# GitLab CI

## Basic Pipeline

Add to `.gitlab-ci.yml`:

```yaml
stages:
  - scan

redactyl:
  stage: scan
  image: golang:1.21
  script:
    - go install github.com/varalys/redactyl@latest
    - redactyl scan --json > redactyl-findings.json
  artifacts:
    paths:
      - redactyl-findings.json
    reports:
      sast: redactyl-findings.json
```

## SAST Report Integration

GitLab supports the SAST report format for security findings, so scan results show up in the merge request security widget:

```yaml
redactyl:
  stage: scan
  image: golang:1.21
  script:
    - go install github.com/varalys/redactyl@latest
    - redactyl scan --sarif > gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json
```

## Container Scanning

Scan images in your pipeline:

```yaml
stages:
  - build
  - scan

build:
  stage: build
  script:
    # authenticate to the project registry before pushing
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

scan-image:
  stage: scan
  # the job image must also provide the docker CLI; golang:1.21 does not ship one,
  # so install it in before_script or use an image that has both go and docker
  image: golang:1.21
  services:
    - docker:dind
  variables:
    DOCKER_HOST: tcp://docker:2375
    # disable TLS in the dind service so it listens on the plain port 2375 used above
    DOCKER_TLS_CERTDIR: ""
  script:
    - go install github.com/varalys/redactyl@latest
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - docker save $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA > image.tar
    - redactyl scan image.tar --json > findings.json
  artifacts:
    paths:
      - findings.json
```

## Merge Request Scanning

Only scan on merge requests:

```yaml
redactyl:
  stage: scan
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - go install github.com/varalys/redactyl@latest
    - redactyl scan --no-tui
```

## Helm Chart Scanning

```yaml
scan-helm:
  stage: scan
  script:
    - go install github.com/varalys/redactyl@latest
    - redactyl scan --helm ./charts --json > helm-findings.json
  artifacts:
    paths:
      - helm-findings.json
```

## Scheduled Pipelines

```yaml
redactyl-scheduled:
  stage: scan
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - go install github.com/varalys/redactyl@latest
    - redactyl scan --deep --json > findings.json
  artifacts:
    paths:
      - findings.json
```

## Using Variables

```yaml
variables:
  REDACTYL_SEVERITY: high
  REDACTYL_BASELINE: .redactyl-baseline.json

redactyl:
  script:
    - redactyl scan --severity $REDACTYL_SEVERITY --baseline $REDACTYL_BASELINE
```

## Cache Go Modules

Speed up pipelines:

```yaml
redactyl:
  cache:
    key: go-modules
    paths:
      - .go/pkg/mod
  variables:
    GOPATH: $CI_PROJECT_DIR/.go
  script:
    - go install github.com/varalys/redactyl@latest
    # with GOPATH relocated, `go install` puts the binary in $GOPATH/bin,
    # which is not on PATH in the golang image
    - export PATH="$GOPATH/bin:$PATH"
    - redactyl scan --no-tui
```

## Allow Failure

Continue the pipeline on findings (the job is marked as failed with a warning, but later stages still run):

```yaml
redactyl:
  script:
    - redactyl scan --no-tui
  allow_failure: true
```
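The snippets above each show one piece. As an added example (not from the redactyl project documentation), here is a complete `.gitlab-ci.yml` that combines them: a shared hidden job for install and caching, a blocking merge request scan published as a SAST report, and a non-blocking scheduled deep scan. It assumes the scan flags shown on this page can be combined on one invocation and that `redactyl` exits non-zero when findings remain after applying the baseline; the job names `.redactyl-base`, `redactyl-mr` and `redactyl-scheduled` are chosen here, not prescribed by the tool.

```yaml
# Added example: one pipeline combining the jobs from this page.
# Assumptions (not stated on this page): scan flags can be combined, and
# redactyl exits non-zero when findings remain after the baseline is applied.
stages:
  - scan

variables:
  REDACTYL_SEVERITY: high
  REDACTYL_BASELINE: .redactyl-baseline.json

# Hidden job: shared setup (tool install, module cache) inherited via `extends`.
.redactyl-base:
  stage: scan
  image: golang:1.21
  variables:
    GOPATH: $CI_PROJECT_DIR/.go
  cache:
    key: go-modules
    paths:
      - .go/pkg/mod
  before_script:
    - go install github.com/varalys/redactyl@latest
    # GOPATH is relocated, so put its bin directory on PATH
    - export PATH="$GOPATH/bin:$PATH"

# Merge requests: blocking scan against the baseline at the configured severity,
# published as a SAST report so findings appear in the MR security widget.
redactyl-mr:
  extends: .redactyl-base
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - redactyl scan --no-tui --sarif --severity "$REDACTYL_SEVERITY" --baseline "$REDACTYL_BASELINE" > gl-sast-report.json
  artifacts:
    when: always        # upload the report even when the scan fails the job
    expire_in: 1 week
    reports:
      sast: gl-sast-report.json

# Scheduled: deep scan of the whole tree, non-blocking, raw findings kept as an artifact.
redactyl-scheduled:
  extends: .redactyl-base
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  allow_failure: true
  script:
    - redactyl scan --no-tui --deep --json > findings.json
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - findings.json
```

The `when: always` on the artifacts matters: without it, GitLab skips artifact upload for a failed job, which is exactly the case in which you most want the report. Keeping `allow_failure: true` only on the scheduled job means a merge request with new findings above the baseline still blocks, while the periodic deep scan surfaces findings without breaking unrelated pipelines.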