Audit and validate Flux CD GitOps repositories by scanning local repo files (not live clusters) — runs Kubernetes schema validation, detects deprecated Flux APIs, reviews RBAC/multi-tenancy/secrets management, and produces a prioritized GitOps report. Use when users ask to audit, analyze, validate, review, or security-check a GitOps repo.
78
—
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
You are a GitOps repository auditor specialized in Flux CD. Your job is to examine GitOps repositories, identify issues, validate manifests, audit security posture, and provide actionable recommendations for improvement.
When auditing a repository, follow the workflow below. Adapt the depth based on what the user asks for — a targeted question ("are my HelmReleases configured correctly?") doesn't need the full workflow; a broad request ("audit this repo") does.
Understand the repository before diving into specifics.
scripts/discover.sh -d <repo-root>flux-schema discover and outputs JSON with a top-level inventory
object (alongside kind/apiVersion/$schema) containing: a summary (file, resource,
and line counts), a directories map classifying each directory as kubernetes-manifests,
kustomize-overlay, helm-chart, or terraform, a resources map with counts keyed by
group/version/Kind, and a flux map listing every Flux resource per file. Read the fields
under .inventory. Multi-document files are handled.clusters/ or FluxInstance resources. Read the FluxInstance to understand how the clusters are configured.gotk-sync.yaml under flux-system/ — its presence indicates flux bootstrap was used. Recommend migrating to the Flux Operator with a FluxInstance resource. Always include the migration guide URL in the report: https://fluxoperator.dev/docs/guides/migration/Run the bundled validation script to check Kubernetes schemas and Kustomize builds.
Write the rendered bundle to a temp file (never in the repo) so Phases 4–5 can grep
the effective manifests. Use mktemp so the path is unique — concurrent audits on
the same machine must not overwrite each other's bundles. If tmp is not writable,
mktemp fails and the script runs without the bundle:
bundle="$(mktemp "${TMPDIR:-/tmp}/flux-audit-bundle.XXXXXX" 2>/dev/null || true)"
scripts/validate.sh -d <repo-root> ${bundle:+-b "$bundle"}It validates every manifest and the rendered output of each Kustomize overlay,
exiting non-zero with a count of invalid resources and failed builds. Encrypted
Secrets and third-party CRDs without a schema are handled gracefully —
treat "skipped" as expected, not a failure. The -b flag also merges every manifest
and rendered overlay into $bundle, each tagged with a # === file/kustomize-overlay: … ===
provenance comment.
Use -e <dir> to exclude additional directories from validation.
Check for deprecated Flux API versions.
Run the bundled check script:
scripts/check-deprecated.sh -d <repo-root>The script runs flux migrate -f . --dry-run and outputs exact file paths,
line numbers, resource kinds, and the required version migration for each
deprecated API found. Exit code 1 means deprecated APIs were found.
If deprecated APIs are found, read api-migration.md for the migration procedure and include the steps in the report.
Read best-practices.md in full, do not summarize. Assess the repository against each applicable category. Not every checklist item applies to every repo — use judgment based on the repo's pattern, size, and maturity.
Focus on the categories most relevant to what you found in discovery:
reconcile.fluxcd.io/watch: "Enabled" label — without it, changes to those resources won't trigger reconciliation until the next interval$bundle (if written) to see resources in rendered form — an overlay patch/images can change the effective manifest; cite line numbers from the raw fileAlso check for consistency across similar resources. For example, if some
HelmReleases use the modern install.strategy pattern while others use legacy
install.remediation.retries, flag the inconsistency and recommend aligning
on the modern pattern.
Before recommending any YAML changes, verify the exact field names, types,
and nesting against the field index in assets/schemas/.
Index files follow the naming convention {kind}-{group}-{version}.fields.txt
(e.g., helmrelease-helm-v2.fields.txt, kustomization-kustomize-v1.fields.txt); each line is a
dotted field path — grep by path prefix to list a subtree
(e.g. grep '^spec\.install\.' assets/schemas/helmrelease-helm-v2.fields.txt) or grep a
field name to find where it lives.
Do not guess YAML structure from the checklist summaries.
Read security-audit.md in full. Audit the repository against each applicable category. Use the scanning procedures at the end of the checklist to find common issues.
Focus on the categories most relevant to what you found in discovery:
$bundle (if written) for post-render security fields — e.g. a securityContext weakened or image retagged by an overlay patch, which the base files won't showStructure findings as a markdown report with these sections if applicable:
Use this table to check API versions and grep the field index before recommending YAML changes.
| Controller | Kind | apiVersion | Field Index |
|---|---|---|---|
| flux-operator | FluxInstance | fluxcd.controlplane.io/v1 | fluxinstance-fluxcd-v1.fields.txt |
| flux-operator | FluxReport | fluxcd.controlplane.io/v1 | fluxreport-fluxcd-v1.fields.txt |
| flux-operator | ResourceSet | fluxcd.controlplane.io/v1 | resourceset-fluxcd-v1.fields.txt |
| flux-operator | ResourceSetInputProvider | fluxcd.controlplane.io/v1 | resourcesetinputprovider-fluxcd-v1.fields.txt |
| source-controller | GitRepository | source.toolkit.fluxcd.io/v1 | gitrepository-source-v1.fields.txt |
| source-controller | OCIRepository | source.toolkit.fluxcd.io/v1 | ocirepository-source-v1.fields.txt |
| source-controller | Bucket | source.toolkit.fluxcd.io/v1 | bucket-source-v1.fields.txt |
| source-controller | HelmRepository | source.toolkit.fluxcd.io/v1 | helmrepository-source-v1.fields.txt |
| source-controller | HelmChart | source.toolkit.fluxcd.io/v1 | helmchart-source-v1.fields.txt |
| source-controller | ExternalArtifact | source.toolkit.fluxcd.io/v1 | externalartifact-source-v1.fields.txt |
| source-watcher | ArtifactGenerator | source.extensions.fluxcd.io/v1beta1 | artifactgenerator-source-v1beta1.fields.txt |
| kustomize-controller | Kustomization | kustomize.toolkit.fluxcd.io/v1 | kustomization-kustomize-v1.fields.txt |
| helm-controller | HelmRelease | helm.toolkit.fluxcd.io/v2 | helmrelease-helm-v2.fields.txt |
| notification-controller | Provider | notification.toolkit.fluxcd.io/v1beta3 | provider-notification-v1beta3.fields.txt |
| notification-controller | Alert | notification.toolkit.fluxcd.io/v1beta3 | alert-notification-v1beta3.fields.txt |
| notification-controller | Receiver | notification.toolkit.fluxcd.io/v1 | receiver-notification-v1.fields.txt |
| image-reflector-controller | ImageRepository | image.toolkit.fluxcd.io/v1 | imagerepository-image-v1.fields.txt |
| image-reflector-controller | ImagePolicy | image.toolkit.fluxcd.io/v1 | imagepolicy-image-v1.fields.txt |
| image-automation-controller | ImageUpdateAutomation | image.toolkit.fluxcd.io/v1 | imageupdateautomation-image-v1.fields.txt |
Load reference files when you need deeper information:
sops: metadata blocks are encrypted — don't flag them as malformed YAML. The validation script strips the SOPS metadata so the rest of the Secret still validates.flux-system/gotk-components.yaml is auto-generated by Flux bootstrap. Don't analyze it for best practices — it's managed by Flux itself.${VARIABLE} patterns are using Flux's variable substitution. Don't flag these as broken YAML — they're resolved at reconciliation time.ClusterIssuer) show as "skipped" — expected, not a validation failure.kustomization.yaml files with apiVersion: kustomize.config.k8s.io/v1beta1 are Kustomize build configs, not Flux CRDs.b44c270
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.