bitbucket-ci-doctor

Audit any bitbucket-pipelines.yml for waste, cost leaks, and security gaps. Eight rules. One command. MIT. Sister project to ci-doctor (GitHub Actions) and gitlab-ci-doctor (GitLab CI).

npm: npmjs.com/package/bitbucket-ci-doctor  |  source: github.com/depmedicdev-byte/bitbucket-ci-doctor  |  try it: in-browser scanner

Try it in 5 seconds

$ npx bitbucket-ci-doctor                  # audit current repo
$ npx bitbucket-ci-doctor --markdown       # PR-comment friendly output
$ npx bitbucket-ci-doctor --json           # machine-readable
$ npx bitbucket-ci-doctor --severity=warn  # warn + error only
$ npx bitbucket-ci-doctor --rules          # list checks
$ npx bitbucket-ci-doctor --demo           # smoke-test against bundled bad pipeline

Exit code is 1 when there are error-level findings, so it drops into a Bitbucket Pipelines step (or a pre-commit hook) without ceremony.

The 8 rules

| Rule | Severity | What it catches |
|---|---|---|
| image-no-pin | warn / security | Top-level or step image: uses a floating tag (node:22, :latest) instead of image@sha256:<digest>. |
| missing-max-time | warn / cost | Steps without max-time: default to 120 minutes. A runaway step burns build minutes. |
| expensive-size | warn / cost | size: 2x/4x/8x doubles, quadruples, octuples build-minute cost. Justify or cut. |
| missing-caches | warn / cost | Step installs deps (npm, pip, bundler, gradle...) without declaring the matching built-in cache. |
| service-no-pin | warn / security | definitions.services.<name>.image not pinned to a digest. |
| deployment-no-environment | warn / security | deployment: value is not test/staging/production - environment protections (manual approvals, secret scoping) may not apply. |
| artifact-no-paths | info / cost | artifacts: declared without paths or with a wildcard catch-all (**/*). |
| after-script-leaks | warn / security | after-script: contains env, printenv, set -x, or echo $... - secrets may leak to logs. |
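To make the rule definitions above concrete, here is an added example (not the project's own code) that re-implements four of the eight checks (image-no-pin, missing-max-time, deployment-no-environment, after-script-leaks) over an already-parsed bitbucket-pipelines.yml object; the YAML parsing step, the sample pipeline and the finding shape are assumptions of this example.

```javascript
// Added example, not bitbucket-ci-doctor's code: four of the eight rules over a
// parsed bitbucket-pipelines.yml object (a real run would feed a YAML parser's output in).
const DIGEST_RE = /@sha256:[0-9a-f]{64}$/;                      // image-no-pin
const LEAK_RE = /(^|\s)(env|printenv)(\s|$)|set -x|echo \$/;    // after-script-leaks
const KNOWN_ENVS = new Set(['test', 'staging', 'production']);  // deployment-no-environment

function checkImage(image, where, findings) {
  if (typeof image === 'string' && !DIGEST_RE.test(image)) {
    findings.push({ rule: 'image-no-pin', severity: 'warn', kind: 'security', where, detail: image });
  }
}

function auditStep(step, where, findings) {
  checkImage(step.image, where + '.image', findings);
  if (step['max-time'] === undefined) {
    findings.push({ rule: 'missing-max-time', severity: 'warn', kind: 'cost', where });
  }
  if (step.deployment !== undefined && !KNOWN_ENVS.has(step.deployment)) {
    findings.push({ rule: 'deployment-no-environment', severity: 'warn', kind: 'security', where, detail: step.deployment });
  }
  for (const line of step['after-script'] || []) {
    if (LEAK_RE.test(line)) {
      findings.push({ rule: 'after-script-leaks', severity: 'warn', kind: 'security', where, detail: line });
    }
  }
}

// Walks pipelines.default (a list) and pipelines.branches / pull-requests / custom
// (maps of pattern -> list); `parallel` groups are flattened into their steps.
function auditPipeline(doc) {
  const findings = [];
  checkImage(doc.image, 'image', findings);
  for (const [kind, defs] of Object.entries(doc.pipelines || {})) {
    const groups = Array.isArray(defs) ? { '': defs } : defs;
    for (const [pattern, items] of Object.entries(groups)) {
      const prefix = pattern ? `${kind}/${pattern}` : kind;
      items.flatMap((it) => (it.parallel ? it.parallel : [it]))
        .forEach((it, i) => { if (it.step) auditStep(it.step, `${prefix}[${i}]`, findings); });
    }
  }
  return findings;
}

// Mirrors the CLI contract: exit 1 only on error-level findings (all four rules here are warn).
const exitCode = (findings) => (findings.some((f) => f.severity === 'error') ? 1 : 0);

// Constructed sample: floating top-level image, a step with no max-time that dumps the
// environment in after-script, and a deployment to an unrecognised environment name.
const SAMPLE = {
  image: 'node:22',
  pipelines: {
    default: [{ step: { name: 'build', script: ['npm ci'], 'after-script': ['printenv'] } }],
    branches: { main: [{ step: { name: 'deploy', image: 'node@sha256:' + 'a'.repeat(64),
      'max-time': 10, deployment: 'prod', script: ['npm run deploy'], 'after-script': ['echo done'] } }] },
  },
};
```

Running auditPipeline(SAMPLE) yields four warn-level findings and an exit code of 0; only error-level findings would fail the step.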

Drop into a PR pipeline

image: node@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
pipelines:
  pull-requests:
    '**':
      - step:
          name: ci-doctor
          max-time: 5
          caches:
            - node
          script:
            - npx --yes bitbucket-ci-doctor --markdown > ci-doctor.md
            - cat ci-doctor.md
          artifacts:
            - ci-doctor.md

Why a third one?

Bitbucket Pipelines bills differently than GitHub Actions or GitLab CI: every plan ships a fixed monthly minute bundle, and size: 2x burns 2 minutes per real minute. There is no built-in cost dashboard. The pricing model rewards short steps with explicit caches and small size - exactly what these 8 rules nudge you toward.

And: pinning node:22 to a digest, declaring deployment: production, and avoiding env in after-script are the same hygiene the other two CIs have - bitbucket-ci-doctor just carries the same opinionation across.

Audit one repo right now

The in-browser scanner takes a paste, runs all 8 rules, and shows the report inline. Nothing leaves your browser.

Open the scanner  |  View source