If you zoom out a little and look at the entire governance process, linting tools can help you take big steps in shifting left: reporting your findings as early in the development phase as possible. That means linting tests should run as soon as possible, so that you enforce your requirements before any actual deployment is made.
Linting tests can include a large number of validation steps. The most obvious ones are security related, for example enforcing encryption or enabled auto-patching. But you can also think of enforcing best practices, such as mandatory tagging. Last but not least, you can include company-specific requirements such as naming conventions.
As per usual, AWS doesn't provide a single tool for a single purpose. For linting CloudFormation there is another, maybe better known, tool: CloudFormation Linter (cfn-lint). There is a lot of overlap between the two tools, but also some noticeable differences. I believe the biggest difference is that cfn-lint can only be used to lint CloudFormation templates, while cfn-guard can be used to lint any JSON or YAML file. With cfn-guard you can potentially validate Helm charts (Kubernetes container definitions) or maybe even Terraform JSON files. Another noticeable difference is that cfn-guard doesn't come with pre-built rules, while cfn-lint is pretty usable off the shelf.
Looking at maturity levels: I find the unit testing framework in cfn-guard pretty valuable. Nothing is as annoying as linting rules causing false positives or unpredictable behaviour. I also like the fact that you can group rules together, which helps, for example, to distinguish between security rules and best-practice rules. Writing and using unit tests really helps to give your users a consistent experience.
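To make the three categories of checks from above concrete (security, best practices and company-specific conventions) and to show how named rules are grouped and guarded against false positives, here is an added example rules file in the cfn-guard 2.x DSL. It is not taken from the post or from the GitHub repo it mentions; the `acme-` bucket prefix, the `Owner` tag and the rule names are assumptions chosen for illustration.

```guard
# Added example rules file (not from the post's repo). Prefix, tag name and
# rule names are assumed conventions, not real company requirements.

# Select only the resource types each rule cares about, so that templates
# without these resources SKIP the rule instead of failing it (no false positives).
let s3_buckets   = Resources.*[ Type == 'AWS::S3::Bucket' ]
let db_instances = Resources.*[ Type == 'AWS::RDS::DBInstance' ]

# --- Security rules ---------------------------------------------------------

# Encryption at rest: every bucket must declare a default SSE algorithm.
rule s3_encryption_at_rest when %s3_buckets !empty {
    %s3_buckets {
        Properties.BucketEncryption.ServerSideEncryptionConfiguration[*] {
            ServerSideEncryptionByDefault.SSEAlgorithm IN ['AES256', 'aws:kms']
            <<S3 buckets must enable default server-side encryption>>
        }
    }
}

# Auto-patching: RDS instances must accept automatic minor version upgrades.
rule rds_auto_minor_upgrade when %db_instances !empty {
    %db_instances.Properties.AutoMinorVersionUpgrade == true
    <<RDS instances must enable AutoMinorVersionUpgrade>>
}

# --- Best-practice rules ----------------------------------------------------

# Mandatory tagging: at least one tag with Key 'Owner' (assumed tag name).
rule s3_mandatory_owner_tag when %s3_buckets !empty {
    %s3_buckets {
        Properties.Tags[ Key == 'Owner' ] !empty
        <<S3 buckets must carry an Owner tag>>
    }
}

# --- Company-specific rules -------------------------------------------------

# Naming convention: explicit bucket names with the (assumed) 'acme-' prefix.
rule s3_naming_convention when %s3_buckets !empty {
    %s3_buckets {
        Properties.BucketName exists
        Properties.BucketName == /^acme-[a-z0-9-]+$/
        <<Bucket names must be explicit and start with acme->>
    }
}
```

The `when %s3_buckets !empty` guards are what keeps the rules predictable: a template with no S3 buckets reports those rules as SKIP rather than FAIL. The matching unit test file is a YAML list of cases, each with an `input` template fragment and an `expectations: rules:` map naming each rule with `PASS`, `FAIL` or `SKIP`; run it with `cfn-guard test --rules-file rules.guard --test-data tests.yaml`, and lint a real template with `cfn-guard validate --rules rules.guard --data template.yaml`. Writing one PASS, one FAIL and one SKIP case per rule is the quickest way to catch the false positives the paragraph above warns about.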
Finally, check out my GitHub repo for some examples of how to use cfn-guard in a Docker container. It also includes an example rule and unit test.