
GitLab CI

Integrate Inkog into your GitLab CI/CD pipeline.

An API key is required for all scans. Set INKOG_API_KEY as a CI/CD variable before running pipelines: Settings → CI/CD → Variables → Add INKOG_API_KEY

Basic Pipeline

Add to .gitlab-ci.yml:

    stages:
      - test
      - security

    inkog-scan:
      stage: security
      image: ubuntu:latest
      script:
        - apt-get update && apt-get install -y curl
        - curl -fsSL https://inkog.io/install.sh | sh
        - inkog -output json . > inkog-report.json
      variables:
        INKOG_API_KEY: $INKOG_API_KEY
      artifacts:
        paths:
          - inkog-report.json
        reports:
          security: inkog-report.json
        when: always

Alternative: Using Go Image

If you prefer using Go:

    inkog-scan:
      stage: security
      image: golang:1.21
      script:
        - go install github.com/inkog-io/inkog/cmd/inkog@latest
        - inkog -output json . > inkog-report.json
      variables:
        INKOG_API_KEY: $INKOG_API_KEY
      artifacts:
        paths:
          - inkog-report.json
        when: always

With Severity Threshold

Fail pipeline only on critical or high findings:

    inkog-scan:
      stage: security
      image: ubuntu:latest
      script:
        - apt-get update && apt-get install -y curl
        - curl -fsSL https://inkog.io/install.sh | sh
        - inkog -output json -severity high .
      variables:
        INKOG_API_KEY: $INKOG_API_KEY
      allow_failure: false

Merge Request Pipeline

Scan only on merge requests:

    inkog-scan:
      stage: security
      image: ubuntu:latest
      rules:
        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      script:
        - apt-get update && apt-get install -y curl
        - curl -fsSL https://inkog.io/install.sh | sh
        - inkog -output json . > report.json
      variables:
        INKOG_API_KEY: $INKOG_API_KEY
      artifacts:
        paths:
          - report.json
        when: always

With HTML Report

Generate both JSON and HTML reports:

    inkog-scan:
      stage: security
      image: ubuntu:latest
      script:
        - apt-get update && apt-get install -y curl
        - curl -fsSL https://inkog.io/install.sh | sh
        - inkog -output json . > inkog-report.json
        - inkog -output html . > inkog-report.html
      variables:
        INKOG_API_KEY: $INKOG_API_KEY
      artifacts:
        paths:
          - inkog-report.json
          - inkog-report.html
        expose_as: 'Security Reports'
        when: always

Scheduled Pipeline

Run scans on a schedule:

    inkog-scheduled:
      stage: security
      image: ubuntu:latest
      rules:
        - if: $CI_PIPELINE_SOURCE == "schedule"
      script:
        - apt-get update && apt-get install -y curl jq
        - curl -fsSL https://inkog.io/install.sh | sh
        - inkog -output json . > report.json
        - |
          CRITICAL=$(jq '.summary.critical' report.json)
          if [ "$CRITICAL" -gt 0 ]; then
            echo "Critical vulnerabilities found!"
            exit 1
          fi
      variables:
        INKOG_API_KEY: $INKOG_API_KEY

To set up the schedule:

  1. Go to CI/CD → Schedules
  2. Create a new schedule (e.g., daily at 9 AM)
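
The shell check in the scheduled job passes when report.json is empty or lacks `.summary.critical`, because `[ "$CRITICAL" -gt 0 ]` then errors and the `if` treats that as false. The following fail-closed gate is an added example, not part of Inkog or of the original page; it assumes python3 is available in the job image, that the script is saved under the hypothetical name inkog_gate.py and called as `python3 inkog_gate.py report.json`, and it relies only on the `summary.critical` field used above.

```python
#!/usr/bin/env python3
"""Fail-closed CI gate for a scanner JSON report (added example, not Inkog's code)."""
import json
import sys

# Constructed sample reports; only summary.critical is taken from the page.
SAMPLE_CLEAN = '{"summary": {"critical": 0}}'
SAMPLE_FINDINGS = '{"summary": {"critical": 3}}'
SAMPLE_TRUNCATED = ''  # what a failed or interrupted scan can leave behind


def gate(report_text, field="critical", max_allowed=0):
    """Return (exit_code, message): 0 pass, 1 findings, 2 unusable report."""
    try:
        report = json.loads(report_text)
    except (json.JSONDecodeError, TypeError) as exc:
        return 2, f"report is not valid JSON: {exc}"
    summary = report.get("summary") if isinstance(report, dict) else None
    if not isinstance(summary, dict):
        return 2, "report has no 'summary' object"
    count = summary.get(field)
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(count, bool) or not isinstance(count, int) or count < 0:
        return 2, f"summary.{field} is missing or not a count: {count!r}"
    if count > max_allowed:
        return 1, f"{count} {field} finding(s), threshold is {max_allowed}"
    return 0, f"{count} {field} finding(s), within threshold"


def main(argv):
    path = argv[1] if len(argv) > 1 else "report.json"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"inkog-gate: cannot read {path}: {exc}", file=sys.stderr)
        return 2
    code, message = gate(text)
    print(f"inkog-gate: {message}", file=sys.stderr if code else sys.stdout)
    return code  # any non-zero exit fails the GitLab job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exit code 2 keeps an unusable report distinguishable from real findings (exit code 1) in the job log, while both fail the job.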

Security Dashboard Integration

GitLab’s Security Dashboard can display Inkog findings when using the reports:sast artifact:

    inkog-scan:
      stage: security
      image: ubuntu:latest
      script:
        - apt-get update && apt-get install -y curl
        - curl -fsSL https://inkog.io/install.sh | sh
        - inkog -output json . > gl-sast-report.json
      variables:
        INKOG_API_KEY: $INKOG_API_KEY
      artifacts:
        reports:
          sast: gl-sast-report.json

Protected Branches

Configure merge request approvals based on security scan results:

  1. Go to Settings → Merge requests
  2. Enable "Pipelines must succeed"
  3. Optionally require approval from security team when vulnerabilities are found