| name | pipeline-auditor |
| description | Use this skill to review, audit, or optimize CI/CD pipelines.
MANDATORY TRIGGERS: CI/CD, pipeline, GitHub Actions, GitLab CI, Jenkinsfile,
.github/workflows, .gitlab-ci.yml, build pipeline, deployment pipeline,
review pipeline, pipeline optimization, CI audit.
Also use when: checking pipeline security, looking for missing stages,
optimizing build times, reviewing workflow YAML files.
Do NOT use for: codebase architecture (use architecture-analyzer) or
infrastructure configs like Dockerfiles (use infra-config-analyzer).
|
| metadata | {"author":"N.V","version":"1.0"} |
| context | fork |
| agent | Explore |
| allowed-tools | Read, Grep, Glob, Bash |
Overview
Audits CI/CD pipeline configurations (GitHub Actions, GitLab CI, Jenkins, CircleCI,
Azure Pipelines) for completeness, security, performance, and best practices.
Produces a structured audit report with severity-rated findings.
When to Use This Skill
- Reviewing existing pipeline configs for issues or improvements
- Checking if a pipeline follows CI/CD best practices
- Optimizing slow build/deploy pipelines
- Auditing pipeline security (secrets handling, permissions, supply chain)
- Comparing pipeline setup against industry standards
Workflow
Quick Version (single pipeline file)
- Read the pipeline config file
- Check against the audit checklist
- Output findings sorted by severity
Full Version (full CI/CD audit)
- Discover —
Glob for pipeline files: .github/workflows/*.yml, .gitlab-ci.yml, Jenkinsfile, .circleci/config.yml, azure-pipelines.yml
- Map stages — identify all stages/jobs and their dependencies
- Check completeness — lint, test, build, security scan, deploy, notify
- Check security — secret handling, permissions, pinned actions/images
- Check performance — caching, parallelism, conditional execution, artifact sizes
- Check reliability — retry logic, timeout settings, failure notifications
- Generate report — findings with severity, location, and fix suggestions
Audit Checklist
Completeness
□ Lint/format stage present
□ Unit test stage present
□ Integration test stage present (if applicable)
□ Build/compile stage present
□ Security/SAST scan present
□ Deploy stage(s) present (staging, production)
□ Notification on failure (Slack, email, etc.)
Security
□ Secrets use pipeline secret store (not hardcoded)
□ Third-party actions/images pinned to SHA (not floating tags)
□ Minimal permissions (principle of least privilege)
□ No secrets printed in logs
□ Dependency scanning enabled
□ Pipeline triggers restricted (no unauthorized PRs running deploy)
Performance
□ Dependency caching enabled (npm, pip, maven, etc.)
□ Parallel jobs where independent stages exist
□ Conditional execution (skip unnecessary steps on docs-only changes)
□ Artifact sizes reasonable
□ Build matrix used efficiently
□ Timeout limits set
Reliability
□ Retry on flaky steps (network calls, deployments)
□ Timeout configured per job
□ Manual approval gate before production deploy
□ Rollback strategy documented or automated
□ Branch protection rules aligned with pipeline
Critical Rules
- Check ALL pipeline files — projects often have multiple workflows
- Rate every finding — use ⛔ Critical / ⚠️ Warning / 💡 Suggestion
- Give fix examples — don't just list problems, show the YAML fix
- NEVER modify pipeline files — this is an audit-only skill
- Check for environment-specific configs — dev, staging, prod may differ
Output Format
# Pipeline Audit Report: [Project Name]
## Pipeline Inventory
| File | Platform | Triggers | Stages |
|------|----------|----------|--------|
| .github/workflows/ci.yml | GitHub Actions | push, PR | lint, test, build |
## Pipeline Flow
\`\`\`mermaid
graph LR
A[Lint] --> B[Test]
B --> C[Build]
C --> D[Deploy Staging]
D --> E{Manual Approval}
E --> F[Deploy Production]
\`\`\`
## Findings
### ⛔ Critical
- **[Finding]** — file:line — [explanation + fix]
### ⚠️ Warning
- **[Finding]** — file:line — [explanation + fix]
### 💡 Suggestion
- **[Finding]** — file:line — [explanation + fix]
## Score: X/10