pipelinelint

v1.0.0

CI/CD pipeline anti-pattern analyzer -- detects hardcoded secrets, missing cache configs, skipped tests, unsafe deployments, no approval gates, and environme...


Install

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt below and paste it into OpenClaw for suhteevah/pipelinelint.
Install the skill "pipelinelint" (suhteevah/pipelinelint) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/pipelinelint
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI:

openclaw skills install pipelinelint

ClawHub CLI:

npx clawhub@latest install pipelinelint
Security Scan

Capability signals: Requires OAuth token. These labels describe what authority the skill may exercise; they are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (CI/CD anti-pattern analyzer) matches the code and metadata. Required binaries (git, bash) and the primary credential (PIPELINELINT_LICENSE_KEY) are appropriate for a local scanner that integrates with git and supports licensed tiers. The brew install of lefthook is coherent with the advertised git-hook integration.
Instruction Scope
Runtime instructions and scripts focus on local file discovery, regex pattern matching, scoring, and report generation. The SKILL.md and lefthook config instruct installing pre-commit and pre-push hooks that source the skill's scripts from a skill directory (defaults to $HOME/.openclaw/skills/pipelinelint). This is expected behaviour for a hooks-integrated linter, but note that installing hooks modifies repository configuration and will run scans on commits/pushes.
Install Mechanism
Install spec uses a Homebrew formula (lefthook) — a standard package manager + known tool — and included scripts are plain shell files bundled with the skill. No downloads from untrusted URLs or archives are present in the provided manifest.
Credentials
Only the license key (PIPELINELINT_LICENSE_KEY) is declared as required. The license module also optionally reads ~/.openclaw/openclaw.json to find a stored key (a reasonable convenience). The scripts do not request unrelated secrets or multiple external credentials.
Persistence & Privilege
always:false and user-invocable:true — no forced global presence. The skill can install lefthook repo hooks and will write/append lefthook.yml in a repository, which is appropriate for a git-hook linter but is a persistent change to a repo until removed. The skill does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims: local regex-based scans and optional git-hook integration. Before installing, review and accept that: (1) installing lefthook via Homebrew is required to enable repo hooks; (2) running the hooks installer will create or append a lefthook.yml in your repository and register pre-commit/pre-push hooks that run the scanner on commits/pushes (this changes repo config and can add scan latency); (3) the license check reads a license key from the PIPELINELINT_LICENSE_KEY env var or ~/.openclaw/openclaw.json — ensure you are comfortable storing your key there. If you do not want repo hooks, you can use the one-shot scan commands instead. As always, review the included shell scripts (analyzer.sh, dispatcher.sh, patterns.sh, license.sh) yourself before enabling hooks to confirm they match your security policies.


Runtime requirements

Clawdis
OS: macOS, Linux, Windows
Bins: git, bash
Primary env: PIPELINELINT_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
v1.0.0 · MIT-0 · macOS, Linux, Windows

PipelineLint -- CI/CD Pipeline Anti-Pattern Analyzer

PipelineLint scans codebases for CI/CD pipeline anti-patterns, hardcoded secrets, missing cache configurations, skipped tests, unsafe deployments, no approval gates, unpinned dependencies, and environment configuration issues. It uses regex-based pattern matching against 90 pipeline-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

Commands

Free Tier (No license required)

pipelinelint scan [file|directory]

One-shot pipeline quality scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
  3. Runs 30 pipeline quality patterns against each file (free tier limit)
  4. Calculates a pipeline quality score (0-100) per file and overall
  5. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
  6. Outputs findings with: file, line number, check ID, severity, description, recommendation
  7. Exit code 0 if the overall score is >= 70, exit code 1 if it is below 70 (for use as a CI gate)
  8. Free tier limited to first 30 patterns (SE + CF categories)

Example usage scenarios:

  • "Scan my pipeline for security issues" -> runs pipelinelint scan .
  • "Check this workflow file for anti-patterns" -> runs pipelinelint scan .github/workflows/ci.yml
  • "Find hardcoded secrets in my CI config" -> runs pipelinelint scan .
  • "Audit my CI/CD pipeline configuration" -> runs pipelinelint scan .
  • "Check for missing cache configs" -> runs pipelinelint scan .

Pro Tier ($19/user/month -- requires PIPELINELINT_LICENSE_KEY)

pipelinelint scan --tier pro [file|directory]

Extended scan with 60 patterns covering secrets, caching, testing, and dependency safety.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro

What it does:

  1. Validates Pro+ license
  2. Runs 60 pipeline patterns (SE, CF, TS, AR categories)
  3. Detects skipped tests and disabled quality checks
  4. Identifies unsafe dependency management practices
  5. Full category breakdown reporting

pipelinelint scan --format json [directory]

Generate JSON output for CI/CD integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json

pipelinelint scan --format html [directory]

Generate HTML report for browser viewing.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html

pipelinelint scan --category SE [directory]

Filter scan to a specific check category (SE, CF, TS, AR, DP, EN).

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category SE

Team Tier ($39/user/month -- requires PIPELINELINT_LICENSE_KEY with team tier)

pipelinelint scan --tier team [directory]

Full scan with all 90 patterns across all 6 categories including deployment safety and environment configuration.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team

What it does:

  1. Validates Team+ license
  2. Runs all 90 patterns across 6 categories
  3. Includes deployment safety checks (no approval gates, force push, destructive operations)
  4. Includes environment configuration checks (hardcoded values, no timeouts, plain HTTP)
  5. Full category breakdown with per-file results

pipelinelint scan --verbose [directory]

Verbose output showing every matched line and pattern details.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose

pipelinelint status

Show license and configuration information.

bash "<SKILL_DIR>/scripts/dispatcher.sh" status

Check Categories

PipelineLint detects 90 CI/CD pipeline anti-patterns across 6 categories (15 patterns each):

  • Secrets & Security (SE), severity high to critical: hardcoded passwords, API keys in YAML, tokens in logs, credentials in curl commands, inline SSH keys
  • Caching & Performance (CF), severity low to medium: no cache for npm/pip/maven, redundant installs, missing dependency caching, slow Docker builds
  • Testing & Quality (TS), severity medium to high: skipped tests, disabled linting, no coverage enforcement, --no-verify flags, continue-on-error abuse
  • Artifacts & Dependencies (AR), severity medium to high: unpinned Docker tags, curl-to-shell, unverified downloads, disabled SSL, GitHub Actions on branch refs
  • Deployment Safety (DP), severity high to critical: no approval gates, force push, auto-approve terraform, destructive SQL, no rollback strategy
  • Environment & Configuration (EN), severity low to high: hardcoded localhost, no timeouts, no retries, plain HTTP URLs, hardcoded database connection strings

Tier-Based Pattern Access

  • Free: 30 patterns (SE, CF)
  • Pro: 60 patterns (SE, CF, TS, AR)
  • Team: 90 patterns (SE, CF, TS, AR, DP, EN)
  • Enterprise: 90 patterns (SE, CF, TS, AR, DP, EN) plus priority support

Scoring

PipelineLint uses a deductive scoring system starting at 100 (perfect):

  • Critical: -25 per finding (security vulnerability or deployment safety risk)
  • High: -15 per finding (significant pipeline problem, e.g. skipped tests, insecure dependencies)
  • Medium: -8 per finding (moderate concern, e.g. missing caching, environment misconfiguration)
  • Low: -3 per finding (informational / best-practice suggestion)

Grading Scale

  • A (90-100): excellent pipeline configuration
  • B (80-89): good configuration with minor issues
  • C (70-79): acceptable but needs improvement
  • D (60-69): poor pipeline quality
  • F (below 60): critical pipeline problems

  • Pass threshold: 70 (Grade C or better)
  • Exit code 0 = pass (score >= 70)
  • Exit code 1 = fail (score < 70)
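The following is an added example for this page, not the project's own analyzer. It re-creates in plain POSIX sh the loop the page describes under Check Categories and Scoring: a table of per-line regex checks (one per category, plus one "absence" check for a missing cache config), the deductive score, the grade band and the exit code. The check IDs, regexes, descriptions and the two sample GitHub Actions workflows are illustrative assumptions constructed for the example; the deductions (critical -25, high -15, medium -8, low -3), the grade bands and the pass threshold of 70 are the ones documented above.

```shell
#!/bin/sh
# Added example, not pipelinelint's own scripts. Checks and samples are assumptions;
# point deductions, grade bands and pass threshold follow the documented scoring.

TAB=$(printf '\t')

# One check per category. Fields: ID, severity, kind, ERE, description.
# kind=line fires once per matching line; kind=absent fires once per file when
# nothing in the file matches (the "missing cache config" shape of check).
# SE-01 treats a value starting with '$' (e.g. ${{ secrets.X }}) as a reference, not a literal.
checks() {
  printf '%s\t%s\t%s\t%s\t%s\n' \
    SE-01 critical line "(password|secret|api[_-]?key|token)[[:space:]]*[:=][[:space:]]*[\"']?[^[:space:]\"'\$]" \
      'hardcoded credential; reference the CI secret store instead' \
    CF-01 low absent '(actions/cache|cache:)' 'no dependency caching configured' \
    TS-01 medium line 'continue-on-error:[[:space:]]*true' 'failures masked by continue-on-error' \
    AR-01 high line '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)' \
      'curl-to-shell install; download, verify, then execute' \
    DP-01 critical line 'git[[:space:]]+push([[:space:]]+[^[:space:]]+)*[[:space:]]+(--force|-f)([[:space:]]|$)' \
      'force push from CI; put it behind an approval gate (--force-with-lease is not flagged)' \
    EN-01 medium line "http://[^[:space:]\"']+" 'plain HTTP URL; use HTTPS'
}

# Print one finding per line as file:line:ID:severity:description (line 0 = file-level).
scan_file() {
  file=$1
  checks | while IFS="$TAB" read -r id sev kind regex desc; do
    if [ "$kind" = absent ]; then
      grep -iqE "$regex" "$file" || printf '%s:0:%s:%s:%s\n' "$file" "$id" "$sev" "$desc"
    else
      grep -inE "$regex" "$file" | cut -d: -f1 | while read -r n; do
        printf '%s:%s:%s:%s:%s\n' "$file" "$n" "$id" "$sev" "$desc"
      done
    fi
  done
}

count_sev() { printf '%s\n' "$1" | grep -c ":$2:" || true; }   # $1 findings, $2 severity

compute_score() {   # args: critical high medium low -> score clamped to 0..100
  s=$((100 - 25 * $1 - 15 * $2 - 8 * $3 - 3 * $4))
  if [ "$s" -lt 0 ]; then s=0; fi
  echo "$s"
}

grade_for() {
  if [ "$1" -ge 90 ]; then echo A; elif [ "$1" -ge 80 ]; then echo B
  elif [ "$1" -ge 70 ]; then echo C; elif [ "$1" -ge 60 ]; then echo D; else echo F; fi
}

exit_code_for() { if [ "$1" -ge 70 ]; then echo 0; else echo 1; fi; }   # CI gate: pass >= 70

summary() {   # prints "score grade exit" for one file
  findings=$(scan_file "$1")
  score=$(compute_score "$(count_sev "$findings" critical)" "$(count_sev "$findings" high)" \
                        "$(count_sev "$findings" medium)"   "$(count_sev "$findings" low)")
  printf '%s %s %s\n' "$score" "$(grade_for "$score")" "$(exit_code_for "$score")"
}

# Constructed sample workflows: the anti-pattern version and its hardened counterpart.
BAD_WF=$(mktemp)
cat > "$BAD_WF" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: curl -sSL http://example.invalid/install.sh | sh
      - run: npm install && npm test
        continue-on-error: true
      - run: git push --force origin main
        env:
          DB_PASSWORD: "hunter2"
EOF
GOOD_WF=$(mktemp)
cat > "$GOOD_WF" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci && npm test
      - run: git push origin main
        env:
          DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
EOF

for wf in "$BAD_WF" "$GOOD_WF"; do
  echo "== $wf"
  scan_file "$wf"
  echo "score grade exit: $(summary "$wf")"
done
```

Running it reports six findings for the first workflow (two critical, one high, two medium, one low), which under the documented deductions is 100 - 50 - 15 - 16 - 3 = 16, grade F, exit code 1; the hardened workflow has no findings and scores 100, grade A, exit code 0. The absence-style CF-01 check is the part a per-line regex cannot express on its own and is why a scanner of this kind needs a file-level pass as well as line matches.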

Configuration

Users can configure PipelineLint in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "pipelinelint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration
  • All scanning happens locally -- no code is sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Pattern matching only -- no AST parsing, no external dependencies beyond bash
  • Supports scanning all file types in a single pass
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
  • Output formats: text (default), json, html

Error Handling

  • If lefthook is not installed and user tries hooks, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://pipelinelint.pages.dev/renew
  • If a file is binary, skip it automatically with no warning
  • If no scannable files found in target, report clean scan with info message
  • If an invalid category is specified with --category, show available categories

When to Use PipelineLint

The user might say things like:

  • "Scan my CI/CD pipeline for issues"
  • "Check my GitHub Actions workflow"
  • "Find hardcoded secrets in my pipeline config"
  • "Detect unsafe deployment practices"
  • "Are there any missing cache configurations?"
  • "Check for skipped tests in my CI"
  • "Audit my pipeline security"
  • "Find unpinned dependencies in my workflow"
  • "Check for deployment safety issues"
  • "Scan for pipeline anti-patterns"
  • "Run a pipeline quality audit"
  • "Generate a pipeline quality report"
  • "Check if my Jenkinsfile has security issues"
  • "Find force push commands in my CI config"
  • "Check my GitLab CI for best practices"
