GitLab CI

GitLab CI Integration

Add MCPSafe security scanning to your GitLab CI/CD pipelines.

Setup

1. Add your API key as a CI/CD variable

Go to Settings → CI/CD → Variables → Add variable

Key: MCPSAFE_API_KEY

Value: Your API key

Check "Mask variable" and "Protect variable"

2. Add the job to .gitlab-ci.yml

Create or update your .gitlab-ci.yml file

Basic Configuration

Simple Security Scan

Run on merge request pipelines and on the project's default branch

.gitlab-ci.yml
stages:
  - test
  - security

security-scan:
  stage: security
  image: node:20
  script:
    - npm install -g @mcpsafe/cli
    - mcpsafe scan ./ --wait --fail-on high
  variables:
    MCPSAFE_API_KEY: $MCPSAFE_API_KEY
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

GitLab SAST Integration

Security Dashboard Integration

Display results in GitLab's Security Dashboard

.gitlab-ci.yml
stages:
  - test
  - security

include:
  - template: Security/SAST.gitlab-ci.yml

mcpsafe-scan:
  stage: security
  image: node:20
  script:
    - npm install -g @mcpsafe/cli
    - mcpsafe scan ./ --wait --format json --output gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json
    when: always
  variables:
    MCPSAFE_API_KEY: $MCPSAFE_API_KEY

GitLab Ultimate Feature

SAST reports in the Security Dashboard require GitLab Ultimate. The scan will still work on other tiers.

Merge Request Reports

Generate Security Report

Create an artifact with scan results for merge requests

.gitlab-ci.yml
security-scan:
  stage: security
  image: node:20
  script:
    - npm install -g @mcpsafe/cli
    # jq is not part of the node:20 image; install it for parsing the JSON output
    - apt-get update -qq && apt-get install -y -qq --no-install-recommends jq
    - |
      mcpsafe scan ./ --wait --format json --output scan-results.json
      GRADE=$(jq -r '.data.results.grade' scan-results.json)
      SCORE=$(jq -r '.data.results.securityScore' scan-results.json)
      echo "## Security Scan Results" >> security-report.md
      echo "" >> security-report.md
      echo "**Grade:** $GRADE ($SCORE/100)" >> security-report.md
  artifacts:
    paths:
      - security-report.md
      - scan-results.json
    when: always
  variables:
    MCPSAFE_API_KEY: $MCPSAFE_API_KEY
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Optimizing with Cache

Cache CLI Installation

Speed up pipeline runs by caching the CLI

.gitlab-ci.yml
security-scan:
  stage: security
  image: node:20
  variables:
    MCPSAFE_API_KEY: $MCPSAFE_API_KEY
    # A global install (npm install -g) does not write to node_modules/, so caching
    # that path has no effect. Point npm's download cache inside the project
    # directory instead, where the runner can save and restore it between runs.
    npm_config_cache: "$CI_PROJECT_DIR/.npm"
  cache:
    key: mcpsafe-cli
    paths:
      - .npm/
  before_script:
    # --prefer-offline reuses the cached tarballs when they are present
    - npm install -g --prefer-offline @mcpsafe/cli
  script:
    - mcpsafe scan ./ --wait --fail-on high

Tips

Use Protected Variables

Protect your API key on protected branches only

Parallel Jobs

Run security scan in parallel with tests

Allow Failure Initially

Use allow_failure: true while fixing issues

Keep Artifacts

Save scan results for debugging
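The four tips above combined into one pipeline, as an added example that is not part of the MCPSafe documentation. The `test` job is a placeholder assumed for illustration (replace it with the project's own), and passing `--fail-on high` together with `--format json --output` in a single `mcpsafe scan` invocation is an assumption; the page shows those flags in separate jobs. Everything else (`needs: []`, `allow_failure`, `artifacts`, `rules`, the npm cache variable) is standard GitLab CI and npm configuration.

```yaml
stages:
  - test
  - security

# Placeholder for the project's own test job (assumed; replace with yours).
test:
  stage: test
  image: node:20
  script:
    - npm ci
    - npm test

security-scan:
  stage: security
  image: node:20
  # Parallel Jobs: an empty needs list removes the stage dependency, so this
  # job starts at the same time as the test stage instead of waiting for it.
  needs: []
  # Allow Failure Initially: the pipeline stays green while existing findings
  # are triaged; the job is still marked with a warning. Remove this line
  # once the baseline is clean so high findings block the merge again.
  allow_failure: true
  variables:
    # Use Protected Variables: set MCPSAFE_API_KEY under Settings > CI/CD >
    # Variables with "Mask variable" and "Protect variable" checked. A
    # protected variable is only exposed to pipelines on protected branches
    # and tags, so merge request pipelines from unprotected feature branches
    # will not receive it; if those pipelines must scan too, leave "Protect"
    # unchecked and rely on masking plus the rules below.
    MCPSAFE_API_KEY: $MCPSAFE_API_KEY
    # npm's download cache lives inside the project dir so the runner can cache it
    npm_config_cache: "$CI_PROJECT_DIR/.npm"
  cache:
    key: mcpsafe-cli
    paths:
      - .npm/
  before_script:
    - npm install -g --prefer-offline @mcpsafe/cli
  script:
    # Assumption: gating and JSON output can be combined in one invocation.
    - mcpsafe scan ./ --wait --fail-on high --format json --output scan-results.json
  # Keep Artifacts: save the raw results even when the scan fails the job,
  # and expire them so old reports do not accumulate on the runner.
  artifacts:
    paths:
      - scan-results.json
    when: always
    expire_in: 1 week
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

With `allow_failure: true` the job result is visible as a warning on the pipeline rather than a red failure, which is why `when: always` on the artifacts matters: the JSON is what you open to see why the scan reported a high finding.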