GitLab Runner Integration

GitLab is an open-core company that provides GitLab, a DevOps platform that combines developing, securing and operating software in a single application. GitLab Runner is the agent that executes GitLab CI/CD pipeline jobs; the examples below run the Xygeni scanner inside such jobs.

The following configuration examples show how to install and run the scanner using an API token stored in a CI/CD variable named XYGENI_TOKEN. See Generate Xygeni API Token for Scanner or ask your Xygeni administrator to generate it.

Define the variable in the project (or group) CI/CD settings rather than in .gitlab-ci.yml, and mark it as masked so it is redacted from job logs; mark it as protected as well if only protected branches and tags should be able to use it. See CI/CD variables and using external secrets in CI for details on how to register the Xygeni API token for use in GitLab CI.

Using the installation script

You may automatically install the scanner using the installation script available from https://get.xygeni.io/latest/scanner/TYPE, with TYPE either bash or powershell:

build-job:
  stage: scan
  script:
    - >
      curl -L https://get.xygeni.io/latest/scanner/install.sh |
      /bin/bash -s -- -o -t $XYGENI_TOKEN
    - >
      $HOME/.xygeni/xygeni scan
      -n ${CI_PROJECT_NAME} --dir ${CI_PROJECT_DIR}

See installation script for more details. The installer is piped straight from the network into bash, so the job trusts get.xygeni.io and the TLS connection to it; on locked-down runners, download the script once, review it and serve it from an internal location instead.

Please refer to the scanner documentation for full details on the scanner command line options and configuration.

Using the docker image

If it is not possible to install the scanner on the runner that executes the job (for example, a shell executor on a host you cannot modify), you may run the docker image instead. The job needs access to a Docker daemon: either a shell executor with Docker installed, or the docker executor with a Docker-in-Docker service. $DD_CONF is a variable you define that points to a directory on the runner host holding the scanner configuration:

build-job:
  stage: scan
  script:
    - >
      docker run --rm
      -v $CI_PROJECT_DIR:/app
      -v $DD_CONF:/opt/xygeni_scanner/conf
      xygeni_scanner/xygeni scan
      -n $CI_PROJECT_NAME --dir /app

The command above does not pass the API token itself; see Xygeni Scanner docker image for how to configure the containerised scanner.

Integrate with GitLab Security Reports

GitLab provides built-in security reporting capabilities that allow you to view security vulnerabilities directly within your GitLab project. When integrated with Xygeni, security findings can be automatically sent to GitLab's security dashboard, providing a centralized view of your project's security posture.

Sending Xygeni Secrets Findings to GitLab

Xygeni can send secrets detection findings to GitLab's security dashboard from a CI job such as the following:

build-job:
  stage: scan
  script:
    - >
      curl -L https://get.xygeni.io/latest/scanner/install.sh |
      /bin/bash -s -- -o -t $XYGENI_TOKEN
    - >
      $HOME/.xygeni/xygeni secrets --dir . --send-to=gitlab/alerts --no-stdin --never-fail

Command Parameters Explained:

  • --dir .: Scans the current directory for secrets

  • --send-to=gitlab/alerts: Sends findings directly to GitLab's security alerts system

  • --no-stdin: Prevents reading from standard input, ensuring the command runs non-interactively

  • --never-fail: The scanner exits with status 0 even when secrets are found, so the job reports them without blocking the pipeline. Use this while you triage the initial backlog; once it is clean, drop the flag so that a newly committed secret fails the job and blocks the merge request

GitLab CI/CD Configuration:

To receive Xygeni findings, the project must have GitLab's security reporting features available (the Vulnerability Report and Security Dashboard are part of the GitLab Ultimate tier). The findings appear in:

  • Security & Compliance > Vulnerability Report

  • CI/CD > Pipelines > Security tab for each pipeline run

  • Project > Security Dashboard

Example GitLab CI Configuration:

stages:
  - scan

secrets-scan:
  stage: scan
  script:
    - >
      curl -L https://get.xygeni.io/latest/scanner/install.sh |
      /bin/bash -s -- -o -t $XYGENI_TOKEN
    - >
      $HOME/.xygeni/xygeni secrets --dir . --send-to=gitlab/alerts --no-stdin --never-fail
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json
  allow_failure: true

XYGENI_TOKEN is not declared in the variables section: it is read from the masked CI/CD variable defined in the project settings, and redeclaring it in .gitlab-ci.yml would only add a place for the value to leak.

The allow_failure: true setting ensures that a failing job (for example, an installer download error) does not block pipeline execution. Together with --never-fail, which already makes the scanner exit successfully when secrets are found, this means findings are reported to GitLab's security dashboard for review and remediation but never stop a merge; tighten both once the backlog has been triaged.
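The pipeline above keeps reporting unconditionally. A practical compromise is a second job, run after the scan with needs: [secrets-scan], that reads the report artifact and fails only on findings at or above a chosen severity. The script below is an added example, not Xygeni's or GitLab's code; it assumes gl-secret-detection-report.json follows the GitLab secret-detection report format (a top-level vulnerabilities list whose entries carry severity and location.file), the sample report embedded in it is constructed for illustration, and the threshold and allow_paths parameters are hypothetical policy knobs rather than anything the scanner provides.

```python
"""Gate job for a GitLab secret-detection report (added example, not Xygeni code).

Reads gl-secret-detection-report.json, summarises findings by severity and
decides whether the job should fail, so that --never-fail can stay on the
scanner while newly leaked secrets still block the merge request.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Severity values used by GitLab security reports, highest first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info", "Unknown"]

# Constructed sample report, shaped like a GitLab secret-detection report
# (top-level "vulnerabilities" list, each entry with "severity" and "location").
SAMPLE_REPORT = {
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "1", "category": "secret_detection", "name": "AWS access key",
         "severity": "Critical",
         "location": {"file": "config/prod.env", "start_line": 3}},
        {"id": "2", "category": "secret_detection", "name": "Generic API key",
         "severity": "High",
         "location": {"file": "scripts/deploy.sh", "start_line": 12}},
        {"id": "3", "category": "secret_detection", "name": "Password in test fixture",
         "severity": "Low",
         "location": {"file": "tests/fixtures/users.json", "start_line": 7}},
    ],
}


def load_report(path):
    """Parse the report; a missing or unparsable file is a scanner failure, not a pass."""
    p = Path(path)
    if not p.is_file():
        raise FileNotFoundError(f"report not found: {path} (did the scan job produce it?)")
    with p.open(encoding="utf-8") as fh:
        return json.load(fh)


def summarize(report):
    """Count findings per severity; values outside the known set count as 'Unknown'."""
    counts = Counter()
    for v in report.get("vulnerabilities", []):
        sev = v.get("severity", "Unknown")
        counts[sev if sev in SEVERITY_ORDER else "Unknown"] += 1
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def blocking_findings(report, threshold="High", allow_paths=()):
    """Return findings at or above `threshold`, skipping files under any allow_paths prefix.

    allow_paths (hypothetical policy knob) is for locations such as test fixtures
    that are known to hold fake credentials; keep it short and reviewed.
    """
    limit = SEVERITY_ORDER.index(threshold)
    hits = []
    for v in report.get("vulnerabilities", []):
        sev = v.get("severity", "Unknown")
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER) - 1
        file = v.get("location", {}).get("file", "")
        if rank <= limit and not any(file.startswith(p) for p in allow_paths):
            hits.append(v)
    return hits


def gate(report, threshold="High", allow_paths=()):
    """Exit status for the gate job: 0 if nothing blocks, 1 otherwise."""
    hits = blocking_findings(report, threshold, allow_paths)
    for v in hits:
        loc = v.get("location", {})
        print(f"{v.get('severity')}: {v.get('name')} at {loc.get('file')}:{loc.get('start_line')}")
    return 1 if hits else 0


if __name__ == "__main__":
    report_path = sys.argv[1] if len(sys.argv) > 1 else "gl-secret-detection-report.json"
    try:
        rpt = load_report(report_path)
    except (OSError, ValueError) as exc:
        # Exit 2 distinguishes "no usable report" from "secrets found" (exit 1).
        print(f"error: {exc}")
        sys.exit(2)
    print(summarize(rpt))
    sys.exit(gate(rpt))
```

Run it as python3 gate_secrets.py gl-secret-detection-report.json in the follow-up job. A missing report exits with a distinct status instead of passing silently, because a scanner that did not run must not look like a clean scan; the severity threshold is a policy choice and should be lowered as the backlog shrinks.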

Benefits of Integration:

  • Centralized security reporting in GitLab

  • Automated vulnerability tracking

  • Historical trend analysis

  • Integration with GitLab's issue tracking system

  • Compliance reporting capabilities
