Commit 279f213c authored by Samuel Henrique's avatar Samuel Henrique

New upstream version 4.1.0

parent 14073d9c
ref-names: tag: v4.1.0, refs/pull/482/head
# Force LF line endings for text files
* text=auto eol=lf
# Needed for setuptools-scm-git-archive
.git_archival.txt export-subst
hooks.yaml @webknjaz @webknjaz
setup.cfg @webknjaz @webknjaz
test-deps.txt @webknjaz
tox.ini @webknjaz
.gitattributes @webknjaz
.github/* @webknjaz
.gitignore @webknjaz
.git_archival.txt @webknjaz
.pre-commit-hooks.yaml @webknjaz
.travis.yml @webknjaz
# Community Code of Conduct
Please see the official [Ansible Community Code of Conduct](
......@@ -17,6 +17,8 @@ ansible-lint --version
Please give some details of the feature being requested
or what should happen if providing a bug report
Possible security bugs should be reported via email to ``
# Actual Behaviour (Bug report only)
Please give some details of what is actually happening.
......@@ -25,3 +25,13 @@ pip-log.txt
# Unit test / coverage reports
# Needed for CLI tests
# pyenv
# Coverage artifacts
conditions: v1
dist: xenial
depth: 100
pip: true
- $HOME/.cache/pre-commit
- $HOME/.pre-commit
- $HOME/virtualenv/python$(python -c 'import platform; print(platform.python_version())')
- $HOME/Library/Caches/Homebrew
language: python
- "2.7"
.mixtures: # is not used by Travis CI, but helps avoid duplication
- &if-cron-or-manual-run-or-tagged
if: type IN (cron, api) OR tag IS present
- &reset-prerequisites
before_install: []
fast_finish: true
- python: "3.7"
<<: *reset-prerequisites
name: Running flake8 linting checks
TOXENV: flake8
- python: "3.7"
<<: *reset-prerequisites
name: Running docs building checks
TOXENV: docs
- python: "3.7"
- python: "3.6"
<<: *if-cron-or-manual-run-or-tagged
- python: "3.5"
<<: *if-cron-or-manual-run-or-tagged
- python: "2.7"
- python: "3.7"
- python: "3.6"
<<: *if-cron-or-manual-run-or-tagged
- python: "3.5"
<<: *if-cron-or-manual-run-or-tagged
- python: "2.7"
- python: "3.7"
- python: "3.6"
<<: *if-cron-or-manual-run-or-tagged
- python: "3.5"
<<: *if-cron-or-manual-run-or-tagged
- python: "2.7"
- python: "3.7"
<<: *if-cron-or-manual-run-or-tagged
- python: "3.6"
<<: *if-cron-or-manual-run-or-tagged
- python: "3.5"
<<: *if-cron-or-manual-run-or-tagged
- python: "2.7"
<<: *if-cron-or-manual-run-or-tagged
- &deploy-job
<<: *reset-prerequisites
stage: Deploy
name: Publishing current Git tagged version of dist to PyPI
if: repo == "ansible/ansible-lint" AND tag IS present
python: "3.7"
env: &deploy-env
TOXENV: metadata-validation
deploy: &deploy-step
provider: pypi
user: ansible-lint
secure: >
distributions: dists
skip-cleanup: true
all_branches: true
- <<: *deploy-job
if: repo == "ansible/ansible-lint" AND type NOT IN (cron, pull_request) # Always run, except if PR or cron
name: Publishing current (unstable) Git revision of dist to Test PyPI
<<: *deploy-env
<<: *deploy-step
- export TOXENV=$(echo $TOXENV_TMPL | envsubst)
- pip install -r test-deps.txt
script: tox
- pip install -U tox
- tox --notest # Pre-populate virtualenv
- tox -v
4.1.0 - Released 11-Feb-2019
- Support skipping specific rule(s) for a specific task `#460 <>`_
- Lint all yaml in tasks/ and handlers/ regardless of import or include `#462 <>`_
- New rule: shell task uses pipeline without pipefail `#199 <>`_
- Remove rule 405 checking for retry on package modules `#465 <>`_
- Limit env var check to command, not shell `#477 <>`_
- Extend max line length rule from 120 to 160 `#474 <>`_
- Do not flag octal file mode permission when it is a string `#480 <>`_
- Check ANSIBLE_ROLES_PATH before basedir `#478 <>`_
- Fix crash on indexing empty cmd arguments `#473 <>`_
- Handle argv syntax for the command module `#424 <>`_
- Add another possible license default with SPDX `#472 <>`_
- Ignore comments for line-based rules `#453 <>`_
- Allow config skip_list to have rule number id not in quotes `#463 <>`_
4.0.1 - Released 04-Jan-2019
Bugfix release
- Allow install with python35 and add to tox testing `#452 <>`_
- Fix 503 UseHandlerRatherThanWhenChangedRule attempt to iterate on bool `#455 <>`_
- Improve regex on rule 602 `#454 <>`_
- Refactor RoleRelativePathRule, fix keyerror `#446 <>`_
- Rule 405 now ignore case of 'yum: list=package' `#444 <>`_
- Allow jinja escaping in variables `#440 <>`_
4.0.0 - Released 18-Dec-2018
* New documentation site ` <>`_
* Additional default rules for ansible-lint, listed in `docsite default rules <>`_
* Fixed running with role path containing single or multiple dirs #390
* Fixed double sudo rule output #393
* Severity property added to rules to be used by Galaxy #379
* Packaging: consistency and automation #389
* Updated rule to remove carriage return char #323
* Allow snake_case module names for rules #82
* Suggest tempfile module instead of mktemp command #422
* Update tox to run with only supported ansible versions #406
* GitHub repository edits: move to ansible org, add CODE_OF_CONDUCT, add ROADMAP, label edits
Use ``yaml.safe_load`` for loading the configuration file
* New ids and tags, add doc generator. Old tag names remain backwardly compatible (awcrosby)
* Add more package formats to PackageIsNotLatestRule (simon04)
* Improve handling of meta/main.yml dependencies (MatrixCrawler)
* Correctly handle role argument trailing slash (zoredache)
* Handle ``include_task`` and ``import_task`` (zeot)
* Add a new rule to detect jinja in when clauses (greg-hellings)
* Suggest ``replace`` as another alternative to ``sed`` (inponomarev)
* YAML syntax highlighting for false positives (gundalow)
Fix bug with using comma-separated ``skip_list`` arguments
* Allow ``include_role`` and ``import_role`` (willthames)
* Support arbitrary number of exclude flags (KellerFuchs)
* Fix task has name check for empty name fields (ekeih)
* Allow vault encrypted variables in YAML files (mozz)
* Octal permission check improvements - readability, test
coverage and bug fixes (willthames)
* Fix very weird bug with line numbers in some test environments (kouk)
* Python 3 fixes for octal literals in tests (willthames)
......@@ -3,25 +3,29 @@ Contributing to Ansible-lint
To contribute to ansible-lint, please use pull requests on a branch of your own fork.
After creating your fork on github, you can do:
After [creating your fork on GitHub](, you can do:
git clone
cd ansible-lint
git checkout -b your-branch-name
git add your new files
git commit
git commit --signoff
git push origin your-branch-name
You will then be able to create a pull request from your commit.
Contributors to ansible-lint must agree to [DCO 1.1](./
You will then be able to create a pull request from your commit.
All fixes to core functionality (i.e. anything except rules or examples) should
be accompanied by tests that fail prior to your change and succeed afterwards.
be accompanied by tests that fail prior to your change and succeed afterwards.
Feel free to raise issues in the repo if you don't feel able to contribute a code fix.
ansible-lint is flake8 compliant with `max-line-length` set to 100
(see [setup.cfg](setup.cfg)).
......@@ -32,3 +36,18 @@ with both.
Automated tests will be run against all PRs for flake8 compliance and Ansible
compatibility - to check before pushing commits, just use `tox`.
Talk to us
Discussion around ansible-lint happens in `#ansible-galaxy` IRC channel on Freenode and the [Ansible Development List](!forum/ansible-devel)
For the full list of Ansible IRC and Mailing list, please see the [Ansible Communication]( page
Release announcements will be made to the [Ansible Announce](!forum/ansible-announce) list.
Possible security bugs should be reported via email to ``
Code of Conduct
As with all Ansible projects, we have a [Code of Conduct](
All contributors must use `git commit --signoff` for any
commit to be merged, and agree that usage of --signoff constitutes
agreement with the terms of DCO 1.1, which appears below:
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
1 Letterman Drive
Suite D4700
San Francisco, CA, 94129
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
Copyright (c) 2013-2014 Will Thames <>
Copyright (c) 2013-2018 Will Thames <>
Copyright (c) 2018 Ansible by Red Hat
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
include LICENSE
ansible-lint checks playbooks for practices and behaviour that could
potentially be improved
[![PyPI version](](
[![Build Status](](
Using pip:
pip2 install ansible-lint
From source:
git clone
export PYTHONPATH=$PYTHONPATH:`pwd`/ansible-lint/lib
export PATH=$PATH:`pwd`/ansible-lint/bin
Usage: ansible-lint playbook.yml|roledirectory ...
--version show program's version number and exit
-h, --help show this help message and exit
-L list all the rules
-q quieter, although not silent output
-p parseable output in the format of pep8
-r RULESDIR specify one or more rules directories using one or
more -r arguments. Any -r flags override the default
rules in ['/path/to/ansible-
lint/lib/ansiblelint/rules'], unless -R is also used.
-R Use default rules ['/path/to/ansible-
lint/lib/ansiblelint/rules'] in addition to any extra
rules directories specified with -r. There is no need
to specify this if no -r flags are used
-t TAGS only check rules whose id/tags match these values
-T list all the tags
-x SKIP_LIST only check rules whose id/tags do not match these
path to directories or files to skip. This option is
--force-color Try force colored output (relying on ansible's code)
--nocolor disable colored output
-c /path/to/file Specify configuration file to use. Defaults to
False positives
Some rules are a bit of a rule of thumb. Advanced git, yum or apt usage,
for example, is typically difficult to achieve through the modules. In
this case, you should mark the task so that warnings aren't produced.
There are two mechanisms for this - one works with all tasks, the other
works with the command checking modules.
Use the `warn` parameter with the command or shell module.
Use `skip_ansible_lint` tag with any task that you want to skip.
I recommend commenting the reasons why you're skipping the check.
Unfortunately ansible-lint is unable to check for such comments
at this time! (patches welcome)
- name: this would typically fire CommandsInsteadOfArgumentRule
command: warn=no chmod 644 X
- name: this would typically fire CommandsInsteadOfModuleRule
command: git pull --rebase
warn: False
- name: this would typically fire GitHasVersionRule
git: src=/path/to/git/repo dest=checkout
- skip_ansible_lint
Rules are described using a class file per rule.
Default rules are named ``, etc.
Each rule definition should have the following:
* ID: A unique identifier
* Short description: Brief description of the rule
* Description: Behaviour the rule is looking for
* Tags: one or more tags that may be used to include or exclude the rule
* At least one of the following methods:
* `match` that takes a line and returns `None` or `False` if
the line doesn't match the test and `True` or a custom message (this
allows one rule to test multiple behaviours - see e.g. the
* `matchblock` that takes the details about the file and a block.
It returns `None` or `False` if the line doesn't match the test
and `True` or a custom message.
* `matchtask` operates on a single task or handler. Such a task
get standardized to always contain a `module` key and
`module_arguments` key. Other common task modifiers such as
`when`, `with_items` etc. are also available as keys if present
in the task.
An example rule using `match` is:
from ansiblelint import AnsibleLintRule
class DeprecatedVariableRule(AnsibleLintRule):
id = 'ANSIBLE0001'
shortdesc = 'Deprecated variable declarations'
description = 'Check for lines that have old style ${var} ' + \
tags = { 'deprecated' }
def match(self, file, line):
return '${' in line
An example rule using `matchtask` is:
import ansiblelint.utils
from ansiblelint import AnsibleLintRule
class TaskHasTag(AnsibleLintRule):
id = 'ANSIBLE0008'
shortdesc = 'Tasks must have tag'
description = 'Tasks must have tag'
tags = ['productivity']
def matchtask(self, file, task):
# If the task include another task or make the playbook fail
# Don't force to have a tag
if not set(task.keys()).isdisjoint(['include','fail']):
return False
# Task should have tags
if not task.has_key('tags'):
return True
return False
The `task` argument to `matchtask` contains a number of keys - the critical one is `action`.
The value of `task['action']` contains the module being used, and the arguments passed, both
as key-value pairs and a list of other arguments (e.g. the command used with `shell`)
In ansible-lint 2.0.0, `task['action']['args']` was renamed `task['action']['module_arguments']`
to avoid a clash when a module actually takes `args` as a parameter key (e.g. `ec2_tag`)
In ansible-lint 3.0.0 `task['action']['module']` was renamed
`task['action']['__ansible_module__']` to avoid a clash when a module take
`module` as an argument. As a precaution, `task['action']['module_arguments']`
was renamed `task['action']['__ansible_arguments__']`
There are some example playbooks with undesirable features. Running
ansible-lint on them works:
$ ansible-lint examples/example.yml
[ANSIBLE0004] Git checkouts must contain explicit version
Task/Handler: git check
[ANSIBLE0004] Git checkouts must contain explicit version
Task/Handler: git check 2
[ANSIBLE0004] Git checkouts must contain explicit version
Task/Handler: using git module
[ANSIBLE0002] Trailing whitespace
action: do nothing
[ANSIBLE0002] Trailing whitespace
[ANSIBLE0006] git used in place of git module
Task/Handler: executing git through command
[ANSIBLE0006] git used in place of git module
Task/Handler: executing git through command
[ANSIBLE0006] git used in place of git module
Task/Handler: executing git through command
If playbooks include other playbooks, or tasks, or handlers or roles, these
are also handled:
$ bin/ansible-lint examples/include.yml
[ANSIBLE0004] Checkouts must contain explicit version
action: git a=b c=d
As of version 2.4.0, ansible-lint now works just on roles (this is useful
for CI of roles)
Configuration File
Ansible-lint supports local configuration via a `.ansible-lint` configuration file. Ansible-lint checks the working directory for the presence of this file and applies any configuration found there. The configuration file location can also be overridden via the `-c path/to/file` CLI flag.
The following values are supported and function identically to their CLI counterparts.
If a value is provided on both the command line and via a config file, the values will be merged (if a list like `exclude_paths`), or the "True" value will be preferred, in the case of something like `quiet`.
- ./my/excluded/directory/
- ./my/other/excluded/directory/
- ./last/excluded/directory/
parseable: true
quiet: true
- ./rule/directory/
- skip_this_tag
- and_this_one_too
- run_this_tag
use_default_rules: true
verbosity: 1
To use ansible-lint with [pre-commit](, just
add the following to your local repo's `.pre-commit-config.yaml` file.
Make sure to change `sha:` to be either a git commit sha or tag of
ansible-lint containing `hooks.yaml`.
- repo:
sha: v3.3.1
- id: ansible-lint
files: \.(yaml|yml)$
Please read
[]( if you wish to contribute.
This diff is collapsed.
- Check for file or directory presence #378
- Add `matchvar` method to lint vars in vars.yml #354
- Add support for include_tasks which currently are skipped #362
- Consider adopting/absorbing ansible-lint-junit #396