Getting Started • Getting Involved • Getting In Touch
Rules • Usage • Custom Policies • Package
A fast, opinionated linter for OpenTelemetry Collector configurations. Catches misconfigurations, security issues, and performance pitfalls before they hit production.
Built with OPA/Rego — every rule is a plain .rego file you can read, override, or extend.
The OpenTelemetry Collector is flexible, but that flexibility makes it easy to ship configs that silently drop data, leak secrets, or OOM under load. augur encodes hard-won operational knowledge into automated checks:
- No memory limiter? You'll OOM in production.
- Hardcoded API key? It'll end up in version control.
- Batch processor in the wrong position? You're leaving performance on the table.
brew install --cask starkross/tap/augurgo install github.com/starkross/augur/cmd/augur@latestdocker run --rm -v "$(pwd):/work" ghcr.io/starkross/augur:latest config.yamlDownload from GitHub Releases — available for Linux, macOS, and Windows (amd64/arm64).
augur otel-collector-config.yamlotel-collector-config.yaml
FAIL OTEL-001: memory_limiter processor is not configured. Required to prevent OOM in production.
FAIL OTEL-003: batch processor is not configured. Required for efficient data export.
WARN OTEL-011: health_check extension is not configured. Recommended for k8s liveness/readiness probes.
✗ 2 failure(s), 1 warning(s)
Exit code 1 on any failure. Warnings are informational by default.
See docs/RULES.md for the full list of built-in rules.
augur [flags] <config.yaml | -> [config.yaml | -]...
| Flag | Description | Default |
|---|---|---|
-o, --output |
Output format: text, json, github |
text |
-s, --strict |
Treat warnings as errors | false |
-q, --quiet |
Suppress warnings, show only failures | false |
-k, --skip |
Comma-separated rule IDs to skip | |
--no-color |
Disable colored output | false |
-p, --policy |
Additional policy directory (merged with built-in rules) |
When you pass more than one file, augur deep-merges them into a single effective config before linting — the same way the OpenTelemetry Collector combines multiple --config flags. Use - in place of a filename to read from stdin (may only appear once):
augur common.yaml client.yamlMerge rules (matching the collector's confmap):
| Value type | Behavior |
|---|---|
| Map | Deep-merged recursively. Later files add keys and override scalar leaves. |
| Scalar | Later file wins. |
| Slice | Replaced wholesale by the later file. |
To lint several standalone configs independently, invoke augur once per file.
# Merge two files
augur gateway.yaml overrides.yaml
# Strict mode — warnings become errors
augur --strict config.yaml
# JSON output for programmatic consumption
augur -o json config.yaml
# Skip specific rules
augur --skip OTEL-015,OTEL-016 config.yaml
# Use custom policies
augur --policy ./my-policies config.yaml
# Read from stdin
cat config.yaml | augur -
# Mix stdin with file arguments
augur base.yaml - overrides.yaml < patch.yamlAll built-in rules live in rules/policy/ as standard Rego files. To add your own:
- Create a directory with your custom rules:
# my-policies/main/custom.rego
package main
import future.keywords.contains
import future.keywords.if
deny contains msg if {
not input.processors.filter
msg := "CUSTOM-001: filter processor is required by our platform team."
}- Run with
--policy:
augur --policy ./my-policies config.yamlCustom policies are merged with the built-in rules — your rules run alongside all default checks.
Every release is reproducibly built and signed:
- CycloneDX SBOMs for every archive and every container image
- Cosign keyless signatures (sigstore OIDC) on
checksums.txtand on the published OCI image - SLSA Level 3 build provenance for binary artifacts
Quick verification of a release:
cosign verify ghcr.io/starkross/augur:vX.Y.Z \
--certificate-identity-regexp 'https://github.com/starkross/augur/\.github/workflows/release\.yml@refs/tags/v.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com'See SECURITY.md for the full verification recipe (binaries, images, SLSA provenance, SBOMs) and the vulnerability disclosure process.