Validate and lint your gitlab ci files using ShellCheck, the Gitlab API and curated checks
Validate and lint your gitlab ci files using ShellCheck, the Gitlab API, curated checks or even build your own checks
| Format | Screenshot |
|---|---|
| text |  |
| json |  |
| table |  |
Using pipx you can just use the following command use gitlab-ci-verify as it is:
pipx install gitlab-ci-verify-bin
If you want to use it directly using the subprocess module you can install it with pip:
pip install gitlab-ci-verify
And use the package like this:
from gitlab_ci_verify import verify_file
# Verify .gitlab-ci.yml in /path/to/repo is valid
valid, findings = verify_file("/path/to/repo")
# verify include.yml in /path/to/repo is valid
valid, findings = verify_file("/path/to/repo", "include.yml")
# or if you want to verify file content for a given repository
# valid, findings = verify_content("/path/to/repo","ci-yaml content")
print(f"Valid: {valid}")
print(f"Findings: {findings}")
Also see the python wrapper documentation
curl -LO https://github.com/timo-reymann/gitlab-ci-verify/releases/download/$(curl -Lso /dev/null -w %{url_effective} https://github.com/timo-reymann/gitlab-ci-verify/releases/latest | grep -o '[^/]*$')/gitlab-ci-verify_linux-amd64 && \
chmod +x gitlab-ci-verify_linux-amd64 && \
sudo mv gitlab-ci-verify_linux-amd64 /usr/local/bin/gitlab-ci-verify
curl -LO https://github.com/timo-reymann/gitlab-ci-verify/releases/download/$(curl -Lso /dev/null -w %{url_effective} https://github.com/timo-reymann/gitlab-ci-verify/releases/latest | grep -o '[^/]*$')/gitlab-ci-verify_darwin-amd64 && \
chmod +x gitlab-ci-verify_darwin-amd64 && \
sudo mv gitlab-ci-verify_darwin-amd64 /usr/local/bin/gitlab-ci-verify
Download the latest release for Windows and put in
your PATH.
go install github.com/timo-reymann/gitlab-ci-verify@latest
The following platforms are supported (and have prebuilt binaries / ready to use integration):
Binaries for all of these can be found on the latest release page.
For the docker image, check the docker hub.
gitlab-ci-verify --help
docker run --rm -it -v $PWD:/workspace -e GITLAB_TOKEN="your token" timoreymann/gitlab-ci-verify
- repo: https://github.com/timo-reymann/gitlab-ci-verify
rev: v2.1.7
hooks:
- id: gitlab-ci-verify
The tool takes a few sources into consideration in the following order when authenticating with GitLab:
--gitlab-token commandline flag--gitlab-token vault://<path>#<field> with environment variable VAULT_ADDR set to base
url for
vault, and either VAULT_TOKEN set or ~/.vault-token presentGITLAB_TOKEN environment variableFor the project detection, all git remote URLs of the repository are tried, and the first URL that returns a valid API
response is used. In case you cloned via SSH it tries to convert it to the HTTPs host automatically. If the ssh URL
differs from the HTTPs url you should specify it manually using the --gitlab-base-url, without protocol e.g.
--gitlab-base-url git.example.com
You can ignore findings by adding comments in the format # gitlab-ci-verify: ignore:<check_id> to your CI YAML files.
This works in several places:
pages:
artifacts: {}# gitlab-ci-verify: ignore:GL-201
pages:
# gitlab-ci-verify: ignore:GL-201
artifacts: {}
# gitlab-ci-verify: ignore:GL-201
pages:
artifacts: {}
You can write custom policies for your projects using Rego.
Find more information in the dedicated documentation for custom policies.
Unfortunately, GitLab didn't provide a tool to validate CI configuration for quite a while.
Now that changed with the glab CLI providing glab ci lint but it is quite limited and under the hood just calls the
new CI Lint API.
Throughout the years quite some tools evolved, but most of them are either outdated, painful to use or install, and basically also provide the lint functionality from the API.
As most of the logic in pipelines is written in shell scripts via the *script attributes these are lacking completely
from all tools out there as well as the official lint API.
The goal of gitlab-ci-verify is to provide the stock CI Lint functionality plus shellcheck. Completed in the future some rules to lint that common patterns are working as intended by GitLab and void them from being pushed and leading to unexpected behavior.
I love your input! I want to make contributing to this project as easy and transparent as possible, whether it's:
To get started please read the Contribution Guidelines.
make test-coverage-report
make build
This whole project wouldn't be possible with the great work of the following libraries/tools:
FAQs
Validate and lint your gitlab ci files using ShellCheck, the Gitlab API and curated checks
We found that gitlab-ci-verify demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint.
Security News
TypeScript Native Previews offers a 10x faster Go-based compiler, now available on npm for public testing with early editor and language support.
Research
Security News
Malicious npm packages targeting React, Vue, Vite, Node.js, and Quill remained undetected for two years while deploying destructive payloads.