depmedic weekly #2
Two big shipments since last week. The free CLI portfolio is now four distinct CI systems wide, and there's finally a one-line "drop into your workflow" GitHub Action that wraps the whole thing.
1. ci-doctor-action - the easiest way to put ci-doctor on a PR
Until now you had to write a workflow that ran `npx ci-doctor`, piped the output through `tee`, and then either uploaded SARIF or posted a comment. That's three steps, and most people never got past step one. ci-doctor-action is a composite Action that does it all in one `uses:` step:
```yaml
name: ci-doctor
on:
  pull_request:
    paths:
      - '.github/workflows/**'
permissions:
  contents: read
  pull-requests: write
  security-events: write
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: depmedicdev-byte/ci-doctor-action@v1
```
You get:
- a sticky markdown PR comment with the findings table - one comment per PR, updated in place when you push fixes
- SARIF uploaded to GitHub Code Scanning so findings show under the Security tab
- a configurable `fail-on` threshold (default `error`; set it to `warn` for stricter teams)
- pinnable down to a SHA for fully reproducible audits
Repo: depmedicdev-byte/ci-doctor-action. Marketplace listing toggles on shortly. v1 mutable tag is already pushed at the same commit so consumers can use @v1.
2. azure-pipelines-ci-doctor - the fourth sister
The portfolio now covers GitHub Actions, GitLab CI, Bitbucket Pipelines, and as of this week, Azure Pipelines. azure-pipelines-ci-doctor ships with eight rules tuned to the quirks of Azure DevOps:
- `expensive-vm-image` - flags `macOS-latest` (~10x cost) and `windows-latest` (~2x) when the steps don't actually need them
- `container-no-pin` - floating `container.image` tags
- `missing-timeout-in-minutes` - default is 60 min hosted, 360 min self-hosted; one hang can burn the whole window
- `missing-cache` - npm/pip/maven/gradle/cargo/go/bundler installs without a `Cache@2` task
- `wide-trigger` - unscoped `trigger:` or `pr:`
- `inline-secret-leak` - `$(SECRET_NAME)` macros that expand inline in build logs (the #1 Azure secret-handling mistake)
- `legacy-task-version` - outdated built-in task majors (e.g. `UseNode@1`)
- `unbounded-parallelism` - `strategy.parallel >= 5` without `maxParallel`
```sh
$ npx azure-pipelines-ci-doctor              # audit current repo
$ npx azure-pipelines-ci-doctor --markdown   # PR-comment friendly
$ npx azure-pipelines-ci-doctor --rules      # list all 8
```
And the in-browser scanner is up at /scan-azure.html alongside scan, scan-gitlab, and scan-bitbucket.
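To make the rule list above concrete, here is an added example (not the azure-pipelines-ci-doctor source) that implements four of the eight rules as a line-based scan over a constructed azure-pipelines.yml: `wide-trigger`, `missing-timeout-in-minutes`, `container-no-pin` and `inline-secret-leak`. The sample pipeline, the dummy image digest and the secret-name heuristic are all constructed for the example; it deliberately has no YAML dependency so plain Node runs it, and a real tool should parse the document properly instead of reading indentation.

```javascript
// Added example, not the azure-pipelines-ci-doctor source: a line-based checker
// for four of the rules above, run over a constructed azure-pipelines.yml.
// No YAML dependency, so plain Node runs it; a real tool should parse properly.
'use strict';

// Constructed sample that trips each rule exactly once (the digest is a dummy).
const SAMPLE_PIPELINE = `
trigger:
  branches:
    include:
      - '*'
pr: none
pool:
  vmImage: ubuntu-latest
jobs:
  - job: build
    container: node:20
    steps:
      - script: curl -H "Authorization: Bearer $(API_TOKEN)" https://example.invalid
  - job: test
    timeoutInMinutes: 20
    container:
      image: node@sha256:${'0'.repeat(64)}
    steps:
      - task: Cache@2
`;

const SECRETISH = /SECRET|TOKEN|PASS(WORD)?|KEY|CRED/i; // heuristic: secret-looking macro names
const indentOf = (line) => line.match(/^ */)[0].length;

// Lines nested under lines[i]: more indented, until the indent drops back.
function blockAfter(lines, i) {
  const base = indentOf(lines[i]);
  const out = [];
  for (let j = i + 1; j < lines.length; j++) {
    if (lines[j].trim() === '') continue;
    if (indentOf(lines[j]) <= base) break;
    out.push(lines[j]);
  }
  return out;
}

// wide-trigger: a missing trigger/pr defaults to all branches, and a '*'
// anywhere in the block (e.g. branches.include) matches everything.
function wideTrigger(lines) {
  const out = [];
  for (const key of ['trigger', 'pr']) {
    const i = lines.findIndex((l) => l.startsWith(`${key}:`));
    if (i === -1) { out.push({ rule: 'wide-trigger', line: 0, msg: `${key} not set (defaults to all branches)` }); continue; }
    const inline = lines[i].slice(key.length + 1).trim();
    if (inline === 'none') continue;
    const text = [inline, ...blockAfter(lines, i)].join('\n');
    if (/(^|[\s\[-])['"]?\*['"]?(\s|$|\])/.test(text)) out.push({ rule: 'wide-trigger', line: i + 1, msg: `${key} matches every branch` });
  }
  return out;
}

// missing-timeout-in-minutes: every job/deployment block needs its own timeout.
function missingTimeout(lines) {
  const out = [];
  lines.forEach((l, i) => {
    const m = l.match(/^\s*-\s*(job|deployment):\s*(\S+)/);
    if (m && !blockAfter(lines, i).some((b) => /^\s*timeoutInMinutes:/.test(b))) {
      out.push({ rule: 'missing-timeout-in-minutes', line: i + 1, msg: `${m[1]} ${m[2]} relies on the 60-minute hosted default` });
    }
  });
  return out;
}

// container-no-pin: an image reference without an @sha256 digest floats.
function containerNoPin(lines) {
  const out = [];
  lines.forEach((l, i) => {
    const m = l.match(/^\s*(?:-\s*)?(?:container|image):\s*(\S+)/);
    if (!m) return;
    const ref = m[1].replace(/^['"]|['"]$/g, '');
    if (!/[:/]/.test(ref)) return; // bare name: a resource alias, not an image ref
    if (!/@sha256:[0-9a-f]{64}$/.test(ref)) out.push({ rule: 'container-no-pin', line: i + 1, msg: `${ref} is a floating tag; pin by digest` });
  });
  return out;
}

// inline-secret-leak: $(NAME) macros are substituted into the command text;
// map secrets with env: so the process reads them from its environment instead.
function inlineSecretLeak(lines) {
  const out = [];
  lines.forEach((l, i) => {
    for (const m of l.matchAll(/\$\(([A-Za-z_][\w.]*)\)/g)) {
      if (SECRETISH.test(m[1])) out.push({ rule: 'inline-secret-leak', line: i + 1, msg: `$(${m[1]}) expanded inline; pass it through env:` });
    }
  });
  return out;
}

function audit(yamlText) {
  const lines = yamlText.split('\n');
  return [wideTrigger, missingTimeout, containerNoPin, inlineSecretLeak]
    .flatMap((rule) => rule(lines))
    .sort((a, b) => a.line - b.line);
}

for (const f of audit(SAMPLE_PIPELINE)) console.log(`${f.line}: ${f.rule} - ${f.msg}`);
```

Run it with `node` and it prints one finding per rule against the sample: the `'*'` under `branches.include`, the `build` job with no timeout, the `node:20` floating tag, and the `$(API_TOKEN)` macro in the script line. The `test` job shows the clean shapes: an explicit `timeoutInMinutes`, an image pinned by digest, and `pr: none` is treated as a deliberate opt-out rather than a wide trigger.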
3. By the numbers
- Free CLIs: 5 (depmedic, ci-doctor, gha-budget, gitlab-ci-doctor, bitbucket-ci-doctor) → 6 with azure-pipelines-ci-doctor
- Free GitHub Actions: 1 (ci-doctor-action)
- Browser scanners: 4 (GitHub, GitLab, Bitbucket, Azure)
- Sitemap: 65 → 69 URLs
- Lines of audit logic across all four engines: < 5,000 (most of it shared)
4. Pattern of the week: pin the action, pin its CLI
If you adopt ci-doctor-action for production gating, pin both the action and the CLI it runs:

```yaml
- uses: depmedicdev-byte/ci-doctor-action@1bd71901bbe5b1630ceea73d27597364c9af683 # v1.0.0
  with:
    ci-doctor-version: '0.5.0'
```

That way, an upstream npm publish can't change what your gate flags or silently bump severity. Reproducible audits are the only audits worth gating on. One check before you copy a pin like this: a full commit SHA is 40 hex characters, and the trailing `# v1.0.0` comment is documentation only, so confirm the SHA against the tag (`git rev-parse v1.0.0^{commit}` in a clone of the action repo) rather than trusting the comment.
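The same "pin the action, pin its CLI" rule can be checked mechanically. The block below is an added example, not ci-doctor-action's own code: it classifies every `uses:` reference in a workflow, flags anything that is not a full 40-hex commit SHA (tags, branches, floating `docker://` images), warns when a SHA pin carries no `# vX.Y.Z` comment, and for `depmedicdev-byte/ci-doctor-action` steps checks that the `ci-doctor-version` input from the snippet above is set to an exact version. The workflow fragment and its SHAs are constructed for the example; the `fail-on` input name is the one listed in section 1.

```javascript
// Added example, not ci-doctor-action's own code: classify every `uses:` reference
// in a workflow and flag anything that is not a full 40-hex commit SHA, plus a
// check that ci-doctor-action also pins its CLI via the `ci-doctor-version` input
// shown on the page (the input name is taken from that snippet; every ref below
// is constructed and the SHAs are dummies).
'use strict';

const SHA40 = /^[0-9a-f]{40}$/;

// Constructed workflow fragment.
const SAMPLE_WORKFLOW = `
jobs:
  audit:
    steps:
      - uses: actions/checkout@v4
      - uses: depmedicdev-byte/ci-doctor-action@${'b'.repeat(40)} # v1.0.0
        with:
          ci-doctor-version: '0.5.0'
      - uses: depmedicdev-byte/ci-doctor-action@${'c'.repeat(40)} # v1.0.0
        with:
          fail-on: warn
      - uses: actions/upload-artifact@${'a'.repeat(40)}
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
`;

// What kind of ref is this? Only 'sha', 'digest' and 'local' are immutable.
function classifyRef(ref) {
  if (ref.startsWith('./')) return 'local';
  if (ref.startsWith('docker://')) return ref.includes('@sha256:') ? 'digest' : 'floating';
  const at = ref.lastIndexOf('@');
  if (at === -1) return 'unversioned';
  const version = ref.slice(at + 1);
  if (SHA40.test(version)) return 'sha';
  if (/^v?\d+(\.\d+){0,2}$/.test(version)) return 'tag';
  return 'branch';
}

function auditPins(yamlText) {
  const lines = yamlText.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    const m = line.match(/^\s*-?\s*uses:\s*(\S+)(.*)$/);
    if (!m) return;
    const [, ref, rest] = m;
    const kind = classifyRef(ref);
    const f = { line: i + 1, ref, kind, problems: [] };
    if (!['sha', 'digest', 'local'].includes(kind)) f.problems.push(`${kind} ref is mutable; pin to a full commit SHA`);
    // Dependabot/Renovate key their SHA bumps off the trailing "# vX.Y.Z" comment.
    if (kind === 'sha' && !/#\s*v?\d/.test(rest)) f.problems.push('SHA pin has no version comment');
    if (ref.startsWith('depmedicdev-byte/ci-doctor-action@')) {
      // Inputs live in the lines up to the next step item ("- ...").
      const inputs = [];
      for (let j = i + 1; j < lines.length && !/^\s*-\s/.test(lines[j]); j++) inputs.push(lines[j]);
      if (!inputs.some((l) => /^\s*ci-doctor-version:\s*['"]?\d+\.\d+\.\d+['"]?\s*$/.test(l))) {
        f.problems.push('ci-doctor-version input missing or not an exact version');
      }
    }
    findings.push(f);
  });
  return findings;
}

for (const f of auditPins(SAMPLE_WORKFLOW)) {
  if (f.problems.length) console.log(`${f.line}: ${f.ref}\n  - ${f.problems.join('\n  - ')}`);
}
```

Against the sample, only the first ci-doctor-action step and the local action come out clean; the second ci-doctor-action step is SHA-pinned but still gets flagged because it leaves `ci-doctor-version` unset, which is exactly the half-pin the paragraph above warns about.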
5. Coming next
- A long-form comparison: depmedic vs actionlint vs zizmor vs woodpecker. Honest about who wins where.
- Azure Pipelines benchmark: scan the top 30 OSS repos that publish their azure-pipelines.yml, and publish a Pin Bar equivalent for Azure.
- The CircleCI sister CLI (circleci-ci-doctor) - drafting now.
Get the next issue Sunday
Eight subscribers, no spam, no ads (unless you sponsor — $75 / issue).