
GitLab CI

Drop Vulkro into a GitLab pipeline as a test-stage job that publishes JUnit so findings render in the MR's test-report tab.

One-liner: the includable template

Vulkro ships a reusable template at integrations/gitlab-ci/.gitlab-ci.template.yml. Pull it in with include: and you skip the manual binary fetch and gate wiring:

.gitlab-ci.yml
include:
  - remote: 'https://raw.githubusercontent.com/OrignalLazyCoder/vulkro/main/integrations/gitlab-ci/.gitlab-ci.template.yml'

variables:
  VULKRO_VERSION: "v1.0.0"        # pin in production
  VULKRO_SCAN_PATH: "."
  VULKRO_FAIL_THRESHOLD: "high"   # critical | high | medium | low

The template runs two jobs in the test stage:

  • vulkro:scan emits SARIF, JUnit, and GitLab Code Quality JSON. The Code Quality report renders findings inline on the MR's Changes tab; the SARIF feeds the Vulnerability Report tab on GitLab Ultimate; JUnit feeds the pipeline summary widget.
  • vulkro:gate runs only on merge_request_event and fails on new findings vs the target branch. Pre-existing tech debt does not block merges.

The template defaults VULKRO_OFFLINE=1 so the scanner makes no outbound network calls from CI.
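The "new findings vs the target branch" comparison that vulkro:gate performs, as an added example that is not Vulkro's own code. It assumes Vulkro's --format sarif output is standard SARIF 2.1.0 and that the target branch has already been scanned; the two embedded SARIF documents, their rule IDs, paths and snippets are constructed for illustration.

```python
import json
import sys
# Constructed sample SARIF 2.1.0 documents (rule IDs, paths and snippets are made up).
BASELINE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "VK-CRYPTO-001", "level": "error", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/auth.py"},
        "region": {"startLine": 12, "snippet": {"text": "hashlib.md5(pw)"}}}}]}]}]})
CURRENT_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    # pre-existing finding, pushed down to line 20 by unrelated edits above it
    {"ruleId": "VK-CRYPTO-001", "level": "error", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/auth.py"},
        "region": {"startLine": 20, "snippet": {"text": "hashlib.md5(pw)"}}}}]},
    # finding genuinely introduced by the MR
    {"ruleId": "VK-INJ-002", "level": "error", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/db.py"},
        "region": {"startLine": 44, "snippet": {"text": "cursor.execute(q % user)"}}}}]},
    # also new, but below the gate threshold
    {"ruleId": "VK-STYLE-009", "level": "note", "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": "src/db.py"},
        "region": {"startLine": 3, "snippet": {"text": "import os, sys"}}}}]}]}]})
LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}

def fingerprint(result):
    """Identity of a finding: rule + file + flagged snippet. Line numbers are left out
    so that edits elsewhere in the file do not make an old finding look new."""
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "")
    region = loc.get("region", {})
    key = region.get("snippet", {}).get("text", "").strip() or str(region.get("startLine", ""))
    return (result.get("ruleId", ""), uri, key)

def load_findings(sarif_text):
    doc = json.loads(sarif_text)
    return {fingerprint(r): r for run in doc.get("runs", []) for r in run.get("results", [])}

def new_findings(baseline_sarif, current_sarif, min_level="error"):
    """Findings in the MR scan that are absent from the target-branch scan and at/above min_level."""
    baseline = load_findings(baseline_sarif)
    return [r for fp, r in load_findings(current_sarif).items()
            if fp not in baseline
            and LEVEL_RANK.get(r.get("level", "warning"), 1) >= LEVEL_RANK[min_level]]

def gate(baseline_sarif, current_sarif, min_level="error"):
    """Job exit status: 1 when the MR introduces findings at or above min_level, else 0."""
    new = new_findings(baseline_sarif, current_sarif, min_level)
    for r in new:
        print(f"NEW {r.get('level')}: {r.get('ruleId')} in {fingerprint(r)[1]}")
    return 1 if new else 0

if __name__ == "__main__":
    sys.exit(gate(BASELINE_SARIF, CURRENT_SARIF))
```

In a pipeline the two inputs would be the SARIF artefact from the target branch and the one from the MR head; pre-existing tech debt stays visible in the report but does not flip the exit status.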

Manual pipeline (no template)

If you'd rather inline the steps:

Minimal pipeline

.gitlab-ci.yml
vulkro:
  stage: test
  image: ubuntu:24.04
  before_script:
    # ubuntu:24.04 ships without curl; install it (and CA certs) before fetching the installer
    - apt-get update -qq && apt-get install -y -qq curl ca-certificates
  script:
    - curl -fsSL https://dist.vulkro.com/install.sh | bash
    - vulkro scan . --format junit > vulkro-junit.xml
    - vulkro scan . --min-confidence high
  artifacts:
    when: always
    reports:
      junit: vulkro-junit.xml
    paths:
      - vulkro-junit.xml
    expire_in: 30 days

The two vulkro scan calls are intentional:

  1. The first run produces the JUnit file. It always succeeds because we don't gate on its exit code, and the reports.junit artefact path is what makes the findings show up in the MR UI.
  2. The second run is the gate; its exit code decides whether the job passes.

Caching the binary

vulkro:
  stage: test
  image: ubuntu:24.04
  cache:
    key: vulkro-v0.3.0
    paths:
      - .vulkro-cache/
  before_script:
    # ubuntu:24.04 ships without curl; needed on a cache miss to fetch the installer
    - apt-get update -qq && apt-get install -y -qq curl ca-certificates
    - mkdir -p .vulkro-cache
    - export VULKRO_BIN_DIR="$CI_PROJECT_DIR/.vulkro-cache"
    - export PATH="$VULKRO_BIN_DIR:$PATH"
    # only download when the cached binary is missing
    - test -x "$VULKRO_BIN_DIR/vulkro" || curl -fsSL https://dist.vulkro.com/install.sh | bash
  script:
    - vulkro scan . --format junit > vulkro-junit.xml
    - vulkro scan . --min-confidence high

SARIF artefact (for external dashboards)

GitLab doesn't natively render SARIF in MRs, but the artefact is useful for downstream consumers:

  script:
    - vulkro scan . --format sarif > vulkro.sarif
  artifacts:
    paths:
      - vulkro.sarif

Air-gapped runner

vulkro:
  variables:
    VULKRO_OFFLINE: "1"
    VULKRO_CDN_BASE_URL: "https://artifacts.internal/vulkro-cve"
  before_script:
    - curl -fsSL https://artifacts.internal/vulkro/install.sh | bash