GitLab CI
Drop Vulkro into a GitLab pipeline as a test-stage job that publishes
JUnit so findings render in the MR's test-report tab.
One-liner: the includable template
Vulkro ships a reusable template at
integrations/gitlab-ci/.gitlab-ci.template.yml.
Pull it in via include: to skip the manual binary fetch + gate
wiring:
.gitlab-ci.yml
```yaml
include:
  - remote: 'https://raw.githubusercontent.com/OrignalLazyCoder/vulkro/main/integrations/gitlab-ci/.gitlab-ci.template.yml'

variables:
  VULKRO_VERSION: "v1.0.0"       # pin in production
  VULKRO_SCAN_PATH: "."
  VULKRO_FAIL_THRESHOLD: "high"  # critical | high | medium | low
```
The template runs two jobs in the test stage:
- `vulkro:scan` emits SARIF, JUnit, and GitLab Code Quality JSON. The Code Quality report renders findings inline on the MR's Changes tab; the SARIF feeds the Vulnerability Report tab on GitLab Ultimate; JUnit feeds the pipeline summary widget.
- `vulkro:gate` runs only on `merge_request_event` and fails on new findings vs the target branch. Pre-existing tech debt does not block merges.
The template defaults VULKRO_OFFLINE=1 so the scanner makes no
outbound network calls from CI.
Manual pipeline (no template)
If you'd rather inline the steps:
Minimal pipeline
.gitlab-ci.yml
```yaml
vulkro:
  stage: test
  image: ubuntu:24.04
  script:
    # ubuntu:24.04 ships without curl, so install it before the fetch
    - apt-get update -qq && apt-get install -y -qq curl ca-certificates
    - curl -fsSL https://dist.vulkro.com/install.sh | bash
    - vulkro scan . --format junit > vulkro-junit.xml
    - vulkro scan . --min-confidence high
  artifacts:
    when: always
    reports:
      junit: vulkro-junit.xml
    paths:
      - vulkro-junit.xml
    expire_in: 30 days
```
The two vulkro scan calls are intentional:
- The first run produces JUnit (always succeeds because we don't gate on its exit code); the `reports.junit` artefact path makes it light up in the MR UI.
- The second run is the gate.
Caching the binary
```yaml
vulkro:
  stage: test
  image: ubuntu:24.04
  cache:
    key: vulkro-v0.3.0
    paths:
      - .vulkro-cache/
  before_script:
    - mkdir -p .vulkro-cache
    - export VULKRO_BIN_DIR="$CI_PROJECT_DIR/.vulkro-cache"
    - export PATH="$VULKRO_BIN_DIR:$PATH"
    # ubuntu:24.04 ships without curl; only needed on a cache miss, but cheap
    - apt-get update -qq && apt-get install -y -qq curl ca-certificates
    - test -x "$VULKRO_BIN_DIR/vulkro" || curl -fsSL https://dist.vulkro.com/install.sh | bash
  script:
    - vulkro scan . --format junit > vulkro-junit.xml
    - vulkro scan . --min-confidence high
```
SARIF artefact (for external dashboards)
GitLab doesn't natively render SARIF in MRs, but the artefact is useful for downstream consumers:
```yaml
script:
  - vulkro scan . --format sarif > vulkro.sarif
artifacts:
  paths:
    - vulkro.sarif
```
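One such downstream consumer, added here as an example and not code from Vulkro or its template: the new-findings-only semantics described for `vulkro:gate` above, applied to the SARIF artefact. It assumes the target branch's SARIF has been kept (for example as a pipeline artefact) to serve as the baseline, and keys each result by rule, file and source snippet so a finding that merely moved lines is not reported as new; the rule ids, paths and snippets are constructed sample data.

```python
import json

# Constructed SARIF fragments (not real Vulkro output). BASELINE is the scan
# of the MR's target branch; CURRENT is the scan of the MR head, in which the
# old finding has moved down one line and one genuinely new finding appears.
def _result(rule, uri, line, snippet, level):
    return {"ruleId": rule, "level": level, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri},
        "region": {"startLine": line, "snippet": {"text": snippet}}}}]}

BASELINE_SARIF = json.dumps({"runs": [{"results": [
    _result("VK001", "app/db.py", 10, "cur.execute(q % user)", "error"),
]}]})
CURRENT_SARIF = json.dumps({"runs": [{"results": [
    _result("VK001", "app/db.py", 11, "cur.execute(q % user)", "error"),
    _result("VK017", "app/views.py", 42, "render(html)", "warning"),
]}]})

def fingerprint(result):
    """Key a result by rule, file and source snippet so a pure line shift is
    not reported as new; fall back to the line number when no snippet."""
    loc = result["locations"][0]["physicalLocation"]
    region = loc.get("region", {})
    snippet = region.get("snippet", {}).get("text")
    return (result["ruleId"], loc["artifactLocation"]["uri"],
            snippet if snippet is not None else region.get("startLine"))

def sarif_results(doc):
    return [r for run in json.loads(doc)["runs"] for r in run.get("results", [])]

def new_findings(baseline, current):
    """Results in `current` whose fingerprint does not occur in `baseline`."""
    seen = {fingerprint(r) for r in sarif_results(baseline)}
    return [r for r in sarif_results(current) if fingerprint(r) not in seen]

def gate_exit_code(baseline, current):
    """0 when the MR adds no findings (pre-existing debt passes), else 1."""
    fresh = new_findings(baseline, current)
    for r in fresh:
        loc = r["locations"][0]["physicalLocation"]
        print(f"NEW {r['ruleId']} {loc['artifactLocation']['uri']}:"
              f"{loc.get('region', {}).get('startLine')}")
    return 1 if fresh else 0

if __name__ == "__main__":
    raise SystemExit(gate_exit_code(BASELINE_SARIF, CURRENT_SARIF))
```

Run it as a separate job step after both scans, with the baseline SARIF fetched from the target branch's latest pipeline; its exit code is what fails the job.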
Air-gapped runner
```yaml
vulkro:
  variables:
    VULKRO_OFFLINE: "1"
    VULKRO_CDN_BASE_URL: "https://artifacts.internal/vulkro-cve"
  before_script:
    - curl -fsSL https://artifacts.internal/vulkro/install.sh | bash
```