All resources
GitLab CI · Cheat sheet

GitLab CI/CD cheat sheet

The .gitlab-ci.yml reference, beginner to advanced: stages and jobs, rules and workflow, artifacts/cache/needs, variables and OIDC secrets, environments, includes/extends/anchors, security scanning, and the glab CLI — with examples.

Pipeline basicsBeginner
stages: [build, test, deploy]
Declare the ordered stages.
build: stage: build script: [make]
A job: a name, a stage, and a script.
image: node:20
Container image the job runs in.
tags: [docker]
Route the job to runners with these tags.
before_script / after_script
Commands run before/after every job’s script.
default: image: alpine
Defaults inherited by all jobs.
Rules & workflowIntermediate
rules: - if: '$CI_COMMIT_BRANCH == "main"'
Run the job only on certain conditions.
rules: - changes: [src/**/*]
Run only when matching files changed.
rules: - if: $CI_MERGE_REQUEST_ID when: manual
Gate a job behind a manual click.
workflow: rules: [...]
Decide whether the WHOLE pipeline runs.
only / except
Legacy branch filtering (prefer rules).
Artifacts, cache & DAGIntermediate
artifacts: paths: [dist/] expire_in: 1 week
Pass build output to later jobs.
artifacts: reports: junit: report.xml
Surface test/scan reports in the MR.
cache: key: $CI_COMMIT_REF_SLUG paths: [node_modules/]
Reuse deps across runs.
needs: [build]
Start as soon as a dependency finishes (DAG).
dependencies: [build]
Choose which jobs’ artifacts to download.
parallel: 5
Fan a job out into N instances.
parallel: matrix: - REGION: [us, eu]
Run a job across a value matrix.
Variables & secretsIntermediate
variables: APP_ENV: prod
Define variables at pipeline or job scope.
$CI_COMMIT_SHA $CI_PIPELINE_ID
Built-in predefined variables.
id_tokens: AWS: aud: https://aws
Mint an OIDC JWT — keyless auth to cloud/Vault.
secrets: DB: vault: prod/db/pass@ops
Pull a secret from Vault at job start.
Environments & deployAdvanced
environment: name: production url: https://app.io
Track a deployment target.
environment: name: review/$CI_COMMIT_REF_SLUG on_stop: teardown
Dynamic review apps.
resource_group: production
Serialize deploys so they never overlap.
when: manual allow_failure: false
Require a human to trigger a prod deploy.
Reuse & templatesAdvanced
include: - local: ci/build.yml
Pull in local/project/remote/template YAML.
extends: .base_job
Inherit and override a hidden template job.
.def: &anchor { image: node } job: { <<: *anchor }
YAML anchors to share config.
script: - !reference [.setup, script]
Reuse a snippet from another job.
trigger: include: child.yml
Child / multi-project pipelines.
Security scanningAdvanced
include: - template: Jobs/SAST.gitlab-ci.yml
Add static application security testing.
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
Scan dependencies for CVEs.
- template: Jobs/Secret-Detection.gitlab-ci.yml
Catch committed secrets.
- template: Jobs/Container-Scanning.gitlab-ci.yml
Scan built images.
glab CLIIntermediate
glab ci lint
Validate .gitlab-ci.yml locally.
✓ CI/CD YAML is valid!
glab ci status
Live status of the current pipeline.
glab ci trace
Stream a running job’s logs.
glab pipeline run
Trigger a pipeline from the terminal.
Go deeper
Full, hands-on DevSecOps courses
Browse courses