Skip to main content
CI Integration

GitLab CI

Integrate Vibgrate with GitLab CI/CD pipelines and SAST reports.

Overview

Integrate Vibgrate with GitLab CI/CD for automated drift governance. SARIF output integrates with GitLab's SAST reports.


Basic Pipeline

Minimal configuration with SAST integration:

stages:
  - test

vibgrate:
  stage: test
  image: node:22
  script:
    - npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
  artifacts:
    reports:
      sast: vibgrate.sarif

Tip: GitLab automatically displays SARIF findings in merge request security reports.


With Vibgrate Cloud Push

Track drift trends across your organization:

vibgrate:
  stage: test
  image: node:22
  script:
    - npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
    - npx @vibgrate/cli@latest push --file .vibgrate/scan_result.json --strict
  variables:
    VIBGRATE_DSN: $VIBGRATE_DSN
  artifacts:
    reports:
      sast: vibgrate.sarif
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

Note: Use rules: to only push from main branch for clean trend data.


With Baseline Gates

Prevent drift regression on merge requests:

vibgrate:
  stage: test
  image: node:22
  script:
    - |
      npx @vibgrate/cli scan \
        --baseline .vibgrate/baseline.json \
        --drift-budget 40 \
        --drift-worsening 5 \
        --format sarif \
        --out vibgrate.sarif \
        --fail-on error
  artifacts:
    reports:
      sast: vibgrate.sarif
GateEffect
--drift-budget 40Block MR if score > 40
--drift-worsening 5Block if drift increased > 5%
--fail-on errorBlock on critical findings

With Caching

Speed up repeat scans with GitLab caching:

vibgrate:
  stage: test
  image: node:22
  cache:
    key: vibgrate-${CI_COMMIT_REF_SLUG}
    paths:
      - .vibgrate/
      - node_modules/
  script:
    - npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
  artifacts:
    reports:
      sast: vibgrate.sarif

Production-Ready Pipeline

Complete template with all features:

stages:
  - test
  - publish

variables:
  NODE_VERSION: "20"
  DRIFT_BUDGET: "40"
  DRIFT_WORSENING: "5"

.vibgrate-base:
  image: node:${NODE_VERSION}
  cache:
    key: vibgrate-${CI_COMMIT_REF_SLUG}
    paths:
      - .vibgrate/

vibgrate-scan:
  extends: .vibgrate-base
  stage: test
  script:
    - |
      npx @vibgrate/cli scan \
        --baseline .vibgrate/baseline.json \
        --drift-budget ${DRIFT_BUDGET} \
        --drift-worsening ${DRIFT_WORSENING} \
        --format sarif \
        --out vibgrate.sarif \
        --fail-on error
  artifacts:
    reports:
      sast: vibgrate.sarif
    paths:
      - .vibgrate/scan_result.json
    expire_in: 1 week

vibgrate-push:
  extends: .vibgrate-base
  stage: publish
  script:
    - npx @vibgrate/cli@latest push --file .vibgrate/scan_result.json --strict
  variables:
    VIBGRATE_DSN: $VIBGRATE_DSN
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  needs:
    - vibgrate-scan

Setting Up CI/CD Variables

Add your DSN as a protected variable:

  1. Go to SettingsCI/CDVariables
  2. Click Add variable
  3. Key: VIBGRATE_DSN
  4. Value: Your DSN from vg dsn create
  5. Check: Protect variable, Mask variable

SAST Report Integration

GitLab displays Vibgrate findings in merge request security reports:

Finding TypeGitLab Display
ErrorHigh severity vulnerability
WarningMedium severity
InfoLow severity

Related

Related Documentation