Originally posted by **iliapolo** June 9, 2022
Ability to define manifest validators to be executed after synthesis
There are plenty of pitfalls users may fall into when defining their manifests. Validation tools exist that will help users avoid those. For example:
- https://github.com/datreeio/datree
- https://github.com/zegl/kube-score
- https://github.com/FairwindsOps/polaris
- https://www.checkov.io/
- https://www.aquasec.com/
- https://docs.snyk.io/
- https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_kubernetes
Since cdk8s allows us to run code during manifest generation, we can integrate these tools into the process, without users having to invoke them explicitly. Our init templates can offer these validations by default, and allow users to opt out, or vice versa.
Add a key in `cdk8s.yaml` to describe what validation should take place:
```yaml
app: ts-node main.ts
validations:
- datree test
```
### Open questions
- Should we be doing this? Why and why not?
- Should these only happen when synthesizing with the CLI? Maybe in-process as well?
- What configuration should be exposed? The entire validation command? The validator type?
Discussion resulted in the following tasks:
Discussed in https://github.com/cdk8s-team/cdk8s/discussions/936
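
An added sketch of the post-synthesis step proposed above, not part of the original post and not cdk8s code: each entry of the `validations` list is run over the synthesized manifests without a shell, and a missing or hung validator counts as a failure. The names `run_validations`, `demo` and `STAND_IN` are hypothetical, and it assumes the list has already been read from `cdk8s.yaml` and that a validator accepts manifest paths as trailing arguments.

```python
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for a real validator CLI: exits 1 when any manifest
# passed as an argument references a ":latest" image tag.
STAND_IN = ("import sys; "
            "sys.exit(any(':latest' in open(f).read() for f in sys.argv[1:]))")


def run_validations(validations, manifest_dir, timeout=120):
    """Run each configured command over the synthesized manifests.

    Returns [(command, exit_code), ...] for the validators that failed.
    Assumption: a validator takes manifest paths as trailing arguments.
    """
    manifests = sorted(str(p) for p in Path(manifest_dir).glob("*.yaml"))
    if not manifests:
        # Fail closed: an empty output directory must not count as a pass.
        raise FileNotFoundError(f"no manifests in {manifest_dir}")
    failures = []
    for command in validations:
        argv = shlex.split(command)
        if not argv:
            raise ValueError("empty validation command")
        try:
            # argv list, no shell: text from cdk8s.yaml is never
            # interpreted as pipes, ';' or $(...) by a shell.
            code = subprocess.run(argv + manifests, timeout=timeout).returncode
        except FileNotFoundError:
            code = 127  # validator not installed counts as a failure
        except subprocess.TimeoutExpired:
            code = 124  # hung validator counts as a failure
        if code != 0:
            failures.append((command, code))
    return failures


def demo(image):
    """Write one constructed manifest and run two validators on it."""
    with tempfile.TemporaryDirectory() as dist:
        Path(dist, "app.k8s.yaml").write_text(
            f"kind: Pod\nspec:\n  containers:\n  - image: {image}\n")
        stand_in = shlex.join([sys.executable, "-c", STAND_IN])
        return run_validations([stand_in, "no-such-validator-xyz"], dist)


if __name__ == "__main__":
    sys.exit(1 if demo("nginx:latest") else 0)
```

A non-empty return value is what a synth step would turn into a non-zero exit, so a failed validation blocks the pipeline instead of only logging.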