Documentation
Start typing to search…

Socket for Gitlab Pipeline

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for your open source dependencies. It is easy to integrate Socket into your Gitlab Pipeline to provide an extra layer of security against Supply Chain Attacks.

Adding Socket to your pipeline

Create your Socket Environment variables

  1. Create a Socket API Key (Directions)

  2. Log into Gitlab

  3. Navigate to your project

  4. Go to Settings -> CI/CD

  5. Expand Variables

  6. Do Add Variable

    1. Tick the "Masked" radio button for "Visibility" option
    2. Check the "Expand variable reference" box for the "Flags" option
    3. For the "Key:" field, enter the name "SOCKET_SECURITY_API_KEY"
    4. For the "Value:" field, enter your <Socket API Token>

  7. Next, to add another variable called "GITLAB_TOKEN" for your Gitlab Token that has access to the Project

    1. First, let’s go generate the gitlab project access token value
    2. Go to Setting -> Access tokens
    3. Click on “Add new token” button
      1. Give a “Token name
      2. Optional, given a token description
      3. For the role select the scoping as required per permission needs:
        1. Personal Access Token
          • read/write API
        2. Group Access Tokens
          • Read Merge Requests Comments: Reporter
          • Write Merge Requests Comments: Developer
          • The Token needs to be granted access to the project or group
      4. Then click on “Create project access token” button
      5. You will need to make a copy of the generated project access token for the next step.
    4. Go back to the CI/CD -> Variables (Expand it) -> Click on “Add variable

      1. Tick the “Masked” radio button for “Visibility” option

      2. Check the "Expand variable reference" box for the "Flags" option

        Protect variable:

        • ✅ Enable if your jobs run only on protected branches/tags (recommended for secrets)
        • ❌ Disable (uncheck) if your jobs must run on unprotected branches and need this token (Important!) Environment scope: All (or narrow if needed)

        Why this matters

        • Protected = safer: Protected variables are only available in pipelines on protected branches/tags.
        • Unprotected usage: If a job needs the token on unprotected branches, you must uncheck Protect variable, or provide a separate, least-privilege token as an unprotected variable.

        Tip: Prefer keeping sensitive tokens protected. Use $CI_JOB_TOKEN or a restricted-scope token for unprotected branches; reserve powerful tokens for protected branches only.

      3. For the "Key:" field, enter the name "GITLAB_TOKEN"

      4. For the "Value:" field, paste the generated <project_access_token> here

  8. Sample screenshot

Example Gitlab Pipeline Setup

  1. Go to Build

  2. Go to Pipeline Editor

  3. Paste the following Pipeline Yaml, or integrate with your existing code

    # Socket Security GitLab CI Pipeline
# This pipeline runs Socket Security scans on every commit to any branch
# The CLI automatically detects most information from the git repository

stages:
  - security-scan

socket-security:
  stage: security-scan
  image: socketdev/cli:latest
  
  # Run on all branches and merge requests
  rules:
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  
  # Required for GitLab integration to work properly
  variables:
    SOCKET_SECURITY_API_KEY: $SOCKET_SECURITY_API_KEY
    GITLAB_TOKEN: $CI_JOB_TOKEN
    # This is an option to help speed up the processing
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    
  # This variable is optional, configuration for the runner
  cache:
    paths:
      - .cache/pip/
  
  script:
    # Run Socket CLI with minimal required parameters
    # The CLI automatically detects:
    # - Repository name from git
    # - Branch name from git 
    # - Commit SHA from git (or CI_COMMIT_SHA)
    # - Commit message from git
    # - Committer information from git
    # - Default branch status from GitLab CI environment variables
    # - Changed files from git commit
    # - Merge request number from CI_MERGE_REQUEST_IID
    - |
      socketcli \
        --target-path $CI_PROJECT_DIR \
        --scm gitlab \
        --pr-number ${CI_MERGE_REQUEST_IID:-0}

  4. Commit changes to your main branch or the current branch you are working on

Testing pipeline

  1. Create a new branch

  2. Modify or add a package.json

  3. Create a new Merge request

  4. Confirm that the Socket CI pipeline job ran

  5. Confirm that for an unhealthy report a comment is left on the Merge request

Updated 7 days ago

What’s Next

That's it! You're all done now any time there is an update to your manifest file the Socket CI will automatically run. You can update the criteria to add more things like requirements.txt or other lock files.