Skip to main content

CodeAnt CI Scan for GitLab

A GitLab CI/CD configuration to run CodeAnt security and code quality analysis on your repository.

Features

  • 🧠 Automated security and code quality scanning
  • 🔍 Deep vulnerability and dependency analysis
  • 📊 Comprehensive reports and actionable insights
  • ⚡ Fast setup - integrate in under a minute
  • 🔄 Supports push, merge requests, and default branch commits
Add this to your project’s .gitlab-ci.yml file: 
include:
  - remote: 'https://gitlab.com/codeant-pipelines/ci-scan-gitlab/-/raw/main/.gitlab-ci.yml'

variables:
  ACCESS_TOKEN_GITLAB: "$ACCESS_TOKEN_GITLAB"        # Required - set this in GitLab CI/CD Variables
  SCANNERS: "sast,sca"                 # Optional (default sast,sca)
  INCLUDE_PATHS: "src/,lib/"           # Optional
  EXCLUDE_PATHS: "tests/,docs/"        # Optional
  SCAN_TIMEOUT: "600"                  # Optional (default 300 seconds)
This will automatically run the codeant_scan job defined in the shared CodeAnt pipeline template.

Setup Guide

1. Create a CodeAnt Token

In CodeAnt AI, go to Settings → API tokens, click Create token, and copy the generated token (it starts with cdt_ and is shown only once). See API Tokens for the full walkthrough. This single token authenticates the scan — you don’t need a GitLab access token.

2. Add Token to GitLab CI/CD Variables

  1. Go to Settings > CI/CD > Variables
  2. Click Add Variable
  3. Fill in the details:
    • Key: ACCESS_TOKEN_GITLAB (this is the variable name the included template reads)
    • Value: your CodeAnt token (cdt_…)
    • Protect variable: Yes (Recommended)
    • Mask variable: Yes (Recommended)
  4. Click Add Variable

3. Commit and Push

Once your .gitlab-ci.yml file includes the CodeAnt template, push it to your repository. Your next push, merge request, or main branch commit will automatically trigger a scan.

Advanced Usage

You can customize how CodeAnt scans your repository by overriding variables: 
include:
  - remote: 'https://gitlab.com/codeant-pipelines/ci-scan-gitlab/-/raw/main/.gitlab-ci.yml'

variables:
  ACCESS_TOKEN_GITLAB: "$ACCESS_TOKEN_GITLAB"
  SCANNERS: "sast,sca"                  # Customize scanners (all, sast, sast,secrets, etc.)
  INCLUDE_PATHS: "src/,backend/"
  EXCLUDE_PATHS: "tests/,vendor/"
  SCAN_TIMEOUT: "900"                   # Timeout in seconds

Scanner Options

🔍 Available Scanners: The SCANNERS variable allows you to customize which security scanners run during analysis:
  • sast - Static Application Security Testing (code vulnerabilities)
  • sca - Software Composition Analysis (dependency vulnerabilities)
  • secrets - Secret detection (API keys, passwords, tokens)
  • antipatterns - Code quality and duplicate code detection
  • iac - Infrastructure as Code security (Terraform, CloudFormation, etc.)
  • all - Run all available scanners
Default: If not specified, runs sast,sca Examples:
  • Run all scanners: SCANNERS: 'all'
  • Only SAST: SCANNERS: 'sast'
  • SAST + Secrets: SCANNERS: 'sast,secrets'
  • Full security suite: SCANNERS: 'sast,sca,secrets,iac'

Example Configurations

Run All Scanners

include:
  - remote: 'https://gitlab.com/codeant-pipelines/ci-scan-gitlab/-/raw/main/.gitlab-ci.yml'

variables:
  ACCESS_TOKEN_GITLAB: "$ACCESS_TOKEN_GITLAB"
  SCANNERS: "all"  # Runs all scanner types

Security-Focused Scan

include:
  - remote: 'https://gitlab.com/codeant-pipelines/ci-scan-gitlab/-/raw/main/.gitlab-ci.yml'

variables:
  ACCESS_TOKEN_GITLAB: "$ACCESS_TOKEN_GITLAB"
  SCANNERS: "sast,secrets"  # Only code vulnerabilities and secret detection

Scan on Push and Merge Requests (Default)

codeant_scan:
  # ... configuration
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_PIPELINE_SOURCE == "push"

Scan Only on Main Branch and Merge Requests

codeant_scan:
  # ... configuration
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Scheduled Daily Scan

Create a scheduled pipeline in CI/CD > Schedules and use: 
codeant_scan:
  # ... configuration
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"

Scan Specific Directories with Security Focus

codeant_scan:
  image: alpine:latest
  variables:
    SCANNERS: "sast,secrets"
    INCLUDE_PATHS: "src/,backend/"
    EXCLUDE_PATHS: "src/tests/,backend/vendor/"
  # ... rest of configuration

Using a Self-Hosted CodeAnt Instance

codeant_scan:
  image: alpine:latest
  variables:
    API_BASE: "https://codeant.your-company.com"
    INCLUDE_PATHS: ""
    EXCLUDE_PATHS: ""
  # ... rest of configuration

Increasing Scan Timeout

For large repositories that need more time to complete analysis: 
codeant_scan:
  image: alpine:latest
  timeout: 15m  # GitLab job timeout (prevents job from running too long)
  variables:
    SCAN_TIMEOUT: "600"  # Scan script timeout in seconds (10 minutes)
    INCLUDE_PATHS: ""
    EXCLUDE_PATHS: ""
  # ... rest of configuration
Timeout Options:
  • timeout: 15m - GitLab CI job timeout (format: 30s, 5m, 1h, 2h 30m)
  • SCAN_TIMEOUT: "600" - CodeAnt scan timeout in seconds (default: 300)
Recommended Values:
  • Samll repos (< 1000 files): SCAN_TIMEOUT: "300" (5 minutes)
  • Medium repos (1000-5000 files): SCAN_TIMEOUT: "600" (10 minutes)
  • Large repos (>5000 files): SCAN_TIMEOUT: "900" (15 minutes)

Multi-Stage Pipeline

Integrate CodeAnt scan with other pipeline stages: 
stages:
  - security
  - test
  - build
  - deploy

codeant_scan:
  stage: security
  image: alpine:latest
  variables:
    API_BASE: "https://api.codeant.ai"
  before_script:
    - apk add --no-cache curl bash python3
  script:
    - |
      curl -sS -X GET "${API_BASE}/analysis/ci/scan/script/get" \
        --output start_scan.sh.b64
      if [ "$API_BASE" = "https://api.codeant.ai" ]; then
        base64 -d start_scan.sh.b64 > start_scan.sh
      else
        mv start_scan.sh.b64 start_scan.sh
      fi
      chmod +x start_scan.sh
      bash start_scan.sh \
        -a "$ACCESS_TOKEN_GITLAB" \
        -r "$CI_PROJECT_PATH" \
        -c "$CI_COMMIT_SHA" \
        -b "$CI_COMMIT_REF_NAME" \
        -s gitlab \
        -i "$INCLUDE_PATHS" \
        -e "$EXCLUDE_PATHS" \
        --scanners "$SCANNERS"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

unit_tests:
  stage: test
  script:
    - npm test

build_app:
  stage: build
  script:
    - npm run build

deploy_production:
  stage: deploy
  script:
    - ./deploy.sh
  only:
    - main

GitLab CI Variables Used

The configuration automatically uses these GitLab predefined variables:
  • CI_PROJECT_PATH - Full path of the repository (e.g., group/project)
  • CI_COMMIT_SHA - The commit SHA being analyzed
  • CI_COMMIT_REF_NAME - The branch or tag name
  • CI_PIPELINE_SOURCE - The source of the pipeline trigger
  • CI_DEFAULT_BRANCH - The default branch of the project

Troubleshooting

Authentication Errors
  • Ensure your ACCESS_TOKEN_GITLAB holds a valid CodeAnt token (cdt_…) that hasn’t been revoked
  • Check that the token belongs to the same organization as the repository
  • Confirm the variable is available (not protected when running on non-protected branches)
Scan Failures
  • Verify your repository is accessible
  • Check that the API base URL is correct
  • Review the pipeline logs for specific error messages
  • Ensure GitLab runners can access the CodeAnt API endpoint
Script Download Issues
  • Verify the API_BASE URL is correct
  • Check network connectivity and firewall rules
  • Ensure the CodeAnt API endpoint is accessible from your GitLab runners
Pipeline Not Triggering
  • Check that .gitlab-ci.yml is in the repository root
  • Verify the rules section matches your intended triggers
  • Review CI/CD > Pipelines for error messages
  • Validate the YAML syntax using GitLab’s CI Lint tool (CI/CD > Editor > Validate)

Support

License

This project is licensed under the MIT License - see the LICENSE file for details.

About CodeAnt

CodeAnt provides automated code analysis and security scanning to help developers build secure, high-quality software. Visit codeant.ai to learn more.