gitlab-ci-validator
Comprehensive toolkit for validating, linting, testing, and securing GitLab CI/CD pipeline configurations. Use this skill when working with GitLab CI/CD pipelines, validating pipeline syntax, debugging configuration issues, or implementing best practices.
Resources
4Install
npx skillscat add akin-ozer/cc-devops-skills/gitlab-ci-validator Install via the SkillsCat registry.
SKILL.md
GitLab CI/CD Validator
Comprehensive toolkit for validating, linting, testing, and securing GitLab CI/CD pipeline configurations (.gitlab-ci.yml files). Use this skill when working with GitLab CI/CD pipelines, validating pipeline syntax, debugging configuration issues, implementing best practices, or performing security audits.
When to Use This Skill
Use the gitlab-ci-validator skill in the following scenarios:
- ✅ Working with
.gitlab-ci.ymlfiles - ✅ Validating GitLab CI/CD pipeline syntax and structure
- ✅ Debugging pipeline configuration errors
- ✅ Implementing GitLab CI/CD best practices
- ✅ Performing security audits on pipeline configurations
- ✅ Checking for hardcoded secrets or credentials
- ✅ Optimizing pipeline performance (cache, DAG, parallel execution)
- ✅ Ensuring compliance with security standards
- ✅ Code review of GitLab CI/CD configurations
- ✅ Migrating or refactoring pipeline configurations
Features
1. Syntax Validation
- ✅ YAML syntax checking
- ✅ GitLab CI schema validation
- ✅ Required fields verification
- ✅ Job naming conventions
- ✅ Stage reference validation
- ✅ Dependency validation (needs, dependencies, extends)
- ✅ Rules and conditional logic validation
- ✅ Artifact and cache configuration validation
2. Best Practices Checking
- ✅ Cache usage for dependency installation
- ✅ Artifact expiration settings
- ✅ Proper use of 'needs' vs 'dependencies'
- ✅ Use of 'rules' vs deprecated 'only'/'except'
- ✅ Interruptible job configuration
- ✅ Retry configuration
- ✅ Timeout settings
- ✅ Docker image version pinning
- ✅ DAG (Directed Acyclic Graph) optimization opportunities
- ✅ Parallel execution opportunities
- ✅ Resource optimization (resource_group)
- ✅ Environment configuration
- ✅ Template usage with 'extends'
3. Security Scanning
- ✅ Hardcoded secrets and credentials detection
- ✅ Secrets exposure in logs
- ✅ Insecure Docker image usage (:latest tags)
- ✅ Dangerous script patterns (curl | bash, eval, chmod 777)
- ✅ Insecure dependency installation
- ✅ Variable security (masked, protected variables)
- ✅ Include security (unpinned references)
- ✅ Artifact security (overly broad paths)
- ✅ SSL/TLS verification bypasses
- ✅ Debug mode warnings
- ✅ NEW: Component include validation (GitLab 17.0+)
- ✅ NEW: All include types (component, project, remote, local, template)
Core Validation Workflow
Follow this workflow when validating GitLab CI/CD pipelines to catch issues early and ensure configuration quality:
1. Initial Validation (Syntax & Schema)
Start with syntax validation to catch YAML errors, schema violations, and structural issues:
# Quick syntax check (fastest)
bash scripts/validate_gitlab_ci.sh --syntax-only .gitlab-ci.ymlWhat it checks:
- YAML syntax and structure
- GitLab CI schema compliance
- Job definitions and required fields
- Stage references and dependencies
- Include configurations (component, project, remote, local, template)
- Component format and version validation
- Circular dependency detection
- GitLab limits (500 jobs max, 255 char job names, 50 max needs, 100 max components)
Action: Fix all syntax errors before proceeding.
2. Best Practices Review
After passing syntax validation, check for optimization opportunities and best practices:
# Best practices analysis
bash scripts/validate_gitlab_ci.sh --best-practices .gitlab-ci.ymlWhat it checks:
- Cache usage for dependency installation
- Artifact expiration settings
- DAG optimization with 'needs'
- Parallel execution opportunities
- Image version pinning
- Deprecated syntax (only/except → rules)
- Resource optimization
- Missing timeouts and retries
Action: Review suggestions and apply relevant optimizations.
3. Security Audit
Perform a comprehensive security scan to identify vulnerabilities:
# Security scan
bash scripts/validate_gitlab_ci.sh --security-only .gitlab-ci.ymlWhat it checks:
- Hardcoded secrets and credentials
- Component security (version pinning, trusted sources)
- Remote include integrity
- Insecure script patterns (curl | bash, eval)
- SSL/TLS verification bypasses
- Dangerous file permissions
- Artifact security
- Variable masking
- Path traversal in local includes
Action: Fix all critical and high-severity security issues immediately.
4. Local Pipeline Testing (Optional)
For complex changes, test pipeline execution locally before pushing:
# Install gitlab-ci-local first (requires Docker and Node.js)
bash scripts/install_tools.sh
# Test pipeline locally
gitlab-ci-local
# Or via the validator script
bash scripts/validate_gitlab_ci.sh --test-only .gitlab-ci.ymlWhat it does:
- Simulates pipeline execution locally
- Tests job ordering and dependencies
- Validates environment setup
- Catches runtime errors early
Note: Requires Docker and gitlab-ci-local installation.
5. Complete Validation
Run all validators together for comprehensive checking:
# Full validation pipeline
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml
# Strict mode (fail on warnings)
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strictWorkflow Summary
┌─────────────────────────────────────────────────────────────┐
│ 1. Syntax Validation (Required) │
│ ├─ YAML structure │
│ ├─ Schema compliance │
│ ├─ Include validation (component, project, etc.) │
│ └─ Component format & version │
│ ↓ │
│ Fix errors → Proceed │
└─────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────┐
│ 2. Best Practices (Recommended) │
│ ├─ Cache optimization │
│ ├─ DAG opportunities │
│ ├─ Image pinning │
│ └─ Resource optimization │
│ ↓ │
│ Review & apply → Proceed │
└─────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────┐
│ 3. Security Audit (Required) │
│ ├─ Hardcoded secrets │
│ ├─ Component security │
│ ├─ Include integrity │
│ └─ Dangerous patterns │
│ ↓ │
│ Fix critical issues → Proceed │
└─────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────┐
│ 4. Local Testing (Optional) │
│ └─ gitlab-ci-local execution │
│ ↓ │
│ Test & verify → Push │
└─────────────────────────────────────────────────────────────┘Usage
Basic Validation
To validate a GitLab CI/CD configuration file:
bash .claude/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh <file-path>Example:
bash .claude/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh .gitlab-ci.ymlThis runs all three validation layers:
- Syntax validation
- Best practices check
- Security scan
Validation Options
# Run only syntax validation
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --syntax-only
# Run only best practices check
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --best-practices
# Run only security scan
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --security-only
# Skip best practices check
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --no-best-practices
# Skip security scan
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --no-security
# Strict mode (fail on warnings)
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strictIndividual Validators
You can also run individual validation scripts:
# Syntax validation
python3 scripts/validate_syntax.py .gitlab-ci.yml
# Best practices check
python3 scripts/check_best_practices.py .gitlab-ci.yml
# Security scan
python3 scripts/check_security.py .gitlab-ci.ymlOutput Example
════════════════════════════════════════════════════════════════════════════════
GitLab CI/CD Validator
════════════════════════════════════════════════════════════════════════════════
File: .gitlab-ci.yml
[1/3] Running syntax validation...
✓ Syntax validation passed
[2/3] Running best practices check...
SUGGESTIONS (2):
──────────────────────────────────────────────────────────────────────────────
SUGGESTION: Line 15: Job 'build_app' installs dependencies but doesn't use cache [cache-missing]
💡 Suggestion: Add 'cache' configuration to speed up dependency installation
SUGGESTION: Line 42: Job 'deploy_production' should use resource_group [missing-resource-group]
💡 Suggestion: Add 'resource_group' to prevent concurrent deployments
⚠ Best practices check found issues
[3/3] Running security scan...
MEDIUM SEVERITY (1):
──────────────────────────────────────────────────────────────────────────────
MEDIUM: Line 8: Using ':latest' tag in job 'test_job' is a security risk [image-latest-tag]
🔒 Remediation: Pin to specific version or SHA digest
✓ Security scan passed
════════════════════════════════════════════════════════════════════════════════
Validation Summary
════════════════════════════════════════════════════════════════════════════════
Syntax Validation: PASSED
Best Practices: WARNINGS
Security Scan: PASSED
════════════════════════════════════════════════════════════════════════════════
✓ All validation checks passedCommon Validation Scenarios
Scenario 1: Validating a New Pipeline
# Validate syntax and structure
bash scripts/validate_gitlab_ci.sh new-pipeline.gitlab-ci.ymlScenario 2: Security Audit Before Merge
# Run security scan only with strict mode
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --security-only --strictScenario 3: Pipeline Optimization
# Check for best practices and optimization opportunities
bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --best-practicesScenario 4: CI/CD Integration
# In your CI/CD pipeline
stages:
- validate
validate_pipeline:
stage: validate
script:
- pip3 install PyYAML
- bash .claude/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strictIntegration with Claude Code
When Claude Code invokes this skill, it will:
- Automatically detect
.gitlab-ci.ymlfiles in the project - Run validation when you ask to validate, check, or review GitLab CI/CD configurations
- Provide actionable feedback with line numbers and suggestions
- Fetch additional documentation from Context7 or web sources when needed for custom GitLab features
Example prompts:
- "Validate my GitLab CI pipeline"
- "Check this .gitlab-ci.yml for security issues"
- "Review my pipeline configuration for best practices"
- "Why is my GitLab pipeline failing?"
- "Optimize my GitLab CI/CD configuration"
Validation Rules
Syntax Rules
yaml-syntax: Valid YAML formattingjob-reserved-keyword: Job names cannot use reserved keywordsjob-missing-script: Jobs must have script, trigger, or extendsjob-stage-undefined: Referenced stages must be defineddependencies-undefined-job: Referenced jobs must existrules-not-list: Rules must be a listcache-invalid-policy: Cache policy must be pull, push, or pull-push
Best Practice Rules
cache-missing: Dependency installation jobs should use cacheartifact-no-expiration: Artifacts should have expirationdeprecated-only-except: Use 'rules' instead of 'only'/'except'missing-interruptible: Test jobs should be interruptiblemissing-retry: Potentially flaky jobs should have retryimage-latest-tag: Pin Docker images to specific versionsdag-optimization: Use 'needs' for faster pipeline executionparallel-opportunity: Tests could benefit from parallelization
Security Rules
hardcoded-password: Hardcoded passwords detectedhardcoded-api-key: Hardcoded API keys detectedsecret-in-logs: Secrets may be exposed in logscurl-pipe-bash: Dangerous curl | bash patternimage-latest-tag: Using :latest is a security riskinclude-remote-unverified: Remote includes without verificationvariable-hardcoded-secret: Sensitive variables with hardcoded valuesartifact-broad-path: Overly broad artifact paths
Requirements
- Python 3.7+
- PyYAML: Install with
pip3 install PyYAML - Bash: For running the orchestrator script
Install dependencies:
pip3 install PyYAMLDocumentation
Comprehensive documentation is included in the docs/ directory:
gitlab-ci-reference.md: Complete GitLab CI/CD YAML syntax referencebest-practices.md: Detailed best practices guidecommon-issues.md: Common issues and solutions
Examples
Example GitLab CI/CD configurations are provided in the examples/ directory:
basic-pipeline.gitlab-ci.yml: Simple three-stage pipelinedocker-build.gitlab-ci.yml: Docker build and push workflowmulti-stage.gitlab-ci.yml: Multi-stage pipeline with DAGcomplex-workflow.gitlab-ci.yml: Advanced workflow with all featurescomponent-pipeline.gitlab-ci.yml: NEW - GitLab 17.0+ pipeline using CI/CD components from the Catalog
Test the skill with examples:
bash scripts/validate_gitlab_ci.sh examples/basic-pipeline.gitlab-ci.yml
# Test component validation (GitLab 17.0+)
bash scripts/validate_gitlab_ci.sh examples/component-pipeline.gitlab-ci.ymlFetching Latest Documentation
When encountering custom GitLab features, modules, or specific version requirements, the skill can:
- Use Context7 MCP to fetch version-aware GitLab documentation
- Use WebSearch to find latest GitLab CI/CD documentation
- Use WebFetch to retrieve specific documentation pages from docs.gitlab.com
This ensures validation rules stay current with the latest GitLab CI/CD features.
Extending the Skill
Adding Custom Validation Rules
Add custom rules to the validation scripts:
- Syntax rules: Edit
scripts/validate_syntax.py - Best practice rules: Edit
scripts/check_best_practices.py - Security rules: Edit
scripts/check_security.py
Custom Rule Example
# In check_best_practices.py
def _check_custom_rule(self):
"""Check for custom organization rule"""
for job_name, job in self.config.items():
if not self._is_job(job_name):
continue
# Your custom validation logic
if 'tags' not in job:
self.issues.append(BestPracticeIssue(
'warning',
self._get_line(job_name),
f"Job '{job_name}' should specify runner tags",
'custom-missing-tags',
"Add 'tags' to select appropriate runners"
))Troubleshooting
Python Module Not Found
# Install PyYAML
pip3 install PyYAML
# Or with homebrew Python
python3 -m pip install PyYAMLPermission Denied
# Make scripts executable
chmod +x scripts/*.sh scripts/*.pyValidation Errors
Check the documentation:
- Review
docs/gitlab-ci-reference.mdfor syntax reference - Check
docs/common-issues.mdfor known issues - Consult
docs/best-practices.mdfor recommended patterns
Version History
v1.1.0 (2025-01-27)
- NEW: Complete include validation for all types (component, project, remote, local, template)
- NEW: CI/CD Component validation (GitLab 17.0+)
- Component name format validation (org/project@version)
- Version format validation (@1.0.0, @~latest, semantic versioning)
- Component inputs structure validation
- Component limit validation (max 100 per project)
- NEW: Enhanced security checks for all include types
- Component security (version pinning, trusted sources, hardcoded inputs)
- Remote include integrity and HTTP/HTTPS validation
- Project include ref pinning and branch detection
- Local include path traversal detection
- Template deprecation warnings
- NEW: gitlab-ci-local integration for local pipeline testing
- install_tools.sh script for tool installation
- --test-only mode in validate_gitlab_ci.sh
- NEW: Core Validation Workflow documentation
- NEW: component-pipeline.gitlab-ci.yml example
- Enhanced validation rules: 40+ validation rules (was 25)
- Improved error messages with detailed remediation steps
v1.0.0 (2025-01-18)
- Initial release
- Syntax validation with comprehensive GitLab CI schema checking
- Best practices validation with 15+ rules
- Security scanning with 25+ security checks
- Comprehensive documentation
- Example pipeline configurations
- Integration with Context7 for latest GitLab docs
Contributing
To improve this skill:
- Add new validation rules to appropriate scripts
- Update documentation with new patterns
- Add example configurations
- Test with real-world GitLab CI/CD files
License
This skill is part of the DevOps Skills collection.
Support
For issues, questions, or contributions:
- Check documentation in
docs/directory - Review examples in
examples/directory - Consult GitLab CI/CD documentation: https://docs.gitlab.com/ci/
Remember: This skill validates GitLab CI/CD configurations but does not execute pipelines. Use GitLab's CI Lint tool or gitlab-ci-local for testing actual pipeline execution.
Install
npx skillscat add akin-ozer/cc-devops-skills/gitlab-ci-validator Install via the SkillsCat registry.