Get started in 60 seconds

Pick your CI provider, copy the snippet, push. ci-doctor runs in <1s and reports cost waste, security gaps, and reliability bugs. Free, MIT, no signup. Five CI providers covered.

Step 1. Pick your CI provider

GitHub Actions (recommended): drop in the Action (3 lines)

- uses: depmedicdev-byte/ci-doctor-action@v1
  with:
    severity-threshold: warn
    comment-on-pr: true
    upload-sarif: true

Or run the CLI directly:

- run: npx --yes ci-doctor --markdown

Other useful pages: Action docs · scan a workflow in your browser · public leaderboard.

GitLab CI: drop into your pipeline (1 job)

ci-audit:
  stage: lint
  image: node:20-alpine
  script:
    - npx --yes gitlab-ci-doctor --markdown | tee ci-doctor.md
  artifacts:
    paths: [ci-doctor.md]
    expire_in: 1 week
  allow_failure: true

Other useful pages: gitlab-ci-doctor docs · scan in browser.

Bitbucket Pipelines: drop into your pipeline (1 step)

image: node:20-alpine
pipelines:
  default:
    - step:
        name: ci-audit
        script:
          - npx --yes bitbucket-ci-doctor --markdown

Other useful pages: bitbucket-ci-doctor docs · scan in browser.

Azure Pipelines: drop into your pipeline (1 task)

- task: Bash@3
  displayName: ci-doctor
  inputs:
    targetType: inline
    script: npx --yes azure-pipelines-ci-doctor --markdown

Other useful pages: azure-pipelines-ci-doctor docs · scan in browser.

CircleCI: drop into your workflow (1 job)

version: 2.1
jobs:
  ci-audit:
    docker:
      - image: cimg/node:20.10
    steps:
      - checkout
      - run:
          name: ci-doctor
          command: npx --yes circleci-ci-doctor --markdown
          no_output_timeout: 2m
workflows:
  audit:
    jobs: [ci-audit]

Other useful pages: circleci-ci-doctor docs · scan in browser.

Step 2. Push and look at the output

On the next CI run, ci-doctor will print a Markdown table of findings (and write a SARIF file on GitHub if you used the Action). On the GitHub side, you also get a sticky PR comment that updates on every push - no comment-spam.

Step 3. (Optional) Lock it in

  1. Add ci-doctor to your required checks so it gates merges. Start with severity-threshold: error to avoid blocking on warnings.
  2. Set --baseline against the current report so you only get failures on new findings (great for legacy repos).
  3. Embed the live ci-doctor badge in your README to show your hygiene score publicly.

Need more than the free CLI?

The CLI is free forever. The optional Pro tier ($5/mo) adds per-org rule overrides, Slack/Webhook delivery of the weekly digest, the hosted GitHub App with one-click install, and priority support on issues.


What did I just install?

ci-doctor is a small Node CLI (no native deps) that parses your workflow YAML, runs 16 rules against the AST, and prints a report. It does not phone home, does not collect telemetry, and does not require any auth tokens (the Action only needs GITHUB_TOKEN, scoped to PR comments + SARIF upload).
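
A least-privilege GitHub workflow around the Action, as an added example that is not from the ci-doctor project. It assumes the default branch is main, that the Action reads workflow files from a checkout, and that the three permissions shown are the ones behind the PR comment and SARIF upload described above.

```yaml
# Added example, not the project's own workflow.
# Hypothetical file name: .github/workflows/ci-audit.yml
name: ci-audit

on:
  pull_request:
  push:
    branches: [main]   # assumption: the default branch is "main"

# Start from no token permissions at all; the job opts in below.
permissions: {}

jobs:
  ci-doctor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read the workflow files being audited
      pull-requests: write    # sticky PR comment (comment-on-pr)
      security-events: write  # SARIF upload to code scanning (upload-sarif)
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # keep the token out of .git/config
      # Tag taken from the snippet above; pinning to a full commit SHA
      # instead protects the job if the tag is ever moved.
      - uses: depmedicdev-byte/ci-doctor-action@v1
        with:
          severity-threshold: warn
          comment-on-pr: true
          upload-sarif: true
```

On pull requests from forks GitHub issues a read-only GITHUB_TOKEN by default, so the write permissions requested here do not apply to those runs.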

Source: github.com/depmedicdev-byte/ci-doctor (MIT) · npmjs.com/package/ci-doctor · how it compares to actionlint / zizmor / octoscan / super-linter.

Frequently-skipped questions

Does it support self-hosted runners?

Yes - the audit runs against the workflow YAML, regardless of where the runner lives. See our self-hosted runner playbook.

Does it support reusable workflows?

Yes - it follows uses: references and audits the referenced workflow if it lives in the same repo. Cross-repo references are flagged for manual review.

Does it work in monorepos?

Yes - point it at a directory and it audits every workflow file under it (including nested .github/workflows/ trees from packages inside the monorepo).

I don't see an issue I expected to see flagged.

File a GitHub issue with a minimal reproducing snippet. Same-day response on most bugs.

Have a usage question instead of a bug?

Browse or ask in GitHub Discussions. Common topics already answered: setup, monorepos, reusable workflows, how it compares to other linters.