API gateways serve as the final checkpoint for your APIs. As such, gateway configuration is critical to ensuring that your APIs remain secure, available, and responsive. Ensuring that all changes to these configurations are intentional and follow your organization's best practices is key to maintaining a robust API gateway deployment.
decK 1.28 adds a brand new feature that allows you to natively validate your gateway configurations against custom rule sets. This helps ensure that best practices are followed and further fortifies your gateway deployments.
Linting is a common development process for validating code against a set of rules by looking for potential errors, stylistic issues, or deviations from standards. The code is flagged when rule violations are detected, allowing developers to intervene before potentially damaging changes make their way into production systems. Often, linting is performed within code editors and integrated development environments (IDEs). However, its integration into CI/CD pipelines is equally vital, to ensure that all changes — regardless of their source — adhere to established coding standards before merging into the codebase.
We have introduced linting capabilities directly into the decK command line tool, allowing you to perform a linting process for your API gateway configurations without introducing additional tools into your CI/CD pipelines.
deck file lintThe deck file lint command at its core is a flexible JSON/YAML linter that allows you to build rules to validate any file in these formats.
There are a few key concepts to understand for linting with decK:
Rules also provide the flexibility to define severity levels and output formats adding to the command’s versatility. Let’s look at an example usage of the command to validate a common Kong Gateway configuration value.
Kong Gateway services are defined in the services block in the decK file. Services support a number of configuration values including a protocol field which specifies the communication protocol used between the gateway and the upstream service. To ensure this traffic is secure, you may want to validate that only https protocols are used. Here is a sample Ruleset file containing a single Rule that accomplishes this.
In the given field, a JSONPath selector is specified that reads the protocol field in every service under the services key from the incoming file. With each of those values, the pattern function is applied which evaluates the value against a regular expression pattern specified in the match field. In this example, we assert that the string value in the protocol field must match the string https exactly. Let’s assume the example Ruleset file is stored in a file named ruleset.yaml, and look at the deck file lint command in practice.
Assume you have the following decK declarative configuration file (kong.yaml) that defines a service and a route for a simple task tracking system:
Validating this configuration against the example ruleset results in the following violations:
Modifying the declarative configuration as follows resolves this violation:
Notice that the command results in a 0 (Success) return code. In situations where violations are detected, a non-zero return code is emitted allowing you to abort automated processes and help prevent problematic configurations from leaking into your production codebase and systems.
Deck uses the GoLang-based Vacuum library for the linting implementation. For more details on the library's support for Rules, Rulesets, and more examples of what can be done, see the Vacuum documentation. For APIOps and Kong-specific use cases, we hope to add more helpful examples to our APIOps library documentation. Please feel free to reach out in the GitHub repository by filing an issue for any common use cases you’d like to see documented.
Starting with Kong Gateway and decK is easy with Kong Konnect. Try this new decK feature with your Kong Konnect free trial today!
As of September 2025, Kong Gateway Enterprise 3.8 will enter its End Of Life (EOL) phase and will no longer be fully supported by Kong. Following this, Kong Gateway Enterprise 3.8 will enter a 12-month sunset support period, focused on helping cus
We're very excited to announce Kong Mesh 2.12 to the world! Kong Mesh 2.12 delivers two very important features: SPIFFE / SPIRE support, which provides enterprise-class workload identity and trust models for your mesh, as well as a consistent Kuma R
It’s been almost a year since we released our Konnect Terraform provider . In that time we’ve seen over 300,000 installs, have 1.7 times as many resources available, and have expanded the provider to include data sources to enable federated managem
We're happy to announce the 3.5 release of Kong Ingress Controller (KIC). This release includes the graduation of combined services to General Availability, support for connection draining, as well as the start of deprecating support for some Ingre
Update Includes Data Orchestration, CyberArk Support, Solace Integration, and Kafka Schema Validation We’re excited to bring you Kong Gateway Enterprise 3.11 with compelling new features to make your APIs and event streams even more powerful, includ
When we released the beta version of Service Catalog last September, it was in service of a greater API discovery vision we had for Kong Konnect as an API platform. In March of this year, we moved closer to fulfilling that vision when we announced
The new Kong Konnect Dev Portal is now generally available for all users! In March, we announced the public beta version of our reimagined Dev Portal. We set out to fully address the needs of the modern API consumer as well as the needs of the moder