APVISO + GitLab Integration - apviso

Connect APVISO with GitLab
==========================

Version Control

Integrate APVISO pentests into GitLab CI/CD pipelines. Create issues from findings and display results in merge request security reports.

Why connect APVISO with GitLab?
-------------------------------

### Native Security Report Integration

APVISO outputs results in GitLab's DAST report format, so findings appear natively in the Security Dashboard and merge request security widgets.

### Pipeline-Integrated Pentesting

Add APVISO as a CI/CD stage that runs alongside your existing tests. Fail pipelines when critical vulnerabilities are discovered.

### Merge Request Gating

Block merge requests that introduce new vulnerabilities. GitLab's approval rules can require security team sign-off when APVISO findings are present.

### Issue Board Integration

Automatically create GitLab issues with severity labels and link them to the merge request that triggered the pentest.

Setup Guide
-----------

### 1. Create an APVISO API Token

Generate an API token in your APVISO dashboard under Settings > API Keys. This token will be used by the GitLab CI runner to authenticate with APVISO.

### 2. Add CI/CD Variables

Store the APVISO API token as a masked CI/CD variable in your GitLab project or group settings. Add the target URL as another variable or derive it from your review app configuration.

### 3. Add APVISO to Your .gitlab-ci.yml

Include the APVISO pentest job template in your pipeline configuration. The job runs the APVISO CLI, triggers a pentest, waits for completion, and outputs a GitLab-compatible DAST report artifact.

### 4. Configure Security Approval Rules

Optionally set up GitLab approval rules that require security team review when the APVISO pentest stage finds new vulnerabilities in a merge request.

Features
--------

- GitLab CI/CD pipeline integration with DAST report output
- Native Security Dashboard compatibility
- Merge request security widget showing new vs. existing vulnerabilities
- Auto-create GitLab issues from pentest findings
- Review app pentesting for dynamic merge request environments
- Group-level configuration for multi-project setups
- Scheduled pipeline pentests with comprehensive pentest profiles

How APVISO Integrates with GitLab
---------------------------------

APVISO's GitLab integration provides deep, native security testing within your GitLab CI/CD pipelines. Unlike generic webhook integrations, APVISO produces DAST-format report artifacts that plug directly into GitLab's Security Dashboard, merge request security widgets, and vulnerability management features.

Native GitLab Security Reports
------------------------------

The key differentiator of APVISO's GitLab integration is native report compatibility. When the APVISO pentest job runs in your pipeline, it outputs a `gl-dast-report.json` artifact in GitLab's expected DAST format. This means APVISO findings appear in:

- **Project Security Dashboard**: View all APVISO findings alongside results from SAST, dependency scanning, and other security tools
- **Merge Request Security Widget**: See which vulnerabilities are new in the current MR vs. already existing on the default branch
- **Group Security Dashboard**: Aggregate APVISO findings across all projects in your GitLab group for an organization-wide security view

This native integration eliminates the need to switch between APVISO and GitLab to manage vulnerabilities. Your existing GitLab security workflows — approval rules, vulnerability dismissals, issue creation — all work seamlessly with APVISO findings.

Pipeline Configuration
----------------------

Adding APVISO to your `.gitlab-ci.yml` is straightforward. The pentest job uses the APVISO CLI image, authenticates with your API key stored as a CI/CD variable, triggers a pentest against your target, polls for completion, and saves the results as a DAST report artifact. The job can be configured to fail the pipeline based on severity thresholds — for example, failing on any Critical finding while allowing Medium and Low findings to pass.

For organizations with many projects, you can define the APVISO pentest job in a shared CI/CD template at the group level. Individual projects inherit the template and only need to set their specific target URL variable.

Review App Pentesting
---------------------

GitLab's review app feature deploys each merge request to a unique URL for testing. APVISO can pentest these review app deployments, providing security testing against the exact code changes in a merge request. The pipeline passes the review app URL as a variable to the APVISO pentest job.

This pattern is powerful because it catches vulnerabilities before they reach the default branch. When a developer opens a merge request that introduces a new API endpoint with an injection flaw, APVISO detects it in the review app pentest and the merge request security widget flags it as a new vulnerability — before any reviewer even looks at the code.

Merge Request Security Gating
-----------------------------

By combining APVISO pentests with GitLab's approval rules, you can enforce security review when vulnerabilities are present. Configure an approval rule that requires a member of the security team to approve any merge request where the APVISO pentest found new Critical or High findings. This creates a hard security gate that ensures critical vulnerabilities receive human review before merging.

For less severe findings, you can take a softer approach: allow the merge request to proceed but automatically create a GitLab issue for the team to address. The issue is linked to the merge request for traceability and includes the full finding details from APVISO.

Issue Creation and Tracking
---------------------------

APVISO can create GitLab issues for each finding, populated with the vulnerability details, reproduction steps, severity label, and a link to the full finding in the APVISO dashboard. Issues are automatically assigned the appropriate severity and vulnerability-type labels (`~security-critical`, `~vulnerability::xss`, etc.) and can be routed to milestone boards or assigned to specific team members.

When a finding is resolved in a subsequent pentest, APVISO can close the corresponding GitLab issue or add a comment noting the resolution. This creates a complete audit trail from discovery through remediation.

Scheduled Comprehensive Pentests
--------------------------------

While merge request pentests use a quick profile to keep pipeline times reasonable, you can schedule comprehensive pentests using GitLab's pipeline schedules. Run a full APVISO pentest nightly or weekly against your production or staging environment, with the results appearing in the Security Dashboard. Any new findings are automatically filed as issues with a `scheduled-scan` label.

This dual approach — quick pentests in MR pipelines and comprehensive scheduled pentests — provides both developer-friendly fast feedback and thorough periodic security coverage.

Frequently Asked Questions
--------------------------

### Does APVISO work with GitLab's Security Dashboard?

Yes. APVISO produces artifacts in GitLab's DAST report format, so findings appear natively in your project and group Security Dashboards alongside results from other security tools.

### Can I pentest GitLab review apps?

Yes. Pass the review app URL as a dynamic variable to the APVISO pentest job. Confirm that the target is authorized before pentesting it.

### Is this compatible with GitLab SaaS and self-managed instances?

Yes. The integration works with GitLab.com SaaS, GitLab self-managed, and GitLab Dedicated. For self-managed instances, ensure your runners can reach the APVISO API.

### How does APVISO differentiate new findings from existing ones in MRs?

APVISO fingerprints each finding and compares it against the default branch baseline. The merge request security widget shows only net-new vulnerabilities introduced by the changes in that MR.
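Added example (not APVISO's or GitLab's own code) tying together the severity threshold described under Pipeline Configuration and the new-vs-existing comparison described in this FAQ answer: a gate script a CI job could run after the pentest stage, which fingerprints findings in a GitLab DAST-format report, diffs them against a default-branch baseline report, and exits non-zero only when a new finding meets the threshold. The fingerprint scheme and both sample reports are constructed for illustration; APVISO's actual fingerprinting and full report contents are not documented on this page.

```python
"""Gate a GitLab DAST-format report: fail only on new findings at or above a severity threshold."""
import hashlib
import json
import sys

SEVERITY_RANK = {"Info": 0, "Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def fingerprint(vuln):
    """Stable key from name + location, so a re-run's fresh report 'id' does not make an old
    finding look new. Assumed scheme for illustration; APVISO's real fingerprinting is not on this page."""
    loc = vuln.get("location", {})
    key = "|".join([vuln.get("name", ""), loc.get("method", ""), loc.get("path", ""), loc.get("param", "")])
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def new_findings(mr_report, baseline_report):
    """Findings in the MR report whose fingerprint is absent from the default-branch baseline."""
    seen = {fingerprint(v) for v in baseline_report.get("vulnerabilities", [])}
    return [v for v in mr_report.get("vulnerabilities", []) if fingerprint(v) not in seen]

def should_fail(findings, threshold="Critical"):
    """True if any finding is at or above the threshold severity (Medium/Low pass at 'Critical')."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(v.get("severity", "Unknown"), 0) >= limit for v in findings)

def gate(mr_report, baseline_report, threshold="Critical"):
    """Returns (new findings, exit code); a non-zero exit code fails the CI job."""
    fresh = new_findings(mr_report, baseline_report)
    return fresh, (1 if should_fail(fresh, threshold) else 0)

# Constructed sample reports in the GitLab DAST report shape, limited to the fields used here.
BASELINE = {"version": "15.0.0", "vulnerabilities": [
    {"id": "a1", "category": "dast", "name": "Missing CSP header", "severity": "Low",
     "location": {"method": "GET", "path": "/", "param": ""}}]}
MR_REPORT = {"version": "15.0.0", "vulnerabilities": [
    {"id": "b7", "category": "dast", "name": "Missing CSP header", "severity": "Low",
     "location": {"method": "GET", "path": "/", "param": ""}},  # same finding, new report id
    {"id": "c3", "category": "dast", "name": "SQL injection", "severity": "Critical",
     "location": {"method": "POST", "path": "/api/orders", "param": "sort"}}]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real job: python gate.py gl-dast-report.json baseline.json
        mr, base = (json.load(open(p)) for p in sys.argv[1:3])
    else:  # no arguments: run against the constructed samples above
        mr, base = MR_REPORT, BASELINE
    fresh, code = gate(mr, base)
    for v in fresh:
        print(f"NEW {v['severity']:<8} {v['name']} at {v['location']['path']}")
    sys.exit(code)
```

The baseline report would be the artifact from the most recent default-branch pipeline; the exit code is what lets the pipeline fail on Critical while letting Medium and Low findings through.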


Connect APVISO with GitLab today
--------------------------------

Set up the GitLab integration in minutes and start routing security findings to your team.

[Get Started](/register)

© 2026 APVISO. All rights reserved.
