GitLab CI/CD Validator
Comprehensive toolkit for validating, linting, testing, and securing GitLab CI/CD pipeline configurations (.gitlab-ci.yml files). Use this skill when working with GitLab CI/CD pipelines, validating pipeline syntax, debugging configuration issues, implementing best practices, or performing security audits.
When to Use This Skill
Use the gitlab-ci-validator skill in the following scenarios:
- •✅ Working with
.gitlab-ci.ymlfiles - •✅ Validating GitLab CI/CD pipeline syntax and structure
- •✅ Debugging pipeline configuration errors
- •✅ Implementing GitLab CI/CD best practices
- •✅ Performing security audits on pipeline configurations
- •✅ Checking for hardcoded secrets or credentials
- •✅ Optimizing pipeline performance (cache, DAG, parallel execution)
- •✅ Ensuring compliance with security standards
- •✅ Code review of GitLab CI/CD configurations
- •✅ Migrating or refactoring pipeline configurations
Features
1. Syntax Validation
- •✅ YAML syntax checking
- •✅ GitLab CI schema validation
- •✅ Required fields verification
- •✅ Job naming conventions
- •✅ Stage reference validation
- •✅ Dependency validation (needs, dependencies, extends)
- •✅ Rules and conditional logic validation
- •✅ Artifact and cache configuration validation
2. Best Practices Checking
- •✅ Cache usage for dependency installation
- •✅ Artifact expiration settings
- •✅ Proper use of 'needs' vs 'dependencies'
- •✅ Use of 'rules' vs deprecated 'only'/'except'
- •✅ Interruptible job configuration
- •✅ Retry configuration
- •✅ Timeout settings
- •✅ Docker image version pinning
- •✅ DAG (Directed Acyclic Graph) optimization opportunities
- •✅ Parallel execution opportunities
- •✅ Resource optimization (resource_group)
- •✅ Environment configuration
- •✅ Template usage with 'extends'
3. Security Scanning
- •✅ Hardcoded secrets and credentials detection
- •✅ Secrets exposure in logs
- •✅ Insecure Docker image usage (:latest tags)
- •✅ Dangerous script patterns (curl | bash, eval, chmod 777)
- •✅ Insecure dependency installation
- •✅ Variable security (masked, protected variables)
- •✅ Include security (unpinned references)
- •✅ Artifact security (overly broad paths)
- •✅ SSL/TLS verification bypasses
- •✅ Debug mode warnings
- •✅ NEW: Component include validation (GitLab 17.0+)
- •✅ NEW: All include types (component, project, remote, local, template)
Core Validation Workflow
Follow this workflow when validating GitLab CI/CD pipelines to catch issues early and ensure configuration quality:
1. Initial Validation (Syntax & Schema)
Start with syntax validation to catch YAML errors, schema violations, and structural issues:
# Quick syntax check (fastest) bash scripts/validate_gitlab_ci.sh --syntax-only .gitlab-ci.yml
What it checks:
- •YAML syntax and structure
- •GitLab CI schema compliance
- •Job definitions and required fields
- •Stage references and dependencies
- •Include configurations (component, project, remote, local, template)
- •Component format and version validation
- •Circular dependency detection
- •GitLab limits (500 jobs max, 255 char job names, 50 max needs, 100 max components)
Action: Fix all syntax errors before proceeding.
2. Best Practices Review
After passing syntax validation, check for optimization opportunities and best practices:
# Best practices analysis bash scripts/validate_gitlab_ci.sh --best-practices .gitlab-ci.yml
What it checks:
- •Cache usage for dependency installation
- •Artifact expiration settings
- •DAG optimization with 'needs'
- •Parallel execution opportunities
- •Image version pinning
- •Deprecated syntax (only/except → rules)
- •Resource optimization
- •Missing timeouts and retries
Action: Review suggestions and apply relevant optimizations.
3. Security Audit
Perform a comprehensive security scan to identify vulnerabilities:
# Security scan bash scripts/validate_gitlab_ci.sh --security-only .gitlab-ci.yml
What it checks:
- •Hardcoded secrets and credentials
- •Component security (version pinning, trusted sources)
- •Remote include integrity
- •Insecure script patterns (curl | bash, eval)
- •SSL/TLS verification bypasses
- •Dangerous file permissions
- •Artifact security
- •Variable masking
- •Path traversal in local includes
Action: Fix all critical and high-severity security issues immediately.
4. Local Pipeline Testing (Optional)
For complex changes, test pipeline execution locally before pushing:
# Install gitlab-ci-local first (requires Docker and Node.js) bash scripts/install_tools.sh # Test pipeline locally gitlab-ci-local # Or via the validator script bash scripts/validate_gitlab_ci.sh --test-only .gitlab-ci.yml
What it does:
- •Simulates pipeline execution locally
- •Tests job ordering and dependencies
- •Validates environment setup
- •Catches runtime errors early
Note: Requires Docker and gitlab-ci-local installation.
5. Complete Validation
Run all validators together for comprehensive checking:
# Full validation pipeline bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml # Strict mode (fail on warnings) bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strict
Workflow Summary
┌─────────────────────────────────────────────────────────────┐
│ 1. Syntax Validation (Required) │
│ ├─ YAML structure │
│ ├─ Schema compliance │
│ ├─ Include validation (component, project, etc.) │
│ └─ Component format & version │
│ ↓ │
│ Fix errors → Proceed │
└─────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────┐
│ 2. Best Practices (Recommended) │
│ ├─ Cache optimization │
│ ├─ DAG opportunities │
│ ├─ Image pinning │
│ └─ Resource optimization │
│ ↓ │
│ Review & apply → Proceed │
└─────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────┐
│ 3. Security Audit (Required) │
│ ├─ Hardcoded secrets │
│ ├─ Component security │
│ ├─ Include integrity │
│ └─ Dangerous patterns │
│ ↓ │
│ Fix critical issues → Proceed │
└─────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────┐
│ 4. Local Testing (Optional) │
│ └─ gitlab-ci-local execution │
│ ↓ │
│ Test & verify → Push │
└─────────────────────────────────────────────────────────────┘
Usage
Basic Validation
To validate a GitLab CI/CD configuration file:
bash .claude/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh <file-path>
Example:
bash .claude/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh .gitlab-ci.yml
This runs all three validation layers:
- •Syntax validation
- •Best practices check
- •Security scan
Validation Options
# Run only syntax validation bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --syntax-only # Run only best practices check bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --best-practices # Run only security scan bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --security-only # Skip best practices check bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --no-best-practices # Skip security scan bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --no-security # Strict mode (fail on warnings) bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strict
Individual Validators
You can also run individual validation scripts:
# Syntax validation python3 scripts/validate_syntax.py .gitlab-ci.yml # Best practices check python3 scripts/check_best_practices.py .gitlab-ci.yml # Security scan python3 scripts/check_security.py .gitlab-ci.yml
Output Example
════════════════════════════════════════════════════════════════════════════════ GitLab CI/CD Validator ════════════════════════════════════════════════════════════════════════════════ File: .gitlab-ci.yml [1/3] Running syntax validation... ✓ Syntax validation passed [2/3] Running best practices check... SUGGESTIONS (2): ────────────────────────────────────────────────────────────────────────────── SUGGESTION: Line 15: Job 'build_app' installs dependencies but doesn't use cache [cache-missing] 💡 Suggestion: Add 'cache' configuration to speed up dependency installation SUGGESTION: Line 42: Job 'deploy_production' should use resource_group [missing-resource-group] 💡 Suggestion: Add 'resource_group' to prevent concurrent deployments ⚠ Best practices check found issues [3/3] Running security scan... MEDIUM SEVERITY (1): ────────────────────────────────────────────────────────────────────────────── MEDIUM: Line 8: Using ':latest' tag in job 'test_job' is a security risk [image-latest-tag] 🔒 Remediation: Pin to specific version or SHA digest ✓ Security scan passed ════════════════════════════════════════════════════════════════════════════════ Validation Summary ════════════════════════════════════════════════════════════════════════════════ Syntax Validation: PASSED Best Practices: WARNINGS Security Scan: PASSED ════════════════════════════════════════════════════════════════════════════════ ✓ All validation checks passed
Common Validation Scenarios
Scenario 1: Validating a New Pipeline
# Validate syntax and structure bash scripts/validate_gitlab_ci.sh new-pipeline.gitlab-ci.yml
Scenario 2: Security Audit Before Merge
# Run security scan only with strict mode bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --security-only --strict
Scenario 3: Pipeline Optimization
# Check for best practices and optimization opportunities bash scripts/validate_gitlab_ci.sh .gitlab-ci.yml --best-practices
Scenario 4: CI/CD Integration
# In your CI/CD pipeline
stages:
- validate
validate_pipeline:
stage: validate
script:
- pip3 install PyYAML
- bash .claude/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strict
Integration with Claude Code
When Claude Code invokes this skill, it will:
- •Automatically detect
.gitlab-ci.ymlfiles in the project - •Run validation when you ask to validate, check, or review GitLab CI/CD configurations
- •Provide actionable feedback with line numbers and suggestions
- •Fetch additional documentation from Context7 or web sources when needed for custom GitLab features
Example prompts:
- •"Validate my GitLab CI pipeline"
- •"Check this .gitlab-ci.yml for security issues"
- •"Review my pipeline configuration for best practices"
- •"Why is my GitLab pipeline failing?"
- •"Optimize my GitLab CI/CD configuration"
Validation Rules
Syntax Rules
- •
yaml-syntax: Valid YAML formatting - •
job-reserved-keyword: Job names cannot use reserved keywords - •
job-missing-script: Jobs must have script, trigger, or extends - •
job-stage-undefined: Referenced stages must be defined - •
dependencies-undefined-job: Referenced jobs must exist - •
rules-not-list: Rules must be a list - •
cache-invalid-policy: Cache policy must be pull, push, or pull-push
Best Practice Rules
- •
cache-missing: Dependency installation jobs should use cache - •
artifact-no-expiration: Artifacts should have expiration - •
deprecated-only-except: Use 'rules' instead of 'only'/'except' - •
missing-interruptible: Test jobs should be interruptible - •
missing-retry: Potentially flaky jobs should have retry - •
image-latest-tag: Pin Docker images to specific versions - •
dag-optimization: Use 'needs' for faster pipeline execution - •
parallel-opportunity: Tests could benefit from parallelization
Security Rules
- •
hardcoded-password: Hardcoded passwords detected - •
hardcoded-api-key: Hardcoded API keys detected - •
secret-in-logs: Secrets may be exposed in logs - •
curl-pipe-bash: Dangerous curl | bash pattern - •
image-latest-tag: Using :latest is a security risk - •
include-remote-unverified: Remote includes without verification - •
variable-hardcoded-secret: Sensitive variables with hardcoded values - •
artifact-broad-path: Overly broad artifact paths
Requirements
- •Python 3.7+
- •PyYAML: Install with
pip3 install PyYAML - •Bash: For running the orchestrator script
Install dependencies:
pip3 install PyYAML
Documentation
Comprehensive documentation is included in the docs/ directory:
- •
gitlab-ci-reference.md: Complete GitLab CI/CD YAML syntax reference - •
best-practices.md: Detailed best practices guide - •
common-issues.md: Common issues and solutions
Examples
Example GitLab CI/CD configurations are provided in the examples/ directory:
- •
basic-pipeline.gitlab-ci.yml: Simple three-stage pipeline - •
docker-build.gitlab-ci.yml: Docker build and push workflow - •
multi-stage.gitlab-ci.yml: Multi-stage pipeline with DAG - •
complex-workflow.gitlab-ci.yml: Advanced workflow with all features - •
component-pipeline.gitlab-ci.yml: NEW - GitLab 17.0+ pipeline using CI/CD components from the Catalog
Test the skill with examples:
bash scripts/validate_gitlab_ci.sh examples/basic-pipeline.gitlab-ci.yml # Test component validation (GitLab 17.0+) bash scripts/validate_gitlab_ci.sh examples/component-pipeline.gitlab-ci.yml
Fetching Latest Documentation
When encountering custom GitLab features, modules, or specific version requirements, the skill can:
- •Use Context7 MCP to fetch version-aware GitLab documentation
- •Use WebSearch to find latest GitLab CI/CD documentation
- •Use WebFetch to retrieve specific documentation pages from docs.gitlab.com
This ensures validation rules stay current with the latest GitLab CI/CD features.
Extending the Skill
Adding Custom Validation Rules
Add custom rules to the validation scripts:
- •Syntax rules: Edit
scripts/validate_syntax.py - •Best practice rules: Edit
scripts/check_best_practices.py - •Security rules: Edit
scripts/check_security.py
Custom Rule Example
# In check_best_practices.py
def _check_custom_rule(self):
"""Check for custom organization rule"""
for job_name, job in self.config.items():
if not self._is_job(job_name):
continue
# Your custom validation logic
if 'tags' not in job:
self.issues.append(BestPracticeIssue(
'warning',
self._get_line(job_name),
f"Job '{job_name}' should specify runner tags",
'custom-missing-tags',
"Add 'tags' to select appropriate runners"
))
Troubleshooting
Python Module Not Found
# Install PyYAML pip3 install PyYAML # Or with homebrew Python python3 -m pip install PyYAML
Permission Denied
# Make scripts executable chmod +x scripts/*.sh scripts/*.py
Validation Errors
Check the documentation:
- •Review
docs/gitlab-ci-reference.mdfor syntax reference - •Check
docs/common-issues.mdfor known issues - •Consult
docs/best-practices.mdfor recommended patterns
Version History
v1.1.0 (2025-01-27)
- •NEW: Complete include validation for all types (component, project, remote, local, template)
- •NEW: CI/CD Component validation (GitLab 17.0+)
- •Component name format validation (org/project@version)
- •Version format validation (@1.0.0, @~latest, semantic versioning)
- •Component inputs structure validation
- •Component limit validation (max 100 per project)
- •NEW: Enhanced security checks for all include types
- •Component security (version pinning, trusted sources, hardcoded inputs)
- •Remote include integrity and HTTP/HTTPS validation
- •Project include ref pinning and branch detection
- •Local include path traversal detection
- •Template deprecation warnings
- •NEW: gitlab-ci-local integration for local pipeline testing
- •install_tools.sh script for tool installation
- •--test-only mode in validate_gitlab_ci.sh
- •NEW: Core Validation Workflow documentation
- •NEW: component-pipeline.gitlab-ci.yml example
- •Enhanced validation rules: 40+ validation rules (was 25)
- •Improved error messages with detailed remediation steps
v1.0.0 (2025-01-18)
- •Initial release
- •Syntax validation with comprehensive GitLab CI schema checking
- •Best practices validation with 15+ rules
- •Security scanning with 25+ security checks
- •Comprehensive documentation
- •Example pipeline configurations
- •Integration with Context7 for latest GitLab docs
Contributing
To improve this skill:
- •Add new validation rules to appropriate scripts
- •Update documentation with new patterns
- •Add example configurations
- •Test with real-world GitLab CI/CD files
License
This skill is part of the DevOps Skills collection.
Support
For issues, questions, or contributions:
- •Check documentation in
docs/directory - •Review examples in
examples/directory - •Consult GitLab CI/CD documentation: https://docs.gitlab.com/ci/
Remember: This skill validates GitLab CI/CD configurations but does not execute pipelines. Use GitLab's CI Lint tool or gitlab-ci-local for testing actual pipeline execution.