
GitLab CI

Integrate Musha into GitLab CI/CD pipelines to scan every push and merge request.

Full pipeline definition

Add to .gitlab-ci.yml:

musha-scan:
  stage: test
  image: alpine:latest
  before_script:
    - apk add --no-cache curl tar jq
  script:
    - |
      tar -czf scan.tar.gz \
        --exclude='.git' \
        --exclude='node_modules' \
        --exclude='vendor' \
        --exclude='.terraform' \
        --exclude='target' \
        .
    - |
      curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
        -H "Authorization: Bearer $MUSHA_API_KEY" \
        -F "files=@scan.tar.gz" \
        -F "project_id=$MUSHA_PROJECT_ID" \
        -F "branch=$CI_COMMIT_REF_NAME" \
        -F "pr_id=$CI_MERGE_REQUEST_IID" \
        -F "commit_hash=$CI_COMMIT_SHA" \
        -F "scan_type=full"

Variables

Configure in GitLab → Project → Settings → CI/CD → Variables:

Variable           Protected      Description
MUSHA_API_URL      No             https://api.mushasec.com
MUSHA_PROJECT_ID   No             Your project UUID from the Musha dashboard
MUSHA_API_KEY      Yes (masked)   API key created in Settings → API Keys

Mark MUSHA_API_KEY as Masked and Protected to prevent it from appearing in job logs and to restrict it to protected branches.

Merge request comments

When CI_MERGE_REQUEST_IID is set (GitLab CI automatically sets it for merge request pipelines), Musha posts a comment to the MR.

To ensure the pipeline runs on merge requests, configure the job with the right rules:

musha-scan:
  stage: test
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
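The upload step above, wrapped in a small POSIX sh script (an added example, not part of the Musha documentation or tooling) that fails the job early when a required variable is missing and sends pr_id only on merge request pipelines, where CI_MERGE_REQUEST_IID is actually set; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: same tarball + POST to $MUSHA_API_URL/v1/scans as the
# job above, with two additions: required variables are checked before
# anything is uploaded, and pr_id is omitted on branch pipelines instead
# of being sent as an empty value.
set -eu

# Print the curl form fields for the /v1/scans request, one per line.
# Returns 1 with a message on stderr if a required variable is unset.
# The API key is only ever passed via -H by the caller, so it never
# appears in this output or in the job log.
musha_form_fields() {
  for v in MUSHA_API_URL MUSHA_PROJECT_ID MUSHA_API_KEY CI_COMMIT_SHA; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "musha-scan: required variable $v is not set" >&2
      return 1
    fi
  done
  printf '%s\n' "-F" "files=@scan.tar.gz"
  printf '%s\n' "-F" "project_id=$MUSHA_PROJECT_ID"
  printf '%s\n' "-F" "branch=${CI_COMMIT_REF_NAME:-}"
  printf '%s\n' "-F" "commit_hash=$CI_COMMIT_SHA"
  printf '%s\n' "-F" "scan_type=full"
  # Only merge request pipelines carry an IID; skip the field otherwise.
  if [ -n "${CI_MERGE_REQUEST_IID:-}" ]; then
    printf '%s\n' "-F" "pr_id=$CI_MERGE_REQUEST_IID"
  fi
}

# Build the archive (same excludes as the full pipeline definition) and
# upload it. Field values contain no whitespace, so the unquoted $fields
# expansion splits cleanly into curl arguments.
musha_scan() {
  tar -czf scan.tar.gz --exclude='.git' --exclude='node_modules' \
    --exclude='vendor' --exclude='.terraform' --exclude='target' .
  fields=$(musha_form_fields) || return 1
  # shellcheck disable=SC2086
  curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
    -H "Authorization: Bearer $MUSHA_API_KEY" $fields
}
```

Commit the file as musha-scan.sh and call it from the job with `- . ./musha-scan.sh && musha_scan`.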

Separate jobs per scan type

For better visibility in the GitLab pipeline view:

stages:
  - security

musha-sca:
  stage: security
  image: alpine:latest
  before_script:
    - apk add --no-cache curl tar
  script:
    - tar -czf scan.tar.gz --exclude='.git' --exclude='node_modules' .
    - |
      curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
        -H "Authorization: Bearer $MUSHA_API_KEY" \
        -F "files=@scan.tar.gz" \
        -F "project_id=$MUSHA_PROJECT_ID" \
        -F "branch=$CI_COMMIT_REF_NAME" \
        -F "pr_id=$CI_MERGE_REQUEST_IID" \
        -F "commit_hash=$CI_COMMIT_SHA" \
        -F "scan_type=full"
Note: Running scan_type=full in a single job is recommended over splitting into multiple jobs. Musha processes all three scanners in parallel internally — there's no speed benefit to splitting, and a single job uses fewer API calls.