For teams already using Prettier, it supports YAML formatting out of the box:
```bash
prettier --write "playbooks/**/*.yml"
```
Standardizing YAML formatting eliminates the most common source of noisy diffs: whitespace-only changes.
Security Scanning Ansible with ansible-lint and Checkov
ansible-lint includes security-focused rules by default, flagging tasks that use shell or command with potentially unsafe inputs, or roles missing proper privilege escalation guards.
Checkov also supports Ansible:
```bash
checkov -d . --framework ansible
```
It flags hardcoded secrets, missing no-log directives on sensitive tasks, and overly permissive file permissions.
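As an added illustration (not from the original article), here is the kind of task these scanners flag, followed by a remediated version. The module arguments are real Ansible options, but the task, path, variable name and owner are placeholders constructed for the example:

```yaml
# Constructed example: one task exhibiting all three findings named above,
# then the same task corrected. Path, variable and owner are placeholders.

# BEFORE: hardcoded secret, no no_log, world-writable file
- name: Write database credentials
  ansible.builtin.copy:
    dest: /etc/app/db.conf
    content: "password=SuperSecret123"   # secret committed to the repository
    mode: "0777"                          # overly permissive file mode
  # without no_log the rendered content is echoed into the job output

# AFTER: secret sourced from a vault-encrypted variable, output suppressed,
# least-privilege ownership and permissions on the written file
- name: Write database credentials
  ansible.builtin.copy:
    dest: /etc/app/db.conf
    content: "password={{ db_password }}"  # db_password lives in an ansible-vault file
    owner: app
    group: app
    mode: "0600"
  no_log: true                             # keep the secret out of task output
```

Running `ansible-lint` and `checkov --framework ansible` against the first task reproduces the three categories of finding; the second passes.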
Integrating into CI/CD
All of these tools become most valuable when they run automatically on every pull request. Here's a sample GitHub Actions workflow covering both Terraform and Ansible:
```yaml
# .github/workflows/iac-quality.yml
name: IaC Quality Checks
on: [pull_request]
jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - name: Terraform Format Check
        run: terraform fmt -check -recursive
      - name: Terraform Validate
        run: |
          terraform init -backend=false
          terraform validate
      - name: TFLint
        uses: terraform-linters/setup-tflint@v4
        with:
          tflint_version: latest
      - run: tflint --recursive
      - name: Checkov Security Scan
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform
  ansible:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install tools
        run: pip install ansible-lint yamllint
      - name: yamllint
        run: yamllint playbooks/
      - name: ansible-lint
        run: ansible-lint playbooks/
```
Start with warnings before enforcing hard failures; this gives teams time to remediate existing violations without blocking all merges on day one.
Recommended Toolchain Summary
| Tool | Purpose | Applies To |
|------|---------|------------|
| terraform fmt | Canonical formatting | Terraform |
| terraform validate | Syntax & semantic validation | Terraform |
| TFLint | Provider-aware deep linting | Terraform |
| Checkov | Security misconfiguration scanning | Terraform & Ansible |
| Trivy | Security scanning (container-friendly) | Terraform |
| ansible-lint | Best practice enforcement | Ansible |
| yamllint | YAML formatting & structure | Ansible |
| Prettier | YAML formatting (if already in stack) | Ansible |
Conclusion
Infrastructure as Code is not configuration; it is code, and it deserves the same quality standards your application code receives. By integrating terraform fmt, TFLint, Checkov, ansible-lint, and yamllint into your development workflow and CI pipeline, you catch misconfigurations before they reach production, enforce consistent standards across teams, and make infrastructure pull requests actually reviewable.
Start with formatting and basic validation, layer in security scanning, and enforce everything in CI. Your future self, and your on-call rotation, will thank you.
Already using a different IaC tool like Pulumi or OpenTofu? The same principles apply; drop a comment with your preferred linting setup.