GitLab CI Governance Gate
Include the official template
```yaml
include:
  - remote: 'https://raw.githubusercontent.com/archetypal-ai/govern-ci/main/gitlab/govern-build.gitlab-ci.yml'
```
Basic configuration
```yaml
include:
  - remote: 'https://raw.githubusercontent.com/archetypal-ai/govern-ci/main/gitlab/govern-build.gitlab-ci.yml'

variables:
  GOVERN_MODEL: "claude-sonnet-4-20250514"
  GOVERN_TEST_PROMPTS: "tests/govern/prompts.json"
  GOVERN_FAIL_ON: "flag"
  GOVERN_BASELINE_BRANCH: "main"

stages:
  - test
  - govern
  - deploy

unit-tests:
  stage: test
  script: npm test

govern-build:
  stage: govern
  extends: .govern-build-assess
```
Manual pipeline definition
```yaml
govern-build:
  stage: govern
  image: archetypal/govern-cli:latest
  variables:
    GOVERN_API_KEY: $GOVERN_API_KEY
    GOVERN_ORG_ID: $GOVERN_ORG_ID
  script:
    - |
      govern assess \
        --batch-file ${GOVERN_TEST_PROMPTS} \
        --model ${GOVERN_MODEL} \
        --baseline-branch ${GOVERN_BASELINE_BRANCH} \
        --fail-on ${GOVERN_FAIL_ON} \
        --output gitlab-security > gl-govern-report.json
    - govern assess --output junit > govern-junit.xml
  artifacts:
    reports:
      sast: gl-govern-report.json
      junit: govern-junit.xml
    paths:
      - govern-results.json
    expire_in: 30 days
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
```
Merge request approval gate
Add GOVERN Build as a required approval in Settings → Merge requests → Approval rules:
```yaml
# CODEOWNERS or Approval rules
govern-build:
  stage: govern
  needs: []
  allow_failure: false  # Blocks merge on failure
```
GitLab Security Dashboard
The gl-govern-report.json output uses GitLab's security scanning report format, so violations appear in:
- The Merge Request security widget
- The Security Dashboard
- Vulnerability reports
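As an added example (not part of this page or the govern-ci project), a small pre-flight check you can run in the same job before the artifact is uploaded: it verifies the report carries the fields GitLab's security report ingestion expects (a report that fails schema validation does not populate the widget) and summarises findings by severity. The sample report is constructed; the required field set mirrors GitLab's report schema as I know it, and the scanner id, rule identifiers and the `gate_should_fail` threshold are assumptions, not govern CLI behaviour.

```python
import json
from collections import Counter

# Field names GitLab's security report schema requires (assumed from the schema).
REQUIRED_TOP = ("version", "vulnerabilities")
REQUIRED_VULN = ("id", "category", "severity", "scanner", "location", "identifiers")
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info", "Unknown")  # most to least severe

# Constructed stand-in for gl-govern-report.json; scanner id and rule ids are made up.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "govern-0001", "category": "sast", "severity": "High",
         "name": "Prompt 'refund-policy' produced a disallowed answer",
         "scanner": {"id": "govern", "name": "GOVERN Build"},
         "location": {"file": "tests/govern/prompts.json", "start_line": 12},
         "identifiers": [{"type": "govern_rule", "name": "policy.refund", "value": "policy.refund"}]},
        {"id": "govern-0002", "category": "sast", "severity": "Low",
         "scanner": {"id": "govern", "name": "GOVERN Build"},
         "location": {"file": "tests/govern/prompts.json", "start_line": 40},
         "identifiers": [{"type": "govern_rule", "name": "tone.formal", "value": "tone.formal"}]},
    ],
})


def validate_report(text):
    """Return a list of problems; an empty list means the report should ingest cleanly."""
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing top-level key '{k}'" for k in REQUIRED_TOP if k not in report]
    for i, v in enumerate(report.get("vulnerabilities", [])):
        problems += [f"vulnerabilities[{i}] missing '{k}'" for k in REQUIRED_VULN if k not in v]
        if v.get("severity") not in SEVERITIES:
            problems.append(f"vulnerabilities[{i}] has unknown severity {v.get('severity')!r}")
        if not v.get("identifiers"):
            problems.append(f"vulnerabilities[{i}] has an empty identifiers list")
    return problems


def severity_counts(text):
    """Count findings per severity label."""
    return Counter(v["severity"] for v in json.loads(text)["vulnerabilities"])


def gate_should_fail(text, threshold="High"):
    """True when any finding is at or above `threshold`; severities outside SEVERITIES never trip it."""
    rank = {s: i for i, s in enumerate(SEVERITIES)}
    return any(rank.get(s, len(SEVERITIES)) <= rank[threshold] for s in severity_counts(text))
```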
Environment variables in GitLab CI
Set these in Settings → CI/CD → Variables (masked + protected):
| Variable | Type | Description |
|---|---|---|
| GOVERN_API_KEY | Masked | GOVERN API key |
| GOVERN_ORG_ID | Masked | Organization ID |
| ANTHROPIC_API_KEY | Masked | Model API key (if generating responses) |
Scheduled regression
```yaml
govern-nightly:
  stage: govern
  extends: .govern-build-assess
  variables:
    GOVERN_FAIL_ON: "block"  # Stricter for nightly
  only:
    - schedules
```
Add a schedule in CI/CD → Schedules → New schedule → daily at midnight.