GitLab Runners

To configure how different types of SCM actions trigger a scan in Gomboc, see CI Pipeline Configuration.

Pull request pipeline

GitLab CI/CD can use the following job, which includes the shared job template from the Gomboc-AI project. It triggers a submit-for-review action in the Gomboc CLI for every pull request. You can set the EFFECT variable to preview instead if no pull request is wanted. Please note that with preview, the pipeline will pass regardless of any remediations we find.

# Example of a pipeline that runs on every Pull Request
include:
  - 'https://gitlab.com/gomboc-ai/actions/-/raw/main/action/.gitlab-ci.yml'

stages:
  - example

variables:
  EFFECT: submit-for-review

setup-job:
  stage: example
  extends: .run-scan
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

Scheduled pipeline

The Gomboc CLI command also recognizes scheduled execution, to support detecting remediations in code that become necessary due to changes in IaC modules or improvements in Gomboc remediation coverage. See the GitLab pipeline documentation to set up scheduled pipelines.

If more flexibility is desired, the Docker image can be used directly by setting gombocai/cli:latest as the image value in your .gitlab-ci.yml file. The implementation of the CI/CD can be viewed here. From the image, you may use the gomboc command directly.

# Example of a pipeline that can be run on a schedule
# The 'target_directories' array should be updated to include all directories
# that contain the IaC you want scanned

image:
  name: gombocai/cli:1.0.13
  entrypoint: [""]

stages:
  - build

run-scan:
  id_tokens:
    GL_ID_TOKEN:
      aud: https://gomboc.ai
  stage: build
  variables:
    FORCE_COLOR: 3
  script:
    - |
      target_directories=("." "tf" "terraform")
      gomboc submit-for-review on-schedule --auth-token $GL_ID_TOKEN --target-directories "${target_directories[@]}" --iac cloudformation terraform
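As an added example (not from the Gomboc documentation or project), the two jobs above can live in one .gitlab-ci.yml, with rules that keep the review job on merge requests and restrict the image-based job to schedule-triggered pipelines so it does not also run on every push. The include URL, .run-scan template, EFFECT variable, image tag, id_tokens audience and gomboc command line are taken from this page; the job names, stage name and directory list are assumptions.

```yaml
# Combined pipeline: review scan on merge requests, full scan on a schedule.
include:
  - 'https://gitlab.com/gomboc-ai/actions/-/raw/main/action/.gitlab-ci.yml'

stages:
  - scan

# Review every merge request. Switch EFFECT to 'preview' only if you accept
# that the pipeline then passes regardless of the remediations Gomboc finds.
review-scan:
  stage: scan
  extends: .run-scan
  variables:
    EFFECT: submit-for-review
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

# Scheduled scan using the CLI image directly. The rule limits the job to
# pipelines started by a schedule (assumed job name; GitLab predefined value).
scheduled-scan:
  stage: scan
  image:
    name: gombocai/cli:1.0.13
    entrypoint: [""]
  id_tokens:
    GL_ID_TOKEN:
      aud: https://gomboc.ai
  variables:
    FORCE_COLOR: 3
  rules:
    - if: $CI_PIPELINE_SOURCE == 'schedule'
  script:
    - |
      # Placeholder directory list; replace with the paths that hold your IaC.
      target_directories=("." "tf" "terraform")
      gomboc submit-for-review on-schedule \
        --auth-token "$GL_ID_TOKEN" \
        --target-directories "${target_directories[@]}" \
        --iac cloudformation terraform
```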
