analyze-ci-config

CI Configuration Analyzer

Analyzes CI/CD configurations for issues, optimizations, and best practices.

Analysis Categories

1. Structure Analysis

┌─────────────────────────────────────────────────────────────────┐
│                    CI CONFIG ANALYSIS                           │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ✓ Stages defined: install → lint → test → build → deploy      │
│  ✓ Jobs properly ordered                                        │
│  ✗ Missing concurrency control                                  │
│  ✗ No timeout configuration                                     │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

2. Caching Analysis

Issue	Severity	Location	Recommendation
No Composer cache	🟠 Major	`lint` job	Add `actions/cache` for `~/.composer/cache`
Invalid cache key	🟡 Minor	Line 23	Use `hashFiles('composer.lock')`
Missing vendor cache	🟠 Major	All jobs	Share vendor between jobs with artifacts

3. Security Analysis

Issue	Severity	Location	Risk
`pull_request_target` misuse	🔴 Critical	Line 5	Code injection from forks
Secrets in logs	🔴 Critical	Line 45	`echo ${{ secrets.API_KEY }}` exposed
Outdated actions	🟠 Major	Lines 12, 18	Using `@v1` instead of `@v4`
No permissions defined	🟡 Minor	-	Uses default (write-all)

GitHub Actions Analysis

Checklist

## GitHub Actions Analysis Report

### Configuration: `.github/workflows/ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Proper job dependencies (needs)
- [ ] Concurrency configuration
- [ ] Timeout defined for jobs
- [x] Workflow triggers appropriate

#### Caching ⚠️
- [ ] Composer dependencies cached
- [ ] Node modules cached (if applicable)
- [x] Docker layer caching
- [ ] Cache keys use file hashes

#### Security 🔴
- [ ] Permissions explicitly defined
- [ ] No secrets echoed
- [x] Actions pinned to SHA
- [ ] pull_request_target safe usage

#### Performance ⚠️
- [ ] Jobs run in parallel where possible
- [x] Matrix strategy for PHP versions
- [ ] Fail-fast disabled for matrix
- [ ] Artifacts shared between jobs

#### Best Practices ✓
- [x] Uses specific action versions
- [x] Environment variables centralized
- [ ] Reusable workflows
- [x] Clear job names

Common Issues

1. Missing Concurrency

# ❌ BAD: No concurrency control
name: CI
on: [push, pull_request]

# ✅ GOOD: Cancel redundant runs
name: CI
on: [push, pull_request]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

2. Inefficient Caching

# ❌ BAD: Cache key doesn't include lock file
- uses: actions/cache@v4
  with:
    path: vendor
    key: vendor-${{ github.sha }}

# ✅ GOOD: Cache key based on lock file
- uses: actions/cache@v4
  with:
    path: |
      ~/.composer/cache
      vendor
    key: composer-${{ hashFiles('composer.lock') }}
    restore-keys: composer-

3. Security Issues

# ❌ BAD: Dangerous with forks
on:
  pull_request_target:
    types: [opened]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # Runs untrusted code

# ✅ GOOD: Separate trusted/untrusted
on:
  pull_request:  # Safe: runs in context of base

GitLab CI Analysis

Checklist

## GitLab CI Analysis Report

### Configuration: `.gitlab-ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Stages defined
- [x] Jobs assigned to stages
- [ ] Global variables defined
- [x] Default image set

#### Caching ⚠️
- [ ] Cache key uses files hash
- [ ] Cache policy appropriate (pull/push)
- [x] Cache paths correct
- [ ] Artifacts used for job sharing

#### Security ⚠️
- [x] Secrets in CI/CD variables (not code)
- [ ] Protected branches configured
- [ ] No sensitive data in artifacts
- [x] Image from trusted registry

#### Performance ⚠️
- [ ] Jobs run in parallel
- [x] Needs keyword for dependencies
- [ ] Rules/only properly configured
- [ ] DAG mode enabled

#### Best Practices ✓
- [x] Uses extends for reuse
- [x] Clear job names
- [ ] Include for modular config
- [x] Appropriate timeouts

Common Issues

1. Cache Key Without Hash

# ❌ BAD: Cache never invalidates properly
cache:
  key: composer-cache
  paths:
    - vendor/

# ✅ GOOD: Cache invalidates on lock change
cache:
  key:
    files:
      - composer.lock
  paths:
    - vendor/

2. Missing Needs

# ❌ BAD: Sequential stages, no parallelism
stages:
  - lint
  - test

phpstan:
  stage: lint
  script: vendor/bin/phpstan

phpunit:
  stage: test  # Waits for ALL lint jobs

# ✅ GOOD: DAG with needs
phpunit:
  stage: test
  needs: [composer-install]  # Only waits for install

Analysis Output Format

# CI/CD Configuration Analysis

**File:** `.github/workflows/ci.yml`
**Platform:** GitHub Actions
**Date:** 2024-01-15

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Structure | ✅ Good | 0 |
| Caching | ⚠️ Warning | 3 |
| Security | 🔴 Critical | 2 |
| Performance | ⚠️ Warning | 4 |
| Best Practices | ✅ Good | 1 |

**Total Issues:** 10 (2 Critical, 4 Major, 4 Minor)

## Critical Issues

### SEC-001: Exposed Secret in Logs
**Location:** Line 45
**Code:**
```yaml
- run: echo "Deploying with ${{ secrets.DEPLOY_KEY }}"

Risk: Secret visible in workflow logs Fix:

- run: echo "Deploying..."
  env:
    DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}

SEC-002: pull_request_target with Checkout

Location: Lines 3, 15 Risk: Arbitrary code execution from forks Fix: Use pull_request event instead, or don't checkout PR code

Major Issues

CACHE-001: Missing Composer Cache

Location: lint job Impact: +2-3 minutes per run Fix:

- uses: actions/cache@v4
  with:
    path: ~/.composer/cache
    key: composer-${{ hashFiles('composer.lock') }}

PERF-001: Sequential Jobs Could Run Parallel

Location: test-unit, test-integration Impact: +5 minutes total Fix: Remove needs dependency between test jobs

Minor Issues

BP-001: Using Outdated Action Version

Location: Line 12 Current: actions/checkout@v2 Recommended: actions/checkout@v4

Recommendations

Immediate: Fix security issues SEC-001 and SEC-002
Short-term: Implement caching improvements
Long-term: Restructure for parallel execution

Optimized Configuration

See Appendix A for complete optimized configuration.


## Analysis Instructions

1. **Parse configuration:**
   - Validate YAML syntax
   - Identify platform (GitHub/GitLab)
   - Extract jobs, stages, triggers

2. **Check structure:**
   - Proper job ordering
   - Dependencies (needs/stages)
   - Concurrency settings
   - Timeouts

3. **Analyze caching:**
   - Cache keys use file hashes
   - Appropriate cache paths
   - Cache policy (pull/push)
   - Artifacts for job sharing

4. **Security review:**
   - Secret exposure
   - Permissions
   - Unsafe triggers
   - Action versions

5. **Performance audit:**
   - Parallel execution opportunities
   - Unnecessary sequential jobs
   - Matrix optimization
   - Fail-fast settings

## Usage

Provide:
- Path to CI configuration file(s)
- Specific areas to focus on (optional)

The analyzer will:
1. Parse and validate configuration
2. Check against best practices
3. Identify issues by severity
4. Provide specific fixes
5. Generate optimized configuration

CI Configuration Analyzer

Analyzes CI/CD configurations for issues, optimizations, and best practices.

Analysis Categories

1. Structure Analysis

┌─────────────────────────────────────────────────────────────────┐
│                    CI CONFIG ANALYSIS                           │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ✓ Stages defined: install → lint → test → build → deploy      │
│  ✓ Jobs properly ordered                                        │
│  ✗ Missing concurrency control                                  │
│  ✗ No timeout configuration                                     │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

2. Caching Analysis

Issue	Severity	Location	Recommendation
No Composer cache	🟠 Major	`lint` job	Add `actions/cache` for `~/.composer/cache`
Invalid cache key	🟡 Minor	Line 23	Use `hashFiles('composer.lock')`
Missing vendor cache	🟠 Major	All jobs	Share vendor between jobs with artifacts

3. Security Analysis

Issue	Severity	Location	Risk
`pull_request_target` misuse	🔴 Critical	Line 5	Code injection from forks
Secrets in logs	🔴 Critical	Line 45	`echo ${{ secrets.API_KEY }}` exposed
Outdated actions	🟠 Major	Lines 12, 18	Using `@v1` instead of `@v4`
No permissions defined	🟡 Minor	-	Uses default (write-all)

GitHub Actions Analysis

Checklist

## GitHub Actions Analysis Report

### Configuration: `.github/workflows/ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Proper job dependencies (needs)
- [ ] Concurrency configuration
- [ ] Timeout defined for jobs
- [x] Workflow triggers appropriate

#### Caching ⚠️
- [ ] Composer dependencies cached
- [ ] Node modules cached (if applicable)
- [x] Docker layer caching
- [ ] Cache keys use file hashes

#### Security 🔴
- [ ] Permissions explicitly defined
- [ ] No secrets echoed
- [x] Actions pinned to SHA
- [ ] pull_request_target safe usage

#### Performance ⚠️
- [ ] Jobs run in parallel where possible
- [x] Matrix strategy for PHP versions
- [ ] Fail-fast disabled for matrix
- [ ] Artifacts shared between jobs

#### Best Practices ✓
- [x] Uses specific action versions
- [x] Environment variables centralized
- [ ] Reusable workflows
- [x] Clear job names

Common Issues

1. Missing Concurrency

# ❌ BAD: No concurrency control
name: CI
on: [push, pull_request]

# ✅ GOOD: Cancel redundant runs
name: CI
on: [push, pull_request]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

2. Inefficient Caching

# ❌ BAD: Cache key doesn't include lock file
- uses: actions/cache@v4
  with:
    path: vendor
    key: vendor-${{ github.sha }}

# ✅ GOOD: Cache key based on lock file
- uses: actions/cache@v4
  with:
    path: |
      ~/.composer/cache
      vendor
    key: composer-${{ hashFiles('composer.lock') }}
    restore-keys: composer-

3. Security Issues

# ❌ BAD: Dangerous with forks
on:
  pull_request_target:
    types: [opened]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # Runs untrusted code

# ✅ GOOD: Separate trusted/untrusted
on:
  pull_request:  # Safe: runs in context of base

GitLab CI Analysis

Checklist

## GitLab CI Analysis Report

### Configuration: `.gitlab-ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Stages defined
- [x] Jobs assigned to stages
- [ ] Global variables defined
- [x] Default image set

#### Caching ⚠️
- [ ] Cache key uses files hash
- [ ] Cache policy appropriate (pull/push)
- [x] Cache paths correct
- [ ] Artifacts used for job sharing

#### Security ⚠️
- [x] Secrets in CI/CD variables (not code)
- [ ] Protected branches configured
- [ ] No sensitive data in artifacts
- [x] Image from trusted registry

#### Performance ⚠️
- [ ] Jobs run in parallel
- [x] Needs keyword for dependencies
- [ ] Rules/only properly configured
- [ ] DAG mode enabled

#### Best Practices ✓
- [x] Uses extends for reuse
- [x] Clear job names
- [ ] Include for modular config
- [x] Appropriate timeouts

Common Issues

1. Cache Key Without Hash

# ❌ BAD: Cache never invalidates properly
cache:
  key: composer-cache
  paths:
    - vendor/

# ✅ GOOD: Cache invalidates on lock change
cache:
  key:
    files:
      - composer.lock
  paths:
    - vendor/

2. Missing Needs

# ❌ BAD: Sequential stages, no parallelism
stages:
  - lint
  - test

phpstan:
  stage: lint
  script: vendor/bin/phpstan

phpunit:
  stage: test  # Waits for ALL lint jobs

# ✅ GOOD: DAG with needs
phpunit:
  stage: test
  needs: [composer-install]  # Only waits for install

Analysis Output Format

# CI/CD Configuration Analysis

**File:** `.github/workflows/ci.yml`
**Platform:** GitHub Actions
**Date:** 2024-01-15

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Structure | ✅ Good | 0 |
| Caching | ⚠️ Warning | 3 |
| Security | 🔴 Critical | 2 |
| Performance | ⚠️ Warning | 4 |
| Best Practices | ✅ Good | 1 |

**Total Issues:** 10 (2 Critical, 4 Major, 4 Minor)

## Critical Issues

### SEC-001: Exposed Secret in Logs
**Location:** Line 45
**Code:**
```yaml
- run: echo "Deploying with ${{ secrets.DEPLOY_KEY }}"

Risk: Secret visible in workflow logs Fix:

- run: echo "Deploying..."
  env:
    DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}

SEC-002: pull_request_target with Checkout

Location: Lines 3, 15 Risk: Arbitrary code execution from forks Fix: Use pull_request event instead, or don't checkout PR code

Major Issues

CACHE-001: Missing Composer Cache

Location: lint job Impact: +2-3 minutes per run Fix:

- uses: actions/cache@v4
  with:
    path: ~/.composer/cache
    key: composer-${{ hashFiles('composer.lock') }}

PERF-001: Sequential Jobs Could Run Parallel

Location: test-unit, test-integration Impact: +5 minutes total Fix: Remove needs dependency between test jobs

Minor Issues

BP-001: Using Outdated Action Version

Location: Line 12 Current: actions/checkout@v2 Recommended: actions/checkout@v4

Recommendations

Immediate: Fix security issues SEC-001 and SEC-002
Short-term: Implement caching improvements
Long-term: Restructure for parallel execution

Optimized Configuration

See Appendix A for complete optimized configuration.


## Analysis Instructions

1. **Parse configuration:**
   - Validate YAML syntax
   - Identify platform (GitHub/GitLab)
   - Extract jobs, stages, triggers

2. **Check structure:**
   - Proper job ordering
   - Dependencies (needs/stages)
   - Concurrency settings
   - Timeouts

3. **Analyze caching:**
   - Cache keys use file hashes
   - Appropriate cache paths
   - Cache policy (pull/push)
   - Artifacts for job sharing

4. **Security review:**
   - Secret exposure
   - Permissions
   - Unsafe triggers
   - Action versions

5. **Performance audit:**
   - Parallel execution opportunities
   - Unnecessary sequential jobs
   - Matrix optimization
   - Fail-fast settings

## Usage

Provide:
- Path to CI configuration file(s)
- Specific areas to focus on (optional)

The analyzer will:
1. Parse and validate configuration
2. Check against best practices
3. Identify issues by severity
4. Provide specific fixes
5. Generate optimized configuration