# GitLab CI

Drop vulkro into a GitLab pipeline as a test-stage job that publishes JUnit so findings render in the MR's test-report tab.

## Minimal pipeline
`.gitlab-ci.yml`:

```yaml
vulkro:
  stage: test
  image: ubuntu:24.04
  script:
    # The stock ubuntu image ships without curl, so install it first.
    - apt-get update && apt-get install -y --no-install-recommends curl ca-certificates
    - curl -fsSL https://dist.vulkro.com/install.sh | bash
    - vulkro scan . --format junit > vulkro-junit.xml
    - vulkro scan . --min-confidence high
  artifacts:
    when: always
    reports:
      junit: vulkro-junit.xml
    paths:
      - vulkro-junit.xml
    expire_in: 30 days
```
The two `vulkro scan` calls are intentional:

- The first run produces JUnit (it always succeeds because we don't gate on its exit code); the `reports.junit` artefact path makes it light up in the MR UI.
- The second run is the gate.
## Caching the binary

```yaml
vulkro:
  stage: test
  image: ubuntu:24.04
  cache:
    key: vulkro-v0.3.0
    paths:
      - .vulkro-cache/
  before_script:
    # The stock ubuntu image ships without curl, so install it first.
    - apt-get update && apt-get install -y --no-install-recommends curl ca-certificates
    - mkdir -p .vulkro-cache
    - export VULKRO_BIN_DIR="$CI_PROJECT_DIR/.vulkro-cache"
    - export PATH="$VULKRO_BIN_DIR:$PATH"
    # Only download the installer when the cached binary is missing.
    - test -x "$VULKRO_BIN_DIR/vulkro" || curl -fsSL https://dist.vulkro.com/install.sh | bash
  script:
    - vulkro scan . --format junit > vulkro-junit.xml
    - vulkro scan . --min-confidence high
```
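Both jobs above run whatever `install.sh` dist.vulkro.com serves at the moment the job executes. As an added example (not part of vulkro's own docs), the helper below downloads the installer to a file, checks it against a pinned SHA-256 before executing it, and keeps the cached-binary short-circuit from the job above. It assumes a `VULKRO_INSTALLER_SHA256` CI variable holding the digest of the installer revision you reviewed, and that `install.sh` honours `VULKRO_BIN_DIR` as the cached job already relies on.

```shell
#!/usr/bin/env bash
# Added example: pin the vulkro installer by checksum instead of curl | bash.
set -eu

INSTALLER_URL="https://dist.vulkro.com/install.sh"
# Placeholder: set VULKRO_INSTALLER_SHA256 in CI to the digest of the
# install.sh revision you reviewed; the default value can never match.
INSTALLER_SHA256="${VULKRO_INSTALLER_SHA256:-REPLACE_WITH_PINNED_SHA256}"

# sha256_of FILE: print the hex digest using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE EXPECTED: exit 0 only if the digest matches exactly.
verify_checksum() {
  local actual
  actual="$(sha256_of "$1")"
  [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED DEST: download, verify, delete on mismatch.
fetch_and_verify() {
  local url="$1" expected="$2" dest="$3"
  curl -fsSL "$url" -o "$dest"
  if ! verify_checksum "$dest" "$expected"; then
    echo "checksum mismatch for $url; refusing to run installer" >&2
    rm -f "$dest"
    return 1
  fi
}

# install_vulkro: skip when the cached binary exists (same check as the job),
# otherwise fetch, verify and run the installer into VULKRO_BIN_DIR.
install_vulkro() {
  local bin_dir="${VULKRO_BIN_DIR:-$CI_PROJECT_DIR/.vulkro-cache}"
  mkdir -p "$bin_dir"
  if [ -x "$bin_dir/vulkro" ]; then
    return 0
  fi
  local tmp
  tmp="$(mktemp)"
  fetch_and_verify "$INSTALLER_URL" "$INSTALLER_SHA256" "$tmp"
  VULKRO_BIN_DIR="$bin_dir" bash "$tmp"
  rm -f "$tmp"
}
```

Call `install_vulkro` from `before_script` in place of the bare `curl | bash` line; a mismatched digest fails the job before anything is executed.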
## SARIF artefact (for external dashboards)

GitLab doesn't natively render SARIF in MRs, but the artefact is useful for downstream consumers:

```yaml
  script:
    - vulkro scan . --format sarif > vulkro.sarif
  artifacts:
    paths:
      - vulkro.sarif
```
## Air-gapped runner

```yaml
vulkro:
  variables:
    VULKRO_OFFLINE: "1"
    VULKRO_CDN_BASE_URL: "https://artifacts.internal/vulkro-cve"
  before_script:
    - curl -fsSL https://artifacts.internal/vulkro/install.sh | bash
```