Claude Code Plugins

Community-maintained marketplace

Feedback

GitLab Stack Validator

@rknall/claude-skills
1
0

Validates GitLab stack projects before deployment, ensuring proper architecture patterns, directory structure, secrets management, .env configuration, and Docker best practices. Use when users ask to validate a stack, check stack configuration, verify stack architecture, audit stack setup, or ensure stack deployment readiness.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name GitLab Stack Validator
description Validates GitLab stack projects before deployment, ensuring proper architecture patterns, directory structure, secrets management, .env configuration, and Docker best practices. Use when users ask to validate a stack, check stack configuration, verify stack architecture, audit stack setup, or ensure stack deployment readiness.

GitLab Stack Validator

This skill validates GitLab stack projects to ensure they follow proper architecture patterns and are ready for deployment. It focuses on detection and reporting of issues, working alongside companion skills (stack-creator, secrets-manager) for remediation.

When to Use This Skill

Activate this skill when the user requests:

  • Validate a GitLab stack project
  • Check stack configuration before deployment
  • Verify stack architecture and structure
  • Audit stack for best practices compliance
  • Ensure stack follows proper patterns
  • Pre-deployment validation checks
  • Stack health check or readiness verification

Core Validation Principles

This skill validates stacks that follow these architecture principles:

  1. Configuration Management: All configuration through docker-compose.yml and ./config directory
  2. Secrets Management: Secrets stored in ./secrets and referenced via Docker secrets
  3. Environment Variables: .env file with matching .env.example template
  4. Minimal Custom Scripts: docker-entrypoint.sh only when containers don't support native secrets
  5. Proper Ownership: No root-owned files (all files owned by Docker user)
  6. Temporary Files: _temporary directory for transient files that are cleaned up after use
  7. Docker Best Practices: Leverage docker-validation skill for Docker-specific checks

Validation Workflow

When a user requests stack validation, follow this comprehensive workflow:

Phase 1: Pre-flight Checks

Step 1: Verify Stack Project

  1. Check if current directory appears to be a stack project
  2. Look for key indicators:
    • docker-compose.yml exists
    • Presence of ./config, ./secrets, or ./_temporary directories
    • .env file exists
  3. If not a stack project, report findings and ask if user wants to initialize one

Step 2: Gather Context

  1. Ask user for validation scope (if needed):
    • Full validation or targeted checks?
    • Strict mode or permissive mode?
    • Output format preference (text report vs JSON)?
  2. Check if .stack-validator.yml exists for custom rules
  3. Note the working directory for reporting

Phase 2: Directory Structure Validation

Step 1: Required Directories

  1. Check for required directories:
    • ./config - Configuration files directory
    • ./secrets - Secrets storage directory
    • ./_temporary - Temporary files directory
  2. For each missing directory, record:
    • Directory name
    • Purpose and why it's required
    • Impact on stack functionality

Step 2: Directory Permissions

  1. Check ./secrets has restricted permissions (700 or 600)
  2. Verify other directories have appropriate permissions
  3. Report any permission issues with security implications

Step 3: Directory Ownership

  1. Scan all project directories for ownership
  2. Flag any root-owned directories:
    • Directory path
    • Current owner
    • Expected owner (current user or docker user)
  3. Flag any files with unexpected ownership

Step 4: .gitignore Validation

  1. Check if .gitignore exists
  2. Verify it excludes:
    • ./secrets or ./secrets/*
    • ./_temporary or ./_temporary/*
    • .env (should not be in git)
  3. Report missing exclusions with security implications

Phase 3: Environment Variables Validation

Step 1: .env File Validation

  1. Check if .env file exists
  2. Parse .env file for:
    • Syntax errors
    • Duplicate variable definitions
    • Empty values that might be required
  3. Record all environment variable names found

Step 2: .env.example Validation

  1. Check if .env.example exists
  2. If missing, this is a critical issue - document why it's needed
  3. Parse .env.example for variable names

Step 3: .env Synchronization Check

  1. Compare variables in .env with .env.example:
    • Variables in .env but NOT in .env.example
    • Variables in .env.example but NOT in .env
  2. This is a critical validation point - they must match
  3. Report any mismatches with specific variable names

Step 4: Environment Variable Security

  1. Scan .env for potential secrets:
    • Variables with names containing: password, secret, key, token, api
    • Base64-encoded looking values
    • Long random strings
  2. If secrets detected in .env, flag as security issue
  3. Suggest moving to ./secrets and Docker secrets instead

Phase 4: Docker Configuration Validation

Step 1: Invoke docker-validation Skill

  1. Use the docker-validation skill to validate:
    • docker-compose.yml syntax and best practices
    • Dockerfile(s) if present
    • Multi-stage builds
    • Security configurations
  2. Collect all findings from docker-validation
  3. Integrate into overall stack validation report

Step 2: Stack-Specific Docker Checks

  1. Review docker-compose.yml for stack patterns:
    • Secrets are defined in top-level secrets: section
    • Services reference secrets via secrets: key (not environment variables)
    • Volume mounts follow patterns (./config, ./secrets, ./_temporary)
    • Networks are properly defined if multi-service
    • Service dependencies use depends_on correctly

Step 3: Version Check

  1. Ensure docker-compose.yml does NOT have version field at top
  2. This follows modern Docker Compose specification
  3. If version field present, flag for removal

Phase 5: Secrets Management Validation

Step 1: Secrets Directory Check

  1. Verify ./secrets directory exists
  2. Check permissions are restrictive (700)
  3. Verify it's excluded from git

Step 2: Docker Secrets Validation

  1. Parse docker-compose.yml for secrets definitions
  2. For each secret definition:
    • Verify the secret file exists in ./secrets
    • Check file permissions (600 or 400)
    • Verify not tracked by git
  3. Report missing secret files

Step 3: Secret References Validation

  1. Check each service's secrets: section
  2. Verify referenced secrets are defined in top-level secrets
  3. Flag any undefined secret references

Step 4: Environment Variables vs Secrets

  1. Scan service environment variables for potential secrets
  2. Look for patterns like:
    • *_PASSWORD
    • *_SECRET
    • *_KEY
    • *_TOKEN
    • API_*
  3. If sensitive data in environment, suggest using secrets instead

Step 5: Secret Exposure Check

  1. Check for secrets in:
    • docker-compose.yml (hardcoded values)
    • .env file (should be in ./secrets instead)
    • Configuration files in ./config
    • Any shell scripts
  2. Report any exposed secrets as critical security issues

Phase 6: Configuration Files Validation

Step 1: Config Directory Structure

  1. List all files in ./config directory
  2. Organize by service (if applicable)
  3. Check for proper organization

Step 2: Config File Validation

  1. For common config file types, validate syntax:
    • YAML files (.yml, .yaml)
    • JSON files (.json)
    • INI files (.ini, .conf)
    • TOML files (.toml)
  2. Report any syntax errors

Step 3: Config vs Secrets Separation

  1. Scan config files for potential secrets
  2. Look for hardcoded passwords, tokens, keys
  3. Flag any secrets that should be in ./secrets instead

Step 4: Config Ownership

  1. Check all config files for ownership
  2. Flag any root-owned config files
  3. Report expected ownership (current user)

Phase 7: Script Validation

Step 1: docker-entrypoint.sh Detection

  1. Search for docker-entrypoint.sh files
  2. For each found:
    • Document location
    • Check if truly necessary
  3. Validate it's only used when container doesn't support native secrets

Step 2: Script Permissions

  1. Check docker-entrypoint.sh is executable (chmod +x)
  2. Verify ownership (should not be root)
  3. Report permission issues

Step 3: Script Content Validation

  1. Scan script for:
    • Hardcoded secrets (critical issue)
    • Proper secret handling from /run/secrets/
    • Error handling
    • Syntax errors (if bash/sh)
  2. Report any issues found

Step 4: Necessity Check

  1. Review if docker-entrypoint.sh is truly needed
  2. Check if service supports native Docker secrets
  3. Suggest removal if unnecessary

Phase 8: Temporary Directory Validation

Step 1: Directory Check

  1. Verify ./_temporary exists
  2. Check it's in .gitignore
  3. Verify permissions

Step 2: Content Check

  1. List contents of ./_temporary
  2. Check for:
    • Leftover files that should be cleaned
    • Large files consuming space
    • Old files (> 7 days old)
  3. Report if not empty with details

Step 3: Usage Validation

  1. Check if ./_temporary is properly mounted in docker-compose.yml
  2. Verify services use it for temporary files
  3. Flag if not being utilized

Phase 9: File Ownership Audit

Step 1: Comprehensive Ownership Scan

  1. Use find . -type f -user root 2>/dev/null to find root-owned files
  2. Exclude expected directories (.git, node_modules, vendor)
  3. List all root-owned files found

Step 2: Categorize Issues

  1. Group by directory:
    • ./config files owned by root
    • ./secrets files owned by root
    • Application files owned by root
  2. Report with specific paths

Step 3: Impact Assessment

  1. For each root-owned file:
    • Explain why this is problematic
    • Impact on stack operations
    • Potential errors that may occur

Phase 10: Report Generation

Step 1: Compile All Findings

  1. Organize findings by category:
    • Directory Structure
    • Environment Variables (.env sync)
    • Docker Configuration
    • Secrets Management
    • Configuration Files
    • Scripts (docker-entrypoint.sh)
    • Temporary Directory
    • File Ownership
  2. Assign severity levels:
    • CRITICAL: Security issues, missing required components, .env mismatch
    • ⚠️ WARNING: Best practice violations, potential issues
    • PASS: No issues found

Step 2: Generate Validation Report

Create a comprehensive report with this structure:

🔍 GitLab Stack Validation Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Stack: [directory name]
Date: [timestamp]
Mode: [strict/permissive]

📊 SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Passed: [count]
⚠️  Warnings: [count]
❌ Critical: [count]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📋 DETAILED FINDINGS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[For each validation category]

[Category Icon] [Category Name]: [STATUS]
[If issues found:]
   ❌ [Issue description]
      Location: [file/directory path]
      Impact: [what this affects]
      Details: [specific information]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

🎯 OVERALL STATUS: [PASSED/FAILED/WARNINGS]

[If failures or warnings:]
🔧 RECOMMENDED ACTIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[Prioritized list of actions needed]
1. [Most critical action]
2. [Next action]
...

💡 NEXT STEPS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
- Use stack-creator skill to fix structural issues
- Use secrets-manager skill to properly configure secrets
- Re-run validation after fixes

Step 3: Provide Actionable Guidance

  1. For each issue, provide:
    • Clear description of the problem
    • Why it matters
    • Which companion skill can help fix it
    • General guidance (but not actual fix commands)
  2. Prioritize issues by severity
  3. Group related issues together

Step 4: Export Options

  1. If user requested JSON output, export as:
    {
  "stack": "directory-name",
  "timestamp": "ISO-8601",
  "summary": {
    "passed": 5,
    "warnings": 2,
    "critical": 1,
    "status": "failed"
  },
  "findings": [
    {
      "category": "environment-variables",
      "status": "critical",
      "issues": [...]
    }
  ]
}

Validation Categories Reference

1. Directory Structure

  • Required directories exist
  • Proper permissions
  • .gitignore coverage
  • Ownership correctness

2. Environment Variables

  • .env file exists and valid
  • .env.example exists
  • CRITICAL: .env and .env.example are synchronized
  • No secrets in .env

3. Docker Configuration

  • docker-compose.yml valid (via docker-validation skill)
  • No version field
  • Secrets properly defined
  • Volumes follow patterns
  • Service dependencies correct

4. Secrets Management

  • ./secrets directory secure
  • All referenced secrets exist
  • Proper permissions
  • No exposed secrets
  • Environment variables don't contain secrets

5. Configuration Files

  • Proper organization
  • Valid syntax
  • No embedded secrets
  • Correct ownership

6. Scripts

  • docker-entrypoint.sh only when necessary
  • Executable permissions
  • No hardcoded secrets
  • Proper secret handling

7. Temporary Directory

  • Exists and in .gitignore
  • Empty or contains only expected transient files
  • Properly utilized in compose file

8. File Ownership

  • No root-owned files
  • Consistent ownership
  • Proper user/group

Integration with Companion Skills

stack-creator

  • Recommend for: Creating missing directories, initializing structure
  • Handles: Setting up new stacks, fixing structural issues

secrets-manager

  • Recommend for: Secrets configuration, secret file management
  • Handles: Creating/updating secrets, proper secret setup

docker-validation

  • Used directly during validation for Docker-specific checks
  • Provides: Docker Compose and Dockerfile validation
  • Integrated into stack validation report

Validation Modes

Standard Mode (Default)

  • Report all issues as warnings or errors
  • Provide comprehensive findings
  • Suggest improvements

Strict Mode

  • Fail on warnings
  • Require all best practices
  • Zero tolerance for deviations

Permissive Mode

  • Only fail on critical issues
  • Allow warnings
  • More lenient on best practices

Configuration Support

If .stack-validator.yml exists in project root, respect these settings:

# Validation mode
strict_mode: false

# Whether warnings should fail validation
fail_on_warnings: false

# Paths to exclude from validation
exclude_paths:
  - ./vendor
  - ./node_modules
  - ./_temporary/cache

# Custom validation scripts to run
custom_checks:
  - ./scripts/custom-validation.sh

# Specific checks to skip
skip_checks:
  - temporary-directory-empty

Communication Style

When reporting validation results:

  1. Be Clear and Direct: State issues plainly without hedging
  2. Be Specific: Include exact file paths, line numbers, variable names
  3. Be Actionable: Explain what needs to be done (without doing it)
  4. Be Helpful: Point to companion skills that can fix issues
  5. Be Organized: Group related issues, prioritize by severity
  6. Be Educational: Explain why something is an issue
  7. Be Concise: Don't overwhelm with details, but be thorough

Critical Validation Points

These are must-pass criteria for production stacks:

  1. ✅ .env and .env.example are fully synchronized
  2. ✅ No secrets in docker-compose.yml environment variables
  3. ✅ ./secrets directory exists and has restrictive permissions
  4. ✅ All referenced secrets exist
  5. ✅ ./secrets and ./_temporary are in .gitignore
  6. ✅ No root-owned files
  7. ✅ docker-compose.yml passes docker-validation
  8. ✅ No secrets exposed in git
  9. ✅ .env file is not tracked by git

Important Notes

  • Read-Only: This skill NEVER modifies files - validation only
  • Detection-Focused: Report issues, don't fix them
  • Comprehensive: Check all aspects systematically
  • Fast: Complete validation in seconds
  • Integrative: Use docker-validation skill for Docker checks
  • Companion-Aware: Direct users to appropriate skills for fixes

Example Validation Flow

User: "Validate my stack"

1. Check if docker-compose.yml exists ✅
2. Verify directory structure
   - ./config ✅
   - ./secrets ✅
   - ./_temporary ⚠️ (not in .gitignore)
3. Validate .env configuration
   - .env exists ✅
   - .env.example exists ❌ CRITICAL
4. Run docker-validation skill
   - docker-compose.yml syntax ✅
   - Secrets configuration ⚠️ (using environment vars)
5. Check secrets management
   - ./secrets permissions ✅
   - Secret files exist ✅
6. Scan for ownership issues
   - Found 3 root-owned files in ./config ❌
7. Generate report with findings
8. Suggest: Use stack-creator to add .env.example and fix .gitignore

This skill ensures stack quality, security, and deployment readiness through comprehensive validation.