GitLab pipelines

Prelude

GitGuardian's integration with GitLab CI/CD is performed through our CLI application, ggshield.
ggshield is a wrapper around the GitGuardian API for secrets detection; an API key is required for authentication.

Note: If you want to ensure full coverage of your GitLab projects as well as full git history scans and reporting, you may be interested in using GitGuardian's GitLab integration.

Preview

[Image: GitLab pipelines status]

[Image: GitLab pipelines output]

Installation

Service accounts are recommended to run this integration.

Please note that service accounts are only available for workspaces under our Business plan, and their administration is restricted to Managers. If your workspace is under the Free plan, you can still use a personal access token to run this integration.

  1. Create a service account from the API section of your GitGuardian workspace (or a personal access token if you are on the Free plan).
  2. Add this API key to the GITGUARDIAN_API_KEY environment variable in your project settings.

[Image: GitLab CI/CD env]

  3. Add a new step using ggshield to your GitLab project's pipeline.

    stages:
      - scanning

    🦉 gitguardian scan:
      image: gitguardian/ggshield:latest
      stage: scanning
      script: ggshield secret scan ci

Additional notes

For ggshield to scan every commit in a merge request pipeline, the CI must clone the full repository instead of just fetching the branch. The following snippet ensures this behavior.

    variables:
      GIT_STRATEGY: clone
      GIT_DEPTH: 0
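
The two snippets above combined into one `.gitlab-ci.yml`, as an added example that is not taken from the GitGuardian documentation. It scopes the full-clone variables to the scan job only, so other jobs keep their default fetch behavior, and adds a guard that fails the job if the checkout is still shallow. The `before_script` guard is an assumption of this example; it relies on `git` being on the job's PATH, which ggshield itself needs in order to walk commits.

```yaml
stages:
  - scanning

🦉 gitguardian scan:
  # The page uses the :latest tag; pin a tag or digest here if runs must be reproducible.
  image: gitguardian/ggshield:latest
  stage: scanning
  variables:
    # Job-level scope: only this job pays the cost of a full clone.
    GIT_STRATEGY: clone
    GIT_DEPTH: 0
  before_script:
    # Guard added for this example: stop early when history is truncated,
    # since a shallow checkout hides commits from the scan.
    - |
      if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
        echo "Shallow clone detected: ggshield cannot see every commit" >&2
        exit 1
      fi
  script:
    # GITGUARDIAN_API_KEY is read from the project's CI/CD variables (step 2).
    - ggshield secret scan ci
```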