Develop

Cargo.toml

@@ -6,7 +6,18 @@ authors = ["Syncable Team"]
 description = "A Rust-based CLI that analyzes code repositories and generates Infrastructure as Code configurations"
 license = "GPL-3.0"
 repository = "https://github.com/syncable-dev/syncable-cli"
-keywords = ["iac", "infrastructure", "docker", "terraform", "cli"]
+keywords = [
+  "cli",
+  "devops",
+  "ai",
+  "ai-agent",
+  "infrastructure",
+  "iac",
+  "terraform",
+  "kubernetes",
+  "docker",
+  "security"
+]
 categories = ["command-line-utilities", "development-tools"]
 readme = "README.md"
 

THIRD_PARTY_NOTICES.md

@@ -83,6 +83,88 @@ original project.
 
 ---
 
+## KubeLint (kube-linter)
+
+The Kubernetes manifest linting functionality in `src/analyzer/kubelint/` is a Rust
+translation of the original kube-linter project by StackRox (Red Hat).
+
+**Original Project:** [kube-linter](https://github.com/stackrox/kube-linter)
+
+**Original Authors:**
+- StackRox, Inc. (now part of Red Hat)
+- And all contributors to the kube-linter project
+
+**Original License:** Apache License 2.0
+
+**Original Copyright:**
+```
+Copyright (c) 2020-2024 StackRox, Inc.
+```
+
+**What was translated:**
+- Kubernetes manifest parsing and validation logic (originally in Go)
+- 63 built-in security and best practice checks
+- Pragma/ignore directive handling via annotations
+- Helm chart rendering integration
+- Kustomize directory support
+- Check severity and priority system
+- SARIF and JSON output formats
+
+**Modifications made:**
+- Complete rewrite from Go to Rust
+- Integration with Syncable-CLI's agent and tool system
+- Native async support for streaming output
+- Adaptation to Rust error handling patterns
+- Graceful fallback for broken Helm charts
+- Additional rules and improvements specific to Syncable's use cases
+
+**License Notice:**
+This derivative work maintains compatibility with the Apache-2.0 license.
+The full text of the Apache-2.0 license can be found at:
+https://www.apache.org/licenses/LICENSE-2.0
+
+---
+
+## Helmlint (helmtest)
+
+The Helm chart linting functionality in `src/analyzer/helmlint/` is a Rust
+implementation inspired by and partially derived from the helmtest project
+by StackRox (Red Hat).
+
+**Original Project:** [helmtest](https://github.com/stackrox/helmtest)
+
+**Original Authors:**
+- StackRox, Inc. (now part of Red Hat)
+- And all contributors to the helmtest project
+
+**Original License:** Apache License 2.0
+
+**Original Copyright:**
+```
+Copyright (c) 2020-2024 StackRox, Inc.
+```
+
+**What was implemented:**
+- Helm chart structure validation (Chart.yaml, values.yaml)
+- Go template syntax analysis
+- Values validation and unused value detection
+- Security checks for rendered templates
+- Best practice validation patterns
+
+**Modifications made:**
+- Complete implementation in Rust (original was Go)
+- Integration with Syncable-CLI's agent and tool system
+- Native async support for streaming output
+- Adaptation to Rust error handling patterns
+- Additional rules (HL1xxx-HL5xxx series) specific to Syncable's use cases
+
+**License Notice:**
+This derivative work maintains compatibility with the Apache-2.0 license.
+The full text of the Apache-2.0 license can be found at:
+https://www.apache.org/licenses/LICENSE-2.0
+
+---
+
 ## ShellCheck (Rule Concepts)
 
 Some shell-related lint rules are inspired by ShellCheck.
@@ -101,11 +183,17 @@ concepts and documentation.
 
 ## Acknowledgments
 
-We are grateful to the open source community and the authors of Hadolint and
-docker-compose-linter for creating and maintaining excellent container configuration
-linting tools. These Rust implementations allow native integration with Syncable-CLI
-while preserving the valuable rule definitions and linting logic developed by the
-original authors.
+We are grateful to the open source community and the authors of:
+
+- **Hadolint** - For the comprehensive Dockerfile linting rules
+- **docker-compose-linter** - For Docker Compose best practices
+- **kube-linter (StackRox/Red Hat)** - For the extensive Kubernetes security checks
+- **helmtest (StackRox/Red Hat)** - For Helm chart validation patterns
+
+These Rust implementations allow native integration with Syncable-CLI while
+preserving the valuable rule definitions and linting logic developed by the
+original authors. Special thanks to StackRox (now part of Red Hat) for their
+excellent Kubernetes and Helm security tooling.
 
 If you are the author of any software mentioned here and believe the attribution
 is incorrect or incomplete, please open an issue at:

src/agent/mod.rs

@@ -362,6 +362,8 @@ pub async fn run_interactive(
                         .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                         .tool(HadolintTool::new(project_path_buf.clone()))
                         .tool(DclintTool::new(project_path_buf.clone()))
+                        .tool(KubelintTool::new(project_path_buf.clone()))
+                        .tool(HelmlintTool::new(project_path_buf.clone()))
                         .tool(TerraformFmtTool::new(project_path_buf.clone()))
                         .tool(TerraformValidateTool::new(project_path_buf.clone()))
                         .tool(TerraformInstallTool::new())
@@ -438,6 +440,8 @@ pub async fn run_interactive(
                         .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                         .tool(HadolintTool::new(project_path_buf.clone()))
                         .tool(DclintTool::new(project_path_buf.clone()))
+                        .tool(KubelintTool::new(project_path_buf.clone()))
+                        .tool(HelmlintTool::new(project_path_buf.clone()))
                         .tool(TerraformFmtTool::new(project_path_buf.clone()))
                         .tool(TerraformValidateTool::new(project_path_buf.clone()))
                         .tool(TerraformInstallTool::new())
@@ -518,6 +522,8 @@ pub async fn run_interactive(
                         .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                         .tool(HadolintTool::new(project_path_buf.clone()))
                         .tool(DclintTool::new(project_path_buf.clone()))
+                        .tool(KubelintTool::new(project_path_buf.clone()))
+                        .tool(HelmlintTool::new(project_path_buf.clone()))
                         .tool(TerraformFmtTool::new(project_path_buf.clone()))
                         .tool(TerraformValidateTool::new(project_path_buf.clone()))
                         .tool(TerraformInstallTool::new())
@@ -1410,6 +1416,8 @@ pub async fn run_query(
                 .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                 .tool(HadolintTool::new(project_path_buf.clone()))
                 .tool(DclintTool::new(project_path_buf.clone()))
+                .tool(KubelintTool::new(project_path_buf.clone()))
+                .tool(HelmlintTool::new(project_path_buf.clone()))
                 .tool(TerraformFmtTool::new(project_path_buf.clone()))
                 .tool(TerraformValidateTool::new(project_path_buf.clone()))
                 .tool(TerraformInstallTool::new())
@@ -1453,6 +1461,8 @@ pub async fn run_query(
                 .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                 .tool(HadolintTool::new(project_path_buf.clone()))
                 .tool(DclintTool::new(project_path_buf.clone()))
+                .tool(KubelintTool::new(project_path_buf.clone()))
+                .tool(HelmlintTool::new(project_path_buf.clone()))
                 .tool(TerraformFmtTool::new(project_path_buf.clone()))
                 .tool(TerraformValidateTool::new(project_path_buf.clone()))
                 .tool(TerraformInstallTool::new())
@@ -1499,6 +1509,8 @@ pub async fn run_query(
                 .tool(VulnerabilitiesTool::new(project_path_buf.clone()))
                 .tool(HadolintTool::new(project_path_buf.clone()))
                 .tool(DclintTool::new(project_path_buf.clone()))
+                .tool(KubelintTool::new(project_path_buf.clone()))
+                .tool(HelmlintTool::new(project_path_buf.clone()))
                 .tool(TerraformFmtTool::new(project_path_buf.clone()))
                 .tool(TerraformValidateTool::new(project_path_buf.clone()))
                 .tool(TerraformInstallTool::new())

src/agent/prompts/mod.rs

@@ -146,12 +146,23 @@ You have access to tools to help analyze and understand the project:
 - analyze_project - Detect languages, frameworks, dependencies, and architecture
 - security_scan - Find potential vulnerabilities and secrets
 - check_vulnerabilities - Check dependencies for known CVEs
-- hadolint - Lint Dockerfiles for best practices
-- terraform_fmt - Format Terraform configuration files
-- terraform_validate - Validate Terraform configurations
 - read_file - Read file contents
 - list_directory - List files and directories
 
+**Linting Tools (use NATIVE tools, not shell commands):**
+- hadolint - Lint Dockerfiles for best practices and security
+- dclint - Lint docker-compose files for best practices
+- kubelint - Lint Kubernetes manifests for SECURITY and BEST PRACTICES
+  • Use for: raw YAML files, Helm charts (renders them), Kustomize directories
+  • Checks: privileged containers, missing probes, RBAC issues, resource limits
+- helmlint - Lint Helm chart STRUCTURE and TEMPLATES (before rendering)
+  • Use for: Chart.yaml validation, values.yaml, Go template syntax
+  • Checks: chart metadata, template errors, undefined values, unclosed blocks
+
+**Terraform Tools:**
+- terraform_fmt - Format Terraform configuration files
+- terraform_validate - Validate Terraform configurations
+
 **Generation Tools:**
 - write_file - Write content to a file (creates parent directories automatically)
 - write_files - Write multiple files at once
@@ -220,6 +231,12 @@ pub fn get_code_development_prompt(project_path: &std::path::Path) -> String {
 - read_file - Read file contents
 - list_directory - List files and directories
 
+**Linting Tools (for DevOps artifacts):**
+- hadolint - Lint Dockerfiles
+- dclint - Lint docker-compose files
+- kubelint - Lint K8s manifests (security, best practices)
+- helmlint - Lint Helm charts (structure, templates)
+
 **Development Tools:**
 - write_file - Write or update a single file
 - write_files - Write multiple files at once
@@ -296,16 +313,29 @@ pub fn get_devops_prompt(project_path: &std::path::Path) -> String {
 - analyze_project - Detect languages, frameworks, dependencies, build commands
 - security_scan - Find potential vulnerabilities
 - check_vulnerabilities - Check dependencies for known CVEs
-- hadolint - Native Dockerfile linter (use this, NOT shell hadolint)
 - read_file - Read file contents
 - list_directory - List files and directories
 
+**Linting Tools (use NATIVE tools, not shell commands):**
+- hadolint - Native Dockerfile linter for best practices and security
+- dclint - Native docker-compose linter for best practices
+- kubelint - Native Kubernetes manifest linter for SECURITY and BEST PRACTICES
+  • Use for: K8s YAML files, Helm charts (renders them first), Kustomize directories
+  • Checks: privileged containers, missing probes, RBAC wildcards, resource limits
+- helmlint - Native Helm chart linter for STRUCTURE and TEMPLATES
+  • Use for: Chart.yaml, values.yaml, Go template syntax validation
+  • Checks: missing apiVersion, unused values, undefined template variables
+
+**Terraform Tools:**
+- terraform_fmt - Format Terraform configuration files
+- terraform_validate - Validate Terraform configurations
+
 **Generation Tools:**
 - write_file - Write Dockerfile, terraform config, helm values, etc.
 - write_files - Write multiple files (Terraform modules, Helm charts)
 
-**Validation Tools:**
-- shell - Execute validation commands (docker build, terraform validate, helm lint)
+**Shell Tool:**
+- shell - Execute build/test commands (docker build, terraform init)
 
 **Plan Execution Tools:**
 - plan_list - List available plans in plans/ directory
@@ -358,16 +388,24 @@ When the user says "execute the plan" or similar:
 1. **Analyze**: Use analyze_project to understand the project
 2. **Plan**: Determine what files need to be created
 3. **Generate**: Use write_file or write_files to create artifacts
-4. **Validate**:
-   - Docker: hadolint tool FIRST, then shell docker build
-   - Terraform: shell terraform init && terraform validate
-   - Helm: shell helm lint ./chart
+4. **Validate** (use NATIVE linting tools, not shell commands):
+   - **Docker**: hadolint tool FIRST, then shell docker build
+   - **docker-compose**: dclint tool
+   - **Terraform**: terraform_validate tool (or shell terraform init && terraform validate)
+   - **Helm charts**: helmlint tool for chart structure/templates
+   - **K8s manifests**: kubelint tool for security/best practices
+   - **Helm + K8s**: Use BOTH helmlint (structure) AND kubelint (security on rendered output)
 5. **Self-Correct**: If validation fails, analyze error, fix files, re-validate
 
-**CRITICAL for hadolint**: If hadolint finds ANY errors or warnings:
+**CRITICAL for linting tools**: If ANY linter finds errors or warnings:
 1. STOP and report ALL issues to the user FIRST
-2. Show each violation with line number, rule code, message
-3. DO NOT proceed to docker build until user acknowledges
+2. Show each violation with line number, rule code, message, and fix recommendation
+3. DO NOT proceed to build/deploy until user acknowledges or issues are fixed
+
+**When to use helmlint vs kubelint:**
+- helmlint: Chart.yaml issues, values.yaml unused values, template syntax errors
+- kubelint: Security (privileged, RBAC), best practices (probes, limits), after Helm renders
+- For Helm charts: Run BOTH - helmlint catches template issues, kubelint catches security issues
 </work_protocol>
 
 <error_handling>
@@ -554,7 +592,14 @@ Task status markers:
 - list_directory - List files and directories
 - shell - Run read-only commands only (ls, cat, grep, find, git status/log/diff)
 - analyze_project - Analyze project architecture, dependencies
-- hadolint - Lint Dockerfiles (read-only analysis)
+
+**Linting Tools (read-only analysis):**
+- hadolint - Lint Dockerfiles for best practices
+- dclint - Lint docker-compose files
+- kubelint - Lint K8s manifests for security/best practices (works on YAML, Helm charts, Kustomize)
+- helmlint - Lint Helm chart structure and templates
+
+**Planning Tools:**
 - **plan_create** - Create structured plan files with task checkboxes
 - **plan_list** - List existing plans in plans/ directory