Skip to main content

Build Type: GitLab CI

This is a SLSA Provenance buildType that describes the execution of a GitLab CI/CD pipeline.

This build type was inspired by the GitHub Actions build type described here.


"buildType": ""

The GitLab build type describes the execution of a GitLab CI/CD pipeline that builds a software artifact.

Build Definition

External parameters

All external parameters are REQUIRED unless empty.

workflowobjectThe workflow that was run
workflow.namestringThe full name of the GitLab job
workflow.repositorystringURI of the git repository (if exists)
workflow.refstringA git reference to the commit (if exists)
workflow.filePathstringThe default GitLab CI workflow file
jobobjectThe currently running stage of the GitLab job
job.jobNamestringThe stage name currently running
job.jobIdstringThe current job id
buildobjectThe specific build that generated the provenance
build.buildRunstringThe build run ID
build.buildUrlstringThe full web URL for the build


"externalParameters": {
"workflow": {
"name": "Gitlab CI/CD pipeline",
"repository": "",
"ref": "main",
"filePath": ".gitlab-ci.yml"
"job": {
"jobName": "run-cimon",
"jobId": "6412263894"
"build": {
"buildRun": "1216772341",
"buildUrl": ""

Internal parameters

All internal parameters are OPTIONAL. This build type doesn't use internal parameters.

Resolved Dependencies

The resolvedDependencies SHOULD contain an entry identifying the resolved git commit ID corresponding to externalParameters.workflow. The dependency's URI MUST be in SPDX Download Location format, i.e., "git+" + workflow.uri + "@" + workflow.ref.

"resolvedDependencies": [
"uri": "git+",
"digest": {
"gitCommit": "5bd5af481363b91878f8f3e55262c6ecc3169f59"

Run Details


The MUST represent the entity that generated the provenance, as per the SLSA Provenance documentation. In the case of GitLab CI, this should represent the agent that have been running the build. Based on this information, the provenance consumer can decide whether the build environment is secure enough to trust the produced attestation.


"builder": {
"id": ""


The invocationId SHOULD be set to the GitLab URL for the specific run.


"metadata": {
"invocationID": ""