diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5180c6f663b550c9013b729d7c2a6c04c477ada3..b2ae923780b304f50a6a9dac311fa6b68f50a372 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,16 +8,20 @@ workflow:
 - if: $CI_COMMIT_REF_PROTECTED == 'true'
 - if: $CI_MERGE_REQUEST_ID
-# TODO: replace with https://docs.gitlab.com/ee/api/lint.html
-#lint:
-# stage: lint
-# image: node:lts-alpine
-# script:
-# - npm install -g gitlab-ci-lint
-# - find . \( -name '*.yaml' -o -name '*.yml' \) -print -exec gitlab-ci-lint --url https://gitlab.astro-wise.org "{}" \;
+lint:
+ stage: lint
+ # Note: the ci-tools image has to be build and pushed manually once to bootstrap this job
+ # since this job comes before the build_containers job.
+ image: ${CI_REGISTRY_IMAGE}/ci-tools:master
+ script:
+ # Note: we cannot use the GitLab API https://docs.gitlab.com/ee/api/lint.html
+ # for this since that does not support local includes.
+ - shopt -s globstar dotglob
+ - check-jsonschema --builtin-schema vendor.gitlab-ci **/*.yml
 build_containers:
 stage: build
+ # Note: the docker-builder image has to be build and pushed manually once to bootstrap this job.
 image: ${CI_REGISTRY_IMAGE}/docker-builder:master
 script:
 # Find the directories that contain a file named 'Dockerfile'
diff --git a/dockerfiles/ci-tools/Dockerfile b/dockerfiles/ci-tools/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..3003d8a818a0ffbb2d9b80b2d57bed77b6e5c43d
--- /dev/null
+++ b/dockerfiles/ci-tools/Dockerfile
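Review bot: In the `lint` job of .gitlab-ci.yml the glob `**/*.yml` matches only files ending in `.yml`, while the commented-out job it replaces searched for both `*.yaml` and `*.yml`, so a CI file with the `.yaml` extension would not be validated. If that is intended, a short comment saying so would help; otherwise the last script line could become `- check-jsonschema --builtin-schema vendor.gitlab-ci **/*.yml **/*.yaml`, with `nullglob` added to the `shopt -s` line so an unmatched pattern is not passed through literally. The job also validates every `.yml` file in the tree against the GitLab CI schema, which presumably assumes the repository holds nothing but CI templates.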
@@ -0,0 +1,38 @@
+FROM python:3
+
+LABEL description="Various tools that come in handy during (GitLab) CI"
+
+# Install via apt
+RUN apt-get update && apt-get -y install \
+ jq \
+ rsync \
+ s-nail \
+ gettext \
+ && apt-get clean
+# Install via pip
+RUN pip install \
+ check-jsonschema \
+ black==22.3.0 \
+ autopep8 \
+ python-gitlab \
+ python-compare-ast \
+ coverage-fixpaths
+
+# Install Gitlab release-cli
+RUN curl --location --output /usr/local/bin/release-cli "https://gitlab.com/gitlab-org/release-cli/-/releases/permalink/latest/downloads/bin/release-cli-linux-amd64" \
+ && chmod +x /usr/local/bin/release-cli
+
+# Install git-scripts
+RUN git clone https://gitlab.astro-wise.org/omegacen/git-scripts.git ~/git-scripts \
+ && mv ~/git-scripts/bin/* /usr/local/bin/ \
+ && rm -rf ~/git-scripts
+
+# Install ssh-addkey
+RUN mkdir -p ~/.ssh
+RUN echo "Host *\n\tStrictHostKeyChecking no" > ~/.ssh/config
+COPY ssh-addkey.sh /usr/local/bin/ssh-addkey
+COPY python-gitlab-set-private-token.sh /usr/local/bin/python-gitlab-set-private-token
+
+COPY entrypoint.sh /usr/local/bin/entrypoint
+ENTRYPOINT [ "/bin/bash", "/usr/local/bin/entrypoint" ]
+CMD [ "/bin/bash" ]
diff --git a/dockerfiles/ci-tools/entrypoint.sh b/dockerfiles/ci-tools/entrypoint.sh
new file mode 100755
index 0000000000000000000000000000000000000000..d6cc6d7aafd35bbee045581f60bdb08fd20728ad
--- /dev/null
+++ b/dockerfiles/ci-tools/entrypoint.sh
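Review bot: In dockerfiles/ci-tools/Dockerfile the line `RUN echo "Host *\n\tStrictHostKeyChecking no" > ~/.ssh/config` turns off host key verification for every SSH connection made from this image, so a job that uses a key installed with `ssh-addkey` accepts whichever server answers and cannot detect an impersonated host. Shipping the expected host keys instead, e.g. `COPY known_hosts /etc/ssh/ssh_known_hosts` (the `known_hosts` source file is a placeholder that would have to be added next to the Dockerfile), and writing only `Host *` into the config keeps `ssh-addkey` working while restoring the check. Separately, release-cli is downloaded from the `permalink/latest` URL without `--fail` and without a checksum, so an HTTP error page or a changed binary would be installed as `/usr/local/bin/release-cli`; pinning a release and verifying its SHA-256 in the same `RUN` would close that gap. The same pinning concern applies to `FROM python:3`, the unpinned `pip install` entries and the `git clone` of git-scripts.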
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Propagate GitLab CI variables to Git.
+if [ -n "${GITLAB_USER_EMAIL}" ]; then
+ git config --global user.email "${GITLAB_USER_EMAIL}"
+fi
+if [ -n "${GITLAB_USER_NAME}" ]; then
+ git config --global user.name "${GITLAB_USER_NAME}"
+fi
+
+# Set python-gitlab configuration.
+if [ -n "${GITLAB_CI}" ]; then
+ cat << EOF > ~/.python-gitlab.cfg
+[global]
+default = current-ci-server
+
+[current-ci-server]
+url = ${CI_SERVER_URL}
+job_token = ${CI_JOB_TOKEN}
+api_version = 4
+EOF
+fi
+
+# Run whatever the user wants to.
+exec "$@"
\ No newline at end of file
diff --git a/dockerfiles/ci-tools/python-gitlab-set-private-token.sh b/dockerfiles/ci-tools/python-gitlab-set-private-token.sh
new file mode 100755
index 0000000000000000000000000000000000000000..d7a895d10b5ab344252c629f632aead05f109b32
--- /dev/null
+++ b/dockerfiles/ci-tools/python-gitlab-set-private-token.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+if [ -z "${GITLAB_CI}" ]; then
+ echo "Not running during GitLab CI, exiting."
+ exit 1
+fi
+
+cat << EOF > ~/.python-gitlab.cfg
+[global]
+default = current-ci-server
+
+[current-ci-server]
+url = ${CI_SERVER_URL}
+private_token = $1
+api_version = 4
+EOF
\ No newline at end of file
diff --git a/dockerfiles/ci-tools/ssh-addkey.sh b/dockerfiles/ci-tools/ssh-addkey.sh
new file mode 100755
index 0000000000000000000000000000000000000000..5218ddb35cd84314c7e4b59062cb4ba76e0e8060
--- /dev/null
+++ b/dockerfiles/ci-tools/ssh-addkey.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Find a non-existing filename for the private key
+fileprefix="${HOME}/.ssh/id_"
+i=0
+while [[ -e ${fileprefix}${i} ]] ; do
+ (( i++ ))
+done
+file="${fileprefix}${i}"
+
+# Put the key in the file and make it read-only
+echo "$1" > "${file}"
+chmod 600 "${file}"
+
+# Make SSH aware of the private key
+echo -e "\tIdentityFile ${file}" >> ~/.ssh/config
\ No newline at end of file
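Review bot: In dockerfiles/ci-tools/entrypoint.sh the heredoc creates `~/.python-gitlab.cfg` under the default umask, so the file holding `CI_JOB_TOKEN` is typically left readable by other users (the exact mode depends on the umask in effect). Putting `umask 077` on the line before `cat << EOF > ~/.python-gitlab.cfg` would create it owner-only. The same defect is in python-gitlab-set-private-token.sh, which writes a private token the same way, and in ssh-addkey.sh, where the key file exists with default permissions until the following `chmod 600` runs.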
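Review bot: python-gitlab-set-private-token.sh does not check `$1` before writing, so calling it without an argument, or with an unset CI variable, replaces the job-token configuration written by the entrypoint with an empty `private_token =` line. A guard before the heredoc such as `[ -n "$1" ] || { echo "usage: python-gitlab-set-private-token TOKEN" >&2; exit 1; }` would fail the job instead. The token is also taken as a positional argument, which makes it visible in the process list while the script runs; ssh-addkey.sh takes the private key the same way, and reading the secret from stdin or a named environment variable would avoid that.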
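Review bot: In ssh-addkey.sh the final `echo -e "\tIdentityFile ${file}" >> ~/.ssh/config` only has the intended effect while the last stanza of `~/.ssh/config` is the `Host *` block written in the Dockerfile; if a job appends its own `Host` block first, the key is bound to that host alone. A comment stating the dependency would help, for example `# Appends to the trailing "Host *" stanza created in the image; add other Host blocks only after calling this.` The existing comment "make it read-only" also does not match `chmod 600`, which leaves the file owner-writable; either reword it to "owner-only" or use `chmod 400`.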
diff --git a/dockerfiles/docker-builder/Dockerfile b/dockerfiles/docker-builder/Dockerfile
index fef215ae1c4377987026a2b21863de21746cb0e3..5fed2fbd76ad6117a2e78b02880571a179da1b1a 100644
--- a/dockerfiles/docker-builder/Dockerfile
+++ b/dockerfiles/docker-builder/Dockerfile
@@ -1,5 +1,7 @@
 FROM gcr.io/kaniko-project/executor:debug
+LABEL description="Convenience wrapper around kaniko for building images in GitLab CI"
+
 RUN mkdir -p /kaniko/.docker
 COPY entrypoint.sh /usr/local/bin/entrypoint
 COPY buildimage.sh /usr/local/bin/buildimage