[DOCS] Inconsistent Permission Syntax for Bash Catch-all in GitLab CI/CD Guide

Resolved 💬 3 comments Opened Jan 19, 2026 by coygeek Closed Feb 27, 2026

Documentation Type

Missing documentation (feature not documented)

Documentation Location

  • https://code.claude.com/docs/en/settings - https://code.claude.com/docs/en/gitlab-ci-cd

Section/Topic

  • Permission rule syntax for Bash and file tools.

Current Documentation

  • In Settings (https://code.claude.com/docs/en/settings#permission-rule-syntax):

"Note that Bash(*) does not match all Bash commands. Use Bash without parentheses to match all uses."

  • In GitLab CI/CD (https://code.claude.com/docs/en/gitlab-ci-cd#quick-setup):

The example .gitlab-ci.yml uses: --allowedTools "Bash(*) Read(*) Edit(*) Write(*) mcp__gitlab"

What's Wrong or Missing?

There is a direct contradiction between the core "Settings" reference and the practical "GitLab CI/CD" example. According to the reference documentation, the pattern provided in the GitLab guide is invalid or ineffective for matching all commands. Furthermore, the use of Read(*), Edit(*), and Write(*) in that same example likely follows the same incorrect logic, as those tools also recommend bare names or specific glob patterns (like Read(/**)) for broad access.

Suggested Improvement

Update the code snippets in the GitLab CI/CD documentation (and any other CI/CD templates) to use the correct "bare tool name" syntax for catch-all permissions.

Suggested Text for GitLab example:

    - >
      claude
      -p "${AI_FLOW_INPUT:-'Review this MR and implement the requested changes'}"
      --permission-mode acceptEdits
      --allowedTools "Bash Read Edit Write mcp__gitlab"
      --debug

Impact

High - Prevents users from using a feature

Additional Context

  • Related Documentation: https://code.claude.com/docs/en/iam#tool-specific-permission-rules also reinforces that Bash matches all commands, and Bash(*) only matches within the specifier context.
  • Impact: Users setting up automation in GitLab following the current "Quick Setup" guide will likely encounter permission denied errors or unexpected prompts because the Bash(*) pattern does not actually grant broad shell access as the example implies.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗