Skip to main content

Validate and lint your gitlab ci files using ShellCheck, the Gitlab API and curated checks

Project description

gitlab-ci-verify

GitHub Release PyPI version DockerHub Pulls GitHub all releases download count CircleCI codecov Renovate Quality Gate Status Maintainability Rating Go Report Card Security Rating


Validate and lint your gitlab ci files using ShellCheck, the Gitlab API and curated checks

Features

  • ShellCheck for scripts
  • Validation against Pipeline Editor API for project
  • Curated checks for common mistakes (feel free to contribute new ones)
  • Automatic detection of the current gitlab project with an option to overwrite
  • Available as pre-commit hook
  • Use to valid dynamically generated pipelines using the python wrapper
  • Support for gitlab.com and self-hosted instances

Example output

Format Screenshot
text Text output screenshot
json JSON output screenshot
table Table output screenshot

Installation

pre-commit

docker

Install with pipx

Using pipx you can just use the following command use gitlab-ci-verify as it is:

pipx install gitlab-ci-verify

Install as library using pip

If you want to use it directly using the subprocess module you can install it with pip:

pip install gitlab-ci-verify

And use the package like this:

from gitlab_ci_verify import verify_file

# Verify .gitlab-ci.yml in /path/to/repo is valid
valid, findings = verify_file("/path/to/repo")

# verify include.yml in /path/to/repo is valid
valid, findings = verify_file("/path/to/repo", "include.yml")

# or if you want to verify file content for a given repository
# valid, findings = verify_content("/path/to/repo","ci-yaml content")

print(f"Valid:    {valid}")
print(f"Findings: {findings}")

Also see the python wrapper documentation

Manual

Linux (64-bit)

curl -LO https://github.com/timo-reymann/gitlab-ci-verify/releases/download/$(curl -Lso /dev/null -w %{url_effective} https://github.com/timo-reymann/gitlab-ci-verify/releases/latest | grep -o '[^/]*$')/gitlab-ci-verify_linux-amd64 && \
chmod +x gitlab-ci-verify_linux-amd64 && \
sudo mv gitlab-ci-verify_linux-amd64 /usr/local/bin/gitlab-ci-verify

Darwin (Intel)

curl -LO https://github.com/timo-reymann/gitlab-ci-verify/releases/download/$(curl -Lso /dev/null -w %{url_effective} https://github.com/timo-reymann/gitlab-ci-verify/releases/latest | grep -o '[^/]*$')/gitlab-ci-verify_darwin-amd64 && \
chmod +x gitlab-ci-verify_darwin-amd64 && \
sudo mv gitlab-ci-verify_darwin-amd64 /usr/local/bin/gitlab-ci-verify

Windows

Download the latest release for Windows and put in your PATH.

Install with go

go install github.com/timo-reymann/gitlab-ci-verify@latest

Supported platforms

The following platforms are supported (and have prebuilt binaries / ready to use integration):

  • Linux
    • 64-bit
    • ARM 64-bit
  • Darwin
    • 64-bit
    • ARM (M1/M2)
  • Windows
    • 64-bit
  • pre-commit (x86 & ARM)
  • Docker (x86 & ARM)

Where to find the latest release for your platform

Binaries

Binaries for all of these can be found on the latest release page.

Docker

For the docker image, check the docker hub.

Usage

Command Line

gitlab-ci-verify --help

Containerized

docker run --rm -it -v $PWD:/workspace -e GITLAB_TOKEN="your token" timoreymann/gitlab-ci-verify

As pre-commit hook

- repo: https://github.com/timo-reymann/gitlab-ci-verify
  rev: 0.4.1
  hooks:
    - id: gitlab-ci-verify

Authentication with GitLab

The tool takes a few sources into consideration in the following order when authenticating with GitLab:

  • --gitlab-token commandline flag
  • netrc in your home folder
  • Vault token specified via --gitlab-token vault://<path>#<field> with environment variable VAULT_ADDR set to base url for vault, and either VAULT_TOKEN set or ~/.vault-token present
  • GITLAB_TOKEN environment variable

For the project detection, all git remote URLs of the repository are tried, and the first URL that returns a valid API response is used. In case you cloned via SSH it tries to convert it to the HTTPs host automatically. If the ssh URL differs from the HTTPs url you should specify it manually using the --gitlab-base-url, without protocol e.g. --gitlab-base-url git.example.com

Motivation

Unfortunately, GitLab didn't provide a tool to validate CI configuration for quite a while. Now that changed with the glab CLI providing glab ci lint but it is quite limited and under the hood just calls the new CI Lint API.

Throughout the years quite some tools evolved, but most of them are either outdated, painful to use or install, and basically also provide the lint functionality from the API.

As most of the logic in pipelines is written in shell scripts via the *script attributes these are lacking completely from all tools out there as well as the official lint API.

The goal of gitlab-ci-verify is to provide the stock CI Lint functionality plus shellcheck. Completed in the future some rules to lint that common patterns are working as intended by GitLab and void them from being pushed and leading to unexpected behavior.

Contributing

I love your input! I want to make contributing to this project as easy and transparent as possible, whether it's:

  • Reporting a bug
  • Discussing the current state of the configuration
  • Submitting a fix
  • Proposing new features
  • Becoming a maintainer

To get started please read the Contribution Guidelines.

Development

Requirements

Test

make test-coverage-report

Build

make build

Credits

This whole project wouldn't be possible with the great work of the following libraries/tools:

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gitlab_ci_verify-0.4.1.tar.gz (13.5 kB view details)

Uploaded Source

Built Distribution

gitlab_ci_verify-0.4.1-py3-none-any.whl (10.3 kB view details)

Uploaded Python 3

File details

Details for the file gitlab_ci_verify-0.4.1.tar.gz.

File metadata

  • Download URL: gitlab_ci_verify-0.4.1.tar.gz
  • Upload date:
  • Size: 13.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for gitlab_ci_verify-0.4.1.tar.gz
Algorithm Hash digest
SHA256 14a991be54bbc0a18c6c4490f482a9488dcb3ea451bf0594a09a75a035f16b34
MD5 5620df8f5fe1b8f5b1e781ff10a4fe6a
BLAKE2b-256 3adfbfac09b8d9d21ba51f5af20556e6dd252f535af957687edc3f45c3ac416b

See more details on using hashes here.

File details

Details for the file gitlab_ci_verify-0.4.1-py3-none-any.whl.

File metadata

File hashes

Hashes for gitlab_ci_verify-0.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 f30b11cbedb05497b0d73cc9c81f15a77abfb7f4faf61679dd7c7a9bc45d030d
MD5 2f3faa82d442ebe6388371cebe74aa44
BLAKE2b-256 01930d850e731f1e48f4afa7f08bb95b535a36cee45a7a9b8d243d3c14250a4f

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page