GitLab CI/CD Configuration
Add the following to your `.gitlab-ci.yml`. It triggers on every push to your repository and runs quality gate checks to detect secrets and other security issues:
Important:
- In Settings → CI/CD → Variables, add a protected and masked variable named `ACCESS_TOKEN` containing your GitLab Personal Access Token or project access token.
- The quality gate will fail your pipeline if secrets are detected in the changed code.
How it works
- Download script: the job fetches the quality gates script (`quality_gates.sh`) from the CodeAnt API endpoint.
- Start scan: the script starts a quality gate scan for your commit using the `-o start` operation.
- Poll for results: the script polls for the scan result using the `-o results` operation, with a timeout of 300 seconds (5 minutes) and a poll interval of 15 seconds.
- Pipeline feedback:
  - Success: the quality gate passes if no secrets are detected.
  - Failure: the quality gate fails if secrets are found, blocking the pipeline.
Script Parameters
The `quality_gates.sh` script accepts the following parameters:
| Parameter | Description | Required | Example |
|---|---|---|---|
| `-a`, `--access-token` | GitLab Personal Access Token or project token | Yes | `$ACCESS_TOKEN` |
| `-r`, `--repo` | Project path in the format `group/project` | Yes | `$CI_PROJECT_PATH` |
| `-c`, `--commit-id` | Commit SHA to scan | Yes | `$CI_COMMIT_SHA` |
| `-s`, `--service` | VCS provider | Yes | `gitlab` |
| `-o`, `--operation` | Operation to perform (`start` or `results`) | Yes | `start` or `results` |
| `-t`, `--timeout` | Timeout in seconds for polling (default: 300) | No | `300` |
| `-p`, `--poll-interval` | Poll interval in seconds (default: 15) | No | `15` |
| `-u`, `--base-url` | Base URL of the GitLab instance (optional; needed for self-managed GitLab) | No | `https://gitlab.com` |
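The page does not reproduce the pipeline file itself, so the following `.gitlab-ci.yml` is an added example that wires the steps above together using the documented parameters; it is not CodeAnt's own configuration. The download URL `QUALITY_GATES_URL` is a placeholder (the page only says the script comes from "the CodeAnt API endpoint"), the job and stage names and the base image are arbitrary choices, and the example assumes that `quality_gates.sh` exits non-zero when the gate fails, which is what lets it block the pipeline.

```yaml
stages:
  - quality-gate

codeant_quality_gate:
  stage: quality-gate
  image: ubuntu:22.04
  # Run on every push so a leaked secret is caught before it reaches a merge request.
  rules:
    - if: $CI_PIPELINE_SOURCE == "push"
  variables:
    # Assumed placeholder: replace with the CodeAnt API endpoint that serves the script.
    QUALITY_GATES_URL: "https://<codeant-api-endpoint>/quality_gates.sh"
  before_script:
    - apt-get update -qq && apt-get install -y -qq curl
    # -f makes curl fail on an HTTP error instead of saving an error page that would then be run as a shell script.
    - curl -fsSL "$QUALITY_GATES_URL" -o quality_gates.sh
    - chmod +x quality_gates.sh
  script:
    # A protected variable is not exposed on unprotected branches; fail with a clear message instead of "Access token invalid".
    - if [ -z "$ACCESS_TOKEN" ]; then echo "ACCESS_TOKEN is not set for this pipeline (protected variable on an unprotected branch?)"; exit 1; fi
    # Start the scan for the commit being built.
    - ./quality_gates.sh -a "$ACCESS_TOKEN" -r "$CI_PROJECT_PATH" -c "$CI_COMMIT_SHA" -s gitlab -o start
    # Poll for the verdict; a non-zero exit here (secrets found or timeout) fails the job and blocks the pipeline.
    - ./quality_gates.sh -a "$ACCESS_TOKEN" -r "$CI_PROJECT_PATH" -c "$CI_COMMIT_SHA" -s gitlab -o results -t 300 -p 15
```

On a self-managed GitLab instance add `-u "$CI_SERVER_URL"` to both invocations; `CI_SERVER_URL`, `CI_PROJECT_PATH` and `CI_COMMIT_SHA` are GitLab predefined variables and need no configuration. Keep `ACCESS_TOKEN` out of the YAML entirely and never `echo` it in the job log, even though masking would redact the common case.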
Quality Gate Checks
Currently, the quality gate performs the following checks:
Secret Detection
- Scans for hardcoded secrets, API keys, passwords, and tokens
- Analyzes only the changed lines since your merge base commit
- Uses high-confidence detection to minimize false positives
- Blocks the pipeline if any secrets are found
Best Practices
- Run on all branches: quality gates should run on every push to catch issues early
- Block merges: configure merge request approval rules to require quality gate checks before merging
- Review failures: when a quality gate fails, review the detected issues immediately, and rotate any secret that was committed, since it must be treated as exposed even if the push is rejected
- Keep tokens secure: never commit access tokens directly; always use GitLab CI/CD Variables
- Use protected variables: mark your `ACCESS_TOKEN` as both protected and masked. Note that a protected variable is only exposed to pipelines on protected branches and tags, so if the job should run on all branches either protect those branches or accept that the job will fail with an empty token on unprotected ones
Troubleshooting
Quality gate times out
If the scan takes longer than expected:
- Increase the timeout using `-t 600` (10 minutes)
- Check whether the CodeAnt service is operational
Authentication failures
If you see "Access token invalid":
- Verify that your `ACCESS_TOKEN` variable is correctly configured in Settings → CI/CD → Variables
- Ensure the token has the appropriate project permissions (`api` and `read_repository` scopes) and has not expired
- Check that the variable is actually available to your pipeline: a variable marked protected is only exposed to jobs on protected branches and tags, so a push to an unprotected branch runs the job with `ACCESS_TOKEN` empty
No results returned
If the scan completes but returns no results:
- Check that quality gates are enabled for your repository in CodeAnt
- Verify the commit SHA is correct using `echo $CI_COMMIT_SHA`
- Ensure your project path is in the correct format (`group/project`)
Pipeline fails immediately
If the pipeline fails before scanning:
- Check that `curl` is available in your image (install with `apt-get install -y curl`)
- Verify the API endpoint is accessible from your GitLab runners
- Check the GitLab CI/CD variable configuration and permissions