Quality Rules (Q01-Q35)

35 rules for pipeline quality and reliability. Deducts from the Quality Score.

Versioning & Reproducibility (Q01-Q05)

ID	Sev	Pts	Description	Fix
Q01	HIGH	3	Docker image without version tag	Pin image version: image: node:20-alpine
Q02	MED	3	Service image using :latest tag	Pin service versions: postgres:15-alpine
Q03	MED	2	Using ubuntu-latest in GitHub Actions	Pin runner: runs-on: ubuntu-22.04
Q04	MED	2	GitHub Action using @main or @master	Pin to specific version: uses: actions/checkout@v4
Q05	MED	3	No caching configured for dependencies	Add dependency caching for your package manager

Job Dependencies & Flow (Q06-Q10)

ID	Sev	Pts	Description	Fix
Q06	MED	3	No job dependency chain defined	Add needs: [job_name] for proper dependency chains
Q07	MED	2	Artifacts without expire_in or retention	Add expire_in: 1 week to artifacts section
Q08	LOW	2	No retry configuration for flaky steps	Add retry: 2 on jobs with external dependencies
Q09	MED	3	Using deprecated only/except syntax	Replace only/except with rules: syntax
Q10	MED	2	Using deprecated set-output in GitHub Actions	Replace with echo "key=value" >> $GITHUB_OUTPUT

Performance & Optimization (Q11-Q15)

ID	Sev	Pts	Description	Fix
Q11	MED	3	No interruptible flag on non-critical jobs	Add interruptible: true on build and test jobs
Q12	MED	2	No concurrency control in GitHub Actions	Add concurrency group with cancel-in-progress: true
Q13	MED	3	No resource group for deployment jobs	Add resource_group: production on deploy jobs
Q14	LOW	2	No parallel execution configured	Use parallel: or matrix strategy for test splitting
Q15	LOW	2	Pipeline exceeds 15 stages	Consolidate stages - aim for 5-8 maximum

DRY & Maintainability (Q16-Q20)

ID	Sev	Pts	Description	Fix
Q16	MED	3	No template/extends usage for DRY	Use extends: .template or YAML anchors
Q17	MED	2	Script block exceeds 10 lines	Extract long scripts to .sh files
Q18	MED	2	Hardcoded URLs or IPs in pipeline	Use CI/CD variables: $DEPLOY_URL
Q19	HIGH	3	Script without proper error handling	Add set -eo pipefail at start of scripts
Q20	MED	2	No runner/tag specification	Add tags: [docker] or runs-on: to specify runner

Cleanup & Lifecycle (Q21-Q25)

ID	Sev	Pts	Description	Fix
Q21	MED	2	No after_script or post-job cleanup	Add after_script: to clean up temp files
Q22	MED	3	allow_failure on critical security jobs	Set allow_failure: false on all security jobs
Q23	MED	2	No test coverage reporting in pipeline	Add coverage reporting to test stage
Q24	LOW	2	Echo or print of environment secrets	Remove echo/print referencing secret variables
Q25	MED	2	No variable scoping (global variables everywhere)	Move variables to job-level scope where possible

Triggers & Workflow Control (Q26-Q30)

ID	Sev	Pts	Description	Fix
Q26	MED	3	No path-based trigger filtering	Add path filters: only build when src/ changes
Q27	MED	3	Per-job timeout not configured	Add timeout per job: 10 min for scans, 30 for builds
Q28	LOW	2	Artifacts with overly broad paths	Be specific: artifacts: paths: ["dist/", "reports/"]
Q29	MED	3	No YAML anchors or extends for duplicated config	Use .template: + extends: .template for shared config
Q30	MED	3	Manual trigger on non-deploy stages	Remove when: manual from non-production stages

Advanced Quality (Q31-Q35)

ID	Sev	Pts	Description	Fix
Q31	LOW	2	No pipeline duration monitoring	Track duration and alert if exceeding 30 minutes
Q32	HIGH	4	Docker-in-Docker without TLS or pinned version	Use docker:24.0-dind with DOCKER_TLS_CERTDIR
Q33	MED	3	No YAML validation or linting in pipeline	Add yamllint or actionlint as pre-commit hook
Q34	MED	3	No notification on pipeline status change	Add notification on status changes
Q35	MED	2	No rootless container build alternative	Consider Kaniko or Buildah for rootless builds

Total: 35 rules across 7 sections. All deduct from the Quality Score.