Skip to main content

GitLab CI

Cimon integrates seamlessly with GitLab CI/CD, providing robust support for automating your pipeline workflows.

GitLab CI/CD Runners Support

GitLab CI/CD offers flexible runner options, and Cimon is designed to adapt to various environments. Here’s how Cimon supports GitLab CI/CD runners:

  • Runner Compatibility: Cimon works with GitLab CI/CD runners running on Ubuntu or any other supported Linux distribution.
  • Host Whitelisting: GitLab-related hosts are automatically whitelisted, ensuring smooth and secure communication.
  • Ignored IPs: Internal IP addresses are automatically ignored to streamline network communication.
  • Custom Reporting: Detailed reports are generated and tailored to fit GitLab CI/CD job artifacts.

Cimon supports both GitLab hosted runners and self-hosted runners. The following section explains how to install Cimon within a pipeline that requires privileged access. For installation outside the pipeline, with non-privileged runners, please refer to the Kubernetes deployment guide.

Cimon Installation

Cimon can be easily installed within GitLab CI/CD pipelines using a predefined setup script, based on Cimon CLI installation. This script facilitates the download and installation of Cimon within seconds.

Below is a script that is adapted for Docker executors that do not require sudo. If you are running shell executor, you must add sudo -E to the Cimon running command.

Usage

To install Cimon within your GitLab CI/CD pipeline, include the predefined setup script in your .gitlab-ci.yml file:

variables:
  CIMON_CLIENT_ID: $CIMON_CLIENT_ID
  CIMON_SECRET: $CIMON_SECRET

install_and_start_cimon:
  before_script: |
    # 'curl' and 'jq' are prerequisite for the installation script.
    # change the following line according to the package manager.
    apt update && apt install curl jq -y
    # Download Cimon
    curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh -s -- -b /usr/local/bin
    # Start Cimon
    cimon agent start-background

  script: |
    # Run commands
    curl -sm 1 https://cycode.com > /dev/null || true
    ...
    # Stop Cimon
    cimon agent stop

Refer to CLI for additional information regarding the supported environment variables.

GitLab Hosted Support

Cimon also supports GitLab’s hosted environments, as detailed in the GitLab documentation. In summary, the GitLab hosted environment provisions a new VM for each job and uses a privileged Docker executor to run the steps. This privileged mode is crucial for Cimon, as it allows the necessary loading of eBPF modules.

Key points to note when using GitLab hosted environments:

  • Isolated Jobs: Each job runs on a separate VM. This means Cimon is installed for each job and can enforce different policies per job if required. The variables that define Cimon configuration can be defined globally to apply for all jobs, or seperately in each job.
  • Stopping Cimon: It is necessary to stop Cimon within the script tag, and not in the after_script tag. Cimon must be stopped when pipeline ends in order to send its report locally (to artifact and job logs), and remotely (to backend). As soon as the script tag ends, the Docker executor stops all processes, and shuts down the container, terminating Cimon without allowing it to send its report.
  • Flexible Start Options: Depending on your workflow requirements, Cimon can be started either in the before_script or directly within the script section.

Job Summary Report

Cimon can upload the final report as a job artifact. Simply specify the CIMON_REPORT_ARTIFACT environment variable, and Cimon will utilize the CI_JOB_TOKEN to upload the report as a job artifact. For example:

variables:
  CIMON_REPORT_ARTIFACT: 1

Printing the Report to Job Logs

In addition to uploading the report as an artifact, Cimon also prints the report directly to the job logs. This allows you to quickly review the results and gain insights into what occurred during the job execution.