Skip to main content

CodeAnt CI Scan for GitLab

A GitLab CI/CD configuration to run CodeAnt security and code quality analysis on your repository.

Features

  • 🧠 Automated security and code quality scanning
  • 🔍 Deep vulnerability and dependency analysis
  • 📊 Comprehensive reports and actionable insights
  • ⚡ Fast setup - integrate in under a minute
  • 🔄 Supports push, merge requests, and default branch commits
Add this to your project’s .gitlab-ci.yml file:
This will automatically run the codeant_scan job defined in the shared CodeAnt pipeline template.
Self-hosted GitLab: The pipeline forwards your instance URL (CI_SERVER_URL) to CodeAnt so the token is validated against the correct GitLab server. This happens automatically - no extra configuration is needed. If validation fails with 401 Access token invalid, confirm CI_SERVER_URL resolves to your GitLab instance, or set BASE_URL explicitly (e.g. https://gitlab.your-company.com).

Setup Guide

1. Create a CodeAnt Token

In CodeAnt AI, open the user menu (click your email at the bottom-left) and select API Tokens, click Create token, and copy the generated token (it starts with cdt_ and is shown only once). See API Tokens for the full walkthrough. This single token authenticates the scan - you don’t need a GitLab access token.

2. Add Token to GitLab CI/CD Variables

  1. Go to Settings > CI/CD > Variables
  2. Click Add Variable
  3. Fill in the details:
    • Key: ACCESS_TOKEN (this is the variable name the included template reads)
    • Value: your CodeAnt token (cdt_…)
    • Protect variable: Yes (Recommended)
    • Mask variable: Yes (Recommended)
  4. Click Add Variable

3. Commit and Push

Once your .gitlab-ci.yml file includes the CodeAnt template, push it to your repository. Your next push, merge request, or main branch commit will automatically trigger a scan.

Advanced Usage

You can customize how CodeAnt scans your repository by overriding variables:

Scanner Options

🔍 Available Scanners: The SCANNERS variable allows you to customize which security scanners run during analysis:
  • sast - Static Application Security Testing (code vulnerabilities)
  • sca - Software Composition Analysis (dependency vulnerabilities)
  • secrets - Secret detection (API keys, passwords, tokens)
  • antipatterns - Code quality and duplicate code detection
  • iac - Infrastructure as Code security (Terraform, CloudFormation, etc.)
  • all - Run all available scanners
Default: If not specified, runs sast,sca Examples:
  • Run all scanners: SCANNERS: 'all'
  • Only SAST: SCANNERS: 'sast'
  • SAST + Secrets: SCANNERS: 'sast,secrets'
  • Full security suite: SCANNERS: 'sast,sca,secrets,iac'

Quality Gate Enforcement

🚦 Block the pipeline on the whole-repository posture: Pass --quality-gate (-q) to start_scan.sh to turn the scan into an enforced gate. After the scan completes, CodeAnt evaluates the entire repository against your thresholds and the script exits non-zero if the gate fails - failing the pipeline. This is the Checkmarx / SonarQube-style whole-repo gate, independent of the new-code/PR quality gate. Configure thresholds in Settings → Code Analysis → Quality Gates using the “(Full Code / CI Pipeline)” metrics (these run only in the pipeline, never on merge requests):
  • (Full Code / CI Pipeline) SAST Security Rating C
  • (Full Code / CI Pipeline) SCA Security Rating C
  • (Full Code / CI Pipeline) IaC Security Rating C
  • (Full Code / CI Pipeline) Duplicate Code Percentage > 30
Results group into three status checks: SAST (app security + IaC), SCA (dependencies), and SCR (duplicate code). The gate writes codeant.sarif (SARIF 2.1.0), codeant-qg.xml (JUnit), and results.json (full verdict + findings).
--quality-gate requires a commit SHA (-c) and cannot be combined with --no-wait (the gate needs the scan results). Use --scanners to scope the gate (e.g. --scanners "sast,sca").

Example Configurations

Run All Scanners

Security-Focused Scan

Scan on Push and Merge Requests (Default)

Scan Only on Main Branch and Merge Requests

Scheduled Daily Scan

Create a scheduled pipeline in CI/CD > Schedules and use:

Scan Specific Directories with Security Focus

Using a Self-Hosted CodeAnt Instance

Increasing Scan Timeout

For large repositories that need more time to complete analysis:
Timeout Options:
  • timeout: 15m - GitLab CI job timeout (format: 30s, 5m, 1h, 2h 30m)
  • SCAN_TIMEOUT: "600" - CodeAnt scan timeout in seconds (default: 300)
Recommended Values:
  • Samll repos (< 1000 files): SCAN_TIMEOUT: "300" (5 minutes)
  • Medium repos (1000-5000 files): SCAN_TIMEOUT: "600" (10 minutes)
  • Large repos (>5000 files): SCAN_TIMEOUT: "900" (15 minutes)

Multi-Stage Pipeline

Integrate CodeAnt scan with other pipeline stages:

GitLab CI Variables Used

The configuration automatically uses these GitLab predefined variables:
  • CI_PROJECT_PATH - Full path of the repository (e.g., group/project)
  • CI_COMMIT_SHA - The commit SHA being analyzed
  • CI_COMMIT_REF_NAME - The branch or tag name
  • CI_PIPELINE_SOURCE - The source of the pipeline trigger
  • CI_DEFAULT_BRANCH - The default branch of the project

Troubleshooting

Authentication Errors / 401 Access token invalid
  • Ensure your ACCESS_TOKEN holds a valid CodeAnt token (cdt_…) that hasn’t been revoked
  • Check that the token belongs to the same organization as the repository
  • Confirm the variable is available (not protected when running on non-protected branches)
  • Self-hosted GitLab: the token is validated against the GitLab instance reported by BASE_URL (default $CI_SERVER_URL). A 401 usually means CodeAnt validated against the wrong instance - confirm CI_SERVER_URL points to your GitLab server, or set BASE_URL explicitly (e.g. https://gitlab.your-company.com)
Scan Failures
  • Verify your repository is accessible
  • Check that the API base URL is correct
  • Review the pipeline logs for specific error messages
  • Ensure GitLab runners can access the CodeAnt API endpoint
Script Download Issues
  • Verify the API_BASE URL is correct
  • Check network connectivity and firewall rules
  • Ensure the CodeAnt API endpoint is accessible from your GitLab runners
Pipeline Not Triggering
  • Check that .gitlab-ci.yml is in the repository root
  • Verify the rules section matches your intended triggers
  • Review CI/CD > Pipelines for error messages
  • Validate the YAML syntax using GitLab’s CI Lint tool (CI/CD > Editor > Validate)

Support

License

This project is licensed under the MIT License - see the LICENSE file for details.

About CodeAnt

CodeAnt provides automated code analysis and security scanning to help developers build secure, high-quality software. Visit codeant.ai to learn more.## Token permission This pipeline authenticates with a CodeAnt API token (cdt_…). If the token is scoped, give it the Codeant CI/CD role - it covers scans, quality gates, and test-coverage upload - scoped to the repositories this pipeline runs on (or All repositories). A token missing the required permission is rejected with an HTTP 403 token_scope_forbidden error that names the permission it needs. See API token permissions.