Aguara integrates with GitLab CI/CD through SARIF artifacts, enabling security scanning for AI agent skills and MCP server configurations directly in your pipeline.

Quick Start

Add to .gitlab-ci.yml:
security-scan:
  stage: test
  script:
    - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
    - ~/.local/bin/aguara scan . --format sarif -o gl-sast-report.sarif --fail-on high
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always
This scans your repository, generates a SARIF report, and uploads it as a GitLab SAST artifact.

SAST Integration

GitLab displays SARIF results in the Security Dashboard and merge request widgets when you upload findings as SAST artifacts.

Basic SAST job

aguara-scan:
  stage: test
  image: alpine:3.21
  before_script:
    - apk add --no-cache curl bash
    - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
    - export PATH="$HOME/.local/bin:$PATH"
  script:
    - aguara scan . --format sarif -o gl-sast-report.sarif --severity medium
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    expire_in: 1 week
    when: always

With severity threshold

aguara-scan:
  stage: security
  script:
    - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
    - ~/.local/bin/aguara scan ./mcp-server/ --format sarif -o gl-sast-report.sarif --fail-on high
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always
  allow_failure: false
Fails the pipeline if high or critical findings are detected. Set allow_failure: true to report findings without blocking the pipeline.

Using Docker

Use the official Aguara Docker image to avoid installation steps:
aguara-scan:
  stage: test
  image: ghcr.io/garagon/aguara:latest
  script:
    - aguara scan /builds/$CI_PROJECT_PATH --format sarif -o gl-sast-report.sarif --fail-on high
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always
The Docker image includes git, so --changed mode works:
aguara-scan:
  image: ghcr.io/garagon/aguara:latest
  script:
    - aguara scan /builds/$CI_PROJECT_PATH --changed --format sarif -o gl-sast-report.sarif
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always

Scanning specific paths

scan-skills:
  stage: test
  script:
    - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
    - ~/.local/bin/aguara scan ./.claude/skills/ --format sarif -o gl-sast-report.sarif
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always
  only:
    changes:
      - .claude/skills/**/*
Only runs when files in .claude/skills/ are modified.

Multiple output formats

Generate both SARIF (for GitLab) and JSON (for custom processing):
aguara-scan:
  stage: test
  script:
    - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
    - ~/.local/bin/aguara scan . --format sarif -o gl-sast-report.sarif
    - ~/.local/bin/aguara scan . --format json -o aguara-results.json
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    paths:
      - aguara-results.json
    when: always

Custom rules

aguara-scan:
  stage: test
  script:
    - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
    - ~/.local/bin/aguara scan . --rules ./custom-rules/ --format sarif -o gl-sast-report.sarif
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always
Loads additional detection rules from ./custom-rules/.

Pin a specific version

variables:
  AGUARA_VERSION: v0.5.0

aguara-scan:
  stage: test
  script:
    # VERSION must be set for bash (the consumer of the script), not for curl on the left of the pipe
    - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | VERSION=$AGUARA_VERSION bash
    - ~/.local/bin/aguara scan . --format sarif -o gl-sast-report.sarif
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always
Or with Docker:
aguara-scan:
  image: ghcr.io/garagon/aguara:v0.5.0
  script:
    - aguara scan . --format sarif -o gl-sast-report.sarif
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always

Merge request comments

Post findings as a merge request comment:
aguara-scan:
  stage: test
  script:
    - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
    - ~/.local/bin/aguara scan . --format sarif -o gl-sast-report.sarif --fail-on high
    - ~/.local/bin/aguara scan . --format markdown -o findings.md
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    paths:
      - findings.md
    when: always
  after_script:
    - |
      if [ -f findings.md ] && [ "$CI_PIPELINE_SOURCE" = "merge_request_event" ]; then
        # Job tokens go in the JOB-TOKEN header (PRIVATE-TOKEN is for personal/project access tokens);
        # --data-urlencode keeps '&', '+' and '%' in the markdown from corrupting the form body.
        curl --request POST \
          --header "JOB-TOKEN: $CI_JOB_TOKEN" \
          --data-urlencode "body@findings.md" \
          "$CI_API_V4_URL/projects/$CI_PROJECT_ID/merge_requests/$CI_MERGE_REQUEST_IID/notes"
      fi
Requires CI_JOB_TOKEN to have API access (GitLab 14.0+).

Complete pipeline example

stages:
  - test
  - security
  - deploy

variables:
  AGUARA_VERSION: latest

# Run on merge requests and main branch
aguara-scan:
  stage: security
  image: ghcr.io/garagon/aguara:${AGUARA_VERSION}
  script:
    - |
      aguara scan /builds/$CI_PROJECT_PATH \
        --format sarif \
        -o gl-sast-report.sarif \
        --severity medium \
        --fail-on high \
        --verbose
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    paths:
      - gl-sast-report.sarif
    expire_in: 30 days
    when: always
  allow_failure: false
  only:
    - merge_requests
    - main

# Full scan on schedule
aguara-full-scan:
  stage: security
  image: ghcr.io/garagon/aguara:${AGUARA_VERSION}
  script:
    - aguara scan /builds/$CI_PROJECT_PATH --format sarif -o gl-sast-report.sarif --severity info
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    expire_in: 90 days
    when: always
  only:
    - schedules

# Incremental scan on commits
aguara-changed:
  stage: test
  image: ghcr.io/garagon/aguara:${AGUARA_VERSION}
  script:
    - aguara scan /builds/$CI_PROJECT_PATH --changed --format sarif -o gl-sast-report.sarif --fail-on high
  artifacts:
    reports:
      sast: gl-sast-report.sarif
    when: always
  allow_failure: true
  except:
    - schedules
    - main
This pipeline:
  • Runs a medium+ scan on merge requests and main (fails on high+)
  • Runs a full info-level scan on a pipeline schedule, e.g. weekly (the schedule itself is configured in GitLab, not in .gitlab-ci.yml)
  • Runs an incremental scan on other branches (non-blocking)

Viewing results

Security Dashboard

Findings appear in:
  • Security & Compliance → Vulnerability Report
  • Merge Requests → Security widget
  • Pipeline → Security tab

Download SARIF artifact

# Using the GitLab CLI (glab): downloads the aguara-scan job's artifacts from the latest pipeline on main
glab ci artifact main aguara-scan

# Or via API
curl --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
  "https://gitlab.com/api/v4/projects/$PROJECT_ID/jobs/artifacts/main/raw/gl-sast-report.sarif?job=aguara-scan"

Troubleshooting

SAST report not appearing

Ensure:
  • Artifact name is exactly gl-sast-report.sarif
  • SARIF file is valid JSON (test: jq . gl-sast-report.sarif)
  • artifacts.reports.sast is set (not just artifacts.paths)
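Added example (not Aguara code): a small pre-upload check that covers the list above and the threshold gate from the --fail-on sections, so a later job can fail on the SARIF artifact itself. It assumes SARIF 2.1.0 result `level` values; how Aguara maps its own severities (critical/high/medium/low/info) to those levels is an assumption, not something this page documents.

```python
"""Check a SARIF report before uploading it as gl-sast-report.sarif, then apply a --fail-on
style gate. Assumes SARIF 2.1.0 `level` values (Aguara's severity-to-level mapping is assumed)."""
import json

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # higher = more severe

def validate_sarif(text):
    """Return a list of problems; an empty list means the report is structurally usable."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]  # the jq check from the page would fail here too
    if not isinstance(doc, dict) or doc.get("version") != "2.1.0":
        return ["not a SARIF 2.1.0 object"]
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return ["no runs[] array"]
    problems = []
    for i, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{i}] lacks tool.driver.name")
        for j, res in enumerate(run.get("results", [])):
            for key in ("ruleId", "locations"):  # a finding needs a rule and a file to be displayed
                if not res.get(key):
                    problems.append(f"runs[{i}].results[{j}] lacks {key}")
    return problems

def count_by_level(text):
    """Count results per SARIF level across all runs; unknown levels count as 'none'."""
    counts = dict.fromkeys(LEVEL_RANK, 0)
    for run in json.loads(text).get("runs", []):
        for res in run.get("results", []):
            level = res.get("level")
            counts[level if level in LEVEL_RANK else "none"] += 1
    return counts

def exceeds_threshold(counts, fail_on):
    """True if any result sits at or above `fail_on` (e.g. "error"), to fail a later job."""
    return any(n for level, n in counts.items() if LEVEL_RANK[level] >= LEVEL_RANK[fail_on])

# Constructed sample report (not real Aguara output) so the example runs offline.
SAMPLE = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "aguara"}},
    "results": [
        {"ruleId": "example-rule-1", "level": "error",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "SKILL.md"}}}]},
        {"ruleId": "example-rule-2", "level": "warning",
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "mcp.json"}}}]},
        {"ruleId": "example-rule-3", "level": "note"}]}]})  # no locations, on purpose
```

In a pipeline, read the artifact file instead of SAMPLE and exit non-zero when validate_sarif returns problems or exceeds_threshold is true for the level you gate on.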

Job fails with “command not found”

Add install directory to PATH:
script:
  - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
  - export PATH="$HOME/.local/bin:$PATH"
  - aguara scan .
Or use the full path:
script:
  - curl -fsSL https://raw.githubusercontent.com/garagon/aguara/main/install.sh | bash
  - ~/.local/bin/aguara scan .

Large repositories time out

Increase job timeout or use --changed mode:
aguara-scan:
  timeout: 30m
  script:
    - aguara scan . --changed --format sarif -o gl-sast-report.sarif

Next Steps

  • GitHub Actions: integrate with GitHub Actions workflows
  • Docker: run Aguara in Docker containers
