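---
# Socket Security GitLab CI Pipeline
# This pipeline runs Socket Security scans on every commit to any branch.
# The CLI automatically detects most information from the git repository.
stages:
  - security-scan

socket-security:
  stage: security-scan
  # NOTE(review): a floating `latest` tag means the scanner image (and the code
  # it runs with your API key) can change underneath you without a pipeline
  # change. Prefer pinning to a release tag plus digest, e.g.
  # `socketdev/cli:<VERSION>@sha256:<DIGEST>` (placeholders), and bump it
  # deliberately.
  image: socketdev/cli:latest
  # Run on all branches and merge requests
  rules:
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  # A job may carry only one `variables:` mapping; the original file declared
  # it twice, and most YAML loaders keep only the last one, silently dropping
  # PIP_CACHE_DIR. All job variables live here.
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # Required for GitLab integration to work properly.
    # SOCKET_SECURITY_API_KEY must be defined as a masked (and ideally
    # protected) CI/CD variable in the project or group settings; never
    # hard-code it here.
    SOCKET_SECURITY_API_KEY: $SOCKET_SECURITY_API_KEY
    # GitLab token for API access - supports both authentication patterns:
    # 1. CI_JOB_TOKEN: Built-in GitLab CI token (automatically uses Bearer auth)
    # 2. Personal Access Token: Custom token (auto-detects Bearer vs PRIVATE-TOKEN)
    GITLAB_TOKEN: $CI_JOB_TOKEN
  cache:
    paths:
      - .cache/pip/
  script:
    # Run Socket CLI with minimal required parameters.
    # The CLI automatically detects:
    # - Repository name from git
    # - Branch name from git
    # - Commit SHA from git (or CI_COMMIT_SHA)
    # - Commit message from git
    # - Committer information from git
    # - Default branch status from GitLab CI environment variables
    # - Changed files from git commit
    # - Merge request number from CI_MERGE_REQUEST_IID
    #
    # Variables are quoted so a project path containing spaces or shell
    # metacharacters is passed as a single argument. On push pipelines
    # CI_MERGE_REQUEST_IID is unset and the PR number falls back to 0.
    - |
      socketcli \
        --target-path "$CI_PROJECT_DIR" \
        --scm gitlab \
        --pr-number "${CI_MERGE_REQUEST_IID:-0}"

# Optional: Run only when manifest files change (more efficient).
# To use this version instead, replace the rules section above with:
#
# rules:
#   - if: $CI_PIPELINE_SOURCE == "push"
#     changes:
#       - "package.json"
#       - "package-lock.json"
#       - "yarn.lock"
#       - "pnpm-lock.yaml"
#       - "requirements.txt"
#       - "Pipfile"
#       - "Pipfile.lock"
#       - "pyproject.toml"
#       - "poetry.lock"
#       - "go.mod"
#       - "go.sum"
#       - "Cargo.toml"
#       - "Cargo.lock"
#       - "composer.json"
#       - "composer.lock"
#       - "Gemfile"
#       - "Gemfile.lock"
#       - "**/*.csproj"
#       - "**/*.fsproj"
#       - "**/*.vbproj"
#       - "packages.config"
#       - "paket.dependencies"
#       - "project.json"
#   - if: $CI_PIPELINE_SOURCE == "merge_request_event"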