2c33e9cc64
Add threshold-based exit codes (--fail-on <severity>) and compact output mode (--compact) to scan-orchestrator and CLI. Pipeline templates for GitHub Actions, Azure DevOps, GitLab CI with SARIF upload. CI/CD guide with Schrems II/NSM compliance documentation. npm publish preparation (files whitelist, .npmignore). Policy ci section for distributable CI defaults. Version 6.1.0. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
37 lines
1.3 KiB
YAML
37 lines
1.3 KiB
YAML
# llm-security — GitLab CI template
|
|
# Deterministic security scanning for AI/LLM projects.
|
|
# No LLM calls. No data leaves your pipeline. Fully Schrems II compatible.
|
|
#
|
|
# Include in your .gitlab-ci.yml:
|
|
# include:
|
|
# - local: ci/gitlab-ci.yml
|
|
#
|
|
# See docs/ci-cd-guide.md for configuration options and detailed setup.
|
|
#
|
|
# Alternative (without npx): replace the script with:
|
|
# script: node bin/llm-security.mjs scan . --fail-on high --format sarif --output-file results.sarif
|
|
|
|
llm-security-scan:
|
|
image: node:18-alpine
|
|
stage: test
|
|
script:
|
|
- npx llm-security scan . --fail-on high --format sarif --output-file results.sarif
|
|
artifacts:
|
|
paths:
|
|
- results.sarif
|
|
reports:
|
|
sast: results.sarif
|
|
when: always
|
|
|
|
# Notes:
|
|
# - GitLab SAST report parsing of SARIF requires GitLab Ultimate
|
|
# - The artifact is always available regardless of license tier
|
|
# - For GitLab Free/Premium, results are in the downloadable artifact only
|
|
#
|
|
# Configuration:
|
|
# --fail-on <critical|high|medium|low> Exit 1 if findings at or above severity
|
|
# --compact One-liner per finding (reduced log noise)
|
|
# --format sarif OASIS SARIF 2.1.0 output
|
|
#
|
|
# Or configure via .llm-security/policy.json:
|
|
# { "ci": { "failOn": "high", "compact": true } }
|