Integrate CodeThreat application security scanning into your GitLab CI/CD pipelines. The scanner performs SAST, SCA, secrets detection, and Infrastructure-as-Code (IaC) analysis, and is available as a Docker image on GitHub Container Registry.
In your GitLab project, go to Settings > CI/CD > Variables and add:
| Variable | Description | Masked |
|---|---|---|
| CODETHREAT_API_KEY | Your CodeThreat API key | Yes |
| CODETHREAT_SERVER_URL | CodeThreat server URL (e.g., https://api.codethreat.com) | No |
Add the following job to your .gitlab-ci.yml:
```yaml
codethreat-scan:
  stage: test
  image:
    name: ghcr.io/codethreat/codethreat-appsec-gitlab-extension:latest
    entrypoint: [""]
  variables:
    CT_API_KEY: $CODETHREAT_API_KEY
    CT_SERVER_URL: $CODETHREAT_SERVER_URL
    CT_ORGANIZATION_SLUG: "your-org-slug"
  script:
    - node /opt/codethreat/index.js
  artifacts:
    paths:
      - codethreat-results.json
      - codethreat.env
    reports:
      dotenv: codethreat.env
    when: always
```

The repository URL and branch are automatically detected from GitLab's predefined CI/CD variables (CI_REPOSITORY_URL, CI_COMMIT_REF_NAME).
A minimal scan job that uses the default JSON output and no thresholds:

```yaml
codethreat-scan:
  stage: test
  image:
    name: ghcr.io/codethreat/codethreat-appsec-gitlab-extension:latest
    entrypoint: [""]
  variables:
    CT_API_KEY: $CODETHREAT_API_KEY
    CT_SERVER_URL: $CODETHREAT_SERVER_URL
    CT_ORGANIZATION_SLUG: "my-org"
  script:
    - node /opt/codethreat/index.js
```

Fail the pipeline if vulnerability counts exceed your thresholds:
```yaml
codethreat-scan:
  stage: test
  image:
    name: ghcr.io/codethreat/codethreat-appsec-gitlab-extension:latest
    entrypoint: [""]
  variables:
    CT_API_KEY: $CODETHREAT_API_KEY
    CT_SERVER_URL: $CODETHREAT_SERVER_URL
    CT_ORGANIZATION_SLUG: "my-org"
    CT_MAX_CRITICAL: "0"
    CT_MAX_HIGH: "5"
    CT_MAX_MEDIUM: "20"
  script:
    - node /opt/codethreat/index.js
```

Write the results as SARIF instead of the default JSON file and keep it as an artifact:

```yaml
codethreat-scan:
  stage: test
  image:
    name: ghcr.io/codethreat/codethreat-appsec-gitlab-extension:latest
    entrypoint: [""]
  variables:
    CT_API_KEY: $CODETHREAT_API_KEY
    CT_SERVER_URL: $CODETHREAT_SERVER_URL
    CT_ORGANIZATION_SLUG: "my-org"
    CT_OUTPUT_FORMAT: "sarif"
    CT_OUTPUT_FILE: "codethreat-results.sarif"
  script:
    - node /opt/codethreat/index.js
  artifacts:
    paths:
      - codethreat-results.sarif
```

Run the full scan but only enforce thresholds on SAST findings:
```yaml
codethreat-scan:
  stage: test
  image:
    name: ghcr.io/codethreat/codethreat-appsec-gitlab-extension:latest
    entrypoint: [""]
  variables:
    CT_API_KEY: $CODETHREAT_API_KEY
    CT_SERVER_URL: $CODETHREAT_SERVER_URL
    CT_ORGANIZATION_SLUG: "my-org"
    CT_MAX_CRITICAL: "0"
    CT_MAX_HIGH: "10"
    CT_ENABLE_SCA_FOR_FAIL_CONDITION: "false"
    CT_ENABLE_SECRETS_FOR_FAIL_CONDITION: "false"
    CT_ENABLE_INFRASTRUCTURE_FOR_FAIL_CONDITION: "false"
  script:
    - node /opt/codethreat/index.js
```

Point CT_SERVER_URL at a self-hosted CodeThreat instance:

```yaml
codethreat-scan:
  stage: test
  image:
    name: ghcr.io/codethreat/codethreat-appsec-gitlab-extension:latest
    entrypoint: [""]
  variables:
    CT_API_KEY: $CODETHREAT_API_KEY
    CT_SERVER_URL: "https://codethreat.internal.company.com"
    CT_ORGANIZATION_SLUG: "my-org"
  script:
    - node /opt/codethreat/index.js
```

The scan outputs a codethreat.env dotenv artifact that downstream jobs can consume:
```yaml
codethreat-scan:
  stage: test
  image:
    name: ghcr.io/codethreat/codethreat-appsec-gitlab-extension:latest
    entrypoint: [""]
  variables:
    CT_API_KEY: $CODETHREAT_API_KEY
    CT_SERVER_URL: $CODETHREAT_SERVER_URL
    CT_ORGANIZATION_SLUG: "my-org"
  script:
    - node /opt/codethreat/index.js
  artifacts:
    paths:
      - codethreat-results.json
      - codethreat.env
    reports:
      dotenv: codethreat.env

notify:
  stage: deploy
  needs:
    - codethreat-scan
  script:
    - echo "Scan ID: $CT_SCAN_ID"
    - echo "Violations: $CT_VIOLATION_COUNT"
    - echo "Critical: $CT_CRITICAL_COUNT"
    - echo "Score: $CT_SECURITY_SCORE"
    - echo "Results: $CT_SCAN_URL"
```

Set these as environment variables in your .gitlab-ci.yml job under variables:
| Variable | Default | Description |
|---|---|---|
| CT_API_KEY | (required) | CodeThreat API key |
| CT_SERVER_URL | (required) | CodeThreat server URL |
| CT_ORGANIZATION_SLUG | (required) | Organization slug |
| CT_REPOSITORY_URL | auto-detected | Override repository URL |
| CT_BRANCH | auto-detected | Override branch name |
| CT_WAIT_FOR_COMPLETION | true | Wait for scan to finish |
| CT_OUTPUT_FORMAT | json | Output format: json, sarif, csv, xml, junit |
| CT_OUTPUT_FILE | codethreat-results.json | Results file path |
| CT_MAX_CRITICAL | -1 | Critical threshold (-1 = disabled) |
| CT_MAX_HIGH | -1 | High threshold (-1 = disabled) |
| CT_MAX_MEDIUM | -1 | Medium threshold (-1 = disabled) |
| CT_MAX_LOW | -1 | Low threshold (-1 = disabled) |
| CT_MAX_VIOLATIONS | 0 | Total violations threshold (0 = disabled) |
| CT_ENABLE_SCA_FOR_FAIL_CONDITION | true | Include SCA in threshold checks |
| CT_ENABLE_SECRETS_FOR_FAIL_CONDITION | true | Include Secrets in threshold checks |
| CT_ENABLE_INFRASTRUCTURE_FOR_FAIL_CONDITION | true | Include IaC in threshold checks |
| CT_VERBOSE | false | Enable verbose logging |
Available to downstream jobs via the codethreat.env dotenv artifact:
| Variable | Description |
|---|---|
| CT_SCAN_ID | Scan identifier |
| CT_VIOLATION_COUNT | Total number of violations |
| CT_CRITICAL_COUNT | Critical severity count |
| CT_HIGH_COUNT | High severity count |
| CT_MEDIUM_COUNT | Medium severity count |
| CT_LOW_COUNT | Low severity count |
| CT_SECURITY_SCORE | Security score (0-100) |
| CT_SCAN_DURATION | Scan duration in seconds |
| CT_SCAN_URL | Link to results in CodeThreat dashboard |
| CT_STATUS | Scan status |
| CT_REPOSITORY | Repository name |
| CT_BRANCH | Scanned branch |
| CT_RESULTS_FILE | Path to results file |
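The downstream-job pattern above only echoes the output variables. As an added example (not part of the CodeThreat extension), the following POSIX shell gate reads the codethreat.env artifact without sourcing it and applies the documented threshold semantics from the tables (-1 disables a severity limit, 0 disables the total-violations limit), plus a minimum CT_SECURITY_SCORE floor that the extension itself does not offer; the function names and the sample artifact values are constructed.

```shell
# Added example, not part of the CodeThreat extension: a downstream-job gate
# that reads the codethreat.env dotenv artifact and applies the documented
# threshold semantics (-1 disables a per-severity limit, 0 disables the
# total-violations limit) plus a minimum CT_SECURITY_SCORE, which the
# extension itself does not enforce. The sample artifact is constructed.

# Print the value of key $2 from dotenv file $1 without sourcing it, so a
# malformed or tampered artifact cannot execute anything in this job.
ct_env_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# True when $1 is a non-negative integer.
ct_is_num() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# True when limit $2 is enabled (strictly above sentinel $3) and count $1
# exceeds it. Sentinel is -1 for severity limits and 0 for the total.
ct_over() {
  [ "$2" -gt "$3" ] && [ "$1" -gt "$2" ]
}

# ct_gate ENV_FILE MAX_CRITICAL MAX_HIGH MAX_VIOLATIONS MIN_SCORE
# Returns 0 when every gate passes, 1 otherwise. Missing or non-numeric
# values fail closed: a scan with no usable artifact must not pass.
ct_gate() {
  crit=$(ct_env_get "$1" CT_CRITICAL_COUNT)
  high=$(ct_env_get "$1" CT_HIGH_COUNT)
  total=$(ct_env_get "$1" CT_VIOLATION_COUNT)
  score=$(ct_env_get "$1" CT_SECURITY_SCORE)
  for v in "$crit" "$high" "$total" "$score"; do
    ct_is_num "$v" || { echo "gate: missing or malformed value in $1" >&2; return 1; }
  done
  rc=0
  ct_over "$crit" "$2" -1 && { echo "gate: critical $crit > $2" >&2; rc=1; }
  ct_over "$high" "$3" -1 && { echo "gate: high $high > $3" >&2; rc=1; }
  ct_over "$total" "$4" 0 && { echo "gate: violations $total > $4" >&2; rc=1; }
  [ "$score" -lt "$5" ] && { echo "gate: score $score < $5" >&2; rc=1; }
  return "$rc"
}

# Constructed sample standing in for the artifact produced by codethreat-scan.
sample=$(mktemp)
printf 'CT_SCAN_ID=scan-0001\nCT_VIOLATION_COUNT=7\n' > "$sample"
printf 'CT_CRITICAL_COUNT=0\nCT_HIGH_COUNT=3\nCT_SECURITY_SCORE=82\n' >> "$sample"
# Same limits as the threshold example above plus a score floor of 70.
if ct_gate "$sample" 0 5 0 70; then echo "scan passes gate"; else echo "scan blocked"; fi
```

In a real pipeline the `script:` of a job with `needs: [codethreat-scan]` would call `ct_gate codethreat.env 0 5 0 70` and let its non-zero exit status fail the job.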
- Repository must be imported in CodeThreat before running the scan
- A valid CodeThreat API key with scan permissions
- GitLab Runner with Docker executor
Build and test the extension locally:

```bash
# Install dependencies
npm install
# Compile TypeScript
npm run compile
# Bundle with webpack
npm run bundle
# Full build
npm run build
# Run tests
npm test
# Build Docker image locally
docker build -t codethreat-gitlab-scanner .
```

License: MIT