aspect lint runs one or more aspect_rules_lint aspects as a standard Bazel build, reads SARIF diagnostic output, and decides whether to fail the CI step based on which findings are in scope. It posts inline review comments on the diff via the GithubLintComments (GitHub) and GitlabLintComments (GitLab) features.
The key design: aspect lint doesn’t re-implement linting. It drives Bazel, which caches lint results the same as any other action. If a file hasn’t changed, its lint results come from the remote cache rather than running the linter again. At scale, aspect lint //... on a large repo is fast because Bazel only re-lints what’s actually changed.
Hold-the-line strategy
The default failure strategy —hold-the-line — is what makes lint practical on large, pre-existing codebases with known violations.
Instead of failing on any finding anywhere, hold-the-line:
- Detects the PR’s changed lines (via GitHub PR Files API or
git diff) - Fails only on error-severity findings on lines you actually changed
| Strategy | When it fails |
|---|---|
hold-the-line (default) | Error-severity findings on changed lines |
hold-the-file | Error-severity findings anywhere in a changed file |
hard | Any error-severity finding in any linted target |
soft | Never (report only) |
Configuration
Lint aspects
aspect lint requires at least one --aspect pointing to an aspect_rules_lint aspect:
config.axl so developers running aspect lint //... locally use the same set as CI:
.aspect/config.axl
config.axl. A CI job that needs only fast linters can pass --aspect= directly without affecting the default config.
Apply auto-fix patches
Some rules_lint linters produce fix patches. Pass--fix to apply them to the working tree:
Changed-file scope
By default,aspect lint runs on all targets and strategy filtering determines which findings fail. To restrict the Bazel build to targets in changed packages:
--base-ref when your main branch isn’t origin/main.
GitHub PR annotations
GithubLintComments posts inline PR review comments for every error-severity finding that holds the line (i.e., would have caused a failure under hold-the-line). Reviewers see the issue directly on the diff line without switching to CI logs.
Enable by authenticating the Aspect Workflows GitHub App and setting ASPECT_API_TOKEN. The feature is always enabled — it just no-ops when not authenticated.
Suggestions from auto-fix linters become one-click “commit suggestion” buttons in the PR review.
GitLab MR comments
GitlabLintComments is the GitLab counterpart: it posts each finding as a position-bound discussion on the merge-request diff (the GitLab equivalent of a GitHub PR review comment), so reviewers see the issue inline in the MR’s Changes view.
Enable by authenticating the Aspect GitLab App and setting ASPECT_API_TOKEN. The feature is always enabled — it no-ops when not in a merge-request pipeline or when not authenticated.
It mirrors the GitHub feature, with three GitLab-specific behaviors:
- Suggestion blocks — auto-fix patches render as GitLab
```suggestionblocks reviewers apply with one click. - Dedup across runs — re-running the lint task replaces a stale discussion at the same position instead of stacking duplicates.
- Thread auto-resolve — on a clean pass (the task finds nothing), discussions Aspect opened on prior runs are marked Resolved rather than deleted, preserving the review history. (GitHub PR review comments have no native resolve, so the GitHub path deletes instead.)
--gitlab-lint-comments:max-pr-comments=<n> (default 25; 0 disables posting while keeping the lint exit code intact). Errors are posted first, then warnings, then notes; any excess is dropped from the MR but still drives the lint verdict.
Routing findings: findings_destination
Where findings land is controlled by the shared LintTrait.findings_destination knob (applies to both the GitHub and GitLab features). The default is auto: auto-fix suggestions post as inline comments, while other findings post as check-run annotations on GitHub — and on GitLab, which has no per-finding annotation surface, auto posts only the auto-fix suggestions.
To post every finding as an inline comment (recommended on GitLab so non-fix findings show up too), set it to comments in .aspect/config.axl:
.aspect/config.axl
| Value | Behavior |
|---|---|
auto (default) | Fix-bearing findings → inline comments; the rest → check-run annotations (GitHub) or no inline surface (GitLab). |
comments | Every finding → inline comment (GitHub PR review comment / GitLab MR discussion). |
annotations | Every finding → check-run annotation; no inline comments. Suggestion blocks are dropped. |
both | Every finding posted to both surfaces. |
The config hook is named
config (def config(ctx: ConfigContext):) — a function named configure is not invoked by the CLI and silently does nothing.How it works under the hood
aspect lint uses two Bazel output groups from aspect_rules_lint:
rules_lint_machine— SARIF JSON and per-target exit codes. Used for CI verdicts and annotation posting.rules_lint_human— Colored terminal output. Streamed to the developer’s terminal.
- Reads every diagnostic from every SARIF file
- Computes the changed-line set for the PR (GitHub PR Files API or
git diff) - Filters diagnostics according to the chosen strategy
- For
hold-the-line, uses±3 line contextaround each changed hunk to catch findings that are technically on adjacent-but-related lines - Posts inline comments for each finding that passed the filter — via
GithubLintCommentson GitHub,GitlabLintCommentson GitLab - Exits 0 or 1 based on whether any filtered findings have error severity
aspect lint after an unrelated change doesn’t re-execute any linter whose inputs haven’t changed. On Aspect Workflows with remote cache, lint is O(changed targets), not O(repo size).