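---
# llm-security — GitLab CI template
# Deterministic security scanning for AI/LLM projects.
# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
#
# Include in your .gitlab-ci.yml:
#   include:
#     - local: ci/gitlab-ci.yml
#
# See docs/ci-cd-guide.md for configuration options and detailed setup.
#
# Alternative (without npx): replace the script with:
#   script: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file results.sarif
#
# Supply-chain note: `npx llm-security` resolves the latest published
# package at every run. To make the scanner itself reproducible, pin it
# (`npx llm-security@<released-version>`) or use the local
# bin/llm-security.mjs form above, and consider pinning the image to a
# digest (`node:18-alpine@sha256:<digest>`).

llm-security-scan:
  image: node:18-alpine
  stage: test
  script:
    # Exit code 1 when any finding is at or above "high" severity,
    # which marks the job as failed.
    - npx llm-security scan . --fail-on high --format sarif --output-file results.sarif
  artifacts:
    paths:
      - results.sarif
    reports:
      sast: results.sarif
    # Upload the report even when the job fails because of findings;
    # the default (on_success) would drop the SARIF exactly when it matters.
    when: always

# Notes:
# - GitLab SAST report parsing of SARIF requires GitLab Ultimate
#   (NOTE(review): confirm SARIF is accepted under reports:sast for your
#   GitLab version/tier; if not, the file is still downloadable as an artifact)
# - The artifact is always available regardless of license tier
# - For GitLab Free/Premium, results are in the downloadable artifact only
#
# Configuration:
#   --fail-on        Exit 1 if findings at or above severity
#   --compact        One-liner per finding (reduced log noise)
#   --format sarif   OASIS SARIF 2.1.0 output
#
# Or configure via .llm-security/policy.json:
#   { "ci": { "failOn": "high", "compact": true } }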