| name | gitlab-ci-validator |
| description | Validate, lint, audit, or fix .gitlab-ci.yml pipelines, stages, and jobs. |
GitLab CI/CD Validator
Comprehensive toolkit for validating, linting, testing, and securing .gitlab-ci.yml configurations.
Trigger Phrases
Use this skill when requests include intent like:
- "Validate this
.gitlab-ci.yml"
- "Why is this GitLab pipeline failing?"
- "Run a security review for our GitLab CI"
- "Check pipeline best practices"
- "Lint GitLab CI config before merge"
Setup And Prerequisites (Run First)
All commands below assume repository root as current working directory.
chmod +x devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.sh \
devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.py
python3 --version
Use one canonical command path for orchestration:
VALIDATOR="bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh"
Optional local execution tooling (for --test-only):
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/install_tools.sh
Quick Start Commands
$VALIDATOR .gitlab-ci.yml
$VALIDATOR .gitlab-ci.yml --syntax-only
$VALIDATOR .gitlab-ci.yml --best-practices
$VALIDATOR .gitlab-ci.yml --security-only
$VALIDATOR .gitlab-ci.yml --test-only
$VALIDATOR .gitlab-ci.yml --strict
Deterministic Validation Workflow
Follow these gates in order:
- Run Quick Start command
2 (--syntax-only).
- If syntax fails, stop and fix errors before continuing.
- Run Quick Start command
3 (--best-practices) and apply relevant improvements.
- Run Quick Start command
4 (--security-only) and fix all critical/high findings before merge.
- Optionally run Quick Start command
5 (--test-only) for local execution checks.
- Run Quick Start command
6 (--strict) for final merge gate.
Required gates: syntax + security.
Recommended gate: best practices.
Optional gate: local execution test.
Rule Severity Rationale And Documentation Links
Severity Model
critical: Direct credential/secret exposure or high-confidence compromise path. Block merge.
high: Exploitable unsafe behavior or strong security regression. Fix before merge.
medium: Security hardening gap with realistic risk. Track and fix soon.
low/suggestion: Optimization or maintainability improvement.
Rule Classes And Why They Matter
- Syntax rules (
yaml-syntax, job-stage-undefined, dependencies-undefined-job): prevent pipeline parse and dependency failures.
- Best-practice rules (
cache-missing, artifact-no-expiration, dag-optimization): reduce runtime cost and improve pipeline throughput.
- Security rules (
hardcoded-password, curl-pipe-bash, include-remote-unverified): reduce credential leaks and supply-chain risk.
References
Fallbacks For Tool Or Environment Constraints
- Missing
python3:
- Behavior: validator cannot run.
- Fallback: install Python 3 and rerun.
- Missing
PyYAML:
- Behavior:
python_wrapper.sh auto-creates .venv and installs pyyaml when possible.
- Fallback in restricted/offline environments: pre-install
pyyaml from an internal mirror, then rerun.
- Missing
gitlab-ci-local, node, or docker:
- Behavior:
--test-only reports warning/failure.
- Fallback: skip local execution testing and continue with syntax/best-practice/security gates.
- No execute permission on scripts:
- Behavior: shell permission errors.
- Fallback: rerun the setup
chmod command from the Setup section.
Examples
Example 1: New Pipeline Validation
$VALIDATOR examples/basic-pipeline.gitlab-ci.yml --syntax-only
$VALIDATOR examples/basic-pipeline.gitlab-ci.yml --security-only
Example 2: Pre-Merge Hard Gate
$VALIDATOR .gitlab-ci.yml --strict
Example 3: CI Integration
stages:
- validate
validate_gitlab_ci:
stage: validate
script:
- chmod +x devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.sh devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.py
- bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strict
Individual Validators (Advanced)
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_syntax.py .gitlab-ci.yml
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
devops-skills-plugin/skills/gitlab-ci-validator/scripts/check_best_practices.py .gitlab-ci.yml
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
devops-skills-plugin/skills/gitlab-ci-validator/scripts/check_security.py .gitlab-ci.yml
Done Criteria
- Frontmatter
name and description unchanged.
- One canonical orchestrator path is used consistently.
- Setup and
chmod prerequisites appear before workflow/use examples.
- Quick-start and workflow are non-duplicative (workflow references quick-start gates).
- Severity rationale and rule-to-doc references are explicit.
- Fallback behavior is documented for missing tools and constrained environments.
- Examples are executable from repository root.
Notes
- This skill validates configuration and static patterns; it does not execute production pipelines.
- Use
gitlab-ci-local or GitLab CI Lint for runtime behavior confirmation.