Skip to main content

Validate and lint your gitlab ci files using ShellCheck, the Gitlab API and curated checks

Project description

gitlab-ci-verify

GitHub Release PyPI version DockerHub Pulls GitHub all releases download count CircleCI codecov Renovate Quality Gate Status Maintainability Rating Go Report Card Security Rating


Validate and lint your gitlab ci files using ShellCheck, the Gitlab API and curated checks

Features

  • ShellCheck for scripts
  • Validation against Pipeline Editor API for project
  • Curated checks for common mistakes (feel free to contribute new ones)
  • Automatic detection of the current gitlab project with an option to overwrite
  • Available as pre-commit hook
  • Use to valid dynamically generated pipelines using the python wrapper
  • Support for gitlab.com and self-hosted instances

Example output

Format Screenshot
text Text output screenshot
json JSON output screenshot
table Table output screenshot

Installation

pre-commit

docker

Install with pipx

Using pipx you can just use the following command use gitlab-ci-verify as it is:

pipx install gitlab-ci-verify

Install as library using pip

If you want to use it directly using the subprocess module you can install it with pip:

pip install gitlab-ci-verify

And use the package like this:

from gitlab_ci_verify import verify_file

# Verify .gitlab-ci.yml in /path/to/repo is valid
valid, findings = verify_file("/path/to/repo")

# verify include.yml in /path/to/repo is valid
valid, findings = verify_file("/path/to/repo", "include.yml")

# or if you want to verify file content for a given repository
# valid, findings = verify_content("/path/to/repo","ci-yaml content")

print(f"Valid:    {valid}")
print(f"Findings: {findings}")

Also see the python wrapper documentation

Manual

Linux (64-bit)

curl -LO https://github.com/timo-reymann/gitlab-ci-verify/releases/download/$(curl -Lso /dev/null -w %{url_effective} https://github.com/timo-reymann/gitlab-ci-verify/releases/latest | grep -o '[^/]*$')/gitlab-ci-verify_linux-amd64 && \
chmod +x gitlab-ci-verify_linux-amd64 && \
sudo mv gitlab-ci-verify_linux-amd64 /usr/local/bin/gitlab-ci-verify

Darwin (Intel)

curl -LO https://github.com/timo-reymann/gitlab-ci-verify/releases/download/$(curl -Lso /dev/null -w %{url_effective} https://github.com/timo-reymann/gitlab-ci-verify/releases/latest | grep -o '[^/]*$')/gitlab-ci-verify_darwin-amd64 && \
chmod +x gitlab-ci-verify_darwin-amd64 && \
sudo mv gitlab-ci-verify_darwin-amd64 /usr/local/bin/gitlab-ci-verify

Windows

Download the latest release for Windows and put in your PATH.

Install with go

go install github.com/timo-reymann/gitlab-ci-verify@latest

Supported platforms

The following platforms are supported (and have prebuilt binaries / ready to use integration):

  • Linux
    • 64-bit
    • ARM 64-bit
  • Darwin
    • 64-bit
    • ARM (M1/M2)
  • Windows
    • 64-bit
  • pre-commit (x86 & ARM)
  • Docker (x86 & ARM)

Where to find the latest release for your platform

Binaries

Binaries for all of these can be found on the latest release page.

Docker

For the docker image, check the docker hub.

Usage

Command Line

gitlab-ci-verify --help

Containerized

docker run --rm -it -v $PWD:/workspace -e GITLAB_TOKEN="your token" timoreymann/gitlab-ci-verify

As pre-commit hook

- repo: https://github.com/timo-reymann/gitlab-ci-verify
  rev: v0.5.1
  hooks:
    - id: gitlab-ci-verify

Authentication with GitLab

The tool takes a few sources into consideration in the following order when authenticating with GitLab:

  • --gitlab-token commandline flag
  • netrc in your home folder
  • Vault token specified via --gitlab-token vault://<path>#<field> with environment variable VAULT_ADDR set to base url for vault, and either VAULT_TOKEN set or ~/.vault-token present
  • GITLAB_TOKEN environment variable

For the project detection, all git remote URLs of the repository are tried, and the first URL that returns a valid API response is used. In case you cloned via SSH it tries to convert it to the HTTPs host automatically. If the ssh URL differs from the HTTPs url you should specify it manually using the --gitlab-base-url, without protocol e.g. --gitlab-base-url git.example.com

Motivation

Unfortunately, GitLab didn't provide a tool to validate CI configuration for quite a while. Now that changed with the glab CLI providing glab ci lint but it is quite limited and under the hood just calls the new CI Lint API.

Throughout the years quite some tools evolved, but most of them are either outdated, painful to use or install, and basically also provide the lint functionality from the API.

As most of the logic in pipelines is written in shell scripts via the *script attributes these are lacking completely from all tools out there as well as the official lint API.

The goal of gitlab-ci-verify is to provide the stock CI Lint functionality plus shellcheck. Completed in the future some rules to lint that common patterns are working as intended by GitLab and void them from being pushed and leading to unexpected behavior.

Contributing

I love your input! I want to make contributing to this project as easy and transparent as possible, whether it's:

  • Reporting a bug
  • Discussing the current state of the configuration
  • Submitting a fix
  • Proposing new features
  • Becoming a maintainer

To get started please read the Contribution Guidelines.

Development

Requirements

Test

make test-coverage-report

Build

make build

Credits

This whole project wouldn't be possible with the great work of the following libraries/tools:

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gitlab_ci_verify-0.5.1.tar.gz (13.5 kB view details)

Uploaded Source

Built Distribution

gitlab_ci_verify-0.5.1-py3-none-any.whl (10.3 kB view details)

Uploaded Python 3

File details

Details for the file gitlab_ci_verify-0.5.1.tar.gz.

File metadata

  • Download URL: gitlab_ci_verify-0.5.1.tar.gz
  • Upload date:
  • Size: 13.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for gitlab_ci_verify-0.5.1.tar.gz
Algorithm Hash digest
SHA256 2845b57790b247bc1d9bc4d0b62db8da8f76710c89bbb891bc0b2e98f8d50ed1
MD5 a61be42204c2e3ee6d626ef0a714c25b
BLAKE2b-256 51b8737032a003f0ed76d9ab07234d98ae7822b520045669ab01c8de4626ad7d

See more details on using hashes here.

File details

Details for the file gitlab_ci_verify-0.5.1-py3-none-any.whl.

File metadata

File hashes

Hashes for gitlab_ci_verify-0.5.1-py3-none-any.whl
Algorithm Hash digest
SHA256 f7e8d886bfcf9f98a4c9acc4f7545af4334067d69d238b9e8ddfe5c22c3285fc
MD5 7b2240a7e1eb2614becd58a92baa61aa
BLAKE2b-256 3fb2658dd86880e1bcb25fd115f28cd5aef3658dc489b10f5db8d334b90b5139

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page