
GitLab CI

Add to .gitlab-ci.yml:

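stages:
  - scan

redactyl:
  stage: scan
  image: golang:1.21
  variables:
    # Pin this to a tagged release so CI runs a reproducible, reviewable build
    # of the scanner. "latest" is only a placeholder: it resolves to whatever
    # the module proxy serves when the job runs, so an upstream change lands in
    # the pipeline without anyone reviewing it.
    REDACTYL_VERSION: latest
  script:
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    - redactyl scan --json > redactyl-findings.json
  artifacts:
    # Secret-scanner output may quote the matched values; keep the download
    # window short and restrict who can read this project's job artifacts.
    expire_in: 1 week
    paths:
      - redactyl-findings.json
    # NOTE(review): reports:sast is parsed against GitLab's security-report
    # JSON schema. --json is the scanner's own format, while the SAST example
    # on this page uses --sarif; confirm the file validates before relying on
    # the merge-request security widget.
    reports:
      sast: redactyl-findings.json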

GitLab can surface findings in its merge-request security widget when a job uploads a `reports: sast:` artifact. Confirm that the scanner's output validates against GitLab's security-report schema for the GitLab version in use; an unparseable report is uploaded but shows no findings:

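redactyl:
  stage: scan
  image: golang:1.21
  variables:
    # Pin to a tagged release; "latest" is a placeholder, not a recommendation.
    REDACTYL_VERSION: latest
  script:
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    - redactyl scan --sarif > gl-sast-report.json
  artifacts:
    # Findings may quote the matched secret values; do not retain the
    # artifact longer than the review needs.
    expire_in: 1 week
    reports:
      # NOTE(review): confirm this SARIF output validates against GitLab's
      # security-report schema for your GitLab version; otherwise the file is
      # uploaded but nothing appears in the security widget.
      sast: gl-sast-report.json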

Scan images in your pipeline:

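stages:
  - build
  - scan

# Shared Docker-in-Docker settings. With DOCKER_TLS_CERTDIR set, the dind
# service generates certificates and serves TLS on 2376 instead of the
# unauthenticated plain-text listener on 2375, so other containers on the
# runner network cannot drive the daemon. The Docker executor must share
# /certs/client between the service and the job container (runner `volumes`
# setting) for the client certificate to be visible here.
.docker:
  services:
    - docker:dind
  variables:
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_TLS_VERIFY: "1"
    DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
  before_script:
    # The project registry requires credentials even for the pipeline's own
    # image; the job token is piped on stdin so it never appears in argv or
    # the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

build:
  extends: .docker
  stage: build
  script:
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

scan-image:
  extends: .docker
  stage: scan
  # NOTE(review): the official golang:1.21 image does not ship the docker CLI,
  # so the pull/save steps below need an image that provides both go and
  # docker (or a step that installs one into the other) — pick one that fits
  # your runner and pin it.
  image: golang:1.21
  variables:
    # Pin to a tagged release; "latest" is a placeholder, not a recommendation.
    REDACTYL_VERSION: latest
  script:
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    # image.tar contains every layer, including whatever the scanner is about
    # to find; it is deliberately not listed under artifacts.
    - docker save "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" > image.tar
    - redactyl scan image.tar --json > findings.json
  artifacts:
    # Findings may quote matched secret values; keep the retention short.
    expire_in: 1 week
    paths:
      - findings.json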

Only scan on merge requests (the examples that follow also cover a Helm-chart scan, a scheduled deep scan, and severity/baseline settings):

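redactyl:
  stage: scan
  rules:
    # Merge-request pipelines only. Note that commits pushed straight to a
    # branch (including a protected default branch) never trigger this job;
    # add a default-branch rule if that path exists in your project.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  variables:
    REDACTYL_VERSION: latest  # pin to a tagged release in real pipelines
  script:
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    - redactyl scan --no-tui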
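scan-helm:
  stage: scan
  variables:
    REDACTYL_VERSION: latest  # pin to a tagged release in real pipelines
  script:
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    # --helm points the scanner at the chart tree under ./charts; assumed to
    # cover values files and templates — confirm against the CLI reference.
    - redactyl scan --helm ./charts --json > helm-findings.json
  artifacts:
    # Findings may quote matched secret values; keep the retention short.
    expire_in: 1 week
    paths:
      - helm-findings.json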
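redactyl-scheduled:
  stage: scan
  rules:
    # Pipeline schedules only; --deep is presumably costlier than a default
    # scan, so it is kept off the merge-request path.
    - if: $CI_PIPELINE_SOURCE == "schedule"
  variables:
    REDACTYL_VERSION: latest  # pin to a tagged release in real pipelines
  script:
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    - redactyl scan --deep --json > findings.json
  artifacts:
    # Findings may quote matched secret values; keep the retention short.
    expire_in: 1 week
    paths:
      - findings.json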
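variables:
  # Minimum severity to report; findings below it are presumably dropped from
  # the output rather than just de-prioritised — confirm before gating on it.
  REDACTYL_SEVERITY: high
  # The baseline presumably suppresses findings already recorded in it. Treat
  # the file as code: require review on any change to it, since adding an
  # entry is all it takes to silence a real leak.
  REDACTYL_BASELINE: .redactyl-baseline.json

redactyl:
  variables:
    REDACTYL_VERSION: latest  # pin to a tagged release in real pipelines
  script:
    # The install step is needed here too; a job's script is not merged with
    # other definitions of the same job.
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    - redactyl scan --severity "$REDACTYL_SEVERITY" --baseline "$REDACTYL_BASELINE"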

Speed up pipelines:

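redactyl:
  cache:
    key: go-modules
    paths:
      - .go/pkg/mod
  variables:
    # Keep the module cache inside the checkout so the runner can persist it.
    GOPATH: $CI_PROJECT_DIR/.go
    # A cached module tree only skips downloads when the version is pinned;
    # "@latest" still queries the proxy on every run. Pin a tagged release.
    REDACTYL_VERSION: latest
  script:
    # The official golang image bakes /go/bin into PATH at image build time.
    # Overriding GOPATH makes `go install` write to .go/bin instead, which is
    # not on PATH, so the `redactyl` command would not be found without this.
    - export PATH="$GOPATH/bin:$PATH"
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    - redactyl scan --no-tui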

Continue the pipeline even when findings are reported (this makes the scan advisory rather than a merge gate):

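redactyl:
  variables:
    REDACTYL_VERSION: latest  # pin to a tagged release in real pipelines
  script:
    - go install github.com/varalys/redactyl@${REDACTYL_VERSION}
    - redactyl scan --no-tui
  # allow_failure turns the scan into an advisory check: the job is flagged
  # with a warning, but the pipeline — and any merge gated on it — proceeds
  # even when secrets are found. Use this only while onboarding or building a
  # baseline. It also masks scanner crashes and install failures, so watch the
  # job status rather than just the pipeline result.
  allow_failure: true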