Add MergeGuide to GitLab CI with the official template. It runs your policy checks on merge request pipelines and produces a GitLab SAST report so findings appear on the merge request.

Include the template

Add the MergeGuide template to your .gitlab-ci.yml and use the job it defines:
.gitlab-ci.yml
stages:
  - security

include:
  - project: 'mergeguide/gitlab-ci'
    ref: main
    file: '/templates/policy-check.yml'

policy-check:
  extends: .mergeguide-policy-check
  stage: security

Template inputs

The template accepts these inputs:
| Input | Description | Default |
| --- | --- | --- |
| paths | Files or directories to check. | . |
| format | Output format: text, json, gitlab-sast. | text |
| policy | Path to custom policy file(s). | |
| no_defaults | Skip the default built-in policies. | false |
| fail_on_warnings | Treat warnings as errors. | false |
| stage | Pipeline stage to run in. | test |
| allow_failure | Let the job fail without blocking the pipeline. | false |
| merge_request_only | Only run on merge request pipelines. | true |
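
A stricter gate that sets several of these inputs, as an added example that is not taken from the MergeGuide documentation. It assumes the template declares its inputs through GitLab's spec:inputs mechanism, so they are passed under include:inputs; src/ and policies/team.yml are placeholder paths.

```yaml
# Added example, not from the MergeGuide docs.
# Assumption: the template declares its inputs with GitLab `spec:inputs`,
# so values are supplied under `include: ... inputs:`.
stages:
  - security

include:
  - project: 'mergeguide/gitlab-ci'
    # `ref` follows the page. GitLab also accepts a tag or commit SHA here,
    # which keeps the included template at a version you have reviewed.
    ref: main
    file: '/templates/policy-check.yml'
    inputs:
      paths: 'src/'                # placeholder: limit the check to this directory
      policy: 'policies/team.yml'  # placeholder: path to a custom policy file
      no_defaults: false           # keep the built-in policies alongside the custom one
      fail_on_warnings: true       # warnings fail the job instead of passing
      stage: security              # run in the stage declared above (default: test)
      allow_failure: false         # a failed check fails the pipeline
      merge_request_only: true     # run on merge request pipelines only

policy-check:
  extends: .mergeguide-policy-check
```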

SAST report on merge requests

The job writes a SAST report (mergeguide-results.json) and attaches it as a GitLab sast artifact, so findings surface in the merge request’s security widget. The report artifact is retained for one week by default.

Block merges on findings

To prevent a merge while blocking findings remain, leave allow_failure at its default (false) and configure merge requests to require a passing pipeline in your project’s Settings → Merge requests. See Set up the PR gate.

Next steps

PR gate

Block merges on blocking findings.

CI/CD patterns

Wire MergeGuide into any pipeline.