{"id":20637826,"url":"https://github.com/oss-review-toolkit/ort-ci-gitlab","last_synced_at":"2025-04-15T21:51:30.372Z","repository":{"id":40368745,"uuid":"456120990","full_name":"oss-review-toolkit/ort-ci-gitlab","owner":"oss-review-toolkit","description":"Use ORT in your GitLab pipelines","archived":false,"fork":false,"pushed_at":"2024-07-12T09:46:49.000Z","size":287,"stargazers_count":14,"open_issues_count":2,"forks_count":17,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-29T01:51:43.050Z","etag":null,"topics":["ci","cyclonedx","gitlab","gitlab-ci","license-checking","ospo","sbom","sbom-generator","spdx"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oss-review-toolkit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-06T10:39:50.000Z","updated_at":"2025-03-07T10:51:37.000Z","dependencies_parsed_at":"2024-05-02T11:59:27.189Z","dependency_job_id":"051e19e1-261f-4db3-963c-fcf145d6f3c7","html_url":"https://github.com/oss-review-toolkit/ort-ci-gitlab","commit_stats":null,"previous_names":["oss-review-toolkit/ort-gitlab-ci"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort-ci-gitlab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort-ci-gitlab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort-ci-gitlab/releases","manifests_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oss-review-toolkit%2Fort-ci-gitlab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oss-review-toolkit","download_url":"https://codeload.github.com/oss-review-toolkit/ort-ci-gitlab/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249161104,"owners_count":21222468,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","cyclonedx","gitlab","gitlab-ci","license-checking","ospo","sbom","sbom-generator","spdx"],"created_at":"2024-11-16T15:15:59.383Z","updated_at":"2025-04-15T21:51:30.353Z","avatar_url":"https://github.com/oss-review-toolkit.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# GitLab Job Template for ORT\n\nRun licensing, security and best practices checks and generate reports/SBOMs using [ORT][ort].\n\n## Usage\n\nSee [.gitlab-ci.yml](.gitlab-ci.yml)\n\n### Prerequisites\n\nGitLab Community or Enterprise Edition, version 15 or higher.\n\n### Basic\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
Alternatively, you can also use ORT to scan any Git, Git-repo, Mercurial or Subversion project.\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n  before_script:\n    # Use HTTPS instead of SSH for Git cloning\n    - git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n  rules:\n    - if: '$CI_PIPELINE_SOURCE == \"merge_request_event\"'\n      when: manual\n      allow_failure: true\n    - if: '$CI_PIPELINE_SOURCE == \"schedule\"'\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
### Scenarios\n\n- [Run ORT and analyze only specified package managers](#Run-ORT-and-analyze-only-specified-package-managers)\n- [Run ORT with labels](#Run-ORT-with-labels)\n- [Run ORT and fail job on policy violations or security issues](#Run-ORT-and-fail-job-on-policy-violations-or-security-issues)\n- [Run ORT on private repositories](#Run-ORT-on-private-repositories)\n- [Run ORT with a custom global configuration](#Run-ORT-with-a-custom-global-configuration)\n- [Run ORT with a custom Docker image](#Run-ORT-with-a-custom-Docker-image)\n- [Run ORT with PostgreSQL database](#Run-ORT-with-PostgreSQL-database)\n- [Run only parts of the GitLab Job Template for ORT](#Run-only-parts-of-the-GitLab-Job-Template-for-ORT)\n\n
#### Run ORT and analyze only specified package managers\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n    ORT_CLI_ARGS: '-P ort.analyzer.enabledPackageManagers=NPM,Yarn,Yarn2 -P ort.forceOverwrite=true --stacktrace'\n  before_script:\n    # Use HTTPS instead of SSH for Git cloning\n    - git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
#### Run ORT with labels\n\nUse labels to track scan-related information or to execute policy rules for a specific product, delivery or organization.\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n    ORT_CLI_ANALYZE_ARGS: \u003e\n      -l project=oss-project\n      -l dist=external\n      -l org=engineering-sdk-xyz-team-germany-berlin\n  before_script:\n    # Use HTTPS instead of SSH for Git cloning\n    - git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
#### Run ORT and fail job on policy violations or security issues\n\nSet `FAIL_ON` to fail the pipeline if:\n- policy violations reported by the Evaluator exceed the `severeRuleViolationThreshold` level.\n- security issues reported by the Advisor exceed the `severeIssueThreshold` level.\n\nBy default, `severeRuleViolationThreshold` and `severeIssueThreshold` are set to `WARNING`,\nbut you can change this to, for example, `ERROR` in your [config.yml][ort-config-yml].\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n    FAIL_ON: 'violations'\n  before_script:\n    # Use HTTPS instead of SSH for Git cloning\n    - git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
#### Run ORT on private repositories\n\nTo run ORT on private Git repositories, we recommend that you:\n- Set up an account with read-only access rights\n- Use [masked variables][gitlab-define-variable] for authentication secrets such as passwords or key values\n- Use the `before_script` to generate the required authentication configuration files or set authentication tokens.\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nimage: 'ubuntu:latest'\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n  before_script:\n    # Generate .netrc configuration file\n    - echo \"default login ${NETRC_LOGIN} password ${NETRC_PASSWORD}\" \u003e ${HOME}/.netrc\n    # Add SSH private key and generate SSH configuration file\n    # Based on https://gitlab.com/gitlab-examples/ssh-private-key\n    - 'which ssh-agent || ( apt-get update -y \u0026\u0026 apt-get install openssh-client -y )'\n    - eval $(ssh-agent -s)\n    - ssh-add \u003c(echo \"$SSH_PRIVATE_KEY\" | base64 --decode)\n    - mkdir -p ~/.ssh\n    - chmod 700 ~/.ssh\n    - echo -e \"Host *\\n\\tStrictHostKeyChecking no\\n\\n\" \u003e ~/.ssh/config\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\nThe following variant uses HTTPS with access tokens instead of SSH keys, fetches the global configuration from a private repository and sets proxy variables. Note that the token URLs must be double-quoted so that the shell expands the variables before Git stores them:\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'ssh://git@github.com:jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n    ORT_CONFIG_REPOSITORY: \"https://oauth2:${EXAMPLE_ORG_AUTH_TOKEN}@git.example.com/ort-project/ort-config.git\"\n  before_script:\n    # Set network proxy server environment variables\n    - |\n      export https_proxy='http://proxy.example.com:3128/'\n      export http_proxy='http://proxy.example.com:3128/'\n      printenv \u003e\u003e vars.env\n    # Use HTTPS with personal token instead of SSH for Git cloning\n    - |\n      git config --global url.\"https://oauth2:${GITHUB_PERSONAL_TOKEN}@github.com/\".insteadOf 'ssh://git@github.com/'\n      git config --global url.\"https://oauth2:${EXAMPLE_ORG_AUTH_TOKEN}@git.example.com/\".insteadOf 'ssh://git@git.example.com/'\n      git config --global url.\"https://oauth2:${EXAMPLE_ORG_AUTH_TOKEN}@git.example.com/\".insteadOf 'https://git.example.com/'\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
#### Run ORT with a custom global configuration\n\nUse `ORT_CONFIG_REPOSITORY` to specify the location of your ORT global configuration repository.\nIf `ORT_CONFIG_REVISION` is not set, the latest state of the configuration repository will be used.\n\nAlternatively, you can also define your ORT global configuration files in `~/.ort/config`\nusing `before_script` within the `ort-scan` job.\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'https://github.com/jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n    ORT_CONFIG_REPOSITORY: 'https://github.com/oss-review-toolkit/ort-config.git'\n    ORT_CONFIG_REVISION: 'e4ae8f0a2d0415e35d80df0f48dd95c90a992514'\n  before_script:\n    # Use HTTPS instead of SSH for Git cloning\n    - git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
#### Run ORT with a custom Docker image\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  image: 'example.com/my-org/ort-container:latest'\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'https://github.com/jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n  before_script:\n    # Use HTTPS instead of SSH for Git cloning\n    - git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
#### Run ORT with PostgreSQL database\n\nORT supports using a PostgreSQL database to cache scan data and speed up scans.\n\nSet the following [masked variables][gitlab-define-variable] at project, group or instance level to specify the database to use:\n- `POSTGRES_URL`: 'jdbc:postgresql://ort-db.example.com:5432/ort'\n- `POSTGRES_USERNAME`: 'ort-db-username'\n- `POSTGRES_PASSWORD`: 'ort-db-password'\n- `POSTGRES_SCHEMA`: 'ort-prod'\n\nNext, call the GitLab Job Template for ORT as shown below:\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'https://github.com/jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n    DB_URL: \"${POSTGRES_URL}\"\n    DB_SCHEMA: \"${POSTGRES_SCHEMA}\"\n    DB_USERNAME: \"${POSTGRES_USERNAME}\"\n    DB_PASSWORD: \"${POSTGRES_PASSWORD}\"\n  before_script:\n    # Use HTTPS instead of SSH for Git cloning\n    - git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
#### Run only parts of the GitLab Job Template for ORT\n\nSet `RUN` to limit the job to the listed ORT steps:\n\n```yaml\ninclude:\n  - https://raw.githubusercontent.com/oss-review-toolkit/ort-ci-gitlab/main/templates/ort-scan.yml\n\nstages:\n  - ort\n\nort-scan:\n  stage: ort\n  extends: .ort-scan\n  variables:\n    SW_NAME: 'Mime Types'\n    SW_VERSION: '2.1.35'\n    VCS_URL: 'https://github.com/jshttp/mime-types.git'\n    VCS_REVISION: 'ef932231c20e716ec27ea159c082322c3c485b66'\n    ALLOW_DYNAMIC_VERSIONS: 'true'\n    RUN: \u003e\n      labels,\n      analyzer,\n      advisor,\n      reporter\n  before_script:\n    # Use HTTPS instead of SSH for Git cloning\n    - git config --global url.https://github.com/.insteadOf ssh://git@github.com/\n  artifacts:\n    when: always\n    paths:\n      - $ORT_RESULTS_PATH\n```\n\n
# Want to Help or have Questions?\n\nAll contributions are welcome. If you are interested in contributing, please read our\n[contributing guide][ort-contributing-md], and to get quick answers\nto any of your questions we recommend you [join our Slack community][ort-slack].\n\n# License\n\nCopyright (C) 2020 [The ORT Project Authors](./NOTICE).\n\nSee the [LICENSE](./LICENSE) file in the root of this project for license details.\n\nOSS Review Toolkit (ORT) is a [Linux Foundation project][lf] and part of [ACT][act].\n\n[act]: https://automatecompliance.org/\n[gitlab-define-variable]: https://docs.gitlab.com/ee/ci/variables/#define-a-cicd-variable-in-the-ui\n[ort]: https://github.com/oss-review-toolkit/ort\n[ort-config-yml]: https://github.com/oss-review-toolkit/ort/blob/main/model/src/main/resources/reference.yml\n[ort-contributing-md]: https://github.com/oss-review-toolkit/.github/blob/main/CONTRIBUTING.md\n[ort-slack]: http://slack.oss-review-toolkit.org\n[lf]: https://www.linuxfoundation.org\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foss-review-toolkit%2Fort-ci-gitlab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foss-review-toolkit%2Fort-ci-gitlab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foss-review-toolkit%2Fort-ci-gitlab/lists"}