yamllint VS cfn_nag

Compare yamllint vs cfn_nag and see what are their differences.

Our great sponsors
  • Scout APM - Less time debugging, more time building
  • SonarLint - Deliver Cleaner and Safer Code - Right in Your IDE of Choice!
  • SaaSHub - Software Alternatives and Reviews
yamllint cfn_nag
7 6
1,917 1,025
- 2.8%
5.7 5.1
24 days ago 6 days ago
Python Ruby
GNU General Public License v3.0 only MIT License
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.


Posts with mentions or reviews of yamllint. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-03-09.
  • Anyone actually fluent in YAML?
    1 project | reddit.com/r/devops | 20 Mar 2022
  • Let CI check & fix your yamls
    8 projects | dev.to | 9 Mar 2022
    yamlfixer automates the fixing of problems reported by yamllint by parsing its output.
  • Modern Python setup for quality development
    11 projects | dev.to | 7 Jan 2022
    repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.0.1 hooks: - id: check-added-large-files - id: check-ast - id: check-builtin-literals - id: check-case-conflict - id: check-docstring-first - id: check-executables-have-shebangs - id: check-json - id: check-merge-conflict - id: check-symlinks - id: check-toml - id: check-vcs-permalinks - id: check-xml - id: check-yaml args: [--allow-multiple-documents] - id: debug-statements - id: detect-aws-credentials args: [--allow-missing-credentials] - id: destroyed-symlinks - id: end-of-file-fixer - id: fix-byte-order-marker - id: fix-encoding-pragma args: [--remove] - id: forbid-new-submodules - id: mixed-line-ending args: [--fix=auto] - id: name-tests-test args: [--django] - id: requirements-txt-fixer - id: trailing-whitespace - repo: local hooks: - id: black name: black entry: poetry run black language: system types: [python] - id: flake8 name: flake8 entry: poetry run flake8 language: system types: [python] - repo: https://github.com/pycqa/isort rev: "5.9.1" hooks: - id: isort args: - --profile - black - --filter-files - repo: https://github.com/adrienverge/yamllint.git rev: v1.26.1 hooks: - id: yamllint args: [-c=.yamllint.yaml] - repo: https://gitlab.com/devopshq/gitlab-ci-linter rev: v1.0.2 hooks: - id: gitlab-ci-linter args: - "--server" - "https://your.gitlab.server" # Need env var GITLAB_PRIVATE_TOKEN with gitlab api read token - repo: https://github.com/commitizen-tools/commitizen rev: v2.17.11 hooks: - id: commitizen stages: [commit-msg] - repo: https://github.com/jumanjihouse/pre-commit-hooks rev: 2.1.5 # or specific git tag hooks: - id: forbid-binary - id: shellcheck - id: shfmt
  • YAML formatter recommendation
    1 project | reddit.com/r/commandline | 3 Dec 2021
    If you wanted a linter.
  • CloudFormation Noob - using YAML
    2 projects | reddit.com/r/AWS_Certified_Experts | 9 Oct 2021
    Or, run Yamllint externally. I do this, because I have more control: https://github.com/adrienverge/yamllint
  • The Norway Problem
    18 projects | news.ycombinator.com | 3 Apr 2021
    You can catch this with yamllint (https://github.com/adrienverge/yamllint):

        % cat countries.yml
  • New to Saltstack
    1 project | reddit.com/r/saltstack | 18 Mar 2021
    A tool like yamllint online (don't send any confidential data to it)/offline might help you in writing syntactically correct YAML.


Posts with mentions or reviews of cfn_nag. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-05-19.
  • Source Control your AWS CloudFormation templates with GitHub
    3 projects | dev.to | 19 May 2022
    There is another tool called cfn_nag that can check your code for potentially any insecure infrastructure. When you read the documentation around this tool, the author says it can check for things such as:
  • Install cfn_nag on Windows
    1 project | dev.to | 17 May 2022
    I recently wanted to use the cfn-nag tool on some templates I was writing but couldn't find any instructions to install on Windows, but I have found a way to do it.
  • Static Analysis for Cloud Formation
    2 projects | dev.to | 29 Dec 2021
    cfn-nag: Verify that there is no code that poses a security risk.
  • Container security best practices: Comprehensive guide
    17 projects | dev.to | 16 Nov 2021
    If you are using infrastructure as code, incorporate IaC scanning tools like Apolicy, Checkov, tfsec, or cfn_nag to validate the configuration of your infrastructure before it is created or updated. Similar to other linting tools, apply IaC scanning tools locally and in your pipeline, and consider blocking changes that introduce security issues.
  • CloudFormation Noob - using YAML
    2 projects | reddit.com/r/AWS_Certified_Experts | 9 Oct 2021
    Or, run a higher-level CloudFormation linter, like: https://github.com/stelligent/cfn_nag
  • CloudFormation Best Practices
    2 projects | dev.to | 5 Jan 2021
    cfn_nag is an open source command-line tool that performs static analysis of CloudFormation templates. It will search for insecure infrastructure like:

What are some alternatives?

When comparing yamllint and cfn_nag you can also consider the following projects:

checkov - Prevent cloud misconfigurations during build-time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.

cfn-python-lint - CloudFormation Linter

cue - CUE has moved to https://github.com/cue-lang/cue

pyyaml - Canonical source repository for PyYAML

aws-secure-environment-accelerator - The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account, multi-region AWS environments on an ongoing basis. The power of the solution is the configuration file which enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.

kubernetes - Production-Grade Container Scheduling and Management

SonarQube - Continuous Inspection

vscode-cloudformation-snippets - This extension adds snippets for all the AWS CloudFormation resources into Visual Studio Code.

pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.

tfsec - Security scanner for your Terraform code

edn - Extensible Data Notation

docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.