GitLab CI/CD Configuration

Add the following to your .gitlab-ci.yml. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues:

stages:
  - quality-gate

variables:
  # Define ACCESS_TOKEN in CI/CD -> Variables (protected, masked)
  ACCESS_TOKEN: "${ACCESS_TOKEN}"
  API_BASE: "https://api.codeant.ai"

quality_gate_scan:
  stage: quality-gate
  image: ubuntu:latest
  before_script:
    # ca-certificates is needed for the HTTPS fetch below
    - apt-get update -q && apt-get install -y curl ca-certificates
  script:
    - echo "📥 Fetching quality gates script..."
    # --fail turns a 4xx/5xx response into a job failure here, instead of
    # saving an error page that base64 then fails on with a confusing message
    - |
      curl -sS --fail -X GET "${API_BASE}/analysis/ci/quality-gates/script/get" \
        --output quality_gates.sh.b64

    - echo "⚙️  Making script executable"
    - base64 -d quality_gates.sh.b64 > quality_gates.sh
    - chmod +x quality_gates.sh

    - echo "🚀 Starting Quality Gate Scan"
    # Block scalars (|) keep the backslash line continuations intact; a plain
    # multi-line YAML scalar folds the lines into one and passes the backslash
    # through to the shell as a stray argument
    - |
      ./quality_gates.sh \
        -a "$ACCESS_TOKEN" \
        -r "$CI_PROJECT_PATH" \
        -c "$CI_COMMIT_SHA" \
        -s gitlab \
        -o start
    - echo "Quality gate scan initiated successfully"

    - echo "🔍 Polling for Quality Gate Results"
    - |
      ./quality_gates.sh \
        -a "$ACCESS_TOKEN" \
        -r "$CI_PROJECT_PATH" \
        -c "$CI_COMMIT_SHA" \
        -s gitlab \
        -o results \
        -t 300 \
        -p 15

  after_script:
    - |
      if [ "$CI_JOB_STATUS" = "success" ]; then
        echo "✅ Quality Gate PASSED - No secrets detected"
      else
        echo "❌ Quality Gate FAILED - Secrets detected or scan error"
        exit 1
      fi
  rules:
    - if: '$CI_PIPELINE_SOURCE == "push"'

Important:
  • In Settings → CI/CD → Variables, add a protected and masked variable named ACCESS_TOKEN with your GitLab Personal Access Token or project access token.
  • The quality gate will fail your pipeline if secrets are detected in the changed code.

How it works

  1. Download script
    We fetch the quality gates script (quality_gates.sh) from the CodeAnt API endpoint.
  2. Start scan
    The script initiates a quality gate scan for your commit using the -o start operation.
  3. Poll for results
    The script polls for scan results using the -o results operation with:
    • Timeout: 300 seconds (5 minutes)
    • Poll interval: 15 seconds
  4. Pipeline feedback
    • Success: Quality gate passes if no secrets are detected
    • Failure: Quality gate fails if secrets are found, blocking the pipeline
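The polling step described above, as an added example that is not CodeAnt's quality_gates.sh: the "-o results" request is stood in for by fetch_status, which reads a constructed state file so the loop runs offline. The attempt arithmetic (timeout divided by poll interval) and the exit codes are this example's own assumptions about how the real script behaves, not a description of it.

```shell
#!/usr/bin/env bash
# Added example (not CodeAnt's quality_gates.sh): a poll-with-timeout loop in
# the shape the -t (timeout) and -p (poll interval) options describe.
set -u

# fetch_status: stand-in for the remote "-o results" call. It reads a
# constructed state file holding "<pending polls remaining> <final verdict>"
# and answers "pending" until the countdown reaches zero, then the verdict.
fetch_status() {
  local state_file=$1 remaining verdict
  read -r remaining verdict < "$state_file"
  if [ "$remaining" -gt 0 ]; then
    echo "$((remaining - 1)) $verdict" > "$state_file"
    echo pending
  else
    echo "$verdict"
  fi
}

# poll_results TIMEOUT INTERVAL STATE_FILE
# Polls at most TIMEOUT/INTERVAL times, INTERVAL seconds apart.
# Exit codes (assumed for this example): 0 = passed, 1 = failed (secrets found),
# 2 = timed out, 3 = bad arguments.
poll_results() {
  local timeout=$1 interval=$2 state_file=$3 attempts attempt status
  [ "$interval" -ge 1 ] && [ "$timeout" -ge "$interval" ] || return 3
  attempts=$((timeout / interval))
  attempt=1
  while [ "$attempt" -le "$attempts" ]; do
    status=$(fetch_status "$state_file")
    case $status in
      passed)  echo "Quality gate PASSED after $attempt poll(s)"; return 0 ;;
      failed)  echo "Quality gate FAILED after $attempt poll(s)"; return 1 ;;
      pending) ;;
      *)       echo "Unexpected status: $status"; return 1 ;;
    esac
    attempt=$((attempt + 1))
    # sleep only between polls, not after the last one
    [ "$attempt" -le "$attempts" ] && sleep "$interval"
  done
  echo "Timed out after ${timeout}s without a verdict"
  return 2
}

# Stand-alone run: two "pending" answers, then "passed", with a 1-second
# interval so it finishes quickly. The pipeline above uses 300 and 15.
state=$(mktemp)
echo "2 passed" > "$state"
poll_results 10 1 "$state"
rm -f "$state"
```

Timing out returns a distinct code from a failed gate, which is what lets a pipeline tell "scan error" apart from "secrets detected" instead of collapsing both into a generic failure.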

Script Parameters

The quality_gates.sh script accepts the following parameters:

  • -a, --access-token (required): GitLab Personal Access Token or project token. Example: $ACCESS_TOKEN
  • -r, --repo (required): Project path in the format group/project. Example: $CI_PROJECT_PATH
  • -c, --commit-id (required): Commit SHA to scan. Example: $CI_COMMIT_SHA
  • -s, --service (required): VCS provider. Example: gitlab
  • -o, --operation (required): Operation to perform (start or results). Example: start or results
  • -t, --timeout (optional): Timeout in seconds for polling (default: 300). Example: 300
  • -p, --poll-interval (optional): Poll interval in seconds (default: 15). Example: 15
  • -u, --base-url (optional): Base URL for a self-hosted GitLab instance. Example: https://gitlab.com

Quality Gate Checks

Currently, the quality gate performs the following checks:

Secret Detection

  • Scans for hardcoded secrets, API keys, passwords, and tokens
  • Analyzes only the changed lines since your merge base commit
  • Uses high-confidence detection to minimize false positives
  • Blocks the pipeline if any secrets are found
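Added example, not CodeAnt's detector, of what "analyzes only the changed lines" and "high-confidence detection" mean in practice: it reads a unified diff, looks only at added lines, and matches a few narrow token formats (fixed prefix plus fixed length) so that ordinary code rarely trips it. The pattern list, the SAMPLE_DIFF and CLEAN_DIFF inputs, and the note about CI_MERGE_REQUEST_DIFF_BASE_SHA in the comments are this example's assumptions; the sample values are constructed (the AKIA one is the placeholder AWS uses in its own documentation).

```shell
#!/usr/bin/env bash
# Added example (not CodeAnt's scanner): scan only the lines a diff adds for a
# few high-confidence secret formats, and report matches masked.
set -u

# Deliberately narrow patterns (prefix + fixed length) to keep false positives
# low; extend for your own token formats. Assumed list, not the vendor's.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|glpat-[A-Za-z0-9_-]{20}|ghp_[A-Za-z0-9]{36}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'

# scan_added_lines: reads a unified diff on stdin, prints "file:line: <masked
# line>" for each added line that matches, and returns 1 if anything matched
# (0 otherwise) so a pipeline step can fail on it.
# In a merge request pipeline the diff would come from something like
#   git diff "$CI_MERGE_REQUEST_DIFF_BASE_SHA" HEAD | scan_added_lines
# (assumed usage; CI_MERGE_REQUEST_DIFF_BASE_SHA is a GitLab-provided variable).
scan_added_lines() {
  local file="" line=0 found=0 l masked
  while IFS= read -r l; do
    case $l in
      '+++ '*) file=${l#+++ }; file=${file#b/} ;;
      '@@ '*)  # new-file start line follows the '+' in the hunk header
        line=${l#*+}; line=${line%%[ ,]*} ;;
      '+'*)
        if printf '%s\n' "${l#+}" | grep -Eq -e "$SECRET_PATTERNS"; then
          masked=$(printf '%s\n' "${l#+}" | sed -E "s/($SECRET_PATTERNS)/[REDACTED]/g")
          printf '%s:%s: %s\n' "$file" "$line" "$masked"
          found=1
        fi
        line=$((line + 1)) ;;
      '-'*) ;;                   # removed lines do not advance the new-file counter
      *) line=$((line + 1)) ;;   # context lines
    esac
  done
  return $found
}

# Constructed sample diffs: one introduces two token-shaped strings, one is clean.
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITLAB_TOKEN = "glpat-EXAMPLE_not_a_real_1"
+DEBUG = True
 print("ok")'

CLEAN_DIFF='--- a/app.py
+++ b/app.py
@@ -1 +1,2 @@
 x = 1
+y = 2'

# Stand-alone run: report the way the pipeline step would.
if printf '%s\n' "$SAMPLE_DIFF" | scan_added_lines; then
  echo "No secrets in added lines"
else
  echo "Secrets found in added lines: failing the job"
fi
```

Only added lines are inspected, so a secret that already exists on the base branch is not reported by this check; that matches the behaviour described above and is why an initial full-history scan is a separate concern.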

Best Practices

  1. Run on all branches: Quality gates should run on every push to catch issues early
  2. Block merges: Configure merge request approval rules to require quality gate checks before merging
  3. Review failures: When quality gates fail, review the detected issues immediately
  4. Keep tokens secure: Never commit access tokens directly - always use GitLab CI/CD Variables
  5. Use protected variables: Mark your ACCESS_TOKEN as both protected and masked

Troubleshooting

Quality gate times out

If the scan takes longer than expected:
  • Increase the timeout using -t 600 (10 minutes)
  • Check if the CodeAnt service is operational

Authentication failures

If you see “Access token invalid”:
  • Verify your ACCESS_TOKEN variable is correctly configured in Settings → CI/CD → Variables
  • Ensure the token has appropriate project permissions (api, read_repository scopes)
  • Check that the variable is available to your pipeline (not restricted to protected branches only)

No results returned

If the scan completes but returns no results:
  • Check that quality gates are enabled for your repository in CodeAnt
  • Verify the commit SHA is correct using echo $CI_COMMIT_SHA
  • Ensure your project path format is correct (group/project)

Pipeline fails immediately

If the pipeline fails before scanning:
  • Check that curl is available in your image (install with apt-get install -y curl)
  • Verify the API endpoint is accessible from your GitLab runners
  • Check GitLab CI/CD variable configuration and permissions

Advanced Configuration

Custom GitLab Instance

For self-hosted GitLab instances, specify your base URL:

script:
  # block scalar (|) keeps the backslash line continuations intact
  - |
    ./quality_gates.sh \
      -a "$ACCESS_TOKEN" \
      -r "$CI_PROJECT_PATH" \
      -c "$CI_COMMIT_SHA" \
      -s gitlab \
      -u "https://gitlab.example.com" \
      -o start

Conditional Execution

Run quality gates only on specific branches:

quality_gate_scan:
  # ... other configuration ...
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
    - if: '$CI_COMMIT_BRANCH =~ /^feature\/.*/'
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'

With quality gates in place, every push will automatically be scanned for security issues, helping you maintain code security and compliance standards across your GitLab projects.