Custom Terraform / IaC lint rules — stdlib, pre-commit-friendly.
Project description
sarj-iac-lint
Custom Terraform / IaC lint rules — stdlib only, line/block based, pre-commit-friendly. Mined from recurring infra review comments across the org.
```
uv tool install sarj-iac-lint
```
Rules
| Code | Rule | What it flags |
|---|---|---|
| SARJ201 | require-deletion-protection | A stateful resource (Cloud SQL, GKE, BigQuery, Spanner, AlloyDB, Bigtable, RDS, DynamoDB, ElastiCache, DocumentDB, Neptune, Azure databases, Cosmos DB, ...) without deletion_protection = true. |
| SARJ202 | no-comment-cruft | Commented-out Terraform/HCL and section-banner / divider comments. |
.tf, .hcl, and .tfvars files are scanned by all rules; .yaml/.yml
(Helm/k8s/Compose) are scanned by no-comment-cruft for banners only.
Pre-commit
```yaml
- repo: https://github.com/sarj-ai/standards
  rev: iac-v0.2.0
  hooks:
    - id: sarj-require-deletion-protection
    - id: sarj-no-comment-cruft-iac
```
CLI
```
sarj-iac-lint check --rule require-deletion-protection iac/
sarj-iac-lint list-rules
```
Diagnostic format is path:line:col: CODE message — Ruff-compatible.
--exit-zero reports without failing (warn mode).
Adoption
require-deletion-protection and no-comment-cruft have ~zero false positives —
run them as hard (blocking) hooks.
require-deletion-protection treats variable/expression-gated protection
(deletion_protection = var.enabled) and lifecycle { prevent_destroy = true }
as protected — only a literal = false or a total absence is flagged.
Suppression
Inline # sarj-noqa: SARJ201 — <reason> on the offending line (the resource
line for SARJ201).
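The SARJ201 semantics described under Adoption and Suppression, as an added sketch that is not the project's own code: a line/block-based check that flags only a literal `false` or a missing attribute, honours `prevent_destroy` and the inline `sarj-noqa` marker, and emits `path:line:col: CODE message` diagnostics. The resource-type subset, the message wording, column 1, and letting `prevent_destroy = true` win over a literal `false` are assumptions; the Terraform input is constructed.

```python
import re

# Assumptions: illustrative subset of stateful types; message text is constructed.
STATEFUL = {"google_sql_database_instance", "aws_db_instance"}
RESOURCE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR = re.compile(r'^\s*deletion_protection\s*=\s*(\S.*)$')
PREVENT = re.compile(r'\bprevent_destroy\s*=\s*true\b')
NOQA = re.compile(r'#\s*sarj-noqa:\s*SARJ201\b')

def check(path, text):
    """Return 'path:line:col: CODE message' diagnostics for unprotected resources."""
    diags, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        head = RESOURCE.match(lines[i])
        if not head or head.group(1) not in STATEFUL:
            i += 1
            continue
        start, depth, protected = i, 0, False
        while i < len(lines):
            # Simplification: '#' or braces inside string literals are not handled.
            code = lines[i].split("#", 1)[0]
            attr = ATTR.match(code) if depth == 1 else None
            if PREVENT.search(code) or (attr and attr.group(1).strip() != "false"):
                protected = True  # literal true, expression-gated, or prevent_destroy
            depth += code.count("{") - code.count("}")
            i += 1
            if depth == 0:
                break
        if not protected and not NOQA.search(lines[start]):
            diags.append(f"{path}:{start + 1}:1: SARJ201 {head.group(1)}."
                         f"{head.group(2)} lacks deletion_protection = true")
    return diags

# Constructed Terraform input covering each case described above.
SAMPLE = '''\
resource "google_sql_database_instance" "absent" {
}
resource "aws_db_instance" "gated" {
  deletion_protection = var.enabled
}
resource "aws_db_instance" "off" {
  deletion_protection = false
}
resource "google_sql_database_instance" "pinned" {
  lifecycle { prevent_destroy = true }
}
resource "aws_db_instance" "scratch" {} # sarj-noqa: SARJ201 — throwaway
'''
print(*check("main.tf", SAMPLE), sep="\n")
```

Only the `absent` and `off` resources are reported; the variable-gated, `prevent_destroy` and suppressed resources pass.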
File details
Details for the file sarj_iac_lint-0.2.0.tar.gz.
File metadata
- Download URL: sarj_iac_lint-0.2.0.tar.gz
- Upload date:
- Size: 8.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 47acbe209ff6590fa463099ba5d4085fb6cdc8db8bceacf85661374024a1c387 |
| MD5 | 3d2569d83059524fa87aa1e27b7f2727 |
| BLAKE2b-256 | 51c01a6841a7ffd4ff232e1ea175860c38b12847d359ff3947fdd606dd45a394 |
Provenance
The following attestation bundles were made for sarj_iac_lint-0.2.0.tar.gz:
Publisher: release.yml on sarj-ai/standards
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: sarj_iac_lint-0.2.0.tar.gz
  - Subject digest: 47acbe209ff6590fa463099ba5d4085fb6cdc8db8bceacf85661374024a1c387
  - Sigstore transparency entry: 2013687662
  - Sigstore integration time:
- Permalink: sarj-ai/standards@94e9a5eca8056544d778e251019886dc1fd54d57
- Branch / Tag: refs/heads/main
- Owner: https://github.com/sarj-ai
- Access: internal
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@94e9a5eca8056544d778e251019886dc1fd54d57
- Trigger Event: push
File details
Details for the file sarj_iac_lint-0.2.0-py3-none-any.whl.
File metadata
- Download URL: sarj_iac_lint-0.2.0-py3-none-any.whl
- Upload date:
- Size: 11.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7073f4f75decbf3e367c170f16d61a1024d81cbef2e512a32409a9ad8f3da02d |
| MD5 | 9de547ff14a9736b76693f81191f7de8 |
| BLAKE2b-256 | bd7fc20580a00c57b32489b21ca126325552cd66b4ba4dad252bc497841a3ecb |
Provenance
The following attestation bundles were made for sarj_iac_lint-0.2.0-py3-none-any.whl:
Publisher: release.yml on sarj-ai/standards
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: sarj_iac_lint-0.2.0-py3-none-any.whl
  - Subject digest: 7073f4f75decbf3e367c170f16d61a1024d81cbef2e512a32409a9ad8f3da02d
  - Sigstore transparency entry: 2013687730
  - Sigstore integration time:
- Permalink: sarj-ai/standards@94e9a5eca8056544d778e251019886dc1fd54d57
- Branch / Tag: refs/heads/main
- Owner: https://github.com/sarj-ai
- Access: internal
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@94e9a5eca8056544d778e251019886dc1fd54d57
- Trigger Event: push