Lint CI/CD pipelines for 22 providers against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks. 810+ rules, inline in your editor: severity-graded gutter squiggles, hover descriptions with --explain prose, and recommended-action hints. Built on the same rule registry as the pipeline-check CLI, so editor findings match pipeline_check --output json byte-for-byte (modulo position translation).
- Inline diagnostics — gutter squiggles + the Problems panel get a row per finding, severity-graded so CRITICAL and HIGH read red, MEDIUM yellow, LOW info-blue. Hover shows the rule title, the
--explainprose, and a link to the rule documentation. - Findings panel — dedicated slot in the activity bar with a Pipeline-Check pipeline glyph. Re-groups findings by severity (default), file, or rule via the title-bar Change Grouping button; activity-bar icon carries a live count badge.
- Status bar item — bottom-left of the window, shows the top two severity counts at a glance (e.g.
🛡 3C 1H). Click reveals the Findings panel. - CodeLens summary — every scanned file carries a
Pipeline-Check: 2 critical · 1 highlens at line 1. Click navigates to the Findings panel. - Keyboard navigation —
Alt+F8/Shift+Alt+F8jump between findings, with wrap at both ends. Mirrors VS Code'sF8for "next problem" so muscle memory carries over. - Tunable signal —
pipelineCheck.severityThresholdquiets the editor surface (low/medium/high/critical) without restarting the server;pipelineCheck.disabledProviderssilences whole providers in a monorepo where Pipeline-Check would otherwise lint files belonging to a sub-project.
Pilot provider coverage (single-file workflow providers plus Dockerfile):
| Provider | Trigger file(s) |
|---|---|
| GitHub Actions | .github/workflows/*.yml |
| GitLab CI | .gitlab-ci.yml |
| Azure DevOps | azure-pipelines.yml |
| Bitbucket Pipelines | bitbucket-pipelines.yml |
| CircleCI | .circleci/config.yml |
| Google Cloud Build | cloudbuild.yaml |
| Buildkite | .buildkite/pipeline.yml |
| Drone CI | .drone.yml / .drone.yaml |
| Jenkins | Jenkinsfile (Declarative and Scripted) |
| Dockerfile | Dockerfile / Containerfile |
Multi-file and context-heavy providers (Kubernetes, Helm, Terraform plans, live AWS, CloudFormation, SCM posture) ship in a later release; the CLI already covers them.
Search for Pipeline-Check in the extensions panel, or install from the command line:
# Microsoft VS Code Marketplace
code --install-extension greylag-ci.pipeline-check
# Open VSX (VSCodium, Gitpod, code-server, Cursor)
codium --install-extension greylag-ci.pipeline-checkThe extension is a thin LSP client; the rule engine itself runs in Python and must be installed separately:
pip install "pipeline-check[lsp]"- VS Code 1.85 or newer.
- Python 3.11 or newer on
PATH, withpipeline-check[lsp]installed.
| Setting | Default | Description |
|---|---|---|
pipelineCheck.serverCommand |
python |
Command used to launch the language server. Override if pipeline_check is installed under a different interpreter. Marked machine-overridable: workspace overrides require an explicit prompt. |
pipelineCheck.serverArgs |
["-m", "pipeline_check.lsp"] |
Arguments passed to the server command. Marked machine-overridable for the same reason. |
pipelineCheck.severityThreshold |
low |
Lowest severity that produces a diagnostic. One of low, medium, high, critical. Mirrors the CLI's --severity-threshold. |
pipelineCheck.disabledProviders |
[] |
Provider IDs to silence entirely. Diagnostics for files matching a disabled provider's path glob are dropped before they reach the editor. One of github-actions, gitlab, azure, bitbucket, circleci, cloud-build, buildkite, drone, jenkins, dockerfile (covers Containerfile too). |
pipelineCheck.trace.server |
off |
Traces LSP traffic. Set to verbose when debugging. |
All commands appear in the Command Palette under the Pipeline-Check category.
| Command | Default keybinding |
|---|---|
| Restart language server — kills and respawns the LSP process | |
Show language server output — focuses the output channel (LSP server logs + [client] client-side breadcrumbs) |
|
| Go to Next Finding | Alt+F8 |
| Go to Previous Finding | Shift+Alt+F8 |
| Change Grouping (Findings view) — Quick Pick: Severity / File / Rule | |
| Refresh (Findings view) — re-render from the current diagnostic stream |
Pipeline-Check spawns the configured Python interpreter to analyze workflow files. To keep that subprocess from running on first-open of a freshly-cloned repository, the extension declares capabilities.untrustedWorkspaces: "limited" — it stays inactive until the workspace is trusted. The serverCommand / serverArgs settings are machine-overridable, so a malicious .vscode/settings.json can't silently swap the interpreter or inject arbitrary args even after trust is granted.
npm install
npm run compile # typecheck + esbuild dev bundle
npm run watch # bundle on change
npm test # vitest unit suite
npm run test:integration # @vscode/test-electron — boots a real extension host
npm run smoke # loads dist/extension.js with a vscode stub
npm run lintPress F5 in VS Code with this folder open to launch an extension-host instance with the extension loaded. Two debug profiles ship in .vscode/launch.json:
- Run Extension: opens a fresh window with no workspace. Use this when iterating on the client wiring against a checkout of your own code.
- Run Extension (sample workflow): opens
test-fixtures/sample-workflow/as the workspace. The fixture is a deliberately-vulnerable GitHub Actions workflow and should produce four diagnostics (GHA-001, GHA-004, GHA-015, GHA-016) the moment you open the file. Quickest way to confirm the client → server round-trip works end-to-end.
npm run package # delegates to `vsce package`, produces pipeline-check-<version>.vsixPublishing is fully automated by .github/workflows/publish.yml. Tag a commit with vX.Y.Z matching package.json#version, push the tag, and the workflow packages the .vsix, publishes to both the VS Code Marketplace and Open VSX, and attaches the artifact to a GitHub Release with the matching CHANGELOG.md section as release notes.
git tag v0.1.2
git push origin v0.1.2Tag-naming convention:
vX.Y.Z→ stable marketplace channel.vX.Y.Z-rc.N(or any version with a-after the semver core) → pre-release channel; the GitHub release is also markedprerelease.
Two repo secrets gate the publish jobs, both stored as environment secrets on the production GitHub Environment (required reviewer must approve before the publish steps run):
| Secret | Where it comes from |
|---|---|
VSCE_PAT |
Azure DevOps PAT scoped to Marketplace → Manage, bound to the greylag-ci publisher. |
OVSX_PAT |
Open VSX access token from the user-settings page, bound to the greylag-ci namespace. |
Every PR and every push to main is gated by .github/workflows/ci.yml running across [ubuntu-latest, windows-latest, macos-latest] with: lint, typecheck, unit tests (vitest), bundle smoke (loads dist/extension.js against a vscode stub to verify the package is loadable), npm audit --omit=dev --audit-level=high, vsce package, and on Linux the @vscode/test-electron integration suite. Release-day surprises stay rare.
Architecture
┌──────────────────────┐ stdio JSON-RPC ┌──────────────────────────┐
│ VS Code extension │ ◀─────────────────────▶ │ pipeline_check.lsp │
│ (TypeScript, this │ │ (Python, pygls; lives in │
│ repo) │ │ dmartinochoa/pipeline- │
│ │ │ check) │
└──────────────────────┘ └──────────────────────────┘
The extension spawns python -m pipeline_check.lsp as a child process and exchanges Language Server Protocol messages over stdin / stdout. The server reads the same rule registry that powers the CLI, so editor findings match pipeline_check --output json byte-for-byte (modulo position translation).
Report vulnerabilities privately via GitHub's Private vulnerability reporting — see SECURITY.md for the response SLA and threat model.
MIT.