Security Scanning in GitLab CI Pipelines

Add security scanning to your GitLab CI pipeline. Covers SAST, dependency scanning, container scanning, and secret detection with GitLab templates and open-source tools.


Detailed Explanation

Security Scanning in GitLab CI

Security scanning in CI catches vulnerabilities before they reach production. GitLab offers built-in templates, but you can also use open-source tools directly.

Using GitLab Templates

The SAST and Secret Detection templates run on every GitLab tier; Dependency Scanning, and the vulnerability report and merge request security widget that consume the scanner reports, need Ultimate. The template jobs are added to the test stage, so that stage must exist in your pipeline.

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
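Including a template is rarely the whole job: the scanners run with defaults that also cover test fixtures and vendored code, and secret detection only looks at the commits of the current pipeline. The following is an added example, not configuration from the page, showing how the two free templates are tuned through their documented variables and how one template job (secret_detection) is overridden. Note that a rules: block written in your own file replaces the template's rules entirely, including its $SECRET_DETECTION_DISABLED check; the GIT_DEPTH: 0 setting is an assumption that the historic scan wants an unshallowed clone.

```yaml
# Added example (not from the page): tuning the free GitLab scanner templates.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

stages:
  - test            # the template jobs use the test stage, so it must exist

variables:
  # Skip test fixtures and vendored code: fewer false positives, faster scans.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Scan the whole git history once instead of only this pipeline's commit range.
  SECRET_DETECTION_HISTORIC_SCAN: "true"

# Override a template job. Only the keys given here change; the template's
# image and script are kept. Writing rules: replaces the template's rules,
# so the $SECRET_DETECTION_DISABLED opt-out no longer applies to this job.
secret_detection:
  variables:
    GIT_DEPTH: 0    # assumption: the historic scan needs the full clone
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Run the historic scan on a schedule or on the default branch rather than on every merge request: a full-history scan of a large repository is slow, and a leaked secret in old history is found once, then revoked, not rediscovered per MR.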

Open-Source Alternative (Any Tier)

stages:
  - test
  - security

trivy_scan:
  stage: security
  image:
    name: aquasec/trivy:latest   # pin a release tag for reproducible results
    entrypoint: [""]             # the image's entrypoint is `trivy`; clear it so script: runs in a shell
  script:
    # First pass stores the full report for auditing; the second pass only
    # decides the exit code and fails on HIGH/CRITICAL findings.
    - trivy fs --format json --output trivy-report.json .
    - trivy fs --severity HIGH,CRITICAL --exit-code 1 .
  artifacts:
    when: always                 # upload the report even when the job fails on findings
    paths:
      - trivy-report.json
    expire_in: 30 days
  allow_failure: true

gitleaks:
  stage: security
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]             # same entrypoint issue as trivy: the image runs `gitleaks` directly
  variables:
    GIT_DEPTH: 0                 # gitleaks detect walks git history; a shallow clone hides most of it
  script:
    # --redact keeps the matched secret value out of the job log and the stored
    # report, which anyone with artifact access could otherwise read.
    # gitleaks exits 1 when it finds a leak, so allow_failure below is what keeps
    # the pipeline green during triage.
    - gitleaks detect --source . --redact --report-format json --report-path gitleaks-report.json
  artifacts:
    when: always
    paths:
      - gitleaks-report.json
    expire_in: 30 days
  allow_failure: true

semgrep:
  stage: security
  image: returntocorp/semgrep    # this image's entrypoint passes script: through to a shell, no override needed
  script:
    # --config auto pulls rules from the Semgrep registry, so the runner needs
    # outbound network access. Semgrep exits 0 on findings unless --error is
    # given; add it once you are ready for findings to fail the job.
    - semgrep scan --config auto --json --output semgrep-report.json .
  artifacts:
    when: always
    paths:
      - semgrep-report.json
    expire_in: 30 days
  allow_failure: true

Container Image Scanning

container_scan:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  needs:
    - docker_build               # the job that built and pushed $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER       # Trivy reads these to pull from the private GitLab registry
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # Without --exit-code 1 this job only prints findings and never fails.
    - trivy image --severity HIGH,CRITICAL --exit-code 1 $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

Best Practices

  1. Start with allow_failure: true: This keeps the first runs from blocking deployments while you triage the initial findings. Remove it job by job once the baseline is clean; as long as it stays, the exit codes in point 3 never block anything.
  2. Scan on merge requests: Use rules (for example if: $CI_PIPELINE_SOURCE == "merge_request_event") so developers see results before merging, not after.
  3. Fail on HIGH/CRITICAL: Use --exit-code 1 with severity filters to block only serious vulnerabilities; --ignore-unfixed additionally skips findings with no available fix.
  4. Store reports as artifacts: Keep scan results for auditing and trend analysis, and set artifacts:when: always so a job that fails on findings still uploads its report.
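Put together, the four practices above change almost every job in the open-source pipeline shown earlier. The following is an added example, not configuration from the page: one .gitlab-ci.yml that applies them to the same scanners. The docker_build job, the image tags and the rollout order (allow_failure first, then tightening) are assumptions; CI_* names are GitLab predefined variables, TRIVY_USERNAME and TRIVY_PASSWORD are Trivy's documented credential variables, and the semgrep flags (--error, --severity) are Semgrep's own.

```yaml
# Added example, not code from the original page. See the lead-in for assumptions.

# Practice 2: create pipelines only for merge requests and the default branch.
# Every job below then runs in MR context, with no duplicate branch pipelines.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

stages:
  - build
  - security

# Shared settings for every scanner job.
.scanner:
  stage: security
  artifacts:
    when: always          # practice 4: the report survives a failing job
    expire_in: 30 days
  allow_failure: true     # practice 1: set to false per job once its findings are triaged

docker_build:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

trivy_fs:
  extends: .scanner
  image:
    name: aquasec/trivy:latest   # assumption: pin to a release tag in a real pipeline
    entrypoint: [""]             # entrypoint is `trivy`; clear it so script: runs in a shell
  script:
    - trivy fs --format json --output trivy-report.json .
    # Practice 3: only HIGH/CRITICAL findings that have a fix break the job.
    - trivy fs --ignore-unfixed --severity HIGH,CRITICAL --exit-code 1 .
  artifacts:
    paths: [trivy-report.json]

gitleaks:
  extends: .scanner
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]
  variables:
    GIT_DEPTH: 0                 # full history; a shallow clone hides most commits from gitleaks
  script:
    # --redact keeps secret values out of the log and the stored report.
    # gitleaks exits 1 on a leak, which is the gate for this job.
    - gitleaks detect --source . --redact --report-format json --report-path gitleaks-report.json
  artifacts:
    paths: [gitleaks-report.json]

semgrep:
  extends: .scanner
  image: returntocorp/semgrep
  script:
    # Semgrep exits 0 on findings unless --error is given; --severity ERROR
    # limits both the report and the gate to the most serious rules.
    - semgrep scan --config auto --severity ERROR --error --json --output semgrep-report.json .
  artifacts:
    paths: [semgrep-report.json]

container_scan:
  extends: .scanner
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  needs: [docker_build]
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER       # credentials for the private GitLab registry
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy image --format json --output container-report.json "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    - trivy image --ignore-unfixed --severity HIGH,CRITICAL --exit-code 1 "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  artifacts:
    paths: [container-report.json]
```

The order in which you drop allow_failure matters: gitleaks and the container scan usually reach a clean baseline first (revoke the leaked credentials, rebuild on a patched base image), while a dependency or SAST baseline in an older codebase can take weeks of triage. Keep the JSON reports from that period; the trend in HIGH/CRITICAL counts per pipeline is the evidence that the gate is ready to be enforced.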

Use Case

Every production pipeline should include some form of security scanning. Start with secret detection and dependency scanning (highest ROI), then add SAST and container scanning as your security posture matures.
