Cc-devops-skills gitlab-ci-validator

Validate, lint, audit, or fix .gitlab-ci.yml pipelines, stages, and jobs.

install

source · Clone the upstream repo

git clone https://github.com/akin-ozer/cc-devops-skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/akin-ozer/cc-devops-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/devops-skills-plugin/skills/gitlab-ci-validator" ~/.claude/skills/akin-ozer-cc-devops-skills-gitlab-ci-validator && rm -rf "$T"

manifest: devops-skills-plugin/skills/gitlab-ci-validator/SKILL.md

source content

GitLab CI/CD Validator

Comprehensive toolkit for validating, linting, testing, and securing

.gitlab-ci.yml

configurations.

Trigger Phrases

Use this skill when requests include intent like:

"Validate this
```
.gitlab-ci.yml
```
"
"Why is this GitLab pipeline failing?"
"Run a security review for our GitLab CI"
"Check pipeline best practices"
"Lint GitLab CI config before merge"

Setup And Prerequisites (Run First)

All commands below assume repository root as current working directory.

# Ensure validator scripts are executable
chmod +x devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.sh \
  devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.py

# Required runtime
python3 --version

Use one canonical command path for orchestration:

VALIDATOR="bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh"

Optional local execution tooling (for

--test-only

bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/install_tools.sh

Quick Start Commands

# 1) Full validation (syntax + best practices + security)
$VALIDATOR .gitlab-ci.yml

# 2) Syntax and schema only (required first gate)
$VALIDATOR .gitlab-ci.yml --syntax-only

# 3) Best-practices only (recommended)
$VALIDATOR .gitlab-ci.yml --best-practices

# 4) Security only (required before merge)
$VALIDATOR .gitlab-ci.yml --security-only

# 5) Optional local pipeline structure test (needs gitlab-ci-local + Docker)
$VALIDATOR .gitlab-ci.yml --test-only

# 6) Strict mode (treat best-practice warnings as failure)
$VALIDATOR .gitlab-ci.yml --strict

Deterministic Validation Workflow

Follow these gates in order:

Run Quick Start command
```
2
```
(
```
--syntax-only
```
).
If syntax fails, stop and fix errors before continuing.
Run Quick Start command
```
3
```
(
```
--best-practices
```
) and apply relevant improvements.
Run Quick Start command
```
4
```
(
```
--security-only
```
) and fix all
```
critical
```
/
```
high
```
findings before merge.
Optionally run Quick Start command
```
5
```
(
```
--test-only
```
) for local execution checks.
Run Quick Start command
```
6
```
(
```
--strict
```
) for final merge gate.

Required gates: syntax + security. Recommended gate: best practices. Optional gate: local execution test.

Rule Severity Rationale And Documentation Links

Severity Model

```
critical
```
: Direct credential/secret exposure or high-confidence compromise path. Block merge.
```
high
```
: Exploitable unsafe behavior or strong security regression. Fix before merge.
```
medium
```
: Security hardening gap with realistic risk. Track and fix soon.
```
low
```
/
```
suggestion
```
: Optimization or maintainability improvement.

Rule Classes And Why They Matter

Syntax rules (
```
yaml-syntax
```
,
```
job-stage-undefined
```
,
```
dependencies-undefined-job
```
): prevent pipeline parse and dependency failures.
Best-practice rules (
```
cache-missing
```
,
```
artifact-no-expiration
```
,
```
dag-optimization
```
): reduce runtime cost and improve pipeline throughput.
Security rules (
```
hardcoded-password
```
,
```
curl-pipe-bash
```
,
```
include-remote-unverified
```
): reduce credential leaks and supply-chain risk.

References

Local syntax reference:

devops-skills-plugin/skills/gitlab-ci-validator/docs/gitlab-ci-reference.md

Local best practices:

devops-skills-plugin/skills/gitlab-ci-validator/docs/best-practices.md

Local common issues:

devops-skills-plugin/skills/gitlab-ci-validator/docs/common-issues.md

GitLab CI YAML reference: https://docs.gitlab.com/ee/ci/yaml/
GitLab CI/CD components: https://docs.gitlab.com/ee/ci/components/
GitLab pipeline security guidance: https://docs.gitlab.com/ee/ci/pipelines/settings.html

Fallbacks For Tool Or Environment Constraints

Missing
```
python3
```
:
- Behavior: validator cannot run.
- Fallback: install Python 3 and rerun.
Missing
```
PyYAML
```
:
- Behavior:
```
python_wrapper.sh
```
  auto-creates
```
.venv
```
  and installs
```
pyyaml
```
  when possible.
- Fallback in restricted/offline environments: pre-install
```
pyyaml
```
  from an internal mirror, then rerun.
Missing
```
gitlab-ci-local
```
,
```
node
```
, or
```
docker
```
:
- Behavior:
```
--test-only
```
  reports warning/failure.
- Fallback: skip local execution testing and continue with syntax/best-practice/security gates.
No execute permission on scripts:
- Behavior: shell permission errors.
- Fallback: rerun the setup
```
chmod
```
  command from the Setup section.

Examples

Example 1: New Pipeline Validation

$VALIDATOR examples/basic-pipeline.gitlab-ci.yml --syntax-only
$VALIDATOR examples/basic-pipeline.gitlab-ci.yml --security-only

Example 2: Pre-Merge Hard Gate

$VALIDATOR .gitlab-ci.yml --strict

Example 3: CI Integration

stages:
  - validate

validate_gitlab_ci:
  stage: validate
  script:
    - chmod +x devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.sh devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.py
    - bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strict

Individual Validators (Advanced)

# Syntax validator (via wrapper for PyYAML fallback)
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
  devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_syntax.py .gitlab-ci.yml

# Best-practices validator
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
  devops-skills-plugin/skills/gitlab-ci-validator/scripts/check_best_practices.py .gitlab-ci.yml

# Security validator
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
  devops-skills-plugin/skills/gitlab-ci-validator/scripts/check_security.py .gitlab-ci.yml

Done Criteria

Frontmatter
```
name
```
and
```
description
```
unchanged.
One canonical orchestrator path is used consistently.
Setup and
```
chmod
```
prerequisites appear before workflow/use examples.
Quick-start and workflow are non-duplicative (workflow references quick-start gates).
Severity rationale and rule-to-doc references are explicit.
Fallback behavior is documented for missing tools and constrained environments.
Examples are executable from repository root.

Notes

This skill validates configuration and static patterns; it does not execute production pipelines.
Use
```
gitlab-ci-local
```
or GitLab CI Lint for runtime behavior confirmation.