GitLab CI

Pipeline Security Integration

Integrate Bloodhound into GitLab CI/CD pipelines with merge request comments, security dashboard integration, and SAST reports.

Setup

Configure GitLab CI variables and create your pipeline.

1. Add CI/CD Variables

Go to Settings → CI/CD → Variables. Add BLOODHOUND_LICENSE as a masked, protected variable. If you use the optional MR comment job below, also add GITLAB_TOKEN (masked) holding a project access token with the api scope; GitLab does not provide this variable by default.

2. Create .gitlab-ci.yml

Add the pipeline configuration to your repository root.

Basic Pipeline

.gitlab-ci.yml
YAML
stages:
  - security
  - build
  - test
  - deploy

security-scan:
  stage: security
  image: node:20
  variables:
    BLOODHOUND_LICENSE: $BLOODHOUND_LICENSE
  before_script:
    - npm install -g @agnech/cli
    - bloodhound license activate $BLOODHOUND_LICENSE
  script:
    - bloodhound scan --mode advanced --report json,sarif ./src
    - mv results.json gl-sast-report.json
  artifacts:
    reports:
      # Picked up by GitLab as a SAST report (MR widget / Security Dashboard)
      sast: gl-sast-report.json
    paths:
      - results.sarif
    expire_in: 1 week
  rules:
    # Run on merge requests and on pushes to the default branch
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

MR Integration

Configure merge request integration for security feedback.

.gitlab-ci.yml
YAML
security-scan-mr:
  stage: security
  image: node:20
  script:
    - npm install -g @agnech/cli
    - bloodhound license activate $BLOODHOUND_LICENSE
    - |
      bloodhound scan \
        --mode advanced \
        --report gitlab \
        --output gl-sast-report.json \
        ./src
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: $CI_MERGE_REQUEST_IID

# Optional: post a summary comment on the MR.
# Needs a GITLAB_TOKEN CI/CD variable holding a token with the api scope.
security-comment:
  stage: security
  needs: [security-scan-mr]   # also downloads gl-sast-report.json from that job
  image: alpine:latest
  before_script:
    - apk add --no-cache curl jq
  script:
    - |
      # alpine's /bin/sh is busybox ash, so only POSIX shell syntax is used here
      CRITICAL=$(jq '.vulnerabilities | map(select(.severity == "Critical")) | length' gl-sast-report.json)
      HIGH=$(jq '.vulnerabilities | map(select(.severity == "High")) | length' gl-sast-report.json)

      if [ "$CRITICAL" -gt 0 ]; then
        VERDICT="⚠️ Please fix critical issues before merging."
      else
        VERDICT="✅ No critical vulnerabilities found."
      fi

      # Let jq build the JSON body so quotes and newlines are escaped correctly
      BODY=$(jq -n --arg counts "${CRITICAL} Critical | ${HIGH} High" --arg verdict "$VERDICT" \
        '{body: "## Security Scan Results\n\n\($counts)\n\n\($verdict)"}')

      curl --fail --request POST \
        --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
        --header "Content-Type: application/json" \
        --data "$BODY" \
        "$CI_API_V4_URL/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes"
  rules:
    - if: $CI_MERGE_REQUEST_IID
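The comment job above does its counting with jq inside a shell script, which makes it hard to unit-test and easy to break with quoting. The following is an added example, not code from this page or from the Bloodhound CLI: it reads a gl-sast-report.json, checks a subset of the fields the GitLab SAST report schema requires, counts findings per severity, builds the same Markdown comment, serialises it safely for the notes API, and returns a merge-gate decision. The report embedded in it is a constructed sample, and the helper names (load_report, count_by_severity, build_comment, note_payload, should_block) are this example's own.

```python
"""Summarise a GitLab SAST report the way the MR comment job does,
but in plain Python (hypothetical helper, not part of the Bloodhound CLI)."""
import json
from collections import Counter

# Severity values permitted by the GitLab SAST report schema.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info", "Unknown")

# Constructed sample report: three findings (Critical, High, Low).
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "finding-1", "name": "SQL injection", "severity": "Critical",
         "location": {"file": "src/db.js", "start_line": 42}},
        {"id": "finding-2", "name": "Weak hash algorithm", "severity": "High",
         "location": {"file": "src/auth.js", "start_line": 7}},
        {"id": "finding-3", "name": "Unused variable", "severity": "Low",
         "location": {"file": "src/util.js", "start_line": 1}},
    ],
})


def load_report(text):
    """Parse the report and reject findings missing fields GitLab needs.
    Only a subset of the schema is checked here."""
    data = json.loads(text)
    vulns = data.get("vulnerabilities")
    if not isinstance(vulns, list):
        raise ValueError("report has no 'vulnerabilities' list")
    for v in vulns:
        for key in ("id", "severity", "location"):
            if key not in v:
                raise ValueError(f"finding {v.get('id', '?')} lacks {key!r}")
        if v["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {v['severity']!r}")
    return vulns


def count_by_severity(vulns):
    """Return a dict with a count for every severity, zero when absent."""
    counts = Counter(v["severity"] for v in vulns)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def build_comment(counts):
    """Same Markdown the security-comment job posts to the MR."""
    lines = ["## Security Scan Results", "",
             f"{counts['Critical']} Critical | {counts['High']} High", ""]
    if counts["Critical"] > 0:
        lines.append("⚠️ Please fix critical issues before merging.")
    else:
        lines.append("✅ No critical vulnerabilities found.")
    return "\n".join(lines)


def note_payload(comment):
    """JSON body for POST .../merge_requests/:iid/notes; json.dumps escapes
    quotes and newlines instead of interpolating into a JSON literal."""
    return json.dumps({"body": comment})


def should_block(counts, max_critical=0, max_high=None):
    """Merge-gate decision: True when the thresholds are exceeded."""
    if counts["Critical"] > max_critical:
        return True
    if max_high is not None and counts["High"] > max_high:
        return True
    return False


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    counts = count_by_severity(load_report(text))
    print(build_comment(counts))
    sys.exit(1 if should_block(counts) else 0)
```

Run it with the path to a real gl-sast-report.json as the first argument, or with no argument to use the embedded sample; the exit status lets the same script serve as a pipeline gate in a job that has the report artifact.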

Security Dashboard

Integrate with GitLab's Security Dashboard for vulnerability tracking.

GitLab Ultimate

The Security Dashboard is available in GitLab Ultimate. For other tiers, use the artifacts and pipeline reports.

.gitlab-ci.yml
YAML
include:
  - template: Security/SAST.gitlab-ci.yml

# The "security" stage must be listed under stages: (see the basic pipeline above)
bloodhound-sast:
  stage: security
  image: node:20
  script:
    - npm install -g @agnech/cli
    - bloodhound license activate $BLOODHOUND_LICENSE
    - bloodhound scan --report gitlab --output gl-sast-report.json ./src
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    # Run on every branch push so the dashboard tracks all branches
    - if: $CI_COMMIT_BRANCH