diff --git a/pkg/yaml/lint.go b/pkg/yaml/lint.go
index 07b779365..9141549af 100644
--- a/pkg/yaml/lint.go
+++ b/pkg/yaml/lint.go
@@ -22,6 +22,7 @@ var lintRules = [...]lintRule{
 expectTrustedPublish,
 expectTrustedDeploy,
 expectTrustedNotify,
+ expectCacheInWorkspace,
 }
 // Lint runs all lint rules against the Yaml Config.
@@ -105,6 +106,26 @@ func expectTrustedNotify(c *common.Config) error {
 return nil
 }
+// lint rule that fails if the cache directories are not contained
+// in the workspace.
+func expectCacheInWorkspace(c *common.Config) error {
+ for _, step := range c.Build.Cache {
+ if strings.Index(step, ":") != -1 {
+ return fmt.Errorf("Cache cannot contain : in the path")
+ }
+
+ cleaned := filepath.Clean(step)
+
+ if strings.Index(cleaned, "../") != -1 {
+ return fmt.Errorf("Cache must point to a path in the workspace")
+ } else if cleaned == "." {
+ return fmt.Errorf("Cannot cache the workspace")
+ }
+ }
+
+ return nil
+}
+
 func LintPlugins(c *common.Config, opts *Opts) error {
 if len(opts.Whitelist) == 0 {
 return nil
diff --git a/pkg/yaml/lint_test.go b/pkg/yaml/lint_test.go
index 3afde444f..d446f684a 100644
--- a/pkg/yaml/lint_test.go
+++ b/pkg/yaml/lint_test.go
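Review bot: The traversal check in expectCacheInWorkspace searches the cleaned path for the substring `"../"`, but `filepath.Clean` drops a trailing separator, so an entry that cleans to exactly `..` (for example `..` or `a/../..`) contains no `"../"` and passes the rule. After Clean, a relative path can only carry `..` components at its start, so the condition is tighter and avoids false hits on names like `foo../bar` when written as `if cleaned == ".." || strings.HasPrefix(cleaned, "../") {`. The tests accept `/.git` as inside the workspace, so rooted entries are presumably re-based onto the workspace by whatever consumes `c.Build.Cache`; if that is the case, `/` cleans to `/` and is not caught by the `cleaned == "."` branch, which is worth confirming against that consumer. The check also assumes forward slashes, while `filepath.Clean` returns OS-native separators; `path.Clean` on the slash form would keep the rule platform-independent.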
@@ -88,6 +88,41 @@ func Test_Linter(t *testing.T) {
 g.Assert(Lint(c) == nil).IsTrue()
 })
+ g.It("Should pass with path inside workspace", func() {
+ c := &common.Config{
+ Build: &common.Step{
+ Cache: []string{".git","/.git","/.git/../.git/../.git"},
+ },
+ }
+ g.Assert(expectCacheInWorkspace(c) == nil).IsTrue()
+ })
+
+ g.It("Should fail with path outside workspace", func() {
+ c := &common.Config{
+ Build: &common.Step{
+ Cache: []string{".git","/.git","../../.git"},
+ },
+ }
+ g.Assert(expectCacheInWorkspace(c) != nil).IsTrue()
+ })
+
+ g.It("Should fail when caching workspace directory", func() {
+ c := &common.Config{
+ Build: &common.Step{
+ Cache: []string{".git",".git/../"},
+ },
+ }
+ g.Assert(expectCacheInWorkspace(c) != nil).IsTrue()
+ })
+
+ g.It("Should fail when : is in the path", func() {
+ c := &common.Config{
+ Build: &common.Step{
+ Cache: []string{".git",".git:/../"},
+ },
+ }
+ g.Assert(expectCacheInWorkspace(c) != nil).IsTrue()
+ })
 })
 }
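Review bot: The failing cases never include an entry that cleans to exactly `..`, `/`, or the empty string, so the boundary behaviour of the rule is not pinned. The only outside-workspace input is `../../.git`, which still contains `"../"` after cleaning. Adding a case with `Cache: []string{".git", ".."}` and one with `Cache: []string{".git", ".git/../.."}`, both asserting `expectCacheInWorkspace(c) != nil`, would cover the parent-directory boundary. The "inside workspace" case also lists `/.git` without saying why a rooted path counts as inside the workspace; a short comment such as `// rooted entries are interpreted relative to the workspace` (if that is the intent) would make the expectation reviewable.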