Overview
Integrate Vibgrate with GitLab CI/CD for automated drift governance. SARIF output integrates with GitLab's SAST reports.
Basic Pipeline
Minimal configuration with SAST integration:
stages:
- test
vibgrate:
stage: test
image: node:22
script:
- npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
artifacts:
reports:
sast: vibgrate.sarif
Tip: GitLab automatically displays SARIF findings in merge request security reports.
With Vibgrate Cloud Push
Track drift trends across your organization:
vibgrate:
stage: test
image: node:22
script:
- npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
- npx @vibgrate/cli@latest push --file .vibgrate/scan_result.json --strict
variables:
VIBGRATE_DSN: $VIBGRATE_DSN
artifacts:
reports:
sast: vibgrate.sarif
rules:
- if: $CI_COMMIT_BRANCH == "main"
Note: Use rules: to only push from main branch for clean trend data.
With Baseline Gates
Prevent drift regression on merge requests:
vibgrate:
stage: test
image: node:22
script:
- |
npx @vibgrate/cli scan \
--baseline .vibgrate/baseline.json \
--drift-budget 40 \
--drift-worsening 5 \
--format sarif \
--out vibgrate.sarif \
--fail-on error
artifacts:
reports:
sast: vibgrate.sarif
| Gate | Effect |
|---|---|
--drift-budget 40 | Block MR if score > 40 |
--drift-worsening 5 | Block if drift increased > 5% |
--fail-on error | Block on critical findings |
With Caching
Speed up repeat scans with GitLab caching:
vibgrate:
stage: test
image: node:22
cache:
key: vibgrate-${CI_COMMIT_REF_SLUG}
paths:
- .vibgrate/
- node_modules/
script:
- npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
artifacts:
reports:
sast: vibgrate.sarif
Production-Ready Pipeline
Complete template with all features:
stages:
- test
- publish
variables:
NODE_VERSION: "20"
DRIFT_BUDGET: "40"
DRIFT_WORSENING: "5"
.vibgrate-base:
image: node:${NODE_VERSION}
cache:
key: vibgrate-${CI_COMMIT_REF_SLUG}
paths:
- .vibgrate/
vibgrate-scan:
extends: .vibgrate-base
stage: test
script:
- |
npx @vibgrate/cli scan \
--baseline .vibgrate/baseline.json \
--drift-budget ${DRIFT_BUDGET} \
--drift-worsening ${DRIFT_WORSENING} \
--format sarif \
--out vibgrate.sarif \
--fail-on error
artifacts:
reports:
sast: vibgrate.sarif
paths:
- .vibgrate/scan_result.json
expire_in: 1 week
vibgrate-push:
extends: .vibgrate-base
stage: publish
script:
- npx @vibgrate/cli@latest push --file .vibgrate/scan_result.json --strict
variables:
VIBGRATE_DSN: $VIBGRATE_DSN
rules:
- if: $CI_COMMIT_BRANCH == "main"
needs:
- vibgrate-scan
Setting Up CI/CD Variables
Add your DSN as a protected variable:
- Go to Settings → CI/CD → Variables
- Click Add variable
- Key:
VIBGRATE_DSN - Value: Your DSN from
vg dsn create - Check: Protect variable, Mask variable
SAST Report Integration
GitLab displays Vibgrate findings in merge request security reports:
| Finding Type | GitLab Display |
|---|---|
| Error | High severity vulnerability |
| Warning | Medium severity |
| Info | Low severity |
Related
- CI Integration Overview — Cross-platform CI setup
- GitHub Actions — Alternative CI platform
- vg push — Vibgrate Cloud upload details