
Integrate vet with Gitlab CI/CD Catalog as a Component #314

Open
abhisek opened this issue Jan 23, 2025 · 9 comments
@abhisek
Member

abhisek commented Jan 23, 2025

Gitlab launched CI/CD catalog:
https://about.gitlab.com/blog/2023/12/21/introducing-the-gitlab-ci-cd-catalog-beta/

To be able to integrate with Gitlab CI through its Catalog, we need to package vet as a Gitlab CI Component
https://docs.gitlab.com/ee/ci/components/

@insaaniManav
Contributor

@abhisek I would like to work on this

@abhisek
Member Author

abhisek commented Feb 22, 2025

@insaaniManav Awesome. Thanks :)

Let's pick this up first. Goal is to provide vet-action like user experience for Gitlab CI and list in Gitlab CI catalog. It may not be exact user experience but closer. Let's do a bit of analysis to identify how we can integrate vet natively in Gitlab CI using Gitlab CI Components:

https://docs.gitlab.com/ee/ci/components/

@KunalSin9h
Member

KunalSin9h commented Mar 18, 2025

Feature implementation approach:

Approach:

CI Component can be implemented with any language, favorably using bash script or golang, since there is no package (like github actions), this makes the implementation pretty simple. We just need to create a report and make it available as an artifact (gitlab will take care of displaying this report to the PR section, Pipeline section and Security Dashboards).

Blocking: #404

CycloneDX Support Docs: https://docs.gitlab.com/user/application_security/dependency_scanning/#cyclonedx-software-bill-of-materials

Reference:

Progress:

@abhisek
Member Author

abhisek commented Mar 20, 2025

@KunalSin9h When an MR is raised, how can we have vet run automatically, perform necessary scanning and then add a comment to the MR? Is this possible with Gitlab like we do for GitHub?

@KunalSin9h
Member

KunalSin9h commented Mar 20, 2025

@abhisek yes, it is possible and this is what is happening.

see this MR: https://gitlab.com/vetting/dummy/-/merge_requests/9

This is a dummy repo I am prototyping a solution on.

See, vet runs automatically as CI just like github (doing necessary scanning), but we don't do comments, it is done by gitlab automatically, we just have to give gitlab correct report artifacts of different types

@KunalSin9h
Member

Its UX is better than github in my view

@KunalSin9h
Member

KunalSin9h commented Mar 20, 2025

I see other users are not able to see the security details. only we (developers) see it

@abhisek
Member Author

abhisek commented Mar 20, 2025

@KunalSin9h I think it is fine that Gitlab restricts security info to developers only

@KunalSin9h
Member

@abhisek it's flexible
This was the artifacts config; we can make it all or none also

job:
  artifacts:
    access: 'developer'
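For reference, a minimal GitLab CI component template that ties the pieces discussed in this thread together: run vet on the repository, hand GitLab a CycloneDX report artifact so it renders the findings in the MR and Security Dashboard itself, and restrict artifact download to developers. This is an added illustration, not the component from the vetting/dummy prototype or the vet project's own template; the image name, its entrypoint override and the vet flags (`-D`, `--report-cdx`) are assumptions about the vet CLI and should be checked against the vet docs before use.

```yaml
# templates/vet-scan.yml (assumed path inside the component project)
spec:
  inputs:
    stage:
      default: test            # pipeline stage the scan job runs in
    scan_path:
      default: "."             # directory vet should scan for manifests
    report_file:
      default: "vet-sbom.cdx.json"
---
vet-scan:
  stage: $[[ inputs.stage ]]
  image:
    # Assumed container image for the vet CLI; the entrypoint is cleared
    # so GitLab can run the script through its own shell.
    name: ghcr.io/safedep/vet:latest
    entrypoint: [""]
  script:
    # Assumed vet flags: scan the directory and emit a CycloneDX SBOM
    # (the CycloneDX report type is what GitLab's dependency scanning ingests).
    - vet scan -D "$[[ inputs.scan_path ]]" --report-cdx "$[[ inputs.report_file ]]"
  artifacts:
    # 'developer' limits who can download the raw report; GitLab still
    # renders the findings in the MR widget and Security Dashboard.
    # Use 'all' or 'none' to widen or disable download access.
    access: developer
    when: always              # keep the report even if the job fails
    reports:
      cyclonedx: $[[ inputs.report_file ]]
    paths:
      - $[[ inputs.report_file ]]
```

A consuming project would then reference the component with `include: - component: $CI_SERVER_FQDN/<group>/<component-project>/vet-scan@<version>` and override any input it needs.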
