
Connect APVISO with GitLab

Version Control

Integrate APVISO pentests into GitLab CI/CD pipelines. Create issues from findings and display results in merge request security reports.

Why connect APVISO with GitLab?

Native Security Report Integration

APVISO outputs results in GitLab's DAST report format, so findings appear natively in the Security Dashboard and merge request security widgets.

Pipeline-Integrated Pentesting

Add APVISO as a CI/CD stage that runs alongside your existing tests. Fail pipelines when critical vulnerabilities are discovered.

Merge Request Gating

Block merge requests that introduce new vulnerabilities. GitLab's approval rules can require security team sign-off when APVISO findings are present.

Issue Board Integration

Automatically create GitLab issues with severity labels and link them to the merge request that triggered the pentest.

Setup Guide

1. Create an APVISO API Token

Generate an API token in your APVISO dashboard under Settings > API Keys. This token will be used by the GitLab CI runner to authenticate with APVISO.

2. Add CI/CD Variables

Store the APVISO API token as a masked CI/CD variable in your GitLab project or group settings. Add the target URL as another variable or derive it from your review app configuration.

3. Add APVISO to Your .gitlab-ci.yml

Include the APVISO pentest job template in your pipeline configuration. The job runs the APVISO CLI, triggers a pentest, waits for completion, and outputs a GitLab-compatible DAST report artifact.

4. Configure Security Approval Rules

Optionally set up GitLab approval rules that require security team review when the APVISO pentest stage finds new vulnerabilities in a merge request.

Features

  • GitLab CI/CD pipeline integration with DAST report output
  • Native Security Dashboard compatibility
  • Merge request security widget showing new vs. existing vulnerabilities
  • Auto-create GitLab issues from pentest findings
  • Review app pentesting for dynamic merge request environments
  • Group-level configuration for multi-project setups
  • Scheduled pipeline pentests with comprehensive pentest profiles

How APVISO Integrates with GitLab

APVISO's GitLab integration provides deep, native security testing within your GitLab CI/CD pipelines. Unlike generic webhook integrations, APVISO produces DAST-format report artifacts that plug directly into GitLab's Security Dashboard, merge request security widgets, and vulnerability management features.

Native GitLab Security Reports

The key differentiator of APVISO's GitLab integration is native report compatibility. When the APVISO pentest job runs in your pipeline, it outputs a gl-dast-report.json artifact in GitLab's expected DAST format. This means APVISO findings appear in:

  • Project Security Dashboard: View all APVISO findings alongside results from SAST, dependency scanning, and other security tools
  • Merge Request Security Widget: See which vulnerabilities are new in the current MR vs. already existing on the default branch
  • Group Security Dashboard: Aggregate APVISO findings across all projects in your GitLab group for an organization-wide security view

This native integration eliminates the need to switch between APVISO and GitLab to manage vulnerabilities. Your existing GitLab security workflows — approval rules, vulnerability dismissals, issue creation — all work seamlessly with APVISO findings.

Pipeline Configuration

Adding APVISO to your .gitlab-ci.yml is straightforward. The pentest job uses the APVISO CLI image, authenticates with your API key stored as a CI/CD variable, triggers a pentest against your target, polls for completion, and saves the results as a DAST report artifact. The job can be configured to fail the pipeline based on severity thresholds — for example, failing on any Critical finding while allowing Medium and Low findings to pass.

For organizations with many projects, you can define the APVISO pentest job in a shared CI/CD template at the group level. Individual projects inherit the template and only need to set their specific target URL variable.

Review App Pentesting

GitLab's review app feature deploys each merge request to a unique URL for testing. APVISO can pentest these review app deployments, providing security testing against the exact code changes in a merge request. The pipeline passes the review app URL as a variable to the APVISO pentest job.

This pattern is powerful because it catches vulnerabilities before they reach the default branch. When a developer opens a merge request that introduces a new API endpoint with an injection flaw, APVISO detects it in the review app pentest and the merge request security widget flags it as a new vulnerability — before any reviewer even looks at the code.

Merge Request Security Gating

By combining APVISO pentests with GitLab's approval rules, you can enforce security review when vulnerabilities are present. Configure an approval rule that requires a member of the security team to approve any merge request where the APVISO pentest found new Critical or High findings. This creates a hard security gate that ensures critical vulnerabilities receive human review before merging.

For less severe findings, you can take a softer approach: allow the merge request to proceed but automatically create a GitLab issue for the team to address. The issue is linked to the merge request for traceability and includes the full finding details from APVISO.
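The gate described above combines two things the page explains: the severity threshold that decides whether the pipeline fails, and the fingerprint comparison against the default-branch baseline that separates net-new findings from existing ones. The script below is an added illustration of that logic, not APVISO's or GitLab's own code; the report samples are constructed and show only the `vulnerabilities` / `severity` / `location` subset of the GitLab DAST report shape, and the fingerprint function (host dropped so review-app and staging hostnames match) is an assumption about how one might key findings.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample of a merge-request gl-dast-report.json (minimal subset of the
# real schema, which also carries scan metadata, identifiers and evidence).
MR_REPORT = json.loads("""
{"version": "15.0.0", "vulnerabilities": [
  {"name": "SQL injection", "severity": "Critical",
   "location": {"url": "https://review-42.example.test/api/orders", "method": "POST", "param": "id"}},
  {"name": "Missing CSP header", "severity": "Low",
   "location": {"url": "https://review-42.example.test/", "method": "GET", "param": ""}}
]}""")

# Constructed baseline from the default-branch pipeline: the CSP finding already exists there.
BASELINE_REPORT = {"version": "15.0.0", "vulnerabilities": [
    {"name": "Missing CSP header", "severity": "Low",
     "location": {"url": "https://staging.example.test/", "method": "GET", "param": ""}}]}

# GitLab severity levels, ranked so a threshold can be applied with ">=".
SEVERITY_RANK = {"Info": 0, "Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def fingerprint(vuln: dict) -> str:
    """Stable identity for a finding: vulnerability name plus request shape (method,
    path, parameter). The host is dropped deliberately (assumption) so the same flaw
    matches across the review-app and default-branch hostnames."""
    loc = vuln.get("location", {})
    path = urlsplit(loc.get("url", "")).path
    key = "|".join([vuln["name"], loc.get("method", ""), path, loc.get("param", "")])
    return hashlib.sha256(key.encode()).hexdigest()


def new_findings(mr_report: dict, baseline_report: dict) -> list:
    """Findings in the MR report whose fingerprint is absent from the baseline."""
    known = {fingerprint(v) for v in baseline_report["vulnerabilities"]}
    return [v for v in mr_report["vulnerabilities"] if fingerprint(v) not in known]


def gate(mr_report: dict, baseline_report: dict, fail_at: str = "High") -> tuple:
    """Return (should_fail, new_vulns). Only net-new findings at or above the
    threshold block the pipeline; pre-existing ones are left to the dashboard."""
    new = new_findings(mr_report, baseline_report)
    blocking = [v for v in new if SEVERITY_RANK.get(v["severity"], 0) >= SEVERITY_RANK[fail_at]]
    return bool(blocking), new


if __name__ == "__main__":
    should_fail, new = gate(MR_REPORT, BASELINE_REPORT)
    for v in new:
        print(f"NEW {v['severity']}: {v['name']} at {v['location']['url']}")
    raise SystemExit(1 if should_fail else 0)
```

Run as the last step of the pentest job, the non-zero exit fails the pipeline on the new Critical finding while the pre-existing Low finding passes through to the Security Dashboard.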

Issue Creation and Tracking

APVISO can create GitLab issues for each finding, populated with the vulnerability details, reproduction steps, severity label, and a link to the full finding in the APVISO dashboard. Issues are automatically assigned the appropriate severity and vulnerability-type labels (~security-critical, ~vulnerability::xss, etc.) and can be routed to milestone boards or assigned to specific team members.

When a finding is resolved in a subsequent pentest, APVISO can close the corresponding GitLab issue or add a comment noting the resolution. This creates a complete audit trail from discovery through remediation.

Scheduled Comprehensive Pentests

While merge request pentests use a quick profile to keep pipeline times reasonable, you can schedule comprehensive pentests using GitLab's pipeline schedules. Run a full APVISO pentest nightly or weekly against your production or staging environment, with the results appearing in the Security Dashboard. Any new findings are automatically filed as issues with a scheduled-scan label.

This dual approach — quick pentests in MR pipelines and comprehensive scheduled pentests — provides both developer-friendly fast feedback and thorough periodic security coverage.

Frequently Asked Questions

Does APVISO work with GitLab's Security Dashboard?

Yes. APVISO produces artifacts in GitLab's DAST report format, so findings appear natively in your project and group Security Dashboards alongside results from other security tools.

Can I pentest GitLab review apps?

Yes. Pass the review app URL as a dynamic variable to the APVISO pentest job. Confirm that the target is authorized before pentesting it.

Is this compatible with GitLab SaaS and self-managed instances?

Yes. The integration works with GitLab.com SaaS, GitLab self-managed, and GitLab Dedicated. For self-managed instances, ensure your runners can reach the APVISO API.

How does APVISO differentiate new findings from existing ones in MRs?

APVISO fingerprints each finding and compares it against the default branch baseline. The merge request security widget shows only net-new vulnerabilities introduced by the changes in that MR.
