[DOCS] Inconsistent Permission Syntax for Bash Catch-all in GitLab CI/CD Guide
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://code.claude.com/docs/en/settings-https://code.claude.com/docs/en/gitlab-ci-cd
Section/Topic
- Permission rule syntax for Bash and file tools.
Current Documentation
- In Settings (
https://code.claude.com/docs/en/settings#permission-rule-syntax):
"Note that Bash(*) does not match all Bash commands. Use Bash without parentheses to match all uses."
- In GitLab CI/CD (
https://code.claude.com/docs/en/gitlab-ci-cd#quick-setup):
The example .gitlab-ci.yml uses: --allowedTools "Bash(*) Read(*) Edit(*) Write(*) mcp__gitlab"
What's Wrong or Missing?
There is a direct contradiction between the core "Settings" reference and the practical "GitLab CI/CD" example. According to the reference documentation, the pattern provided in the GitLab guide is invalid or ineffective for matching all commands. Furthermore, the use of Read(*), Edit(*), and Write(*) in that same example likely follows the same incorrect logic, as those tools also recommend bare names or specific glob patterns (like Read(/**)) for broad access.
Suggested Improvement
Update the code snippets in the GitLab CI/CD documentation (and any other CI/CD templates) to use the correct "bare tool name" syntax for catch-all permissions.
Suggested Text for GitLab example:
- >
claude
-p "${AI_FLOW_INPUT:-'Review this MR and implement the requested changes'}"
--permission-mode acceptEdits
--allowedTools "Bash Read Edit Write mcp__gitlab"
--debug
Impact
High - Prevents users from using a feature
Additional Context
- Related Documentation:
https://code.claude.com/docs/en/iam#tool-specific-permission-rulesalso reinforces thatBashmatches all commands, andBash(*)only matches within the specifier context. - Impact: Users setting up automation in GitLab following the current "Quick Setup" guide will likely encounter permission denied errors or unexpected prompts because the
Bash(*)pattern does not actually grant broad shell access as the example implies.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗