
GitLab CI

Integrate Inkog into your GitLab CI/CD pipeline.

Basic Pipeline

Add to .gitlab-ci.yml:

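```yaml
stages:
  - test
  - security

inkog-scan:
  stage: security
  image: golang:1.21
  script:
    # @latest tracks the newest release; pin a version tag for reproducible scans
    - go install github.com/inkog-io/inkog@latest
    - inkog -output json . > inkog-report.json
  artifacts:
    paths:
      - inkog-report.json
    reports:
      # GitLab has no "security" report type; "sast" is the report key
      sast: inkog-report.json
    when: always
```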

With Severity Threshold

Fail the pipeline only on critical or high findings:

```yaml
inkog-scan:
  stage: security
  image: golang:1.21
  script:
    - go install github.com/inkog-io/inkog@latest
    - inkog -output json -severity high .
  allow_failure: false
```

Merge Request Pipeline

Scan only on merge requests:

```yaml
inkog-scan:
  stage: security
  image: golang:1.21
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - go install github.com/inkog-io/inkog@latest
    - inkog -output json . > report.json
  artifacts:
    paths:
      - report.json
    when: always
```

With HTML Report

Generate both JSON and HTML reports:

```yaml
inkog-scan:
  stage: security
  image: golang:1.21
  script:
    - go install github.com/inkog-io/inkog@latest
    - inkog -output json . > inkog-report.json
    - inkog -output html . > inkog-report.html
  artifacts:
    paths:
      - inkog-report.json
      - inkog-report.html
    expose_as: 'Security Reports'
    when: always
```

Scheduled Pipeline

Run scans on a schedule:

```yaml
inkog-scheduled:
  stage: security
  image: golang:1.21
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - go install github.com/inkog-io/inkog@latest
    - inkog -output json . > report.json
    - |
      # Read the critical count; a missing field is treated as 0
      CRITICAL=$(grep -o '"critical": *[0-9][0-9]*' report.json | grep -o '[0-9][0-9]*$' | head -n 1)
      if [ "${CRITICAL:-0}" -gt 0 ]; then
        echo "Critical vulnerabilities found!"
        exit 1
      fi
```

To set up the schedule:

  1. Go to CI/CD → Schedules
  2. Create a new schedule (e.g., daily at 9 AM)
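
An added example, not part of the Inkog documentation: a stricter form of the critical-count check in the scheduled job, which fails the job when the count cannot be read instead of letting it pass. It assumes the report contains a numeric `"critical"` field, as the job's `grep` implies; `critical_count`, `inkog_gate` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example: fail-closed severity gate for a scheduled scan.
# Assumption: the report has a numeric "critical" field, as the grep in
# the scheduled job implies. The real Inkog schema may differ.

# Print the highest "critical" count in the report; return 2 if unreadable.
critical_count() {
  [ -s "$1" ] || return 2                       # missing or empty file
  count=$(grep -o '"critical"[[:space:]]*:[[:space:]]*[0-9][0-9]*' "$1" \
    | grep -o '[0-9][0-9]*$' | sort -n | tail -n 1)
  [ -n "$count" ] || return 2                   # field absent or not a number
  printf '%s\n' "$count"
}

# Return status: 0 clean, 1 critical findings, 2 report unreadable.
inkog_gate() {
  if ! n=$(critical_count "$1"); then
    echo "Cannot read critical count from $1, failing closed" >&2
    return 2
  fi
  if [ "$n" -gt 0 ]; then
    echo "Critical vulnerabilities found: $n" >&2
    return 1
  fi
  echo "No critical findings in $1"
}

# Demo on constructed reports (not real Inkog output).
demo() {
  tmp=$(mktemp -d)
  printf '{"summary":{"critical":2,"high":5}}' > "$tmp/bad.json"
  printf '{"summary": {"critical" : 0}}\n' > "$tmp/clean.json"
  printf '{"findings":[]}' > "$tmp/unknown.json"
  for name in bad clean unknown; do
    rc=0; inkog_gate "$tmp/$name.json" || rc=$?
    echo "$name.json -> status $rc"
  done
  rm -rf "$tmp"
}

# With a path argument, gate that report; with none, run the demo.
if [ -n "${1:-}" ]; then inkog_gate "$1"; else demo; fi
```

Committed to the repository and called with `report.json` after the scan step, the script's non-zero status fails the job both on critical findings and on a report it cannot parse.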

Caching

Cache the Go module downloads to speed up builds:

```yaml
inkog-scan:
  stage: security
  image: golang:1.21
  variables:
    GOPATH: $CI_PROJECT_DIR/.go
  cache:
    paths:
      - .go/pkg/mod/
  script:
    # GOPATH is relocated, so put its bin directory on PATH
    - export PATH="$GOPATH/bin:$PATH"
    - go install github.com/inkog-io/inkog@latest
    - inkog -output json .
```

Security Dashboard Integration

GitLab’s Security Dashboard can display Inkog findings when the report is uploaded as a reports:sast artifact. GitLab validates the file against its SAST report schema, so the JSON must conform for findings to appear:

```yaml
inkog-scan:
  stage: security
  image: golang:1.21
  script:
    - go install github.com/inkog-io/inkog@latest
    - inkog -output json . > gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json
```

Protected Branches

Configure merge request approvals based on security scan results:

  1. Go to Settings → Merge requests
  2. Enable Pipelines must succeed
  3. Optionally require approval from the security team when vulnerabilities are found