Documentation

Socket for Gitlab Pipeline

Suggest Edits

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for your open source dependencies. It is easy to integrate Socket into your Gitlab Pipeline to provide an extra layer of security against Supply Chain Attacks.

Adding Socket to your pipeline

Create your Socket Environment variables

  1. Create a Socket API Key (Directions)

  2. Log into Gitlab

  3. Navigate to your project

  4. Go to Settings -> CI/CD

  5. Expand Variables

  6. Do Add Variable

    1. Select Mask Variable
    2. Key: SOCKET_SECURITY_API_KEY
    3. Value: Socket API Token

  7. Create a new variable for your Gitlab Token that has access to the Project

    1. Personal Access Token
      1. read/write API
    2. Group Access Tokens
      1. Read Merge Requests Comments: Reporter
      2. Write Merge Requests Comments: Developer
      3. The Token needs to be granted access to the project or group

  8. Key: GITLAB_TOKEN

  9. Value: gitlab_token_with_access

Example Gitlab Pipeline Setup

  1. Go to Build

  2. Go to Pipeline Editor

  3. Paste the following Pipeline Yaml, or integrate with your existing code

    test:
  image: socketdev/cli:latest
  rules:
    - when: always
  script:
    - |
      socketcli \
        --repo "$CI_PROJECT_NAME" \
        --branch "$(if [ -z "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" ]; then echo "$CI_COMMIT_BRANCH"; else echo "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME"; fi)" \
        --target-path "$CI_PROJECT_DIR" \
        --committer "$(echo "$CI_COMMIT_AUTHOR" | awk -F '<' '{print $2}' | head -c -2)" \
        --commit-message "$CI_COMMIT_MESSAGE" \
        --commit-sha "$CI_COMMIT_SHA" \
        --pr-number "$(if [ -z "$CI_MERGE_REQUEST_IID" ]; then echo 0; else echo "$CI_MERGE_REQUEST_IID"; fi)" \
        --scm gitlab \
        $(if [ "$CI_DEFAULT_BRANCH" == "$CI_COMMIT_BRANCH" ] || [ "$CI_DEFAULT_BRANCH" == "$CI_COMMIT_REF_NAME" ]; then echo --default-branch; fi)

  4. Commit changes to your main branch or the current branch you are working on

Testing pipeline

  1. Create a new branch

  2. Modify or add a package.json

  3. Create a new Merge request

  4. Confirm that the Socket CI pipeline job ran

  5. Confirm that for an unhealthy report a comment is left on the Merge request

Updated 9 days ago

What’s Next

That's it! You're all done now any time there is an update to your manifest file the Socket CI will automatically run. You can update the criteria to add more things like requirements.txt or other lock files.