home / skills / akin-ozer / cc-devops-skills / azure-pipelines-validator
This skill validates, lints, and secures Azure Pipelines configurations, helping you catch syntax errors, enforce best practices, and audit security before
npx playbooks add skill akin-ozer/cc-devops-skills --skill azure-pipelines-validatorReview the files below or copy the command above to add this skill to your agents.
---
name: azure-pipelines-validator
description: Comprehensive toolkit for validating, linting, and securing Azure DevOps Pipeline configurations.
---
# Azure Pipelines Validator
Comprehensive toolkit for validating, linting, testing, and securing Azure DevOps Pipeline configurations (azure-pipelines.yml, azure-pipelines.yaml files). Use this skill when working with Azure Pipelines, validating pipeline syntax, debugging configuration issues, implementing best practices, or performing security audits.
## When to Use This Skill
Use the **azure-pipelines-validator** skill in the following scenarios:
- ✅ Working with `azure-pipelines.yml` or `azure-pipelines.yaml` files
- ✅ Validating Azure Pipelines YAML syntax and structure
- ✅ Debugging pipeline configuration errors
- ✅ Implementing Azure Pipelines best practices
- ✅ Performing security audits on pipeline configurations
- ✅ Checking for hardcoded secrets or credentials
- ✅ Optimizing pipeline performance (caching, parallelization)
- ✅ Ensuring compliance with security standards
- ✅ Code review of Azure DevOps CI/CD configurations
- ✅ Migrating or refactoring pipeline configurations
## Features
### 0. YAML Linting (Optional)
- ✅ YAML formatting validation with yamllint
- ✅ Indentation checking (2-space standard)
- ✅ Line length validation
- ✅ Trailing spaces detection
- ✅ Custom Azure Pipelines YAML rules
- ✅ Automatic venv management (no manual install required)
### 1. Syntax Validation
- ✅ YAML syntax checking
- ✅ Azure Pipelines schema validation
- ✅ Required fields verification
- ✅ Stages/Jobs/Steps hierarchy validation
- ✅ Task format validation (TaskName@version)
- ✅ Pool/agent specification validation
- ✅ Deployment job strategy validation
- ✅ Trigger and PR configuration validation
- ✅ Resource definitions validation
- ✅ Variable and parameter declarations
- ✅ Dependency validation (dependsOn)
### 2. Best Practices Checking
- ✅ displayName usage for readability
- ✅ Task version pinning (specific @N not @0)
- ✅ Pool vmImage specific versions (not 'latest')
- ✅ Cache usage for package managers
- ✅ Timeout configuration for long-running jobs
- ✅ Deployment job conditions
- ✅ Artifact retention settings
- ✅ Parallel execution opportunities
- ✅ Template usage recommendations
- ✅ Variable group organization
- ✅ Deployment strategy best practices
### 3. Security Scanning
- ✅ Hardcoded secrets and credentials detection
- ✅ API keys and tokens in variables
- ✅ Task version security
- ✅ Container image security (:latest tags)
- ✅ Dangerous script patterns (curl | bash, eval)
- ✅ Service connection security
- ✅ Secret exposure in logs
- ✅ Checkout security settings
- ✅ Variable security (isSecret flag)
- ✅ Azure credential hardcoding
- ✅ SSL/TLS verification bypasses
## Usage
### Basic Validation
To validate an Azure Pipelines configuration file:
```bash
bash .claude/skills/azure-pipelines-validator/scripts/validate_azure_pipelines.sh <file-path>
```
**Example:**
```bash
bash .claude/skills/azure-pipelines-validator/scripts/validate_azure_pipelines.sh azure-pipelines.yml
```
This runs all four validation layers:
0. YAML lint (yamllint) - optional, auto-installed in venv if needed
1. Syntax validation
2. Best practices check
3. Security scan
### Validation Options
```bash
# Run only syntax validation
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --syntax-only
# Run only best practices check
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --best-practices
# Run only security scan
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --security-only
# Skip YAML linting (yamllint)
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --skip-yaml-lint
# Skip best practices check
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --no-best-practices
# Skip security scan
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --no-security
# Strict mode (fail on warnings)
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --strict
```
### Individual Validators
You can also run individual validation scripts:
```bash
# Syntax validation
python3 scripts/validate_syntax.py azure-pipelines.yml
# Best practices check
python3 scripts/check_best_practices.py azure-pipelines.yml
# Security scan
python3 scripts/check_security.py azure-pipelines.yml
```
## Output Example
```
════════════════════════════════════════════════════════════════════════════════
Azure Pipelines Validator
════════════════════════════════════════════════════════════════════════════════
File: azure-pipelines.yml
[1/3] Running syntax validation...
✓ Syntax validation passed
[2/3] Running best practices check...
SUGGESTIONS (2):
──────────────────────────────────────────────────────────────────────────────
INFO: Line 15: Job 'BuildJob' should have displayName for better readability [missing-displayname]
💡 Suggestion: Add 'displayName: "Your Job Description"' to job 'BuildJob'
WARNING: Line 25: Task 'Npm@1' in job 'BuildJob' could benefit from caching [missing-cache]
💡 Suggestion: Add Cache@2 task to cache dependencies and speed up builds
ℹ Best practices check completed with suggestions
[3/3] Running security scan...
MEDIUM SEVERITY (1):
──────────────────────────────────────────────────────────────────────────────
MEDIUM: Line 8: Container 'linux' uses ':latest' tag [container-latest-tag]
🔒 Remediation: Pin container images to specific versions or SHA digests
✓ Security scan passed
════════════════════════════════════════════════════════════════════════════════
Validation Summary
════════════════════════════════════════════════════════════════════════════════
Syntax Validation: PASSED
Best Practices: WARNINGS
Security Scan: PASSED
════════════════════════════════════════════════════════════════════════════════
✓ All validation checks passed
```
## Common Validation Scenarios
### Scenario 1: Validating a New Pipeline
```bash
# Validate syntax and structure
bash scripts/validate_azure_pipelines.sh new-pipeline.yml
```
### Scenario 2: Security Audit Before Merge
```bash
# Run security scan only with strict mode
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --security-only --strict
```
### Scenario 3: Pipeline Optimization
```bash
# Check for best practices and optimization opportunities
bash scripts/validate_azure_pipelines.sh azure-pipelines.yml --best-practices
```
### Scenario 4: CI/CD Integration
```yaml
# In your Azure Pipeline
trigger:
branches:
include:
- main
pool:
vmImage: 'ubuntu-22.04'
steps:
- script: |
pip3 install PyYAML
bash .claude/skills/azure-pipelines-validator/scripts/validate_azure_pipelines.sh azure-pipelines.yml --strict
displayName: 'Validate Pipeline Configuration'
```
## Integration with Claude Code
When Claude Code invokes this skill, it will:
1. **Auto-detect Azure Pipelines files** - Run the validator without arguments to auto-detect `azure-pipelines*.yml` files in the current directory (up to 3 levels deep)
2. **Run validation** when you ask to validate, check, or review Azure Pipelines configurations
3. **Provide actionable feedback** with line numbers and suggestions
4. **Stage-aware condition checking** - Recognizes when parent stages have conditions, avoiding false positives on deployment jobs
5. **Deduplicated findings** - Reports each security issue once, even if detected by multiple patterns
**Example prompts:**
- "Validate my Azure Pipeline"
- "Check this azure-pipelines.yml for security issues"
- "Review my pipeline configuration for best practices"
- "Why is my Azure Pipeline failing?"
- "Optimize my Azure DevOps pipeline"
### When to Use Context7/WebSearch for Documentation
The validation scripts provide static analysis. For **dynamic documentation lookup**, manually use these tools when you need:
- **Task version information**: "What's the latest version of AzureWebApp task?"
- **Task input parameters**: "What inputs does Docker@2 support?"
- **Feature documentation**: "How do I configure deployment environments in Azure Pipelines?"
- **Troubleshooting**: "Why does my AzureCLI@2 task fail with error X?"
**How to fetch documentation:**
```
# Use Context7 MCP for structured docs
mcp__context7__resolve-library-id("azure-pipelines")
mcp__context7__get-library-docs(context7CompatibleLibraryID, topic="deployment")
# Or use WebSearch/WebFetch for Microsoft Learn docs
WebSearch("Azure Pipelines Docker@2 task documentation 2025")
WebFetch("https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/docker-v2")
```
**Note**: Documentation lookup is a manual action - the validator scripts focus on static analysis and do not automatically fetch external documentation.
## Validation Rules
### Syntax Rules
- `yaml-syntax`: Valid YAML formatting
- `yaml-invalid-root`: Root must be a dictionary
- `invalid-hierarchy`: Cannot mix stages/jobs/steps at root level
- `task-invalid-format`: Tasks must follow TaskName@version format
- `pool-invalid`: Pool must specify name or vmImage
- `stage-missing-jobs`: Stages must define jobs
- `job-missing-steps`: Regular jobs must define steps
- `deployment-missing-strategy`: Deployment jobs must define strategy
- `variable-invalid-name`: Variables should use valid naming
### Best Practice Rules
- `missing-displayname`: Stages/jobs should have displayName
- `task-version-zero`: Tasks should not use @0 version (except whitelisted tasks where @0 is the only version: GoTool, NodeTool, UsePythonVersion, KubernetesManifest, DockerCompose, HelmInstaller, HelmDeploy)
- `task-missing-version`: Tasks must specify version
- `pool-latest-image`: Avoid 'latest' in vmImage
- `missing-cache`: Package installations should use caching
- `missing-timeout`: Deployment jobs should specify timeout
- `missing-deployment-condition`: Production deployments should have conditions
- `parallel-opportunity`: Test jobs could use parallelization
- `template-opportunity`: Duplicate job patterns could use templates
- `many-inline-variables`: Consider using variable groups
### Security Rules
- `hardcoded-password`: Hardcoded passwords detected
- `hardcoded-api-key`: Hardcoded API keys detected
- `hardcoded-secret`: Hardcoded secrets/tokens detected
- `hardcoded-aws-credentials`: AWS credentials hardcoded
- `hardcoded-azure-ids`: Azure subscription/tenant IDs hardcoded
- `curl-pipe-shell`: Dangerous curl | bash pattern
- `eval-command`: Eval command usage with variables
- `chmod-777`: Overly permissive file permissions
- `insecure-ssl`: SSL/TLS verification disabled
- `secret-in-logs`: Potential secret exposure in logs
- `container-latest-tag`: Container using :latest tag
- `task-no-version`: Task missing version (security risk)
- `hardcoded-service-connection`: Service connection IDs hardcoded
- `checkout-no-clean`: Checkout without clean
- `variable-not-secret`: Sensitive variable not marked as secret
## Requirements
- **Python 3.7+**
- **PyYAML** and **yamllint**: Auto-installed in venv if not available systemwide
- **Bash**: For running the orchestrator script
**No manual installation required!** The validator uses automatic venv management:
- If PyYAML or yamllint are available system-wide, they'll be used
- Otherwise, a persistent `.venv` is created and packages are auto-installed
- The venv is reused across runs for optimal performance
To manually install dependencies system-wide (optional):
```bash
pip3 install PyYAML yamllint
```
## Documentation
Comprehensive documentation is included in the `docs/` directory:
- **`azure-pipelines-reference.md`**: Complete Azure Pipelines YAML syntax reference with examples
## Examples
Example Azure Pipelines configurations are provided in the `examples/` directory:
- **`basic-pipeline.yml`**: Simple CI pipeline with build and test stages
- **`docker-build.yml`**: Docker build and push workflow
- **`deployment-pipeline.yml`**: Multi-environment deployment with approval gates
- **`multi-platform.yml`**: Multi-platform build matrix
- **`template-example.yml`**: Pipeline using reusable templates
Test the skill with examples:
```bash
bash scripts/validate_azure_pipelines.sh examples/basic-pipeline.yml
```
## Fetching Latest Documentation
When encountering specific Azure Pipelines tasks, resources, or version requirements, you can manually use the following tools to get up-to-date information:
1. **Use Context7 MCP** to fetch version-aware Azure Pipelines documentation
2. **Use WebSearch** to find latest Azure DevOps documentation
3. **Use WebFetch** to retrieve specific documentation pages from learn.microsoft.com
**Note**: These tools are not automatically invoked by the validation scripts. Use them manually when you need to look up specific Azure Pipelines tasks, features, or troubleshoot validation errors.
## Extending the Skill
### Adding Custom Validation Rules
Add custom rules to the validation scripts:
1. **Syntax rules**: Edit `scripts/validate_syntax.py`
2. **Best practice rules**: Edit `scripts/check_best_practices.py`
3. **Security rules**: Edit `scripts/check_security.py`
### Custom Rule Example
```python
# In check_best_practices.py
def _check_custom_rule(self):
"""Check for custom organization rule"""
for job in self._get_all_jobs():
job_name = job.get('job') or job.get('deployment')
# Your custom validation logic
if 'tags' not in pool:
self.issues.append(BestPracticeIssue(
'warning',
self._get_line(job_name),
f"Job '{job_name}' should specify agent tags",
'custom-missing-tags',
"Add 'tags' to pool to select appropriate agents"
))
```
## Troubleshooting
### Python Module Not Found
```bash
# Install PyYAML
pip3 install PyYAML
# Or with homebrew Python
python3 -m pip install PyYAML
```
### Permission Denied
```bash
# Make scripts executable
chmod +x scripts/*.sh scripts/*.py
```
### Validation Errors
Check the documentation:
- Review `docs/azure-pipelines-reference.md` for syntax reference
- Consult Azure Pipelines documentation at https://learn.microsoft.com/en-us/azure/devops/pipelines/
## Version History
### v1.0.0 (2025-01-24)
- Initial release
- Syntax validation with comprehensive Azure Pipelines schema checking
- Best practices validation with 10+ rules
- Security scanning with 20+ security checks
- Comprehensive documentation and examples
- Integration with Context7 for latest Azure DevOps docs
## Contributing
To improve this skill:
1. Add new validation rules to appropriate scripts
2. Update documentation with new patterns
3. Add example configurations
4. Test with real-world Azure Pipelines files
## License
This skill is part of the DevOps Skills collection.
## Support
For issues, questions, or contributions:
- Check documentation in `docs/` directory
- Review examples in `examples/` directory
- Consult Azure Pipelines documentation: https://learn.microsoft.com/en-us/azure/devops/pipelines/
---
**Remember**: This skill validates Azure Pipelines configurations but does not execute pipelines. Use Azure DevOps Pipeline validation or Azure CLI for testing actual pipeline execution.This skill is a comprehensive toolkit for validating, linting, testing, and securing Azure DevOps pipeline YAML files (azure-pipelines.yml / azure-pipelines.yaml). It runs layered checks—YAML linting, syntax/schema validation, best-practices guidance, and security scanning—to produce actionable line-numbered feedback. The tool is designed for CI integration and local audits with minimal setup via an automatic virtual environment for dependencies.
The validator inspects pipeline YAML structure and content, validating YAML syntax and Azure Pipelines schema rules, then applies best-practice heuristics and security patterns. It reports problems with line numbers, severity (info/warning/medium/high), and remediation suggestions. You can run full validation or pick individual stages (syntax, best practices, security) via command-line flags or call the individual Python scripts directly.
What dependencies are required?
Python 3.7+, PyYAML and yamllint. The tool auto-creates a persistent virtualenv and installs missing packages if not present system-wide.
Can I run only the security scanner or only syntax checks?
Yes. The orchestrator supports flags like --syntax-only, --best-practices, --security-only, and options to skip specific layers.
How are findings reported?
Output includes file, stage progress (syntax / best practices / security), line numbers, severity, and remediation suggestions. Findings are deduplicated.