
GitLab

Add the AQtive Guard (AQG) GitLab integration to your GitLab CI/CD pipelines to automate security analysis and receive real-time feedback directly in your merge requests.

Before you begin

To set up the integration, you’ll need to gather credentials from both AQG and GitLab.

Collect AQtive Guard credentials

Navigate to Data sources in the AQG main menu, then select the GitLab tile under the Integrations tab. Locate the following values:

  • aqg_instance - the base URL of your AQtive Guard instance.
  • aqg_token - the API token used for authentication with AQtive Guard.

Generate a GitLab Access Token

If you plan to enable merge request (MR) comments, you’ll need a token that allows AQG to write back to your project:

  • gitlab_api_token - A GitLab Project/Group Access Token or Personal Access Token with API permissions to post comments on an MR.
  • post_mr_comments - During setup, you’ll set this to true to enable inline MR feedback.

You can use either a project or group token, or a personal token. The sections below outline how to create these tokens.

Create a project or group access token

This token is recommended for production environments to ensure the integration remains active regardless of individual team member changes.

To create a project or group token:

  1. Navigate to either your Project or Group in GitLab.
  2. On the left sidebar, select Settings, then Access Tokens.
  3. Select Add new token.
  4. Enter a Name for the token.

    Tip

    We recommend using a descriptive name (for example, AQG Static Code Scanner) so you can easily identify comments created by AQtive Guard.

  5. Enter an optional Description.

  6. Select the Expiration date.
  7. Select a Role. You’ll need to choose Developer or higher to allow the component to post comments.
  8. Under Select scopes, check the api box.
  9. Select Create project access token.
  10. Copy the token immediately. For security reasons, you can’t access this token again once the page is closed.

Create a personal access token

This token is recommended if you’re working within a personal namespace or require the integration to act on your specific behalf.

To create a personal token:

  1. Select your Avatar in the top-left corner of GitLab and select Edit profile.
  2. In the left sidebar under Access, select Personal Access Tokens.
  3. Select Add new token.
  4. Enter a Name for the token.

    Tip

    We recommend using a descriptive name (for example, AQG Static Code Scanner) so you can easily identify comments created by AQtive Guard.

  5. Enter an optional Description.

  6. Select the Expiration date.
  7. Under Select scopes, check the api box.
  8. Select Create personal access token.
  9. Copy the token immediately. For security reasons, you can’t access this token again once the page is closed.

GitLab integration deployment

Follow these steps to deploy the GitLab integration.

  1. Visit this page to install the AQG Static Code Scanner GitLab CI component.
  2. Use the previously obtained values to configure the GitLab CI/CD pipeline in your workflow.
  3. View your findings in the AQtive Guard Inventory and Issues tables.

Tip

We strongly recommend using GitLab CI/CD variables (masked and protected) for aqg_token. If you plan to use this GitLab CI/CD component across multiple projects, define these variables at the Group level. Refer to the GitLab CI/CD variables documentation for details.
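A minimal `.gitlab-ci.yml` that wires the values gathered above into the component, added here as an illustration rather than taken from the AQG component's own documentation. The component path and version tag, the mapping of the four values onto `inputs:`, and the CI/CD variable names `AQG_TOKEN` and `AQG_GITLAB_API_TOKEN` are assumptions to check against the component page; the `workflow` rules are standard GitLab syntax that makes the job run on merge request pipelines, which is where MR comments are posted.

```yaml
# .gitlab-ci.yml (added example, not from the AQG component docs)

workflow:
  rules:
    # Run on merge request pipelines so MR comments have an MR to attach to,
    # and on the default branch so the inventory stays current after merges.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

include:
  # PLACEHOLDER: take the real component path and a pinned release tag from
  # the AQG Static Code Scanner component page; do not track "main".
  - component: $CI_SERVER_FQDN/<COMPONENT_PROJECT_PATH>/<COMPONENT_NAME>@<VERSION>
    inputs:
      # Base URL of your AQtive Guard instance (constructed sample value).
      aqg_instance: "https://aqg.example.com"
      # Never paste the token literal here; it would land in git history and
      # job logs. Define AQG_TOKEN as a masked + protected CI/CD variable
      # (Group level if the component is shared across projects).
      aqg_token: $AQG_TOKEN
      # Project/Group or Personal Access Token with the "api" scope, likewise
      # stored as a masked + protected CI/CD variable, not inline.
      gitlab_api_token: $AQG_GITLAB_API_TOKEN
      # Enable inline merge request feedback.
      post_mr_comments: true
```

Because both tokens are referenced as `$VARIABLES`, nothing secret is committed; rotating a token only means updating the variable in Settings > CI/CD > Variables.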

Data handling and privacy

AQG is committed to transparent data handling. When using the AQG GitLab CI component, we retain a small code snippet surrounding each identified vulnerability to help you locate and resolve the issue faster. For full details on data retention and privacy measures, refer to How we manage your data.