@intentius/chant-lexicon-gitlab 0.0.16 → 0.0.22

package/dist/integrity.json

@@ -1,22 +1,35 @@
 {
   "algorithm": "xxhash64",
   "artifacts": {
-    "manifest.json": "2b7f06fc4199f834",
+    "manifest.json": "d334dcb02631ec7e",
     "meta.json": "c663c6c63748a9d0",
     "types/index.d.ts": "64e65524615be023",
     "rules/missing-stage.ts": "6d5379e74209a735",
     "rules/missing-script.ts": "923dde9acb46cc28",
     "rules/deprecated-only-except.ts": "1f5a8c785777fb03",
     "rules/artifact-no-expiry.ts": "26874cb6adfbca26",
+    "rules/wgl018.ts": "6ba77c7fa7a59f25",
     "rules/wgl012.ts": "3d188d13fb2236c0",
+    "rules/wgl024.ts": "54fe7a6aec3d3e23",
+    "rules/wgl020.ts": "eff135a38c29ff2f",
+    "rules/wgl017.ts": "a9d460f549725f85",
+    "rules/wgl023.ts": "d02ea51ac7da06c4",
     "rules/wgl011.ts": "b6b97e5104d91267",
+    "rules/wgl021.ts": "42470ba28e215bae",
     "rules/wgl015.ts": "d7e9e080994f985",
+    "rules/wgl025.ts": "fcdf14c9d296e7b5",
+    "rules/wgl026.ts": "7c7a15478b702349",
     "rules/wgl010.ts": "1548cad287cdf286",
     "rules/wgl013.ts": "3519c933e23fc605",
+    "rules/wgl028.ts": "77c31c05a975bacb",
+    "rules/wgl016.ts": "f76358f42b1f39ea",
+    "rules/wgl022.ts": "adba5b533dc416c9",
+    "rules/wgl019.ts": "5a4ab8ebb115f074",
+    "rules/wgl027.ts": "ea7928f37607a583",
     "rules/wgl014.ts": "6248a852888e8028",
-    "rules/yaml-helpers.ts": "b5416b80369484f2",
-    "skills/chant-gitlab.md": "4393eb63e0b84b7f",
+    "rules/yaml-helpers.ts": "3e414c7affe56728",
+    "skills/chant-gitlab.md": "1203c19da2dc5a53",
     "skills/gitlab-ci-patterns.md": "bdb522359253aac8"
   },
-  "composite": "b56a2a2ac9f9f569"
+  "composite": "5c25b595ef3236c"
 }

package/dist/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "gitlab",
-  "version": "0.0.16",
+  "version": "0.0.22",
   "chantVersion": ">=0.1.0",
   "namespace": "GitLab",
   "intrinsics": [

package/dist/rules/wgl016.ts

@@ -0,0 +1,82 @@
+/**
+ * WGL016: Secrets in Variables
+ *
+ * Detects hardcoded passwords, tokens, or secrets in `variables:` blocks.
+ * These should use CI/CD masked variables instead.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput } from "./yaml-helpers";
+
+const SECRET_PATTERNS = [
+  /password\s*[:=]\s*['"]?[^\s'"]+/i,
+  /secret\s*[:=]\s*['"]?[^\s'"]+/i,
+  /token\s*[:=]\s*['"]?[^\s'"]+/i,
+  /api[_-]?key\s*[:=]\s*['"]?[^\s'"]+/i,
+  /private[_-]?key\s*[:=]\s*['"]?[^\s'"]+/i,
+];
+
+/** Variable name patterns that indicate credentials. */
+const SECRET_VAR_NAMES = [
+  /password/i,
+  /secret/i,
+  /token/i,
+  /api[_-]?key/i,
+  /private[_-]?key/i,
+  /credentials?/i,
+];
+
+/** Values that are clearly references (not hardcoded secrets). */
+function isReference(value: string): boolean {
+  return value.startsWith("$") || value.startsWith("${");
+}
+
+export function checkSecretsInVariables(yaml: string): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  // Extract variables blocks (global and per-job)
+  const varBlocks = yaml.matchAll(/^(\s*)variables:\n((?:\1\s+.+\n?)+)/gm);
+
+  for (const block of varBlocks) {
+    const lines = block[2].split("\n");
+    for (const line of lines) {
+      const kv = line.match(/^\s+(\w+):\s+(.+)$/);
+      if (!kv) continue;
+
+      const [, varName, rawValue] = kv;
+      const value = rawValue.trim().replace(/^['"]|['"]$/g, "");
+
+      if (isReference(value)) continue;
+
+      // Check if variable name suggests a secret
+      for (const pattern of SECRET_VAR_NAMES) {
+        if (pattern.test(varName)) {
+          diagnostics.push({
+            checkId: "WGL016",
+            severity: "error",
+            message: `Variable "${varName}" appears to contain a hardcoded secret — use a CI/CD masked variable instead`,
+            entity: varName,
+            lexicon: "gitlab",
+          });
+          break;
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const wgl016: PostSynthCheck = {
+  id: "WGL016",
+  description: "Secrets in variables — hardcoded passwords or tokens in variables blocks",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      diagnostics.push(...checkSecretsInVariables(yaml));
+    }
+    return diagnostics;
+  },
+};

package/dist/rules/wgl017.ts

@@ -0,0 +1,54 @@
+/**
+ * WGL017: Insecure Registry
+ *
+ * Detects Docker push/pull to non-HTTPS registries in job scripts.
+ * Using HTTP for container registries is a security risk.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, extractJobs } from "./yaml-helpers";
+
+const INSECURE_REGISTRY_PATTERN = /docker\s+(push|pull|tag|login)\s+.*http:\/\/[^\s]+/;
+
+export function checkInsecureRegistry(yaml: string): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  const sections = yaml.split("\n\n");
+  for (const section of sections) {
+    const lines = section.split("\n");
+    if (lines.length === 0) continue;
+
+    const topMatch = lines[0].match(/^(\.?[a-z][a-z0-9_.-]*):/);
+    if (!topMatch) continue;
+    const jobName = topMatch[1];
+
+    for (const line of lines) {
+      if (INSECURE_REGISTRY_PATTERN.test(line)) {
+        diagnostics.push({
+          checkId: "WGL017",
+          severity: "warning",
+          message: `Job "${jobName}" uses an insecure (HTTP) container registry — use HTTPS instead`,
+          entity: jobName,
+          lexicon: "gitlab",
+        });
+        break;
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const wgl017: PostSynthCheck = {
+  id: "WGL017",
+  description: "Insecure registry — Docker push/pull to non-HTTPS registry",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      diagnostics.push(...checkInsecureRegistry(yaml));
+    }
+    return diagnostics;
+  },
+};

package/dist/rules/wgl018.ts

@@ -0,0 +1,39 @@
+/**
+ * WGL018: Missing Timeout
+ *
+ * Warns about jobs without an explicit `timeout:` setting.
+ * The default (1 hour) may be too long for most jobs.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl018: PostSynthCheck = {
+  id: "WGL018",
+  description: "Missing timeout — jobs without explicit timeout may run too long",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props) continue;
+
+      if (!props.timeout) {
+        diagnostics.push({
+          checkId: "WGL018",
+          severity: "warning",
+          message: `Job "${entityName}" has no explicit timeout — default is 1 hour which may be too long`,
+          entity: entityName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgl019.ts

@@ -0,0 +1,44 @@
+/**
+ * WGL019: Missing Retry on Deploy Jobs
+ *
+ * Deploy-stage jobs should have a `retry:` strategy to handle transient
+ * infrastructure failures. This is informational, not a hard requirement.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+const DEPLOY_STAGES = new Set(["deploy", "deployment", "release", "production", "staging"]);
+
+export const wgl019: PostSynthCheck = {
+  id: "WGL019",
+  description: "Missing retry — deploy jobs without retry strategy",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props) continue;
+
+      const stage = props.stage as string | undefined;
+      if (!stage || !DEPLOY_STAGES.has(stage.toLowerCase())) continue;
+
+      if (!props.retry) {
+        diagnostics.push({
+          checkId: "WGL019",
+          severity: "info",
+          message: `Deploy job "${entityName}" (stage: ${stage}) has no retry strategy — consider adding retry for transient failures`,
+          entity: entityName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgl020.ts

@@ -0,0 +1,56 @@
+/**
+ * WGL020: Duplicate Job Names
+ *
+ * Detects multiple jobs that resolve to the same kebab-case name in
+ * the serialized YAML. GitLab silently merges duplicate keys, which
+ * causes unexpected behavior.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, extractJobs } from "./yaml-helpers";
+
+export function checkDuplicateJobNames(yaml: string): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  // Count occurrences of each top-level key (raw line parsing, not extractJobs,
+  // to detect actual YAML key duplication)
+  const keyCounts = new Map<string, number>();
+  const lines = yaml.split("\n");
+
+  for (const line of lines) {
+    const topMatch = line.match(/^(\.?[a-z][a-z0-9_.-]*):/);
+    if (topMatch) {
+      const name = topMatch[1];
+      if (["stages", "default", "workflow", "variables", "include"].includes(name)) continue;
+      keyCounts.set(name, (keyCounts.get(name) ?? 0) + 1);
+    }
+  }
+
+  for (const [name, count] of keyCounts) {
+    if (count > 1) {
+      diagnostics.push({
+        checkId: "WGL020",
+        severity: "error",
+        message: `Duplicate job name "${name}" appears ${count} times — GitLab will silently merge these`,
+        entity: name,
+        lexicon: "gitlab",
+      });
+    }
+  }
+
+  return diagnostics;
+}
+
+export const wgl020: PostSynthCheck = {
+  id: "WGL020",
+  description: "Duplicate job names — multiple jobs resolving to same name",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      diagnostics.push(...checkDuplicateJobNames(yaml));
+    }
+    return diagnostics;
+  },
+};

package/dist/rules/wgl021.ts

@@ -0,0 +1,62 @@
+/**
+ * WGL021: Unused Variables
+ *
+ * Detects global `variables:` that are not referenced by any job script.
+ * Unused variables add noise and may indicate stale configuration.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { getPrimaryOutput, extractGlobalVariables } from "./yaml-helpers";
+
+export function checkUnusedVariables(yaml: string): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  const globalVars = extractGlobalVariables(yaml);
+  if (globalVars.size === 0) return diagnostics;
+
+  // Get the rest of the YAML (everything after the global variables block)
+  // to search for references
+  for (const [varName] of globalVars) {
+    // Check if $VARNAME or ${VARNAME} appears anywhere in the YAML (outside the variables block)
+    const refPattern = new RegExp(`\\$\\{?${varName}\\}?`);
+    // Also check for uses in extends, needs, etc. — search all sections
+    const sections = yaml.split("\n\n");
+    let found = false;
+
+    for (const section of sections) {
+      // Skip the global variables section itself
+      if (section.trimStart().startsWith("variables:")) continue;
+
+      if (refPattern.test(section)) {
+        found = true;
+        break;
+      }
+    }
+
+    if (!found) {
+      diagnostics.push({
+        checkId: "WGL021",
+        severity: "warning",
+        message: `Global variable "${varName}" is not referenced in any job script`,
+        entity: varName,
+        lexicon: "gitlab",
+      });
+    }
+  }
+
+  return diagnostics;
+}
+
+export const wgl021: PostSynthCheck = {
+  id: "WGL021",
+  description: "Unused variables — global variables not referenced by any job",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+    for (const [, output] of ctx.outputs) {
+      const yaml = getPrimaryOutput(output);
+      diagnostics.push(...checkUnusedVariables(yaml));
+    }
+    return diagnostics;
+  },
+};

package/dist/rules/wgl022.ts

@@ -0,0 +1,44 @@
+/**
+ * WGL022: Missing Artifacts Expiry
+ *
+ * Warns about `artifacts:` without `expire_in:`, which causes disk bloat
+ * on the GitLab instance. Default retention is "never expire" in some
+ * GitLab configurations.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl022: PostSynthCheck = {
+  id: "WGL022",
+  description: "Missing artifacts expiry — artifacts without expire_in cause disk bloat",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props?.artifacts) continue;
+
+      const artifacts = props.artifacts as Record<string, unknown>;
+      // artifacts might be a Declarable with its own props
+      const artProps = (artifacts.props as Record<string, unknown> | undefined) ?? artifacts;
+
+      if (!artProps.expire_in && !artProps.expireIn) {
+        diagnostics.push({
+          checkId: "WGL022",
+          severity: "warning",
+          message: `Job "${entityName}" has artifacts without expire_in — set an expiry to avoid disk bloat`,
+          entity: entityName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgl023.ts

@@ -0,0 +1,51 @@
+/**
+ * WGL023: Overly Broad Rules
+ *
+ * Flags jobs with a single rule that has only `when: always` and no
+ * conditions (no `if:`, `changes:`, etc.). This effectively disables
+ * all pipeline filtering for the job, which is usually unintended.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl023: PostSynthCheck = {
+  id: "WGL023",
+  description: "Overly broad rules — job with only when: always rule (no conditions)",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props?.rules || !Array.isArray(props.rules)) continue;
+
+      const rules = props.rules as Array<Record<string, unknown>>;
+      if (rules.length !== 1) continue;
+
+      const rule = rules[0];
+      const ruleProps = (rule.props as Record<string, unknown> | undefined) ?? rule;
+
+      const when = ruleProps.when;
+      const hasIf = !!ruleProps.if;
+      const hasChanges = !!ruleProps.changes;
+      const hasExists = !!ruleProps.exists;
+
+      if (when === "always" && !hasIf && !hasChanges && !hasExists) {
+        diagnostics.push({
+          checkId: "WGL023",
+          severity: "info",
+          message: `Job "${entityName}" has a single rule with only "when: always" — this disables all pipeline filtering. Consider adding conditions or removing rules entirely.`,
+          entity: entityName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgl024.ts

@@ -0,0 +1,46 @@
+/**
+ * WGL024: Manual Without allow_failure
+ *
+ * Warns about jobs with `when: manual` that don't set `allow_failure: true`.
+ * Without it, the manual job blocks the pipeline from progressing past
+ * its stage until someone manually triggers it.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl024: PostSynthCheck = {
+  id: "WGL024",
+  description: "Manual without allow_failure — manual jobs block pipeline without allow_failure: true",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props) continue;
+
+      // Check top-level when: manual
+      const isManual = props.when === "manual";
+      if (!isManual) continue;
+
+      // Check allow_failure
+      const allowFailure = props.allow_failure ?? props.allowFailure;
+      if (allowFailure !== true) {
+        diagnostics.push({
+          checkId: "WGL024",
+          severity: "warning",
+          message: `Job "${entityName}" has when: manual but no allow_failure: true — this will block the pipeline`,
+          entity: entityName,
+          lexicon: "gitlab",
+        });
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgl025.ts

@@ -0,0 +1,49 @@
+/**
+ * WGL025: Missing Cache Key
+ *
+ * Warns about `cache:` without `key:`. Without an explicit key, GitLab
+ * uses `default` as the key, which causes cache collisions between
+ * unrelated jobs sharing the same runner.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+export const wgl025: PostSynthCheck = {
+  id: "WGL025",
+  description: "Missing cache key — cache without key causes collisions",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props?.cache) continue;
+
+      // Cache can be a single object or an array
+      const caches = Array.isArray(props.cache) ? props.cache : [props.cache];
+
+      for (const cache of caches) {
+        const cacheObj = cache as Record<string, unknown>;
+        const cacheProps = (cacheObj.props as Record<string, unknown> | undefined) ?? cacheObj;
+
+        if (!cacheProps.key) {
+          diagnostics.push({
+            checkId: "WGL025",
+            severity: "warning",
+            message: `Job "${entityName}" has cache without a key — this causes cache collisions between jobs`,
+            entity: entityName,
+            lexicon: "gitlab",
+          });
+          break; // One diagnostic per job is enough
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};

package/dist/rules/wgl026.ts

@@ -0,0 +1,67 @@
+/**
+ * WGL026: Privileged Services Without TLS
+ *
+ * Warns about Docker-in-Docker (DinD) services that don't set
+ * DOCKER_TLS_CERTDIR. Running DinD without TLS exposes the Docker
+ * daemon on an unencrypted socket.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { isPropertyDeclarable } from "@intentius/chant/declarable";
+
+const DIND_IMAGES = ["docker:dind", "docker:stable-dind"];
+
+function isDindImage(image: string): boolean {
+  return DIND_IMAGES.some((dind) => image.includes(dind));
+}
+
+export const wgl026: PostSynthCheck = {
+  id: "WGL026",
+  description: "Privileged services without TLS — DinD services without DOCKER_TLS_CERTDIR",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    const diagnostics: PostSynthDiagnostic[] = [];
+
+    for (const [entityName, entity] of ctx.entities) {
+      if (isPropertyDeclarable(entity)) continue;
+      const entityType = (entity as Record<string, unknown>).entityType as string;
+      if (entityType !== "GitLab::CI::Job") continue;
+
+      const props = (entity as Record<string, unknown>).props as Record<string, unknown> | undefined;
+      if (!props?.services || !Array.isArray(props.services)) continue;
+
+      for (const service of props.services) {
+        let imageName: string | undefined;
+        let serviceVars: Record<string, unknown> | undefined;
+
+        if (typeof service === "string") {
+          imageName = service;
+        } else if (typeof service === "object" && service !== null) {
+          const svc = service as Record<string, unknown>;
+          const svcProps = (svc.props as Record<string, unknown> | undefined) ?? svc;
+          imageName = svcProps.name as string | undefined;
+          serviceVars = svcProps.variables as Record<string, unknown> | undefined;
+        }
+
+        if (!imageName || !isDindImage(imageName)) continue;
+
+        // Check if DOCKER_TLS_CERTDIR is set in service variables or job variables
+        const jobVars = props.variables as Record<string, unknown> | undefined;
+        const hasTLS = serviceVars?.DOCKER_TLS_CERTDIR !== undefined ||
+          jobVars?.DOCKER_TLS_CERTDIR !== undefined;
+
+        if (!hasTLS) {
+          diagnostics.push({
+            checkId: "WGL026",
+            severity: "warning",
+            message: `Job "${entityName}" uses DinD service without DOCKER_TLS_CERTDIR — the Docker daemon will be unencrypted`,
+            entity: entityName,
+            lexicon: "gitlab",
+          });
+        }
+      }
+    }
+
+    return diagnostics;
+  },
+};