Output Formats

The reliably scan command supports different output formats, depending on your needs.

Apart from the standard list output, we support YAML and JSON structured content, SARIF and CodeClimate formats for your CI/CD workflows, an extended output that displays a best practice example for each suggestion, and a table output ideal for human eyes.

The output format is selected with the -f or --format flag.

The --format or -f flag supports the following options, which are described in the rest of this guide:

  • text
  • json
  • yaml
  • sarif
  • codeclimate
  • extended
  • table

Standard output with text

The -f text flag is the standard output. It is equivalent to not using the format flag at all.

reliably scan kubernetes . -f text
Pod:chaostoolkit:0:0 [warning] You shall not use the default 'latest' image tag. It causes ambiguity and leads to the cluster not pulling the new image.
Pod:nginx-deployment-5bf87f5f59-q9xsp:0:0 [warning] Only images from approved registry can be run.
Deployment:hello-node:0:0 [error] Not setting a cpu requests means the pod will be allowed to consume the entire available CPU (unless the cluster has set a global limit)
Deployment:hello-node:0:0 [warning] A rollout strategy can reduce the risk of downtime
Deployment:hello-node:0:0 [warning] Without the 'minReadySeconds' property set, pods are considered available from the first time the readiness probe is valid. Settings this value indicates how long it the pod should be ready for before being considered available.
Deployment:nginx-deployment:0:0 [error] Setting a high cpu request may render pod scheduling difficult or starve other pods
Deployment:nginx-deployment:0:0 [warning] Without the 'minReadySeconds' property set, pods are considered available from the first time the readiness probe is valid. Settings this value indicates how long it the pod should be ready for before being considered available.
7 suggestions found

If you want to remove the colors, you can use the global --no-color flag.

reliably scan kubernetes . -f text --no-color
Pod:chaostoolkit:0:0 [warning] You shall not use the default 'latest' image tag. It causes ambiguity and leads to the cluster not pulling the new image.
Pod:nginx-deployment-5bf87f5f59-q9xsp:0:0 [warning] Only images from approved registry can be run.
Deployment:hello-node:0:0 [error] Not setting a cpu requests means the pod will be allowed to consume the entire available CPU (unless the cluster has set a global limit)
Deployment:hello-node:0:0 [warning] A rollout strategy can reduce the risk of downtime
Deployment:hello-node:0:0 [warning] Without the 'minReadySeconds' property set, pods are considered available from the first time the readiness probe is valid. Settings this value indicates how long it the pod should be ready for before being considered available.
Deployment:nginx-deployment:0:0 [error] Setting a high cpu request may render pod scheduling difficult or starve other pods
Deployment:nginx-deployment:0:0 [warning] Without the 'minReadySeconds' property set, pods are considered available from the first time the readiness probe is valid. Settings this value indicates how long it the pod should be ready for before being considered available.
7 suggestions found

Table output with table

The table output is the most visual one, designed to be easy to scan and understand. Its output is sorted in decreasing order of severity: Error, Warning, Info. Lines might be truncated to prevent wrapping.

reliably scan kubernetes --format table
Results:
  manifests/deployment.yaml  Kubernetes:Deployment         K8S-DPL-0007  Setting a high cpu request may render pod scheduling difficult or starve other pods
  manifests/deployment.yaml  Kubernetes:Deployment         K8S-DPL-0009  Not setting a cpu requests means the pod will be allowed to consume the entire available CPU (unless the cluster has set a global limit)
  manifests/deployment.yaml  Kubernetes:Deployment         K8S-DPL-0013  A rollout strategy can reduce the risk of downtime
  manifests/deployment.yaml  Kubernetes:Deployment         K8S-DPL-0014  Without the 'minReadySeconds' property set, pods are considered available from the first time the readiness probe is valid. Settings this value indicates how long it the pod should be ready for before being considered available.
  manifests/deployment.yaml  Kubernetes:Deployment         K8S-DPL-0001  You should specify a number of replicas
  manifests/pod.yaml         Kubernetes:Pod                K8S-POD-0001  You should not use the default 'latest' image tag. It causes ambiguity and leads to the cluster not pulling the new image
  manifests/pod.yaml         Kubernetes:Pod                K8S-POD-0003  Only images from an approved registry can be run
  manifests/deployment.yaml  Kubernetes:Deployment         K8S-DPL-0012  Image pull policy should usually not be set to 'Always'
  test-manifest.yaml:92:1    Kubernetes:PodSecurityPolicy  K8S-PSP-0001  Enabling privileged can lead to unwanted escalation from the container's process
  test-manifest.yaml:92:1    Kubernetes:PodSecurityPolicy  K8S-PSP-0007  To reduce risk of accessing files outside of an allowed paths, it's best to make them read only
Summary:
  10 suggestions found
   3 info -  5 warning -  2 error

The table output supports the --no-color global flag, but it pretty much defeats its purpose!

Best practice examples with extended

When running a CLI scan, the resulting suggestions can be displayed with an optional example of a best practice to be applied. To do so, you'll need to run the scan command with the specific extended format. The CLI will output the list of suggestions with examples, as well as a recap summary:

reliably scan kubernetes --format extended
Results:

> test-manifest.yaml:92:1 [info] Enabling privileged can lead to unwanted escalation from the container's process
Rule: K8S-PSP-0001, Platform: Kubernetes, Kind: PodSecurityPolicy

# Example:
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
spec:
  privileged: false  # Prevents creation of privileged Pods


> manifests/deployment.yaml:1:1 [warning] You should specify a number of replicas
Rule: K8S-DPL-0001, Platform: Kubernetes, Kind: Deployment

# Example:
apiVersion: apps/v1
kind: Deployment
spec:
  replicas: 3


> manifests/deployment.yaml:1:1 [error] Setting a high cpu request may render pod scheduling difficult or starve other pods
Rule: K8S-DPL-0007, Platform: Kubernetes, Kind: Deployment

# Example:
spec:
  containers:
  - name: some-container
    resources:
      requests:
        cpu: "0.5"


> manifests/deployment.yaml:1:1 [warning] A rollout strategy can reduce the risk of downtime
Rule: K8S-DPL-0013, Platform: Kubernetes, Kind: Deployment

# Example:
apiVersion: apps/v1
kind: Deployment
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 2        # how many pods we can add at a time
      maxUnavailable: 0  # maxUnavailable define how many pods can be unavailable
                         # during the rolling update


Summary:
  4 suggestions found
   1 info -  2 warning -  1 error

Structured data with json and yaml

Should you need to pass (semi-)structured data to another application, the CLI can output JSON or YAML.

Following is a (truncated) JSON output example:

reliably scan kubernetes . -f json
{
  "suggestions": [
    {
      "rule_id": "K8S-DPL-0001",
      "rule_definition": "Missing replicas",
      "details": "You should specify a number of replicas",
      "level": "warning",
      "file": "tests/manifests/deployment.yaml",
      "line": 1,
      "column": 1,
      "platform": "Kubernetes",
      "type": "Deployment",
      "name": "myapp"
    },
    ...
  ],
  "Counters": {
    "error": 2,
    "info": 1,
    "warning": 5
  }
}

And here is an (equally truncated) YAML output example:

reliably scan kubernetes . -f yaml
suggestions:
- ruleid: K8S-DPL-0001
  ruledef: Missing replicas
  message: You should specify a number of replicas
  level: warning
  file: tests/manifests/deployment.yaml
  line: 1
  col: 1
  platform: Kubernetes
  kind: Deployment
  name: myapp
...
counters:
  error: 2
  info: 1
  warning: 5
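
One way to consume the JSON output in a pipeline is a small gate that decides whether the build should fail. The following is an added example, not part of the Reliably CLI or its documentation; it assumes the field names shown in the JSON sample above, and the function names (blocking, gate) and the sample report are constructed for illustration. It fails closed on unknown severity levels and lets you block on specific rule IDs regardless of their level, such as K8S-PSP-0001, which the scan reports as info.

```python
import json

# Severity ranking for the levels shown in the scan output on this page.
LEVELS = {"info": 0, "warning": 1, "error": 2}

# Constructed sample in the shape of the `-f json` output above (not real scan output).
SAMPLE = """
{
  "suggestions": [
    {"rule_id": "K8S-DPL-0001", "details": "You should specify a number of replicas",
     "level": "warning", "file": "manifests/deployment.yaml", "line": 1, "column": 1},
    {"rule_id": "K8S-DPL-0007", "details": "Setting a high cpu request may render pod scheduling difficult or starve other pods",
     "level": "error", "file": "manifests/deployment.yaml", "line": 1, "column": 1},
    {"rule_id": "K8S-PSP-0001", "details": "Enabling privileged can lead to unwanted escalation from the container's process",
     "level": "info", "file": "test-manifest.yaml", "line": 92, "column": 1}
  ],
  "Counters": {"error": 1, "info": 1, "warning": 1}
}
"""


def blocking(report_text, threshold="error", always_block=()):
    """Return the suggestions that should fail the pipeline.

    A suggestion blocks when its level is at or above `threshold`, when its
    rule_id is listed in `always_block`, or when its level is missing or
    unknown (fail closed rather than silently passing).
    """
    report = json.loads(report_text)  # malformed output raises, which also fails the job
    floor = LEVELS[threshold]
    hits = []
    for s in report.get("suggestions") or []:
        rank = LEVELS.get(str(s.get("level", "")).lower())
        if rank is None or rank >= floor or s.get("rule_id") in always_block:
            hits.append(s)
    return hits


def gate(report_text, **kwargs):
    """Print blocking findings as file:line:column lines; return a process exit code."""
    hits = blocking(report_text, **kwargs)
    for s in hits:
        print(f"{s.get('file')}:{s.get('line')}:{s.get('column')} "
              f"[{s.get('level')}] {s.get('rule_id')} {s.get('details')}")
    return 1 if hits else 0


if __name__ == "__main__":
    # In CI, read the scan output from stdin instead of SAMPLE.
    raise SystemExit(gate(SAMPLE, always_block={"K8S-PSP-0001"}))
```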

Code Quality with SARIF and CodeClimate

The CLI can output suggestions in the SARIF and CodeClimate formats. We use those formats to display suggestions in GitHub and GitLab, respectively. You can use them to pass your suggestions to any other compatible application.

reliably scan kubernetes . -f sarif

Here is an example of a suggestion displayed in GitHub Code Scanning alerts, using the SARIF format.

Screenshot of a suggestion in GitHub

Read more about running Reliably in your GitHub Actions

reliably scan kubernetes . -f codeclimate

Here is an example of a suggestion displayed in GitLab Code Quality, which uses CodeClimate.

Screenshot of a suggestions list in GitLab

Read more about running Reliably in GitLab CI