
CodeAnt CI Scan for GitLab

A GitLab CI/CD configuration to run CodeAnt security and code quality analysis on your repository.

Features

  • 🧠 Automated security and code quality scanning
  • 🔍 Deep vulnerability and dependency analysis
  • 📊 Comprehensive reports and actionable insights
  • ⚡ Fast setup - integrate in under a minute
  • 🔄 Supports push, merge requests, and default branch commits
Add this to your project’s .gitlab-ci.yml file:
include:
  - remote: 'https://gitlab.com/codeant-pipelines/ci-scan-gitlab/-/raw/main/.gitlab-ci.yml'

variables:
  ACCESS_TOKEN: "$ACCESS_TOKEN"        # Required - set this in GitLab CI/CD Variables
  INCLUDE_PATHS: "src/,lib/"           # Optional
  EXCLUDE_PATHS: "tests/,docs/"        # Optional
  SCAN_TIMEOUT: "600"                  # Optional (default 300 seconds)

This will automatically run the codeant_scan job defined in the shared CodeAnt pipeline template.

Setup Guide

1. Get Your CodeAnt Access Token

  1. Sign up or log in to CodeAnt
  2. Navigate to your Account Settings > Personal Access Tokens
  3. Click Generate Token
  4. Copy the token

2. Add Token to GitLab CI/CD Variables

  1. Go to Settings > CI/CD > Variables
  2. Click Add Variable
  3. Fill in the details:
    • Key: ACCESS_TOKEN
    • Value: your CodeAnt token
    • Protect variable: Yes (Recommended)
    • Mask variable: Yes (Recommended)
  4. Click Add Variable

3. Commit and Push

Once your .gitlab-ci.yml file includes the CodeAnt template, push it to your repository. Your next push, merge request, or main branch commit will automatically trigger a scan.

Advanced Usage

You can customize how CodeAnt scans your repository by overriding variables:
include:
  - remote: 'https://gitlab.com/codeant-pipelines/ci-scan-gitlab/-/raw/main/.gitlab-ci.yml'

variables:
  ACCESS_TOKEN: "$ACCESS_TOKEN"
  API_BASE: "https://api.codeant.ai"    # Change if self-hosted
  INCLUDE_PATHS: "src/,backend/"
  EXCLUDE_PATHS: "tests/,vendor/"
  SCAN_TIMEOUT: "900"                   # Timeout in seconds

Example Configurations

Scan on Push and Merge Requests (Default)

codeant_scan:
  # ... configuration
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_PIPELINE_SOURCE == "push"

Scan Only on Main Branch and Merge Requests

codeant_scan:
  # ... configuration
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Scheduled Daily Scan

Create a scheduled pipeline in CI/CD > Schedules and use:
codeant_scan:
  # ... configuration
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"

Scan Specific Directories

codeant_scan:
  image: alpine:latest
  variables:
    API_BASE: "https://api.codeant.ai"
    INCLUDE_PATHS: "src/,backend/"
    EXCLUDE_PATHS: "src/tests/,backend/vendor/"
  # ... rest of configuration

Using a Self-Hosted CodeAnt Instance

codeant_scan:
  image: alpine:latest
  variables:
    API_BASE: "https://codeant.your-company.com"
    INCLUDE_PATHS: ""
    EXCLUDE_PATHS: ""
  # ... rest of configuration

Increasing Scan Timeout

For large repositories that need more time to complete analysis:
codeant_scan:
  image: alpine:latest
  timeout: 15m  # GitLab job timeout (prevents job from running too long)
  variables:
    API_BASE: "https://api.codeant.ai"
    SCAN_TIMEOUT: "600"  # Scan script timeout in seconds (10 minutes)
    INCLUDE_PATHS: ""
    EXCLUDE_PATHS: ""
  # ... rest of configuration

Timeout Options:
  • timeout: 15m - GitLab CI job timeout (format: 30s, 5m, 1h, 2h 30m)
  • SCAN_TIMEOUT: "600" - CodeAnt scan timeout in seconds (default: 300)
Recommended Values:
  • Small repos (< 1000 files): SCAN_TIMEOUT: "300" (5 minutes)
  • Medium repos (1000-5000 files): SCAN_TIMEOUT: "600" (10 minutes)
  • Large repos (>5000 files): SCAN_TIMEOUT: "900" (15 minutes)

Multi-Stage Pipeline

Integrate CodeAnt scan with other pipeline stages:
stages:
  - security
  - test
  - build
  - deploy

codeant_scan:
  stage: security
  image: alpine:latest
  variables:
    API_BASE: "https://api.codeant.ai"
  before_script:
    - apk add --no-cache curl bash python3
  script:
    - |
      curl -sS -X GET "${API_BASE}/analysis/ci/scan/script/get" \
        --output start_scan.sh.b64
      if [ "$API_BASE" = "https://api.codeant.ai" ]; then
        base64 -d start_scan.sh.b64 > start_scan.sh
      else
        mv start_scan.sh.b64 start_scan.sh
      fi
      chmod +x start_scan.sh
      bash start_scan.sh \
        -a "$ACCESS_TOKEN" \
        -r "$CI_PROJECT_PATH" \
        -c "$CI_COMMIT_SHA" \
        -b "$CI_COMMIT_REF_NAME" \
        -s gitlab \
        -i "$INCLUDE_PATHS" \
        -e "$EXCLUDE_PATHS"
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

unit_tests:
  stage: test
  script:
    - npm test

build_app:
  stage: build
  script:
    - npm run build

deploy_production:
  stage: deploy
  script:
    - ./deploy.sh
  only:
    - main
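The script step above downloads start_scan.sh with a plain curl -sS (no --fail), so an HTTP error body would be saved to disk and then handed to base64 -d or straight to bash. The following is an added example, not part of the CodeAnt template or project: a fetch-and-decode helper that keeps the template's branching (base64 payload for https://api.codeant.ai, raw script for a self-hosted instance) but refuses to make the file executable unless it actually looks like a shell script. decode_scan_script and fetch_scan_script are this example's own names; the download path is the one the template uses.

```shell
#!/bin/sh
# Added example (not part of the CodeAnt template): prepare the downloaded
# scan script the way the template's script step does, but validate the
# payload before it can be executed. Function names are this example's own.

# decode_scan_script SRC DST API_BASE
# Writes the executable script to DST; returns 1 if the payload is unusable.
decode_scan_script() {
    src="$1"; dst="$2"; api_base="$3"

    # An empty download usually means the API URL was wrong or blocked.
    if [ ! -s "$src" ]; then
        echo "preflight: downloaded script is empty" >&2
        return 1
    fi

    if [ "$api_base" = "https://api.codeant.ai" ]; then
        # The hosted API returns the script base64-encoded.
        if ! base64 -d "$src" > "$dst" 2>/dev/null; then
            echo "preflight: payload is not valid base64" >&2
            rm -f "$dst"
            return 1
        fi
    else
        # Self-hosted instances serve the plain script.
        cp "$src" "$dst"
    fi

    # An HTML error page or a JSON error body must never be executed:
    # require a shebang on the first line before marking the file executable.
    first_line=$(head -n 1 "$dst")
    case "$first_line" in
        "#!"*) ;;
        *)
            echo "preflight: decoded payload does not start with a shebang" >&2
            rm -f "$dst"
            return 1 ;;
    esac
    chmod +x "$dst"
    return 0
}

# fetch_scan_script API_BASE DST: download and validate in one step.
# --fail makes curl exit non-zero on HTTP 4xx/5xx instead of saving the error
# body, and --max-time bounds a hung connection.
fetch_scan_script() {
    api_base="$1"; dst="$2"
    tmp=$(mktemp) || return 1
    if ! curl -sS --fail --max-time 30 \
            "${api_base}/analysis/ci/scan/script/get" --output "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    decode_scan_script "$tmp" "$dst" "$api_base"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

In a job, the curl, base64 and chmod lines of the template's script step would be replaced by `fetch_scan_script "$API_BASE" start_scan.sh || exit 1`, with the `bash start_scan.sh ...` invocation left unchanged. decode_scan_script works on a file that is already on disk, so the validation logic can be exercised offline without contacting the API.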

GitLab CI Variables Used

The configuration automatically uses these GitLab predefined variables:
  • CI_PROJECT_PATH - Full path of the repository (e.g., group/project)
  • CI_COMMIT_SHA - The commit SHA being analyzed
  • CI_COMMIT_REF_NAME - The branch or tag name
  • CI_PIPELINE_SOURCE - The source of the pipeline trigger
  • CI_DEFAULT_BRANCH - The default branch of the project

Troubleshooting

Authentication Errors
  • Ensure your ACCESS_TOKEN is correctly set in CI/CD variables
  • Verify the token hasn’t expired
  • Check that the token has the necessary permissions
  • Confirm the variable is exposed to the job: a protected variable is only available to pipelines on protected branches and tags, so a scan on an unprotected feature branch or merge request will see an empty ACCESS_TOKEN
Scan Failures
  • Verify your repository is accessible
  • Check that the API base URL is correct
  • Review the pipeline logs for specific error messages
  • Ensure GitLab runners can access the CodeAnt API endpoint
Script Download Issues
  • Verify the API_BASE URL is correct
  • Check network connectivity and firewall rules
  • Ensure the CodeAnt API endpoint is accessible from your GitLab runners
Pipeline Not Triggering
  • Check that .gitlab-ci.yml is in the repository root
  • Verify the rules section matches your intended triggers
  • Review CI/CD > Pipelines for error messages
  • Validate the YAML syntax using GitLab’s CI Lint tool (CI/CD > Editor > Validate)
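Most of the conditions listed above (an empty or withheld token, a malformed API base, a missing commit reference) only surface as an opaque failure of start_scan.sh deep in the job log. The following is an added example, not part of the CodeAnt project: a preflight function that checks the values the template passes to start_scan.sh (-a, -r, -c, -b) before anything is downloaded and reports every problem it finds at once. codeant_preflight is a hypothetical name and the checks are this example's own.

```shell
#!/bin/sh
# Added example (not part of the CodeAnt template): validate the scan inputs
# before the script download so a misconfiguration fails with a clear message.

# codeant_preflight ACCESS_TOKEN API_BASE PROJECT_PATH COMMIT_SHA REF_NAME
# Prints one line per problem to stderr; returns the number of problems (0 = ok).
codeant_preflight() {
    token="$1"; api_base="$2"; project="$3"; sha="$4"; ref="$5"
    problems=0

    # Empty token: the variable is unset, or it is protected while this
    # pipeline runs on an unprotected branch, so GitLab withholds it from the job.
    if [ -z "$token" ]; then
        echo "preflight: ACCESS_TOKEN is empty (check CI/CD variables and the Protect setting)" >&2
        problems=$((problems + 1))
    fi

    # The API base must be an https URL without a trailing slash; with one,
    # the download URL built as "${API_BASE}/analysis/..." contains "//".
    case "$api_base" in
        https://*/)
            echo "preflight: API_BASE must not end with '/'" >&2
            problems=$((problems + 1)) ;;
        https://*) ;;
        *)
            echo "preflight: API_BASE must be an https:// URL" >&2
            problems=$((problems + 1)) ;;
    esac

    # CI_PROJECT_PATH is of the form group/project.
    case "$project" in
        */*) ;;
        *)
            echo "preflight: CI_PROJECT_PATH '$project' is not group/project" >&2
            problems=$((problems + 1)) ;;
    esac

    # CI_COMMIT_SHA is a 40-character lowercase hex digest.
    if ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "preflight: CI_COMMIT_SHA '$sha' is not a 40-hex commit id" >&2
        problems=$((problems + 1))
    fi

    if [ -z "$ref" ]; then
        echo "preflight: CI_COMMIT_REF_NAME is empty" >&2
        problems=$((problems + 1))
    fi

    return "$problems"
}

# In the job's before_script, pass the same values the template hands to start_scan.sh:
#   codeant_preflight "$ACCESS_TOKEN" "$API_BASE" "$CI_PROJECT_PATH" \
#       "$CI_COMMIT_SHA" "$CI_COMMIT_REF_NAME" || exit 1
```

Because the function counts problems rather than stopping at the first one, a single failed pipeline shows everything that needs fixing; the return value is non-zero whenever at least one check fails, so `|| exit 1` is enough to stop the job.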

Support

License

This project is licensed under the MIT License - see the LICENSE file for details.

About CodeAnt

CodeAnt provides automated code analysis and security scanning to help developers build secure, high-quality software. Visit codeant.ai to learn more.