GitLab CI

Integrate netbobr firewall rule analysis into GitLab CI/CD pipelines. GitLab supports SARIF-compatible SAST reports and granular exit code handling for nuanced severity gating.

Basic Pipeline

A minimal .gitlab-ci.yml job that fails on high or critical findings:

firewall-analysis:
  image: node:20
  stage: test
  script:
    - npx @netbobr/cli analyze firewall-rules.json --fail-on high
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

The job fails when the CLI returns a non-zero exit code (severity meets or exceeds the --fail-on threshold).

With SARIF Output

Upload findings to GitLab's Security Dashboard using the SAST report artifact:

firewall-analysis:
  image: node:20
  stage: test
  script:
    - npx @netbobr/cli analyze firewall-rules.json --output sarif > gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json
  allow_failure:
    exit_codes:
      - 1
      - 2
      - 3
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

GitLab imports SARIF-compatible reports via the artifacts:reports:sast mechanism. Using allow_failure with specific exit codes lets findings appear in the Merge Request security widget while the pipeline continues.

With PDF Report Artifact

Generate a PDF compliance report and make it downloadable from the pipeline:

firewall-report:
  image: node:20
  stage: test
  script:
    - npx @netbobr/cli analyze rules.json --output pdf --output-file report.pdf
  artifacts:
    paths:
      - report.pdf
    expire_in: 30 days

Severity Gating with allow_failure

Use exit codes for granular control over which findings block the pipeline:

# Pass on medium, fail on high or critical
firewall-analysis:
  image: node:20
  stage: test
  script:
    - npx @netbobr/cli analyze firewall-rules.json
  allow_failure:
    exit_codes:
      - 1

This allows medium findings (exit code 1) to pass while high (exit code 2) and critical (exit code 3) still fail the pipeline.

For stricter gating, remove the allow_failure block entirely -- any non-zero exit code will fail the job.

With Configuration

Load custom rules, zones, and risk score weights from a browser-exported session:

firewall-analysis:
  image: node:20
  stage: test
  script:
    - npx @netbobr/cli analyze rules.json --config netbobr-config.json --fail-on medium

Exit Code Reference

| Exit Code | Severity   | Meaning                                  |
|-----------|------------|------------------------------------------|
| 0         | Low / None | All flows are low risk or clean          |
| 1         | Medium     | At least one medium-severity finding     |
| 2         | High       | At least one high-severity finding       |
| 3         | Critical   | At least one critical-severity finding   |

Use --fail-on <severity> to set the threshold. Severities below the threshold are treated as passing (exit code 0).