Quality Rules (Q01-Q35)
35 rules for pipeline quality and reliability. Each violation deducts the listed points from the Quality Score.
Versioning & Reproducibility (Q01-Q05)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| Q01 | HIGH | 3 | Docker image without version tag | Pin image version: image: node:20-alpine |
| Q02 | MED | 3 | Service image using :latest tag | Pin service versions: postgres:15-alpine |
| Q03 | MED | 2 | Using ubuntu-latest in GitHub Actions | Pin runner: runs-on: ubuntu-22.04 |
| Q04 | MED | 2 | GitHub Action using @main or @master | Pin to specific version: uses: actions/checkout@v4 |
| Q05 | MED | 3 | No caching configured for dependencies | Add dependency caching for your package manager |
Job Dependencies & Flow (Q06-Q10)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| Q06 | MED | 3 | No job dependency chain defined | Add needs: [job_name] for proper dependency chains |
| Q07 | MED | 2 | Artifacts without expire_in or retention | Add expire_in: 1 week to artifacts section |
| Q08 | LOW | 2 | No retry configuration for flaky steps | Add retry: 2 on jobs with external dependencies |
| Q09 | MED | 3 | Using deprecated only/except syntax | Replace only/except with rules: syntax |
| Q10 | MED | 2 | Using deprecated set-output in GitHub Actions | Replace with echo "key=value" >> $GITHUB_OUTPUT |
Performance & Optimization (Q11-Q15)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| Q11 | MED | 3 | No interruptible flag on non-critical jobs | Add interruptible: true on build and test jobs |
| Q12 | MED | 2 | No concurrency control in GitHub Actions | Add concurrency group with cancel-in-progress: true |
| Q13 | MED | 3 | No resource group for deployment jobs | Add resource_group: production on deploy jobs |
| Q14 | LOW | 2 | No parallel execution configured | Use parallel: or matrix strategy for test splitting |
| Q15 | LOW | 2 | Pipeline exceeds 15 stages | Consolidate stages - aim for 5-8 maximum |
DRY & Maintainability (Q16-Q20)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| Q16 | MED | 3 | No template/extends usage for DRY | Use extends: .template or YAML anchors |
| Q17 | MED | 2 | Script block exceeds 10 lines | Extract long scripts to .sh files |
| Q18 | MED | 2 | Hardcoded URLs or IPs in pipeline | Use CI/CD variables: $DEPLOY_URL |
| Q19 | HIGH | 3 | Script without proper error handling | Add set -eo pipefail at start of scripts |
| Q20 | MED | 2 | No runner/tag specification | Add tags: [docker] or runs-on: to specify runner |
Cleanup & Lifecycle (Q21-Q25)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| Q21 | MED | 2 | No after_script or post-job cleanup | Add after_script: to clean up temp files |
| Q22 | MED | 3 | allow_failure on critical security jobs | Set allow_failure: false on all security jobs |
| Q23 | MED | 2 | No test coverage reporting in pipeline | Add coverage reporting to test stage |
| Q24 | LOW | 2 | Echo or print of environment secrets | Remove echo/print referencing secret variables |
| Q25 | MED | 2 | No variable scoping (global variables everywhere) | Move variables to job-level scope where possible |
Triggers & Workflow Control (Q26-Q30)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| Q26 | MED | 3 | No path-based trigger filtering | Add path filters: only build when src/ changes |
| Q27 | MED | 3 | Per-job timeout not configured | Add timeout per job: 10 min for scans, 30 for builds |
| Q28 | LOW | 2 | Artifacts with overly broad paths | Be specific: artifacts: paths: ["dist/", "reports/"] |
| Q29 | MED | 3 | No YAML anchors or extends for duplicated config | Use .template: + extends: .template for shared config |
| Q30 | MED | 3 | Manual trigger on non-deploy stages | Remove when: manual from non-production stages |
Advanced Quality (Q31-Q35)
| ID | Sev | Pts | Description | Fix |
|---|---|---|---|---|
| Q31 | LOW | 2 | No pipeline duration monitoring | Track duration and alert if exceeding 30 minutes |
| Q32 | HIGH | 4 | Docker-in-Docker without TLS or pinned version | Use docker:24.0-dind with DOCKER_TLS_CERTDIR |
| Q33 | MED | 3 | No YAML validation or linting in pipeline | Add yamllint or actionlint as pre-commit hook |
| Q34 | MED | 3 | No notification on pipeline status change | Add notification on status changes |
| Q35 | MED | 2 | No rootless container build alternative | Consider Kaniko or Buildah for rootless builds |
Total: 35 rules across 7 sections. All of them deduct points from the Quality Score.