builtin.command: echo hello
\n\u2502 changed_when: false
\nversion_added \u2502 historic
\ntags \u2502 command-shell, idiom
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\ndeprecated-bare-vars \u2502 Using bare variables is deprecated.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # deprecated-bare-vars
\n\u2502
\n\u2502 This rule identifies possible confusing expressions where it is not clear if a variable or string is to
\n\u2502 be used and asks for clarification.
\n\u2502
\n\u2502 You should either use the full variable syntax (‘{{{{ {0} }}}}’) or, whenever possible, convert it to a
\n\u2502 list of strings.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – ansible.builtin.debug:
\n\u2502 msg: “{{ item }}”
\n\u2502 with_items: foo # <– deprecated-bare-vars
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 # if foo is not really a variable:
\n\u2502 – ansible.builtin.debug:
\n\u2502 msg: “{{ item }}”
\n\u2502 with_items:
\n\u2502 – foo
\n\u2502
\n\u2502 # if foo is a variable:
\n\u2502 – ansible.builtin.debug:
\n\u2502 msg: “{{ item }}”
\n\u2502 with_items: “{{ foo }}”
\nversion_added \u2502 historic
\ntags \u2502 deprecations
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\ndeprecated-command-syntax \u2502 Using command rather than an argument to e.g. file.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # deprecated-command-syntax
\n\u2502
\n\u2502 This rule identifies the use of shorthand (free-form) syntax as this is highly discouraged inside
\n\u2502 playbooks, mainly because it can easily lead to bugs that are hard to identify.
\n\u2502
\n\u2502 While using the free-form from the command line is ok, it should never be used inside playbooks.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Perform chmod
\n\u2502 ansible.builtin.command: creates=B chmod 644 A # <– do not use shorthand
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Perform chmod
\n\u2502 ansible.builtin.command: chmod 644 A
\n\u2502 args:
\n\u2502 creates: B
\nversion_added \u2502 historic
\ntags \u2502 command-shell, deprecations
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\ndeprecated-local-action \u2502 Do not use ‘local_action’, use ‘delegate_to: localhost’.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # deprecated-local-action
\n\u2502
\n\u2502 This rule recommends using delegate_to: localhost instead of the local_action.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Task example
\n\u2502 local_action: # <– this is deprecated
\n\u2502 module: boto3_facts
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 – name: Task example
\n\u2502 boto3_facts:
\n\u2502 delegate_to: localhost # <– recommended way to run on localhost
\nversion_added \u2502 v4.0.0
\ntags \u2502 deprecations
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\ndeprecated-module \u2502 Deprecated module.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # deprecated-module
\n\u2502
\n\u2502 This rule identifies deprecated modules in playbooks. You should avoid using deprecated modules because
\n\u2502 they are not maintained, which can pose a security risk. Additionally when a module is deprecated it is
\n\u2502 available temporarily with a plan for future removal.
\n\u2502
\n\u2502 Refer to the Ansible module index for information about replacements and removal dates for deprecated
\n\u2502 modules.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Configure VLAN ID
\n\u2502 ansible.netcommon.net_vlan: # <- Uses a deprecated module.
\n\u2502 vlan_id: 20
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Configure VLAN ID
\n\u2502 dellemc.enterprise_sonic.sonic_vlans: # <- Uses a platform specific module. \u2502 config: \u2502 – vlan_id: 20 \u2502 \u2502 (more) version_added \u2502 v4.0.0 tags \u2502 deprecations severity \u2502 HIGH \u2575 \u2577 empty-string-compare \u2502 Don’t compare to empty string. \u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574 description \u2502 # empty-string-compare \u2502 \u2502 This rule checks for empty string comparison in playbooks. To ensure code clarity you should avoid using \u2502 empty strings in conditional statements with the when clause. \u2502 \u2502 \u2022 Use when: var | length > 0 instead of when: var != “”.
\n\u2502 \u2022 Use when: var | length == 0 instead of when: var == “”.
\n\u2502
\n\u2502 This is an opt-in rule. You must enable it in your Ansible-lint configuration as follows:
\n\u2502
\n\u2502 enable_list:
\n\u2502 – empty-string-compare
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Shut down
\n\u2502 ansible.builtin.command: \/sbin\/shutdown -t now
\n\u2502 when: ansible_os_family == “” # <- Compares with an empty string.
\n\u2502 – name: Shut down
\n\u2502 ansible.builtin.command: \/sbin\/shutdown -t now
\n\u2502 when: ansible_os_family !=”” # <- Compares with an empty string.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Shut down
\n\u2502 ansible.builtin.shell: |
\n\u2502 \/sbin\/shutdown -t now
\n\u2502 echo $var ==
\n\u2502 when: ansible_os_family
\nversion_added \u2502 v4.0.0
\ntags \u2502 idiom, opt-in
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nfqcn \u2502 Use FQCN for builtin actions.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # fqcn
\n\u2502
\n\u2502 This rule checks for fully-qualified collection names (FQCN) in Ansible content.
\n\u2502
\n\u2502 Declaring an FQCN ensures that an action uses code from the correct namespace. This avoids ambiguity and
\n\u2502 conflicts that can cause operations to fail or produce unexpected results.
\n\u2502
\n\u2502 The fqcn rule has the following checks:
\n\u2502
\n\u2502 \u2022 fqcn[action] – Use FQCN for module actions, such …
\n\u2502 \u2022 fqcn[action-core] – Checks for FQCNs from the ansible.legacy or ansible.builtin collection.
\n\u2502 \u2022 fqcn[canonical] – You should use canonical module name … instead of …
\n\u2502
\n\u2502 In most cases you should declare the `ansible.builtin` collection for internal Ansible actions.
\n\u2502 You should declare the `ansible.legacy` collection if you use local overrides with actions, such with as
\n\u2502 the “shell“ module.
\n\u2502
\n\u2502 This rule does not take [`collections`
\n\u2502 keyword](https:\/\/docs.ansible.com\/ansible\/latest\/user_guide\/collections_using.html#simplifying-module-n\u2026
\n\u2502 into consideration.
\n\u2502 The `collections` keyword provided a temporary mechanism transitioning to Ansible 2.9.
\n\u2502 You should rewrite any content that uses the `collections:` key and avoid it where possible.
\n\u2502
\n\u2502 ## Canonical module names
\n\u2502
\n\u2502 Canonical module names are also known as resolved module names and they are to be preferred for most
\n\u2502 cases. Many Ansible modules have multiple aliases and redirects, as these were created over time while
\n\u2502 the content was refactored. Still, all of them do finally resolve to the same module name, but not
\n\u2502 without adding some performance overhead. As very old aliases are at some point removed, it makes to
\n\u2502 just refresh the content to make it point to the current canonical name.
\n\u2502
\n\u2502 The only exception for using a canonical name is if your code still needs to be compatible with a very
\n\u2502 old version of Ansible, one that does not know how to resolve that name. If you find yourself in such a
\n\u2502 situation, feel free to add this rule to the ignored list.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Create an SSH connection
\n\u2502 shell: ssh ssh_user@{{ ansible_ssh_host }} # <- Does not use the FQCN for the shell module.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook (1st solution)
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Create an SSH connection
\n\u2502 # Use the FQCN for the legacy shell module and allow local overrides.
\n\u2502 ansible.legacy.shell: ssh ssh_user@{{ ansible_ssh_host }} -o IdentityFile=path\/to\/my_rsa
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook (2nd solution)
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Create an SSH connection
\n\u2502 # Use the FQCN for the builtin shell module.
\n\u2502 ansible.builtin.shell: ssh ssh_user@{{ ansible_ssh_host }}
\nversion_added \u2502 v6.8.0
\ntags \u2502 formatting
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\ngalaxy \u2502 Rule for checking collection version is greater than 1.0.0.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # galaxy
\n\u2502
\n\u2502 This rule identifies if the collection version mentioned in galaxy.yml is ideal in terms of the version
\n\u2502 number being greater than or equal to 1.0.0.
\n\u2502
\n\u2502 This rule can produce messages such:
\n\u2502
\n\u2502 \u2022 galaxy[version-missing] – galaxy.yaml should have version tag.
\n\u2502 \u2022 galaxy[version-incorrect] – collection version should be greater than or equal to 1.0.0
\n\u2502
\n\u2502 If you want to ignore some of the messages above, you can add any of them to the ignore_list.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 # galaxy.yml
\n\u2502 —
\n\u2502 name: foo
\n\u2502 namespace: bar
\n\u2502 version: 0.2.3 # <– collection version should be >= 1.0.0
\n\u2502 authors:
\n\u2502 – John
\n\u2502 readme: ..\/README.md
\n\u2502 description: “…”
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 # galaxy.yml
\n\u2502 —
\n\u2502 name: foo
\n\u2502 namespace: bar
\n\u2502 version: 1.0.0
\n\u2502 authors:
\n\u2502 – John
\n\u2502 readme: ..\/README.md
\n\u2502 description: “…”
\nversion_added \u2502 v6.6.0 (last update)
\ntags \u2502 metadata, opt-in, experimental
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nignore-errors \u2502 Use failed_when and specify error conditions instead of using ignore_errors.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # ignore-errors
\n\u2502
\n\u2502 This rule checks that playbooks do not use the ignore_errors directive to ignore all errors. Ignoring
\n\u2502 all errors in a playbook hides actual failures, incorrectly mark tasks as failed, and result in
\n\u2502 unexpected side effects and behavior.
\n\u2502
\n\u2502 Instead of using the ignore_errors: true directive, you should do the following:
\n\u2502
\n\u2502 \u2022 Ignore errors only when using the {{ ansible_check_mode }} variable.
\n\u2502 \u2022 Use register to register errors.
\n\u2502 \u2022 Use failed_when: and specify acceptable error conditions.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Run apt-get update
\n\u2502 ansible.builtin.command: apt-get update
\n\u2502 ignore_errors: true # <- Ignores all errors, including important failures.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Run apt-get update
\n\u2502 ansible.builtin.command: apt-get update
\n\u2502 ignore_errors: “{{ ansible_check_mode }}” # <- Ignores errors in check mode.
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Run apt-get update
\n\u2502 ansible.builtin.command: apt-get update
\n\u2502 ignore_errors: true
\n\u2502 register: ignore_errors_register # <- Stores errors and failures for evaluation.
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Disable apport
\n\u2502 become: “yes”
\n\u2502 lineinfile:
\n\u2502 line: “enabled=0”
\n\u2502 dest: \/etc\/default\/apport
\n\u2502 mode: 0644
\n\u2502 state: present
\n\u2502 register: default_apport
\n\u2502 failed_when: default_apport.rc !=0 and not default_apport.rc == 257 # <- Defines conditions that
\n\u2502 constitute a failure.
\nversion_added \u2502 v5.0.7
\ntags \u2502 unpredictability, experimental
\nseverity \u2502 LOW
\n\u2575
\n\u2577
\ninline-env-var \u2502 Command module does not accept setting environment variables inline.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # inline-env-var
\n\u2502
\n\u2502 This rule checks that playbooks do not set environment variables in the ansible.builtin.command module.
\n\u2502
\n\u2502 You should set environment variables with the ansible.builtin.shell module or the environment keyword.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Set environment variable
\n\u2502 ansible.builtin.command: MY_ENV_VAR=my_value # <- Sets an environment variable in the command
\n\u2502 module.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Set environment variable
\n\u2502 ansible.builtin.shell: echo $MY_ENV_VAR
\n\u2502 environment:
\n\u2502 MY_ENV_VAR: my_value # <- Sets an environment variable with the environment keyword.
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Set environment variable
\n\u2502 ansible.builtin.shell: MY_ENV_VAR=my_value # <- Sets an environment variable with the shell
\n\u2502 module.
\nversion_added \u2502 historic
\ntags \u2502 command-shell, idiom
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\ninternal-error \u2502 Unexpected internal error.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # internal-error
\n\u2502
\n\u2502 This error can also be caused by internal bugs but also by custom rules. Instead of just stopping tool
\n\u2502 execution, we generate the errors and continue processing other files. This allows users to add this
\n\u2502 rule to their warn_list until the root cause is fixed.
\n\u2502
\n\u2502 Keep in mind that once an internal-error is found on a specific file, no other rules will be executed on
\n\u2502 that same file.
\n\u2502
\n\u2502 In almost all cases you will see more detailed information regarding the original error or runtime
\n\u2502 exception that triggered this rule.
\n\u2502
\n\u2502 If these files are broken on purpose, like some test fixtures, you need to add them to the
\n\u2502 exclude_paths.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – name: Some title {{ # <– Ansible will not load this invalid jinja template
\n\u2502 hosts: localhost
\n\u2502 tasks: []
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 – name: Some title
\n\u2502 hosts: localhost
\n\u2502 tasks: []
\n\u2502
\n\u2502 ## ERROR! No hosts matched the subscripted pattern
\n\u2502
\n\u2502 If you see this error, it means that you tried to index a host group variable that is using an index
\n\u2502 above its size.
\n\u2502
\n\u2502 Instead of doing something like hosts: all[1] which assumes that you have at least two hosts in your
\n\u2502 current inventory, you better write something like hosts: “{{ all[1] | default([]) }}, which is safe and
\n\u2502 do not produce runtime errors. Use safe fallbacks to make your code more resilient.
\nversion_added \u2502 v5.0.0
\ntags \u2502 core
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\njinja \u2502 Rule that looks inside jinja2 templates.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # jinja
\n\u2502
\n\u2502 This rule can report problems related to jinja2 string templates. The current version can report:
\n\u2502
\n\u2502 \u2022 jinja[spacing] when there are no spaces between variables and operators, including filters, like {{
\n\u2502 var_name | filter }}. This improves readability and makes it less likely to introduce typos.
\n\u2502 \u2022 jinja[invalid] when the jinja2 template is invalid, like {{ {{ ‘1’ }} }}, which would result in a
\n\u2502 runtime error if you try to use it with Ansible, even if it does pass the Ansible syntax check.
\n\u2502
\n\u2502 As jinja2 syntax is closely following Python one we aim to follow black formatting rules. If you are
\n\u2502 curious how black would reformat a small sniped feel free to visit online black formatter site. Keep in
\n\u2502 mind to not include the entire jinja2 template, so instead of {{ 1+2==3 }}, do paste only 1+2==3.
\n\u2502
\n\u2502 In ansible, changed_when, failed_when, until, when are considered to use implicit jinja2 templating,
\n\u2502 meaning that they do not require {{ }}. Our rule will suggest the removal of the braces for these
\n\u2502 fields.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – name: Some task
\n\u2502 vars:
\n\u2502 foo: “{{some|dict2items}}” # <– jinja[spacing]
\n\u2502 bar: “{{ & }}” # <– jinja[invalid]
\n\u2502 when: “{{ foo | bool }}” # <– jinja[spacing] – ‘when’ has implicit templating
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 – name: Some task
\n\u2502 vars:
\n\u2502 foo: “{{ some | dict2items }}”
\n\u2502 bar: “{{ ‘&’ }}”
\n\u2502 when: foo | bool
\n\u2502
\n\u2502 ## Current limitations
\n\u2502
\n\u2502 In its current form, this rule presents the following limitations:
\n\u2502
\n\u2502 \u2022 Jinja2 blocks that have newlines in them will not be reformatted because we consider that the user
\n\u2502 deliberately wanted to format them in a particular way.
\n\u2502 \u2022 Jinja2 blocks that use tilde as a binary operation are ignored because black does not support tilde
\n\u2502 as a binary operator. Example: {{ a ~ b }}.
\n\u2502 \u2022 Jinja2 blocks that use dot notation with numbers are ignored because python and black do not allow
\n\u2502 it. Example: {{ foo.0.bar }}
\nversion_added \u2502 v6.5.0
\ntags \u2502 formatting
\nseverity \u2502 LOW
\n\u2575
\n\u2577
\nkey-order \u2502 Ensure specific order of keys in mappings.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # key-order
\n\u2502
\n\u2502 This rule recommends reordering key names in ansible content to make code easier to maintain and less
\n\u2502 prone to errors.
\n\u2502
\n\u2502 Here are some examples of common ordering checks done for tasks and handlers:
\n\u2502
\n\u2502 \u2022 name must always be the first key for plays, tasks and handlers
\n\u2502 \u2022 on tasks, the block, rescue and always keys must be the last keys, as this would avoid accidental
\n\u2502 miss-indentation errors between the last task and the parent level.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – hosts: localhost
\n\u2502 name: This is a playbook # <– name key should be the first one
\n\u2502 tasks:
\n\u2502 – name: A block
\n\u2502 block:
\n\u2502 – name: Display a message
\n\u2502 debug:
\n\u2502 msg: “Hello world!”
\n\u2502 when: true # <– when key should be before block
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 – name: This is a playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: A block
\n\u2502 when: true
\n\u2502 block:
\n\u2502 – name: Display a message
\n\u2502 debug:
\n\u2502 msg: “Hello world!”
\n\u2502
\n\u2502 ## Reasoning
\n\u2502
\n\u2502 Making decisions about the optimal order of keys for ansible tasks or plays is no easy task, as we had a
\n\u2502 huge number of combinations to consider. This is also the reason why we started with a minimal sorting
\n\u2502 rule (name to be the first), and aimed to gradually add more fields later, and only when we find the
\n\u2502 proofs that one approach is likely better than the other.
\n\u2502
\n\u2502 ### Why I no longer can put when after a block?
\n\u2502
\n\u2502 Try to remember that in real life, block\/rescue\/always have the habit to grow due to the number of tasks
\n\u2502 they host inside, making them exceed what a single screen. This would move the when task further away
\n\u2502 from the rest of the task properties. A when from the last task inside the block can easily be confused
\n\u2502 as being at the block level, or the reverse. When tasks are moved from one location to another, there is
\n\u2502 a real risk of moving the block level when with it.
\n\u2502
\n\u2502 By putting the when before the block, we avoid that kind of risk. The same risk applies to any simple
\n\u2502 property at the task level, so that is why we concluded that the block keys must be the last ones.
\n\u2502
\n\u2502 Another common practice was to put tags as the last property. Still, for the same reasons, we decided
\n\u2502 that they should not be put after block keys either.
\nversion_added \u2502 v6.6.2
\ntags \u2502 formatting, experimental
\nseverity \u2502 LOW
\n\u2575
\n\u2577
\nlatest \u2502 Result of the command may vary on subsequent runs.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # latest
\n\u2502
\n\u2502 The latest rule checks that module arguments like those used for source control checkout do not have
\n\u2502 arguments that might generate different results based on context.
\n\u2502
\n\u2502 This more generic rule replaced two older rules named git-latest and hg-latest.
\n\u2502
\n\u2502 We are aware that there are genuine cases where getting the tip of the main branch is not accidental.
\n\u2502 For these cases, just add a comment such as # noqa: latest to the same line to prevent it from
\n\u2502 triggering.
\n\u2502
\n\u2502 ## Possible errors messages:
\n\u2502
\n\u2502 \u2022 latest[git]
\n\u2502 \u2022 latest[hg]
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example for `latest` rule
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Risky use of git module
\n\u2502 ansible.builtin.git:
\n\u2502 repo: “https:\/\/foosball.example.org\/path\/to\/repo.git”
\n\u2502 version: HEAD # <– HEAD value is triggering the rule
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example for `latest` rule
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Safe use of git module
\n\u2502 ansible.builtin.git:
\n\u2502 repo: “https:\/\/foosball.example.org\/path\/to\/repo.git”
\n\u2502 version: abcd1234… # <– that is safe
\nversion_added \u2502 v6.5.2
\ntags \u2502 idempotency
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nliteral-compare \u2502 Don’t compare to literal True\/False.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # literal-compare
\n\u2502
\n\u2502 This rule checks for literal comparison with the when clause. Literal comparison, like when: var ==
\n\u2502 True, is unnecessarily complex. Use when: var to keep your playbooks simple.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Print environment variable to stdout
\n\u2502 ansible.builtin.command: echo $MY_ENV_VAR
\n\u2502 when: ansible_os_family == True # <- Adds complexity to your playbook.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Print environment variable to stdout
\n\u2502 ansible.builtin.command: echo $MY_ENV_VAR
\n\u2502 when: ansible_os_family # <- Keeps your playbook simple.
\nversion_added \u2502 v4.0.0
\ntags \u2502 idiom
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nload-failure \u2502 Failed to load or parse file.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # load-failure
\n\u2502
\n\u2502 Linter failed to process a YAML file, probably because it is either:
\n\u2502
\n\u2502 \u2022 contains unsupported encoding (only UTF-8 is supported)
\n\u2502 \u2022 not an Ansible file
\n\u2502 \u2022 it contains some unsupported custom YAML objects (!! prefix)
\n\u2502 \u2022 it was not able to decrypt an inline !vault block.
\n\u2502
\n\u2502 This violation is not skippable, so it cannot be added to the warn_list or the skip_list. If a vault
\n\u2502 decryption issue cannot be avoided, the offending file can be added to exclude_paths configuration.
\nversion_added \u2502 v4.3.0
\ntags \u2502 core, unskippable
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\nloop-var-prefix \u2502 Role loop_var should use configured prefix.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # loop-var-prefix
\n\u2502
\n\u2502 This rule avoids conflicts with nested looping tasks by configuring a variable prefix with loop_var.
\n\u2502 Ansible sets item as the loop variable. You can use loop_var to specify a prefix for loop variables and
\n\u2502 ensure they are unique to each task.
\n\u2502
\n\u2502 This rule can produce the following messages:
\n\u2502
\n\u2502 \u2022 [loop-var-prefix[missing] – Replace any unsafe implicit item loop variable by adding loop_var:
\n\u2502 ….
\n\u2502 \u2022 [loop-var-prefix[wrong] – Ensure loop variables start with .
\n\u2502
\n\u2502 This is an opt-in rule. You must enable it in your Ansible-lint configuration as follows:
\n\u2502
\n\u2502 enable_list:
\n\u2502 – loop-var-prefix
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Does not set a prefix for loop variables.
\n\u2502 ansible.builtin.debug:
\n\u2502 var: item
\n\u2502 loop:
\n\u2502 – foo
\n\u2502 – bar # <- These items do not have a unique prefix.
\n\u2502 – name: Sets a prefix that is not unique.
\n\u2502 ansible.builtin.debug:
\n\u2502 var: zz_item
\n\u2502 loop:
\n\u2502 – foo
\n\u2502 – bar
\n\u2502 loop_control:
\n\u2502 loop_var: zz_item # <- This prefix is not unique.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Sets a unique prefix for loop variables.
\n\u2502 ansible.builtin.debug:
\n\u2502 var: zz_item
\n\u2502 loop:
\n\u2502 – foo
\n\u2502 – bar
\n\u2502 loop_control:
\n\u2502 loop_var: my_prefix # <- Specifies a unique prefix for loop variables.
\n\u2502
\n\u2502 (more)
\ntags \u2502 idiom
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nmeta-incorrect \u2502 meta\/main.yml default values should be changed.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # meta-incorrect
\n\u2502
\n\u2502 This rule checks role metadata for fields with undefined or default values. Always set appropriate
\n\u2502 values for the following metadata fields in the meta\/main.yml file:
\n\u2502
\n\u2502 \u2022 author
\n\u2502 \u2022 description
\n\u2502 \u2022 company
\n\u2502 \u2022 license
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 # Metadata fields for the role contain default values.
\n\u2502 galaxy_info:
\n\u2502 author: your name
\n\u2502 description: your role description
\n\u2502 company: your company (optional)
\n\u2502 license: license (GPL-2.0-or-later, MIT, etc)
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 galaxy_info:
\n\u2502 author: Leroy Jenkins
\n\u2502 description: This role will set you free.
\n\u2502 company: Red Hat
\n\u2502 license: Apache
\nversion_added \u2502 v4.0.0
\ntags \u2502 metadata
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nmeta-no-info \u2502 meta\/main.yml should contain relevant info.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # meta-no-info
\n\u2502
\n\u2502 This rule checks role metadata for missing information. Always set appropriate values for the following
\n\u2502 metadata fields in the meta\/main.yml file, under galaxy_info key:
\n\u2502
\n\u2502 \u2022 platforms
\n\u2502 \u2022 min_ansible_version
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 # The metadata fields for minimum Ansible version and supported platforms are not set.
\n\u2502 galaxy_info:
\n\u2502 min_ansible_version:
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 galaxy_info:
\n\u2502 min_ansible_version: “2.8”
\n\u2502 platforms:
\n\u2502 – name: Fedora
\n\u2502 versions:
\n\u2502 – all
\nversion_added \u2502 v4.0.0
\ntags \u2502 metadata
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nmeta-no-tags \u2502 Tags must contain lowercase letters and digits only.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # meta-no-tags
\n\u2502
\n\u2502 This rule checks role metadata for tags with special characters. Always use lowercase numbers and
\n\u2502 letters for tags in the meta\/main.yml file.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 # Metadata tags contain upper-case letters and special characters.
\n\u2502 galaxy_info:
\n\u2502 galaxy_tags: [MyTag#1, MyTag&^-]
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 # Metadata tags contain only lowercase letters and numbers.
\n\u2502 galaxy_info:
\n\u2502 galaxy_tags: [mytag1, mytag2]
\nversion_added \u2502 v4.0.0
\ntags \u2502 metadata
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nmeta-video-links \u2502 meta\/main.yml video_links should be formatted correctly.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # meta-video-links
\n\u2502
\n\u2502 This rule checks formatting for video links in metadata. Always use dictionaries for items in the
\n\u2502 meta\/main.yml file.
\n\u2502
\n\u2502 Items in the video_links section must be in a dictionary and use the following keys:
\n\u2502
\n\u2502 \u2022 url
\n\u2502 \u2022 title
\n\u2502
\n\u2502 The value of the url key must be a shared link from YouTube, Vimeo, or Google Drive.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 galaxy_info:
\n\u2502 video_links:
\n\u2502 – https:\/\/youtu.be\/this_is_not_a_dictionary # <- Does not use the url key.
\n\u2502 – my_bad_key: https:\/\/youtu.be\/aWmRepTSFKs # <- Uses an unsupported key.
\n\u2502 title: Incorrect key.
\n\u2502 – url: www.acme.com\/vid # <- Uses an unsupported url format.
\n\u2502 title: Incorrect url format.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 galaxy_info:
\n\u2502 video_links:
\n\u2502 – url: https:\/\/youtu.be\/aWmRepTSFKs # <- Uses a supported shared link with the url key.
\n\u2502 title: Correctly formatted video link.
\nversion_added \u2502 v4.0.0
\ntags \u2502 metadata
\nseverity \u2502 LOW
\n\u2575
\n\u2577
\nname \u2502 Rule for checking task and play names.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # name
\n\u2502
\n\u2502 This rule identifies several problems related to the naming of tasks and plays. This is important
\n\u2502 because these names are the primary way to identify and document executed operations on console, logs or
\n\u2502 web interface.
\n\u2502
\n\u2502 This rule can produce messages such:
\n\u2502
\n\u2502 \u2022 name[casing] – All names should start with an uppercase letter for languages that support it.
\n\u2502 \u2022 name[missing] – All tasks should be named.
\n\u2502 \u2022 name[play] – All plays should be named.
\n\u2502 \u2022 name[template] – Jinja templates should only be at the end of ‘name’. This helps with the
\n\u2502 identification of tasks inside the source code when they fail. The use of templating inside name keys
\n\u2502 is discouraged as there are multiple cases where the rendering of the name template is not possible.
\n\u2502
\n\u2502 If you want to ignore some of the messages above, you can add any of them to the skip_list.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – hosts: localhost # <– playbook missing a name key
\n\u2502 tasks:
\n\u2502 – name: create placefolder file # <– not starting with a capital letter
\n\u2502 ansible.builtin.command: touch \/tmp\/.placeholder
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 – name: Play for creating playholder
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Create placeholder file
\n\u2502 ansible.builtin.command: touch \/tmp\/.placeholder
\nversion_added \u2502 v6.5.0 (last update)
\ntags \u2502 idiom
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nno-changed-when \u2502 Commands should not change things if nothing needs doing.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-changed-when
\n\u2502
\n\u2502 This rule checks that tasks return changes to results or conditions. Unless tasks only read information,
\n\u2502 you should ensure that they return changes in the following ways:
\n\u2502
\n\u2502 \u2022 Register results or conditions and use the changed_when clause.
\n\u2502 \u2022 Use the creates or removes argument.
\n\u2502
\n\u2502 You should use the when clause to run tasks only if a check returns a particular result.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Does not handle any output or return codes
\n\u2502 ansible.builtin.command: cat {{ my_file | quote }} # <- Does not handle the command output.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Handle shell output with return code
\n\u2502 ansible.builtin.command: cat {{ my_file | quote }}
\n\u2502 register: my_output # <- Registers the command output.
\n\u2502 changed_when: my_output.rc != 0 # <- Uses the return code to define when the task has changed.
\nversion_added \u2502 historic
\ntags \u2502 command-shell, idempotency
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nno-free-form \u2502 Rule for detecting discouraged free-form syntax for action modules.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-free-form
\n\u2502
\n\u2502 This rule identifies any use of free-form module calling syntax and asks for switching to the full
\n\u2502 syntax.
\n\u2502
\n\u2502 Free-form syntax, also known as inline or shorthand, can produce subtle bugs. It can also prevent
\n\u2502 editors and IDEs from providing feedback, autocomplete and validation for the edited line.
\n\u2502
\n\u2502 As long you just pass a YAML string that contains a `=` character inside as the
\n\u2502 parameter to the action module name, we consider this as using free-formsyntax.
\n\u2502 Be sure you pass a dictionary to the module, so the free-form parsing
\n\u2502 is never triggered.
\n\u2502
\n\u2502 As raw module only accepts free-form, we trigger no-free-form[raw] only if we detect the presence of
\n\u2502 executable= inside raw calls. We advice the explicit use of args: dictionary for configuring the
\n\u2502 executable to be run.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example with discouraged free-form syntax
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Create a placefolder file
\n\u2502 ansible.builtin.command: chdir=\/tmp touch foo # <– don’t use free-form
\n\u2502 – name: Use raw to echo
\n\u2502 ansible.builtin.raw: executable=\/bin\/bash echo foo # <– don’t use executable=
\n\u2502 changed_when: false
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example that avoids free-form syntax
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Create a placefolder file
\n\u2502 ansible.builtin.command:
\n\u2502 cmd: touch foo # <– ansible will not touch it
\n\u2502 chdir: \/tmp
\n\u2502 – name: Use raw to echo
\n\u2502 ansible.builtin.raw: echo foo
\n\u2502 args:
\n\u2502 executable: \/bin\/bash # <– explicit is better
\n\u2502 changed_when: false
\nversion_added \u2502 v6.8.0
\ntags \u2502 syntax, risk, experimental
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nno-handler \u2502 Tasks that run when changed should likely be handlers.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-handler
\n\u2502
\n\u2502 This rule checks for the correct handling of changes to results or conditions.
\n\u2502
\n\u2502 If a task has a when: result.changed condition, it effectively acts as a handler. The recommended
\n\u2502 approach is to use notify and move tasks to handlers. If necessary you can silence the rule by add a #
\n\u2502 noqa: no-handler comment at the end of the line.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example of no-handler rule
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Register result of a task
\n\u2502 ansible.builtin.copy:
\n\u2502 dest: “\/tmp\/placeholder”
\n\u2502 content: “Ansible made this!”
\n\u2502 mode: 0600
\n\u2502 register: result # <– Registers the result of the task.
\n\u2502 – name: Second command to run
\n\u2502 ansible.builtin.debug:
\n\u2502 msg: The placeholder file was modified!
\n\u2502 when: result.changed # <– Triggers the no-handler rule.
\n\u2502
\n\u2502 —
\n\u2502 # Optionally silences the rule.
\n\u2502 when: result.changed # noqa: no-handler
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 The following code includes the same functionality as the problematic code without recording a result
\n\u2502 variable.
\n\u2502
\n\u2502 —
\n\u2502 – name: Example of no-handler rule
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Register result of a task
\n\u2502 ansible.builtin.copy:
\n\u2502 dest: “\/tmp\/placeholder”
\n\u2502 content: “Ansible made this!”
\n\u2502 mode: 0600
\n\u2502 notify:
\n\u2502 – Second command to run # <– Handler runs only when the file changes.
\n\u2502 handlers:
\n\u2502 – name: Second command to run
\n\u2502 ansible.builtin.debug:
\n\u2502 msg: The placeholder file was modified!
\n\u2502
\n\u2502 (more)
\nversion_added \u2502 historic
\ntags \u2502 idiom
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nno-jinja-when \u2502 No Jinja2 in when.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-jinja-when
\n\u2502
\n\u2502 This rule checks conditional statements for Jinja expressions in curly brackets {{ }}. Ansible processes
\n\u2502 conditionals statements that use the when, failed_when, and changed_when clauses as Jinja expressions.
\n\u2502
\n\u2502 An Ansible rule is to always use {{ }} except with when keys. Using {{ }} in conditionals creates a
\n\u2502 nested expression, which is an Ansible anti-pattern and does not produce expected results.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Shut down Debian systems
\n\u2502 ansible.builtin.command: \/sbin\/shutdown -t now
\n\u2502 when: “{{ ansible_facts[‘os_family’] == ‘Debian’ }}” # <- Nests a Jinja expression in a
\n\u2502 conditional statement.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Shut down Debian systems
\n\u2502 ansible.builtin.command: \/sbin\/shutdown -t now
\n\u2502 when: ansible_facts[‘os_family’] == “Debian” # <- Uses facts in a conditional statement.
\nversion_added \u2502 historic
\ntags \u2502 deprecations
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nno-log-password \u2502 Password should not be logged.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-log-password
\n\u2502
\n\u2502 This rule ensures playbooks do not write passwords to logs when using loops. Always set the no_log: true
\n\u2502 attribute to protect sensitive data.
\n\u2502
\n\u2502 While most Ansible modules mask sensitive data, using secrets inside a loop can result in those secrets
\n\u2502 being logged. Explicitly adding no_log: true prevents accidentally exposing secrets.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Log user passwords
\n\u2502 ansible.builtin.user:
\n\u2502 name: john_doe
\n\u2502 comment: John Doe
\n\u2502 uid: 1040
\n\u2502 group: admin
\n\u2502 password: “{{ item }}”
\n\u2502 with_items:
\n\u2502 – wow
\n\u2502 no_log: false # <- Sets the no_log attribute to false.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Do not log user passwords
\n\u2502 ansible.builtin.user:
\n\u2502 name: john_doe
\n\u2502 comment: John Doe
\n\u2502 uid: 1040
\n\u2502 group: admin
\n\u2502 password: “{{ item }}”
\n\u2502 with_items:
\n\u2502 – wow
\n\u2502 no_log: true # <- Sets the no_log attribute to a non-false value.
\nversion_added \u2502 v5.0.9
\ntags \u2502 opt-in, security, experimental
\nseverity \u2502 LOW
\n\u2575
\n\u2577
\nno-prompting \u2502 Disallow prompting.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-prompting
\n\u2502
\n\u2502 This rule checks for vars_prompt or the ansible.builtin.pause module in playbooks. You should enable
\n\u2502 this rule to ensure that playbooks can run unattended and in CI\/CD pipelines.
\n\u2502
\n\u2502 This is an opt-in rule. You must enable it in your Ansible-lint configuration as follows:
\n\u2502
\n\u2502 enable_list:
\n\u2502 – no-prompting
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 vars_prompt: # <- Prompts the user to input credentials.
\n\u2502 – name: username
\n\u2502 prompt: What is your username?
\n\u2502 private: false
\n\u2502
\n\u2502 – name: password
\n\u2502 prompt: What is your password?
\n\u2502 tasks:
\n\u2502 – name: Pause for 5 minutes
\n\u2502 ansible.builtin.pause:
\n\u2502 minutes: 5 # <- Pauses playbook execution for a set period of time.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 Correct code for this rule is to omit vars_prompt and the ansible.builtin.pause module from your
\n\u2502 playbook.
\nversion_added \u2502 v6.0.3
\ntags \u2502 opt-in, experimental
\nseverity \u2502 VERY_LOW
\n\u2575
\n\u2577
\nno-relative-paths \u2502 The src argument should not use a relative path.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-relative-paths
\n\u2502
\n\u2502 This rule checks for relative paths in the ansible.builtin.copy and ansible.builtin.template modules.
\n\u2502
\n\u2502 Relative paths in a task most often direct Ansible to remote files and directories on managed nodes. In
\n\u2502 the ansible.builtin.copy and ansible.builtin.template modules, the src argument refers to local files
\n\u2502 and directories on the control node.
\n\u2502
\n\u2502 The recommended locations to store files are as follows:
\n\u2502
\n\u2502 \u2022 Use the files\/ folder in the playbook or role directory for the copy module.
\n\u2502 \u2022 Use the templates\/ folder in the playbook or role directory for the template module.
\n\u2502
\n\u2502 These folders allow you to omit the path or use a sub-folder when specifying files with the src
\n\u2502 argument.
\n\u2502
\n\u2502 If resources are outside your Ansible playbook or role directory you should use an absolute path with
\n\u2502 the `src` argument.
\n\u2502
\n\u2502 Do not store resources at the same directory level as your Ansible playbook or tasks files.
\n\u2502 Doing this can result in disorganized projects and cause user confusion when distinguishing between
\n\u2502 resources of the same type, such as YAML.
\n\u2502
\n\u2502 See task paths in the Ansible documentation for more information.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Template a file to \/etc\/file.conf
\n\u2502 ansible.builtin.template:
\n\u2502 src: ..\/my_templates\/foo.j2 # <- Uses a relative path in the src argument.
\n\u2502 dest: \/etc\/file.conf
\n\u2502 owner: bin
\n\u2502 group: wheel
\n\u2502 mode: “0644”
\n\u2502
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 vars:
\n\u2502 source_path: ..\/..\/my_templates\/foo.j2 # <- Sets a variable to a relative path.
\n\u2502 tasks:
\n\u2502 – name: Copy a file to \/etc\/file.conf
\n\u2502 ansible.builtin.copy:
\n\u2502 src: “{{ source_path }}” # <- Uses the variable in the src argument.
\n\u2502 dest: \/etc\/foo.conf
\n\u2502 owner: foo
\n\u2502 group: foo
\n\u2502 mode: “0644”
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Template a file to \/etc\/file.conf
\n\u2502 ansible.builtin.template:
\n\u2502 src: foo.j2 # <- Uses a path from inside templates\/ directory.
\n\u2502 dest: \/etc\/file.conf
\n\u2502 owner: bin
\n\u2502 group: wheel
\n\u2502 mode: “0644”
\n\u2502
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 vars:
\n\u2502 source_path: foo.j2 # <- Uses a path from inside files\/ directory.
\n\u2502 tasks:
\n\u2502 – name: Copy a file to \/etc\/file.conf
\n\u2502 ansible.builtin.copy:
\n\u2502 src: “{{ source_path }}” # <- Uses the variable in the src argument.
\n\u2502 dest: \/etc\/foo.conf
\n\u2502 owner: foo
\n\u2502 group: foo
\n\u2502 mode: “0644”
\nversion_added \u2502 v4.0.0
\ntags \u2502 idiom
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nno-same-owner \u2502 Do not preserve the owner and group when transferring files across hosts.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-same-owner
\n\u2502
\n\u2502 This rule checks that the owner and group do not transfer across hosts.
\n\u2502
\n\u2502 In many cases the owner and group on remote hosts do not match the owner and group assigned to source
\n\u2502 files. Preserving the owner and group during transfer can result in errors with permissions or leaking
\n\u2502 sensitive information.
\n\u2502
\n\u2502 When you synchronize files, you should avoid transferring the owner and group by setting owner: false
\n\u2502 and group: false arguments. When you unpack archives with the ansible.builtin.unarchive module you
\n\u2502 should set the –no-same-owner option.
\n\u2502
\n\u2502 This is an opt-in rule. You must enable it in your Ansible-lint configuration as follows:
\n\u2502
\n\u2502 enable_list:
\n\u2502 – no-same-owner
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Synchronize conf file
\n\u2502 ansible.posix.synchronize:
\n\u2502 src: \/path\/conf.yaml
\n\u2502 dest: \/path\/conf.yaml # <- Transfers the owner and group for the file.
\n\u2502 – name: Extract tarball to path
\n\u2502 ansible.builtin.unarchive:
\n\u2502 src: “{{ file }}.tar.gz”
\n\u2502 dest: \/my\/path\/ # <- Transfers the owner and group for the file.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Synchronize conf file
\n\u2502 ansible.posix.synchronize:
\n\u2502 src: \/path\/conf.yaml
\n\u2502 dest: \/path\/conf.yaml
\n\u2502 owner: false
\n\u2502 group: false # <- Does not transfer the owner and group for the file.
\n\u2502 – name: Extract tarball to path
\n\u2502 ansible.builtin.unarchive:
\n\u2502 src: “{{ file }}.tar.gz”
\n\u2502 dest: \/my\/path\/
\n\u2502 extra_opts:
\n\u2502 – –no-same-owner # <- Does not transfer the owner and group for the file.
\ntags \u2502 opt-in
\nseverity \u2502 LOW
\n\u2575
\n\u2577
\nno-tabs \u2502 Most files should not contain tabs.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # no-tabs
\n\u2502
\n\u2502 This rule checks for the tab character. The \\t tab character can result in unexpected display or
\n\u2502 formatting issues. You should always use spaces instead of tabs.
\n\u2502
\n\u2502 This rule does not trigger alerts for tab characters in the “ansible.builtin.lineinfile“ module.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Do not trigger the rule
\n\u2502 ansible.builtin.lineinfile:
\n\u2502 path: some.txt
\n\u2502 regexp: ‘^\\t$’
\n\u2502 line: ‘string with \\t inside’
\n\u2502 – name: Trigger the rule with a debug message
\n\u2502 ansible.builtin.debug:
\n\u2502 msg: “Using the \\t character can cause formatting issues.” # <- Includes the tab character.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Do not trigger the no-tabs rule
\n\u2502 ansible.builtin.debug:
\n\u2502 msg: “Using space characters avoids formatting issues.”
\nversion_added \u2502 v4.0.0
\ntags \u2502 formatting
\nseverity \u2502 LOW
\n\u2575
\n\u2577
\nonly-builtins \u2502 Use only builtin actions.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # only-builtins
\n\u2502
\n\u2502 This rule checks that playbooks use actions from the ansible.builtin collection only.
\n\u2502
\n\u2502 This is an opt-in rule. You must enable it in your Ansible-lint configuration as follows:
\n\u2502
\n\u2502 enable_list:
\n\u2502 – only-builtins
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: all
\n\u2502 tasks:
\n\u2502 – name: Deploy a Helm chart for Prometheus
\n\u2502 kubernetes.core.helm: # <- Uses a non-builtin collection.
\n\u2502 name: test
\n\u2502 chart_ref: stable\/prometheus
\n\u2502 release_namespace: monitoring
\n\u2502 create_namespace: true
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Run a shell command
\n\u2502 ansible.builtin.shell: echo This playbook uses actions from the builtin collection only.
\ntags \u2502 opt-in, experimental
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\npackage-latest \u2502 Package installs should not use latest.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # package-latest
\n\u2502
\n\u2502 This rule checks that package managers install software in a controlled, safe manner.
\n\u2502
\n\u2502 Package manager modules, such as ansible.builtin.yum, include a state parameter that configures how
\n\u2502 Ansible installs software. In production environments, you should set state to present and specify a
\n\u2502 target version to ensure that packages are installed to a planned and tested version.
\n\u2502
\n\u2502 Setting state to latest not only installs software, it performs an update and installs additional
\n\u2502 packages. This can result in performance degradation or loss of service. If you do want to update
\n\u2502 packages to the latest version, you should also set the update_only parameter to true to avoid
\n\u2502 installing additional packages.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Install Ansible
\n\u2502 ansible.builtin.yum:
\n\u2502 name: ansible
\n\u2502 state: latest # <- Installs the latest package.
\n\u2502
\n\u2502 – name: Install Ansible-lint
\n\u2502 ansible.builtin.pip:
\n\u2502 name: ansible-lint
\n\u2502 args:
\n\u2502 state: latest # <- Installs the latest package.
\n\u2502
\n\u2502 – name: Install some-package
\n\u2502 ansible.builtin.package:
\n\u2502 name: some-package
\n\u2502 state: latest # <- Installs the latest package.
\n\u2502
\n\u2502 – name: Install Ansible with update_only to false
\n\u2502 ansible.builtin.yum:
\n\u2502 name: sudo
\n\u2502 state: latest
\n\u2502 update_only: false # <- Updates and installs packages.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Install Ansible
\n\u2502 ansible.builtin.yum:
\n\u2502 name: ansible-2.12.7.0
\n\u2502 state: present # <- Pins the version to install with yum.
\n\u2502
\n\u2502 – name: Install Ansible-lint
\n\u2502 ansible.builtin.pip:
\n\u2502 name: ansible-lint
\n\u2502 args:
\n\u2502 state: present
\n\u2502 version: 5.4.0 # <- Pins the version to install with pip.
\n\u2502
\n\u2502 – name: Install some-package
\n\u2502 ansible.builtin.package:
\n\u2502 name: some-package
\n\u2502 state: present # <- Ensures the package is installed.
\n\u2502
\n\u2502 – name: Update Ansible with update_only to true
\n\u2502 ansible.builtin.yum:
\n\u2502 name: sudo
\n\u2502 state: latest
\n\u2502 update_only: true # <- Updates but does not install additional packages.
\nversion_added \u2502 historic
\ntags \u2502 idempotency
\nseverity \u2502 VERY_LOW
\n\u2575
\n\u2577
\nparser-error \u2502 AnsibleParserError.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 Ansible parser fails; this usually indicates an invalid file.
\nversion_added \u2502 v5.0.0
\ntags \u2502 core
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\npartial-become \u2502 become_user requires become to work as expected.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # partial-become
\n\u2502
\n\u2502 This rule checks that privilege escalation is activated when changing users.
\n\u2502
\n\u2502 To perform an action as a different user with the become_user directive, you must set become: true.
\n\u2502
\n\u2502 While Ansible inherits have of `become` and `become_user` from upper levels,
\n\u2502 like play level or command line, we do not look at these values. This rule
\n\u2502 requires you to be explicit and always define both in the same place, mainly
\n\u2502 in order to prevent accidents when some tasks are moved from one location to
\n\u2502 another one.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Start the httpd service as the apache user
\n\u2502 ansible.builtin.service:
\n\u2502 name: httpd
\n\u2502 state: started
\n\u2502 become_user: apache # <- Does not change the user because “become: true” is not set.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Start the httpd service as the apache user
\n\u2502 ansible.builtin.service:
\n\u2502 name: httpd
\n\u2502 state: started
\n\u2502 become: true # <- Activates privilege escalation.
\n\u2502 become_user: apache # <- Changes the user with the desired privileges.
\nversion_added \u2502 historic
\ntags \u2502 unpredictability
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\nplaybook-extension \u2502 Use “.yml” or “.yaml” playbook extension.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # playbook-extension
\n\u2502
\n\u2502 This rule checks the file extension for playbooks is either .yml or .yaml. Ansible playbooks are
\n\u2502 expressed in YAML format with minimal syntax.
\n\u2502
\n\u2502 The YAML syntax reference provides additional detail.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 This rule is triggered if Ansible playbooks do not have a file extension or use an unsupported file
\n\u2502 extension such as playbook.json or playbook.xml.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 Save Ansible playbooks as valid YAML with the .yml or .yaml file extension.
\nversion_added \u2502 v4.0.0
\ntags \u2502 formatting
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nrisky-file-permissions \u2502 File permissions unset or incorrect.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # risky-file-permissions
\n\u2502
\n\u2502 This rule is triggered by various modules that could end up creating new files on disk with permissions
\n\u2502 that might be too open, or unpredictable. Please read the documentation of each module carefully to
\n\u2502 understand the implications of using different argument values, as these make the difference between
\n\u2502 using the module safely or not. The fix depends on each module and also your particular situation.
\n\u2502
\n\u2502 Some modules have a create argument that defaults to true. For those you either need to set create:
\n\u2502 false or provide some permissions like mode: 0600 to make the behavior predictable and not dependent on
\n\u2502 the current system settings.
\n\u2502
\n\u2502 Modules that are checked:
\n\u2502
\n\u2502 \u2022 ansible.builtin.assemble
\n\u2502 \u2022 ansible.builtin.copy
\n\u2502 \u2022 ansible.builtin.file
\n\u2502 \u2022 ansible.builtin.get_url
\n\u2502 \u2022 ansible.builtin.replace
\n\u2502 \u2022 ansible.builtin.template
\n\u2502 \u2022 community.general.archive
\n\u2502 \u2022 community.general.ini_file
\n\u2502
\n\u2502 This rule does not take
\n\u2502 [module_defaults](https:\/\/docs.ansible.com\/ansible\/latest\/user_guide\/playbooks_module_defaults.html)
\n\u2502 configuration into account.
\n\u2502 There are currently no plans to implement this feature because changing task location can also change
\n\u2502 task behavior.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – name: Unsafe example of using ini_file
\n\u2502 community.general.ini_file:
\n\u2502 path: foo
\n\u2502 create: true
\n\u2502 mode: preserve
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 – name: Safe example of using ini_file (1st solution)
\n\u2502 community.general.ini_file:
\n\u2502 path: foo
\n\u2502 create: false # prevents creating a file with potentially insecure permissions
\n\u2502 mode: preserve
\n\u2502
\n\u2502 – name: Safe example of using ini_file (2nd solution)
\n\u2502 community.general.ini_file:
\n\u2502 path: foo
\n\u2502 mode: 0600 # explicitly sets the desired permissions, to make the results predictable
\n\u2502 mode: preserve
\n\u2502
\n\u2502 (more)
\nversion_added \u2502 v4.3.0
\ntags \u2502 unpredictability, experimental
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\nrisky-octal \u2502 Octal file permissions must contain leading zero or be a string.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # risky-octal
\n\u2502
\n\u2502 This rule checks that octal file permissions either contain a leading zero or are a string value.
\n\u2502
\n\u2502 Modules that are checked:
\n\u2502
\n\u2502 \u2022 ansible.builtin.assemble
\n\u2502 \u2022 ansible.builtin.copy
\n\u2502 \u2022 ansible.builtin.file
\n\u2502 \u2022 ansible.builtin.replace
\n\u2502 \u2022 ansible.builtin.template
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Unsafe example of declaring Numeric file permissions
\n\u2502 ansible.builtin.file:
\n\u2502 path: \/etc\/foo.conf
\n\u2502 owner: foo
\n\u2502 group: foo
\n\u2502 mode: 644
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Safe example of declaring Numeric file permissions (1st solution)
\n\u2502 ansible.builtin.file:
\n\u2502 path: \/etc\/foo.conf
\n\u2502 owner: foo
\n\u2502 group: foo
\n\u2502 mode: 0644 # <- Leading zero will prevent Numeric file permissions to behave in unexpected ways.
\n\u2502 – name: Safe example of declaring Numeric file permissions (2nd solution)
\n\u2502 ansible.builtin.file:
\n\u2502 path: \/etc\/foo.conf
\n\u2502 owner: foo
\n\u2502 group: foo
\n\u2502 mode: “644” # <- Being in a string will prevent Numeric file permissions to behave in unexpected
\n\u2502 ways.
\n\u2502
\n\u2502 (more)
\nversion_added \u2502 historic
\ntags \u2502 formatting
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\nrisky-shell-pipe \u2502 Shells that use pipes should set the pipefail option.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # risky-shell-pipe
\n\u2502
\n\u2502 This rule checks for the bash pipefail option with the Ansible shell module.
\n\u2502
\n\u2502 You should always set pipefail when piping output from a command to another. The return status of a
\n\u2502 pipeline is the exit status of the command. The pipefail option ensures that tasks fail as expected if
\n\u2502 the first command fails.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 tasks:
\n\u2502 – name: Pipeline without pipefail
\n\u2502 shell: false | cat
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 become: no
\n\u2502 tasks:
\n\u2502 – name: Pipeline with pipefail
\n\u2502 shell: set -o pipefail && false | cat
\n\u2502
\n\u2502 – name: Pipeline with pipefail, multi-line
\n\u2502 shell: |
\n\u2502 set -o pipefail # <– adding this will prevent surprises
\n\u2502 false | cat
\nversion_added \u2502 v4.1.0
\ntags \u2502 command-shell
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nrole-name \u2502 Role name {0} does not match ^[a-z][a-z0-9_]*$ pattern.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # role-name
\n\u2502
\n\u2502 This rule checks role names to ensure they conform with requirements.
\n\u2502
\n\u2502 Role names must contain only lowercase alphanumeric characters and the underscore _ character. Role
\n\u2502 names must also start with an alphabetic character.
\n\u2502
\n\u2502 For more information see the roles directory topic in Ansible documentation.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 roles:
\n\u2502 – 1myrole # <- Does not start with an alphabetic character.
\n\u2502 – myrole2[*^ # <- Contains invalid special characters.
\n\u2502 – myRole_3 # <- Contains uppercase alphabetic characters.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 roles:
\n\u2502 – myrole1 # <- Starts with an alphabetic character.
\n\u2502 – myrole2 # <- Contains only alphanumeric characters.
\n\u2502 – myrole_3 # <- Contains only lowercase alphabetic characters.
\n\u2502
\n\u2502 (more)
\nversion_added \u2502 v4.3.0
\ntags \u2502 deprecations, metadata
\nseverity \u2502 HIGH
\n\u2575
\n\u2577
\nrun-once \u2502 Run once should use strategy other than free.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # run-once
\n\u2502
\n\u2502 This rule warns against the use of run_once when strategy is set to free.
\n\u2502
\n\u2502 This rule can produce the following messages:
\n\u2502
\n\u2502 \u2022 run_once[play]: Play uses strategy: free.
\n\u2502 \u2022 run_once[task]: Using run_once may behave differently if strategy is set to free.
\n\u2502
\n\u2502 For more information see the following topics in Ansible documentation:
\n\u2502
\n\u2502 \u2022 free strategy
\n\u2502 \u2022 selecting a strategy
\n\u2502 \u2022 run_once(playbook keyword) more info
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: “Example with run_once”
\n\u2502 hosts: all
\n\u2502 strategy: free # <– avoid use of strategy as free
\n\u2502 gather_facts: false
\n\u2502 tasks:
\n\u2502 – name: Task with run_once
\n\u2502 ansible.builtin.debug:
\n\u2502 msg: “Test”
\n\u2502 run_once: true # <– avoid use of strategy as free at play level when using run_once at task level
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 – name: “Example without run_once”
\n\u2502 hosts: all
\n\u2502 gather_facts: false
\n\u2502 tasks:
\n\u2502 – name: Task without run_once
\n\u2502 ansible.builtin.debug:
\n\u2502 msg: “Test”
\n\u2502
\n\u2502 (more)
\ntags \u2502 idiom, experimental
\nseverity \u2502 MEDIUM
\n\u2575
\n\u2577
\nschema \u2502 Perform JSON Schema Validation for known lintable kinds.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # schema
\n\u2502
\n\u2502 The schema rule validates Ansible metadata files against JSON schemas. These schemas ensure the
\n\u2502 compatibility of Ansible syntax content across versions.
\n\u2502
\n\u2502 This schema rule is mandatory. You cannot use inline noqa comments to ignore it.
\n\u2502
\n\u2502 Ansible-lint validates the schema rule before processing other rules. This prevents unexpected syntax
\n\u2502 from triggering multiple rule violations.
\n\u2502
\n\u2502 ## Validated schema
\n\u2502
\n\u2502 Ansible-lint currently validates several schemas that are maintained in separate projects and updated
\n\u2502 independently to ansible-lint.
\n\u2502
\n\u2502 \u258c Report bugs related to schema in their respective repository and not in the ansible-lint project.
\n\u2502
\n\u2502 Maintained in the ansible-lint project:
\n\u2502
\n\u2502 \u2022 schema[ansible-lint-config] validates ansible-lint configuration
\n\u2502
\n\u2502 Maintained in the ansible-navigator project:
\n\u2502
\n\u2502 \u2022 schema[ansible-navigator] validates ansible-navigator configuration
\n\u2502
\n\u2502 Maintained in the Ansible schemas project:
\n\u2502
\n\u2502 \u2022 schema[arg_specs] validates module argument specs
\n\u2502 \u2022 schema[execution-environment] validates execution environments
\n\u2502 \u2022 schema[galaxy] validates collection metadata.
\n\u2502 \u2022 schema[inventory] validates inventory files that match inventory\/*.yml.
\n\u2502 \u2022 schema[meta-runtime] validates runtime information that matches meta\/runtime.yml
\n\u2502 \u2022 schema[meta] validates metadata for roles that match meta\/main.yml. See role-dependencies or
\n\u2502 role\/metadata.py) for details.
\n\u2502 \u2022 schema[playbook] validates Ansible playbooks.
\n\u2502 \u2022 schema[requirements] validates Ansible requirements files that match requirements.yml.
\n\u2502 \u2022 schema[tasks] validates Ansible task files that match tasks\/**\/*.yml.
\n\u2502 \u2022 schema[vars] validates Ansible variables that match vars\/*.yml and defaults\/*.yml.
\n\u2502
\n\u2502 ## schema
\n\u2502
\n\u2502 For meta\/main.yml files, Ansible-lint requires a galaxy_info.standalone property that clarifies if a
\n\u2502 role is an old standalone one or a new one, collection based:
\n\u2502
\n\u2502 galaxy_info:
\n\u2502 standalone: true # <– this is a standalone role (not part of a collection)
\n\u2502
\n\u2502 Ansible-lint requires the standalone key to avoid confusion and provide more specific error messages.
\n\u2502 For example, the meta schema will require some properties only for standalone roles or prevent the use
\n\u2502 of some properties that are not supported by collections.
\n\u2502
\n\u2502 You cannot use an empty meta\/main.yml file or use only comments in the meta\/main.yml file.
\nversion_added \u2502 v6.1.0
\ntags \u2502 core, experimental
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\nsyntax-check \u2502 Ansible syntax check failed.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # syntax-check
\n\u2502
\n\u2502 Our linter runs ansible-playbook –syntax-check on all playbooks, and if any of these reports a syntax
\n\u2502 error, this stops any further processing of these files.
\n\u2502
\n\u2502 This error cannot be disabled due to being a prerequisite for other steps. You can exclude these files
\n\u2502 from linting, but it is better to make sure they can be loaded by Ansible. This is often achieved by
\n\u2502 editing the inventory file and\/or ansible.cfg so ansible can load required variables.
\n\u2502
\n\u2502 If undefined variables cause the failure, you can use the jinja default() filter to provide fallback
\n\u2502 values, like in the example below.
\n\u2502
\n\u2502 This rule is among the few unskippable rules that cannot be added to skip_list or warn_list. One
\n\u2502 possible workaround is to add the entire file to the exclude_paths. This is a valid approach for special
\n\u2502 cases, like testing fixtures that are invalid on purpose.
\n\u2502
\n\u2502 One of the most common sources of errors is failure to assert the presence of various variables at the
\n\u2502 beginning of the playbook.
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 —
\n\u2502 – name: Bad use of variable inside hosts block (wrong assumption of it being defined)
\n\u2502 hosts: “{{ my_hosts }}”
\n\u2502 tasks: []
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 – name: Good use of variable inside hosts, without assumptions
\n\u2502 hosts: “{{ my_hosts | default([]) }}”
\n\u2502 tasks: []
\nversion_added \u2502 v5.0.0
\ntags \u2502 core
\nseverity \u2502 VERY_HIGH
\n\u2575
\n\u2577
\nvar-naming \u2502 All variables should be named using only lowercase and underscores.
\n\u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574
\ndescription \u2502 # var-naming
\n\u2502
\n\u2502 This rule checks variable names to ensure they conform with requirements.
\n\u2502
\n\u2502 Variable names must contain only lowercase alphanumeric characters and the underscore _ character.
\n\u2502 Variable names must also start with either an alphabetic or underscore _ character.
\n\u2502
\n\u2502 For more information see the creating valid variable names topic in Ansible documentation.
\n\u2502
\n\u2502 ## Problematic Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 vars:
\n\u2502 CamelCase: true # <- Contains a mix of lowercase and uppercase characters.
\n\u2502 ALL_CAPS: bar # <- Contains only uppercase characters.
\n\u2502 v@r!able: baz # <- Contains special characters.
\n\u2502
\n\u2502 ## Correct Code
\n\u2502
\n\u2502 —
\n\u2502 – name: Example playbook
\n\u2502 hosts: localhost
\n\u2502 vars:
\n\u2502 lowercase: true # <- Contains only lowercase characters.
\n\u2502 no_caps: bar # <- Does not contains uppercase characters.
\n\u2502 variable: baz # <- Does not contain special characters. version_added \u2502 v5.0.10 tags \u2502 idiom, experimental severity \u2502 MEDIUM \u2575 \u2577 warning \u2502 Other warnings detected during run. \u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574 description \u2502 # warning \u2502 \u2502 warning is a special type of internal rule that is used to report generic runtime warnings found during \u2502 execution. As stated by its name, they are not counted as errors, so they do not influence the final \u2502 outcome. \u2502 \u2502 \u2022 warning[empty-playbook] is raised when a playbook file has no content. \u2502 \u2022 warning[raw-non-string] indicates that you are using \u2502 [raw](http:\/\/docs.ansible.com\/ansible\/latest\/collections\/ansible\/builtin\/raw_module.html#ansible-col\u2026 \u2502 module with non-string arguments, which is not supported by Ansible. version_added \u2502 v6.8.0 tags \u2502 core, experimental severity \u2502 LOW \u2575 \u2577 yaml \u2502 Violations reported by yamllint. \u2576\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2574 description \u2502 # yaml \u2502 \u2502 This rule checks YAML syntax and is an implementation of yamllint. \u2502 \u2502 You can disable YAML syntax violations by adding yaml to the skip_list in your Ansible-lint \u2502 configuration as follows: \u2502 \u2502 skip_list: \u2502 – yaml \u2502 \u2502 For more fine-grained control, disable violations for specific rules using tag identifiers in the \u2502 yaml[yamllint_rule] format as follows: \u2502 \u2502 skip_list: \u2502 – yaml[trailing-spaces] \u2502 – yaml[indentation] \u2502 \u2502 If you want Ansible-lint to report YAML syntax violations as warnings, and not fatal errors, add tag \u2502 identifiers to the warn_list in your configuration, for example: \u2502 \u2502 warn_list: \u2502 – yaml[document-start] \u2502 \u2502 See the list of yamllint rules for more information. \u2502 \u2502 Some of the detailed error codes that you might see are: \u2502 \u2502 \u2022 yaml[brackets] – too few spaces inside empty brackets, or too many spaces inside brackets \u2502 \u2022 yaml[colons] – too many spaces before colon, or too many spaces after colon \u2502 \u2022 yaml[commas] – too many spaces before comma, or too few spaces after comma \u2502 \u2022 yaml[comments-indentation] – Comment not indented like content \u2502 \u2022 yaml[comments] – Too few spaces before comment, or Missing starting space in comment \u2502 \u2022 yaml[document-start] – missing document start “—” or found forbidden document start “—” \u2502 \u2022 yaml[empty-lines] – too many blank lines (…> …)
\n\u2502 \u2022 yaml[indentation] – Wrong indentation: expected … but found …
\n\u2502 \u2022 yaml[key-duplicates] – Duplication of key “…” in mapping
\n\u2502 \u2022 yaml[new-line-at-end-of-file] – No new line character at the end of file
\n\u2502 \u2022 yaml[syntax] – YAML syntax is broken
\n\u2502 \u2022 yaml[trailing-spaces] – Spaces are found at the end of lines
\n\u2502 \u2022 yaml[truthy] – Truthy value should be one of …
\n\u2502
\n\u2502 ## Problematic code
\n\u2502
\n\u2502 # Missing YAML document start.
\n\u2502 foo: …
\n\u2502 foo: … # <– Duplicate key.
\n\u2502 bar: … # <– Incorrect comment indentation
\n\u2502
\n\u2502 ## Correct code
\n\u2502
\n\u2502 —
\n\u2502 foo: …
\n\u2502 bar: … # Correct comment indentation.
\n\u2502
\n\u2502 (more)
\nversion_added \u2502 v5.0.0
\ntags \u2502 formatting, yaml
\nseverity \u2502 VERY_LOW<\/details>\n\u8f93\u51fa\u683c\u5f0f\u53ef\u4ee5\u6307\u5b9a\u4e3a”rich\u3001plain\u3001md”\u3002\u5982\u679c\u4e0d\u6307\u5b9a\uff0c\u5219\u9ed8\u8ba4\u4e3arich\u683c\u5f0f\u7684\u8f93\u51fa\u3002<\/p>\n
\u5c55\u793a\u663e\u793a\u7531\u6807\u7b7e\u5b9a\u4e49\u7684\u89c4\u5219\uff08\u663e\u793a\u89c4\u5219\u7684\u7ec6\u5206\u7c7b\u522b\uff09\u3010-T, –\u5217\u51fa\u6807\u7b7e\u3011<\/h3>\n
\u5c55\u793a\u6bcf\u4e2a\u89c4\u5219\u662f\u5982\u4f55\u5206\u7c7b\u7684\u3002\u540c\u65f6\uff0c\u53ef\u4ee5\u901a\u8fc7\u6307\u5b9a\u6807\u7b7e\u6765\u4ec5\u5bf9\u6307\u5b9a\u6807\u7b7e\u7684\u89c4\u5219\u6267\u884cAnsible lint\u3002\u8fd9\u80fd\u8ba9\u4f60\u4e86\u89e3Ansible lint\u89c4\u5219\u7684\u57fa\u672c\u601d\u60f3\u3002<\/p>\n
ansible-lint -T<\/span>\r\n## \u3082\u3057\u304f\u306f<\/span>\r\nansible-lint --list-tags<\/span>\r\n\r\n# List of tags and rules they cover<\/span>\r\ncommand-shell: # Specific to use of command and shell modules<\/span>\r\n - command-instead-of-module\r\n - command-instead-of-shell\r\n - deprecated-command-syntax\r\n - inline-env-var\r\n - no-changed-when\r\n - risky-shell-pipe\r\ncore: # Related to internal implementation of the linter<\/span>\r\n - internal-error\r\n - load-failure\r\n - parser-error\r\n - syntax-check\r\n - warning\r\n - schema\r\ndeprecations: # Indicate use of features that are removed from Ansible<\/span>\r\n - deprecated-bare-vars\r\n - deprecated-command-syntax\r\n - deprecated-local-action\r\n - deprecated-module\r\n - no-jinja-when\r\n - role-name\r\nexperimental: # Newly introduced rules, by default triggering only warnings<\/span>\r\n - warning\r\n - avoid-implicit\r\n - galaxy\r\n - ignore-errors\r\n - key-order\r\n - no-free-form\r\n - no-log-password\r\n - no-prompting\r\n - only-builtins\r\n - risky-file-permissions\r\n - run-once\r\n - schema\r\n - var-naming\r\nformatting: # Related to code-style<\/span>\r\n - yaml\r\n - fqcn\r\n - jinja\r\n - key-order\r\n - no-tabs\r\n - playbook-extension\r\n - risky-octal\r\nidempotency: # Possible indication that consequent runs would produce different results<\/span>\r\n - latest\r\n - no-changed-when\r\n - package-latest\r\nidiom: # Anti-pattern detected, likely to cause undesired behavior<\/span>\r\n - command-instead-of-module\r\n - command-instead-of-shell\r\n - empty-string-compare\r\n - inline-env-var\r\n - literal-compare\r\n - loop-var-prefix\r\n - name\r\n - no-handler\r\n - no-relative-paths\r\n - run-once\r\n - var-naming\r\nmetadata: # Invalid metadata, likely related to galaxy, collections or roles<\/span>\r\n - galaxy\r\n - meta-incorrect\r\n - meta-no-info\r\n - meta-no-tags\r\n - meta-video-links\r\n - role-name\r\nopt-in: # Rules that are not used unless manually added to `enable_list`<\/span>\r\n - empty-string-compare\r\n - galaxy\r\n - no-log-password\r\n - no-prompting\r\n - no-same-owner\r\n - only-builtins\r\nrisk:\r\n - no-free-form\r\nsecurity: # Rules related o potentially security issues, like exposing credentials<\/span>\r\n - no-log-password\r\nsyntax:\r\n - no-free-form\r\nunpredictability: # Warn about code that might not work in a predictable way<\/span>\r\n - avoid-implicit\r\n - ignore-errors\r\n - partial-become\r\n - risky-file-permissions\r\nunskippable: # Indicate a fatal error that cannot be ignored or disabled<\/span>\r\n - load-failure\r\nyaml: # External linter which will also produce its own rule codes<\/span>\r\n - yaml\r\n<\/code><\/pre>\n\u6307\u5b9a\u8f93\u51fa\u683c\u5f0f\u3010-f\uff0c–format\u3011\u3002<\/h3>\n
\u201c\u6307\u5b9a\u8f93\u51fa\u547d\u4ee4\u7ed3\u679c\u7684\u683c\u5f0f\u3002\u53ef\u6307\u5b9a\u7684\u683c\u5f0f\u6709\u4ee5\u4e0b\u51e0\u79cd\u3002\u201d<\/p>\n
\n- \n
rich<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
plain<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
md<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
json<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
codeclimate<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
quiet<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
pep8<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
sarif<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
docs<\/ul>\n\u6210\u4e3a\u3002<\/p>\n
ansible-lint\r\nWARNING Listing 1 violation(<\/span>s)<\/span> that are fatal\r\nroles\/create-backup:1: role-name: Role name create-backup does not match ``<\/span>^*<\/span>$`<\/span>`<\/span> pattern. (<\/span>warning)<\/span>\r\n\r\n Rule Violation Summary \r\n count tag profile rule associated tags \r\n 1 role-name basic deprecations, metadata (<\/span>warning)<\/span> \r\n\r\nPassed with min profile: 0 failure(<\/span>s)<\/span>, 1 warning(<\/span>s)<\/span> on 15 files.\r\nA new release of ansible-lint is available: 6.8.4 \u2192 6.8.5 Upgrade by running: pip3 install<\/span> --user<\/span> --upgrade<\/span> ansible-lint\r\n<\/code><\/pre>\nansible-lint<\/span> -f<\/span> json<\/span>\r\n[{<\/span>\"type\"<\/span>