Integrate Code Pathfinder into your GitLab CI pipelines for automated security scanning with Security Dashboard integration.
## Quick Start

Add this to your `.gitlab-ci.yml`:

```yaml
stages:
  - security

security-scan:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  script:
    - pathfinder scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file pathfinder-results.sarif
  artifacts:
    reports:
      sast: pathfinder-results.sarif
    paths:
      - pathfinder-results.sarif
    when: always
```
## Configuration Options

All `pathfinder scan` command-line options are available; pass them as flags on the `script` line of the job.

### Rule Sources

- `--rules`: path to a local Python SDK rules file or directory, e.g. `--rules python-sdk/examples/owasp_top10.py`
- `--ruleset`: remote ruleset(s) from the registry, comma-separated for multiple, e.g. `--ruleset python/deserialization,docker/security`

### Scan Configuration

- `--project`: path to the source code to scan
- Skip scanning test files

### Output Options

- `--output`: output format: `sarif`, `json`, `csv`, or `text`
- `--output-file`: output file path
- `--fail-on`: fail the build on the listed severities: `critical`, `high`, `medium`, `low` (comma-separated)

### Advanced Options

- `--verbose`: enable verbose output with progress and statistics
- `--debug`: enable debug diagnostics with timestamps
- `--refresh-rules`: force a refresh of cached rulesets (bypasses the cache)
- Disable anonymous usage metrics collection
## Common Use Cases

Scan Python projects for deserialization, Django, and Flask vulnerabilities:

```yaml
security-scan:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  script:
    - pathfinder scan --project . --ruleset python/deserialization,python/django,python/flask --fail-on critical,high --output sarif --output-file results.sarif
  artifacts:
    reports:
      sast: results.sarif
```
Scan Dockerfiles and docker-compose files:

```yaml
security-scan:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  script:
    - pathfinder scan --project . --ruleset docker/security,docker/best-practice --verbose --output sarif --output-file results.sarif
  artifacts:
    reports:
      sast: results.sarif
```
Scan specific directories in a monorepo:

```yaml
stages:
  - security

scan-backend:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  script:
    - pathfinder scan --project ./backend --ruleset python/deserialization --output sarif --output-file backend-results.sarif
  artifacts:
    reports:
      sast: backend-results.sarif

scan-infrastructure:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  script:
    - pathfinder scan --project ./infrastructure --ruleset docker/security --output sarif --output-file infra-results.sarif
  artifacts:
    reports:
      sast: infra-results.sarif
```
Block pipelines if critical or high severity issues are found:

```yaml
security-scan:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  script:
    - pathfinder scan --project . --ruleset python/deserialization,docker/security --fail-on critical,high --output sarif --output-file results.sarif
  artifacts:
    reports:
      sast: results.sarif
    when: always
  allow_failure: false
```
## GitLab Security Dashboard Integration

GitLab automatically displays SARIF reports in the Security Dashboard when you use `artifacts.reports.sast`:

```yaml
security-scan:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  script:
    - pathfinder scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file gl-sast-report.sarif
  artifacts:
    reports:
      sast: gl-sast-report.sarif # GitLab parses this automatically
    when: always
```

:::tip[GitLab Security Dashboard]
Use the `artifacts.reports.sast` key to integrate with GitLab's Security Dashboard. Findings will appear in merge requests and the Security tab.
:::
## Merge Request Integration

Show security findings directly in merge requests:

```yaml
security-scan:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - pathfinder scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file results.sarif
  artifacts:
    reports:
      sast: results.sarif
```
## Scheduled Scans

Run security scans on a schedule:

```yaml
security-scan:
  stage: security
  image:
    name: shivasurya/code-pathfinder:stable-latest
    entrypoint: [""]
  script:
    - pathfinder scan --project . --ruleset python/deserialization,docker/security --output sarif --output-file results.sarif
  artifacts:
    reports:
      sast: results.sarif
  only:
    - schedules
    - merge_requests
    - main
```
## Output Formats

### SARIF (GitLab Security Dashboard)

GitLab-compatible format for security alerts:

```yaml
script:
  - pathfinder scan --project . --ruleset python/deserialization --output sarif --output-file results.sarif
artifacts:
  reports:
    sast: results.sarif
```
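The SARIF artifact can also be consumed by a later pipeline stage, for example to print a per-severity summary in the job log or to apply the same kind of gate that `--fail-on critical,high` applies inside the scanner. The script below is an added example and is not part of Code Pathfinder or its documentation; it relies only on the standard SARIF 2.1.0 layout (`runs[].results[].ruleId`, `level`, `locations`). The `properties.severity` key it reads first is an assumption about how a scanner might label results, and the fallback mapping from SARIF `level` to the severity names used by `--fail-on` is likewise an assumption; the sample report and its rule IDs are constructed for the example.

```python
"""Post-process a SARIF report produced by a scan job (added example).

Assumes only the SARIF 2.1.0 structure. The `properties.severity` key and
the level-to-severity fallback table are assumptions, not Code Pathfinder
behaviour; the embedded report is constructed sample data.
"""
import json
from collections import Counter

# Constructed sample SARIF report: shape follows SARIF 2.1.0, contents are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "code-pathfinder"}},
        "results": [
            {"ruleId": "python/deserialization/pickle-load",   # hypothetical rule id
             "level": "error",
             "properties": {"severity": "critical"},           # assumed severity key
             "message": {"text": "pickle.loads() on untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "backend/api.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "docker/security/run-as-root",          # hypothetical rule id
             "level": "warning",                               # no severity key: fallback
             "message": {"text": "container runs as root"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Dockerfile"},
                 "region": {"startLine": 1}}}]},
            {"ruleId": "docker/best-practice/pin-version",     # hypothetical rule id
             "level": "note",
             "message": {"text": "base image tag not pinned"},
             "locations": []},                                 # no location at all
        ],
    }],
})

# Assumed fallback from SARIF level to the severity names --fail-on understands.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def severity_of(result):
    """Severity of one result: assumed properties.severity first, else mapped from level."""
    sev = (result.get("properties") or {}).get("severity")
    if sev:
        return sev.lower()
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def load_findings(sarif_text):
    """Flatten every run into (severity, ruleId, uri, line) tuples.

    Results without a location are kept (uri "<unknown>", line 0) so that a
    finding is never silently dropped from the gate decision.
    """
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append((severity_of(result), result.get("ruleId", "<no-rule>"), uri, line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 1, 'medium': 1, 'low': 1}."""
    return dict(Counter(sev for sev, *_ in findings))


def should_fail(findings, fail_on):
    """Mirror --fail-on: True when any finding's severity is in the comma-separated gate list."""
    gate = {s.strip().lower() for s in fail_on.split(",") if s.strip()}
    return any(sev in gate for sev, *_ in findings)


if __name__ == "__main__":
    import sys
    # Usage: python sarif_gate.py results.sarif   (falls back to the sample report)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SARIF
    findings = load_findings(text)
    for sev, rule, uri, line in findings:
        print(f"{sev:<8} {rule:<40} {uri}:{line}")
    print("summary:", summarize(findings))
    sys.exit(1 if should_fail(findings, "critical,high") else 0)
```

Run it in a job that declares the scan job as a dependency so the artifact is available, and keep `allow_failure: false` on that job if its exit status is meant to block the pipeline. The script exits non-zero on the same severities the scanner's `--fail-on critical,high` would, so it can serve as a second gate on a report the Security Dashboard has already ingested.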
### JSON

Machine-readable format for custom processing:

```yaml
script:
  - pathfinder scan --project . --ruleset python/deserialization --output json --output-file scan-results.json
artifacts:
  paths:
    - scan-results.json
```

### CSV

Spreadsheet-friendly format for reporting:

```yaml
script:
  - pathfinder scan --project . --ruleset python/deserialization --output csv --output-file vulnerabilities.csv
artifacts:
  paths:
    - vulnerabilities.csv
```
## Troubleshooting

### No vulnerabilities detected

Enable debug mode to see which rules were loaded and what was scanned:

```yaml
script:
  - pathfinder scan --project . --ruleset python/deserialization --debug --verbose --output sarif --output-file results.sarif
```

### Pipeline timeout

Narrow the scan to specific directories, or raise the job's `timeout`:

```yaml
security-scan:
  timeout: 1h
  script:
    - pathfinder scan --project ./src --ruleset python/deserialization --output sarif --output-file results.sarif
```

### Cache issues with remote rulesets

Force a refresh of the cached rulesets:

```yaml
script:
  - pathfinder scan --project . --ruleset python/deserialization --refresh-rules --output sarif --output-file results.sarif
```