Gitlab Ci

Integrate BlockSecOps into your GitLab pipeline. - GitLab repository - BlockSecOps account with API access - API key created --- 1. Go to BlockSecOps Settings...

Last updated: January 14, 2026

GitLab CI

Integrate BlockSecOps into your GitLab pipeline.

Prerequisites

  • GitLab repository
  • BlockSecOps account with API access
  • API key created

Setup

1. Create API Key

  1. Go to BlockSecOps SettingsAPI Keys
  2. Click Create Key
  3. Name: "GitLab CI"
  4. Copy the key

2. Add Variable

  1. Go to GitLab project → Settings → CI/CD
  2. Expand Variables
  3. Add variable:
    • Key: BLOCKSECOPS_API_KEY
    • Value: Your API key
    • Masked: Yes
    • Protected: Optional

Basic Pipeline

Create .gitlab-ci.yml:

stages:
  - test
  - security

security-scan:
  stage: security
  image: curlimages/curl:latest

  variables:
    API_URL: "https://api.blocksecops.com/api/v1"

  before_script:
    - apk add --no-cache jq zip

  script:
    # Create archive
    - cd contracts && zip -r ../contracts.zip . && cd ..

    # Upload contract
    - |
      UPLOAD_RESPONSE=$(curl -s -X POST "$API_URL/contracts/upload" \
        -H "Authorization: Bearer $BLOCKSECOPS_API_KEY" \
        -F "[email protected]")
      CONTRACT_ID=$(echo $UPLOAD_RESPONSE | jq -r '.id')

    # Start scan
    - |
      SCAN_RESPONSE=$(curl -s -X POST "$API_URL/scans" \
        -H "Authorization: Bearer $BLOCKSECOPS_API_KEY" \
        -H "Content-Type: application/json" \
        -d "{\"contract_id\": \"$CONTRACT_ID\", \"preset\": \"standard\"}")
      SCAN_ID=$(echo $SCAN_RESPONSE | jq -r '.id')

    # Wait for completion
    - |
      while true; do
        STATUS=$(curl -s "$API_URL/scans/$SCAN_ID" \
          -H "Authorization: Bearer $BLOCKSECOPS_API_KEY" | jq -r '.status')

        if [ "$STATUS" = "completed" ]; then
          break
        elif [ "$STATUS" = "failed" ]; then
          echo "Scan failed"
          exit 1
        fi

        echo "Status: $STATUS"
        sleep 15
      done

    # Check results
    - |
      RESULTS=$(curl -s "$API_URL/scans/$SCAN_ID/results" \
        -H "Authorization: Bearer $BLOCKSECOPS_API_KEY")

      CRITICAL=$(echo $RESULTS | jq '.summary.critical')
      HIGH=$(echo $RESULTS | jq '.summary.high')

      echo "Critical: $CRITICAL, High: $HIGH"

      if [ "$CRITICAL" -gt 0 ]; then
        echo "Critical vulnerabilities found!"
        exit 1
      fi

  only:
    changes:
      - contracts/**

Merge Request Integration

Scan on merge requests:

security-scan-mr:
  stage: security
  extends: .security-scan-base

  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

  script:
    # ... scan script ...

    # Post comment to MR
    - |
      COMMENT="## Security Scan Results\n\nCritical: $CRITICAL\nHigh: $HIGH"

      curl -X POST "$CI_API_V4_URL/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes" \
        -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
        -d "body=$COMMENT"

Different Presets by Branch

.security-scan-base:
  stage: security
  image: curlimages/curl:latest

  variables:
    SCAN_PRESET: "standard"

  script:
    # Use $SCAN_PRESET in API call

security-scan-feature:
  extends: .security-scan-base
  variables:
    SCAN_PRESET: "quick"
  rules:
    - if: $CI_COMMIT_BRANCH =~ /^feature\//

security-scan-main:
  extends: .security-scan-base
  variables:
    SCAN_PRESET: "deep"
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

SAST Integration

Integrate with GitLab SAST:

include:
  - template: Security/SAST.gitlab-ci.yml

blocksecops-scan:
  stage: test
  script:
    # ... BlockSecOps scan ...

    # Export as SAST report (SARIF)
    - |
      curl -s "$API_URL/scans/$SCAN_ID/export?format=sarif" \
        -H "Authorization: Bearer $BLOCKSECOPS_API_KEY" \
        -o gl-sast-report.json

  artifacts:
    reports:
      sast: gl-sast-report.json

Scheduled Pipelines

Run deep scans on schedule:

nightly-deep-scan:
  stage: security
  extends: .security-scan-base

  variables:
    SCAN_PRESET: "deep"

  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"

Then create a schedule in GitLab:

  1. Go to CI/CD → Schedules
  2. Create new schedule
  3. Set cron pattern (e.g., 0 2 * * *)

Caching

Cache for faster builds:

security-scan:
  cache:
    key: blocksecops-$CI_COMMIT_REF_SLUG
    paths:
      - .blocksecops-cache/

Artifacts

Save scan results:

security-scan:
  # ... script ...

  after_script:
    - curl -s "$API_URL/scans/$SCAN_ID/export?format=json" \
        -H "Authorization: Bearer $BLOCKSECOPS_API_KEY" \
        -o scan-results.json

  artifacts:
    paths:
      - scan-results.json
    expire_in: 30 days

Environment Variables

Variable Description
BLOCKSECOPS_API_KEY API authentication key
BLOCKSECOPS_API_URL API base URL (optional)
SCAN_PRESET quick/standard/deep
FAIL_THRESHOLD critical/high/medium

Troubleshooting

Variable Not Found

  • Check variable is defined
  • Check variable name matches
  • Check variable isn't protected (if on unprotected branch)

Timeout Issues

  • Increase job timeout
  • Use quick preset
  • Consider async with webhooks

Masked Variable Errors

  • Ensure key doesn't contain special chars
  • Check masking is compatible with curl

Next Steps