GitLab CI/CD Validator

.gitlab-ci.yml

Trigger Phrases

• "Validate this

  .gitlab-ci.yml

  "
• "Why is this GitLab pipeline failing?"
• "Run a security review for our GitLab CI"
• "Check pipeline best practices"
• "Lint GitLab CI config before merge"

Setup And Prerequisites (Run First)

# Ensure validator scripts are executable
chmod +x devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.sh \
  devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.py

# Required runtime
python3 --version

VALIDATOR="bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh"

--test-only

bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/install_tools.sh

Quick Start Commands

# 1) Full validation (syntax + best practices + security)
$VALIDATOR .gitlab-ci.yml

# 2) Syntax and schema only (required first gate)
$VALIDATOR .gitlab-ci.yml --syntax-only

# 3) Best-practices only (recommended)
$VALIDATOR .gitlab-ci.yml --best-practices

# 4) Security only (required before merge)
$VALIDATOR .gitlab-ci.yml --security-only

# 5) Optional local pipeline structure test (needs gitlab-ci-local + Docker)
$VALIDATOR .gitlab-ci.yml --test-only

# 6) Strict mode (treat best-practice warnings as failure)
$VALIDATOR .gitlab-ci.yml --strict

Deterministic Validation Workflow

1. Run Quick Start command

   2

   (

   --syntax-only

   ).
2. If syntax fails, stop and fix errors before continuing.
3. Run Quick Start command

   3

   (

   --best-practices

   ) and apply relevant improvements.
4. Run Quick Start command

   4

   (

   --security-only

   ) and fix all

   critical

   /

   high

   findings before merge.
5. Optionally run Quick Start command

   5

   (

   --test-only

   ) for local execution checks.
6. Run Quick Start command

   6

   (

   --strict

   ) for final merge gate.

Rule Severity Rationale And Documentation Links

Severity Model

• critical

  : Direct credential/secret exposure or high-confidence compromise path. Block merge.

• high

  : Exploitable unsafe behavior or strong security regression. Fix before merge.

• medium

  : Security hardening gap with realistic risk. Track and fix soon.

• low

  /

  suggestion

  : Optimization or maintainability improvement.

Rule Classes And Why They Matter

• Syntax rules (

  yaml-syntax

  ,

  job-stage-undefined

  ,

  dependencies-undefined-job

  ): prevent pipeline parse and dependency failures.
• Best-practice rules (

  cache-missing

  ,

  artifact-no-expiration

  ,

  dag-optimization

  ): reduce runtime cost and improve pipeline throughput.
• Security rules (

  hardcoded-password

  ,

  curl-pipe-bash

  ,

  include-remote-unverified

  ): reduce credential leaks and supply-chain risk.

References

• Local syntax reference:

  devops-skills-plugin/skills/gitlab-ci-validator/docs/gitlab-ci-reference.md

• Local best practices:

  devops-skills-plugin/skills/gitlab-ci-validator/docs/best-practices.md

• Local common issues:

  devops-skills-plugin/skills/gitlab-ci-validator/docs/common-issues.md

• GitLab CI YAML reference: https://docs.gitlab.com/ee/ci/yaml/
• GitLab CI/CD components: https://docs.gitlab.com/ee/ci/components/
• GitLab pipeline security guidance: https://docs.gitlab.com/ee/ci/pipelines/settings.html

Fallbacks For Tool Or Environment Constraints

• Missing

  python3

  :
  • Behavior: validator cannot run.
  • Fallback: install Python 3 and rerun.
• Missing

  PyYAML

  :
  • Behavior:

    python_wrapper.sh

    auto-creates

    .venv

    and installs

    pyyaml

    when possible.
  • Fallback in restricted/offline environments: pre-install

    pyyaml

    from an internal mirror, then rerun.
• Missing

  gitlab-ci-local

  ,

  node

  , or

  docker

  :
  • Behavior:

    --test-only

    reports warning/failure.
  • Fallback: skip local execution testing and continue with syntax/best-practice/security gates.
• No execute permission on scripts:
  • Behavior: shell permission errors.
  • Fallback: rerun the setup

    chmod

    command from the Setup section.

Examples

Example 1: New Pipeline Validation

$VALIDATOR examples/basic-pipeline.gitlab-ci.yml --syntax-only
$VALIDATOR examples/basic-pipeline.gitlab-ci.yml --security-only

Example 2: Pre-Merge Hard Gate

$VALIDATOR .gitlab-ci.yml --strict

Example 3: CI Integration

stages:
  - validate

validate_gitlab_ci:
  stage: validate
  script:
    - chmod +x devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.sh devops-skills-plugin/skills/gitlab-ci-validator/scripts/*.py
    - bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_gitlab_ci.sh .gitlab-ci.yml --strict

Individual Validators (Advanced)

# Syntax validator (via wrapper for PyYAML fallback)
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
  devops-skills-plugin/skills/gitlab-ci-validator/scripts/validate_syntax.py .gitlab-ci.yml

# Best-practices validator
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
  devops-skills-plugin/skills/gitlab-ci-validator/scripts/check_best_practices.py .gitlab-ci.yml

# Security validator
bash devops-skills-plugin/skills/gitlab-ci-validator/scripts/python_wrapper.sh \
  devops-skills-plugin/skills/gitlab-ci-validator/scripts/check_security.py .gitlab-ci.yml

Done Criteria

• Frontmatter

  name

  and

  description

  unchanged.
• One canonical orchestrator path is used consistently.
• Setup and

  chmod

  prerequisites appear before workflow/use examples.
• Quick-start and workflow are non-duplicative (workflow references quick-start gates).
• Severity rationale and rule-to-doc references are explicit.
• Fallback behavior is documented for missing tools and constrained environments.
• Examples are executable from repository root.

Notes

• This skill validates configuration and static patterns; it does not execute production pipelines.
• Use

  gitlab-ci-local

  or GitLab CI Lint for runtime behavior confirmation.