GitLab CI Linter
Lint GitLab CI/CD pipeline files for syntax errors, security issues, deprecated patterns, and best practices violations.
Commands
All commands use the bundled Python script at scripts/gitlab_ci_linter.py.
1. Lint a pipeline file
python3 scripts/gitlab_ci_linter.py lint <file-or-directory> [--strict] [--format text|json|markdown]
Runs all lint rules against one or more .gitlab-ci.yml files. If given a directory, scans for *.yml and *.yaml files recursively.
Flags:
--strict-- exit code 1 on any warning (not just errors)--format-- output format:text(default),json,markdown
2. Audit for security issues
python3 scripts/gitlab_ci_linter.py security <file> [--format text|json|markdown]
Focused security audit: hardcoded secrets, unprotected variables, privileged runners, insecure Docker image tags, security jobs with allow_failure.
3. Inspect stages
python3 scripts/gitlab_ci_linter.py stages <file> [--format text|json|markdown]
Show defined stages and which jobs map to each stage. Flags undefined or unused stages.
4. Validate pipeline structure
python3 scripts/gitlab_ci_linter.py validate <file> [--format text|json|markdown]
Structural validation only: required keys, stage definitions, job keywords, dependency graph (circular needs:, missing refs).
Lint Rules (24 total)
Syntax & Structure (8 rules)
- missing-stages -- No
stages:definition - undefined-stage -- Job uses stage not in
stages:list - empty-job -- Job has no
script:section - invalid-job-name -- Job name starts with
.but is not used as a template - missing-script -- Job without
script:,before_script:, ortrigger: - circular-needs -- Circular dependency in
needs:graph - duplicate-job -- Duplicate job names (YAML parser collapses them)
- invalid-keyword -- Unknown top-level or job-level keyword
Security (6 rules)
- hardcoded-secret -- Passwords, tokens, keys in plain text
- unprotected-variable -- Sensitive-looking variable not using
$CI_*references - allow-failure-security -- Security-related job with
allow_failure: true - privileged-runner --
tags:requesting privileged runners - unmasked-variable -- Variable looks sensitive but not described as masked
- insecure-image -- Using
:latesttag for Docker images
Best Practices (10 rules)
- missing-retry -- No
retry:on deploy/test jobs - missing-timeout -- No
timeout:specified - no-cache-key --
cache:without explicitkey: - broad-artifacts -- Overly broad
artifacts: paths:patterns - missing-rules -- Job without
rules:oronly:/except: - deprecated-only-except -- Using
only:/except:instead ofrules: - long-script --
script:block exceeds 30 lines - missing-interruptible -- Long-running job without
interruptible: - no-coverage-regex -- Test job without
coverage:regex - missing-when -- No
when:inrules:entries
Output Formats
Text (default)
.gitlab-ci.yml:12 error [missing-script] Job 'deploy' has no script:, before_script:, or trigger:
.gitlab-ci.yml:25 warning [missing-timeout] Job 'test' has no timeout: specified
.gitlab-ci.yml:31 info [deprecated-only-except] Job 'build' uses only:/except: instead of rules:
3 issues (1 error, 2 warnings)
JSON
{
"file": ".gitlab-ci.yml",
"issues": [...],
"summary": {"errors": 1, "warnings": 2, "info": 0}
}
Markdown
Summary table with severity, rule, location, and message.
CI Integration
# .gitlab-ci.yml
lint-pipeline:
stage: test
script:
- python3 scripts/gitlab_ci_linter.py lint .gitlab-ci.yml --strict
Exit codes: 0 = clean, 1 = errors found (or warnings in --strict mode).