GitLab CI

Prerequisites

Add the following variables in Settings → CI/CD → Variables of your project:

Variable	Protected	Description
GERION_API_URL	Yes	Gerion API Gateway URL
GERION_API_KEY	Yes (masked)	M2M API key for your organization

Pipelines

Scan → API

Results are sent to the Gerion dashboard. Copy this content into your .gitlab-ci.yml:

stages:
  - security

gerion-scan:
  stage: security
  image: ghcr.io/gerion-appsec/gerion-cli:latest
  needs: []
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - gerion scan-all .

Scan → SARIF

Upload results to GitLab’s Security Dashboard (requires GitLab Ultimate). Findings appear directly in the Merge Request security widget.

stages:
  - security

gerion-scan-sarif:
  stage: security
  image: ghcr.io/gerion-appsec/gerion-cli:latest
  needs: []
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    - gerion scan-all . --format sarif --output-file gerion-results.sarif
  artifacts:
    when: always
    expire_in: 30 days
    paths:
      - gerion-results.sarif
    reports:
      sast: gerion-results.sarif

Note

The reports: sast: field is GitLab-specific. It requires GitLab Ultimate to be displayed in the Security Dashboard. On lower editions, the file is still saved as a downloadable artifact.

Scheduled (nightly)

Configure a scheduled pipeline in Settings → CI/CD → Schedules pointing to custom:nightly.

stages:
  - security

gerion-nightly:
  stage: security
  image: ghcr.io/gerion-appsec/gerion-cli:latest
  needs: []
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - gerion scan-all . --format json --output-file gerion-results.json
  artifacts:
    when: always
    expire_in: 90 days
    paths:
      - gerion-results.json

Reusable template (include)

Instead of copying the YAML into every repository, you can include Gerion’s official template and extend it with your own variables:

include:
  - project: 'gerion-appsec/gerion-cicd-configs'
    file: '/gitlab-ci/gerion-include.yml'
    ref: main

gerion-scan:
  extends: .gerion-scan        # inherits the full base config
  variables:
    GERION_SCAN_TYPE: "secrets" # overrides only the scan type

Available template variables

Variable	Default	Description
GERION_SCAN_TYPE	all	all | secrets | sca | iac | sast
GERION_OUTPUT_FORMAT	""	json | markdown | sarif | empty
GERION_OUTPUT_FILE	""	Output file path
GERION_LOG_LEVEL	info	debug | info | warning | error
GERION_TIMEOUT	180	Timeout per scanner in seconds

For SARIF with automatically configured artifacts, extend .gerion-scan-sarif:

gerion-scan:
  extends: .gerion-scan-sarif

Notes

• Gerion CLI automatically detects GitLab CI variables (GITLAB_CI, CI_PROJECT_NAME, CI_COMMIT_REF_NAME, CI_COMMIT_SHA). No manual metadata configuration needed.
• When using image: in the job, the CLI runs directly as the job container without needing docker run.