Skip to main content
CI/CD Catalog component

Turn GitLab security findings into secure-coding training

A CI/CD Catalog component reads your security scanner reports on a merge request and gives the developer who introduced each finding a short, matched lesson, right where they are working. It runs inside your own GitLab, stores nothing about your developers, and records completion back on the merge request.

Last updated July 2026

Overview

Security scanners find the vulnerability. They do not teach the developer how to avoid the next one. This component closes that gap inside GitLab: when a scanner flags a finding on a merge request, the developer who introduced it gets a short lesson on the exact class of bug, on the merge request, while the code is still fresh.

It is a GitLab CI/CD Catalog component, so adoption is one include line and three variables:

  • Reads your SAST, Secret, Dependency, and Container reports
  • Matches each finding to a secure-coding module
  • Posts the lesson on the merge request
  • Stateless, in your own GitLab boundary

How it works

The component is a job in your merge request pipeline that runs after your security scanners. It never talks to your source; it reads the reports the scanners already produce and acts on them.

  1. Your GitLab scanners run and write their gl-*-report.json artifacts. The component reads them and iterates the findings.

  2. For each finding it takes the CWE and OWASP identifiers and matches them to the secure-coding module that teaches the fix. A SQL injection maps to injection, a hard-coded secret to secrets handling, a vulnerable dependency to dependency hygiene.

  3. It works out the responsible developer from the commit author and posts the module link as a single note on the merge request, deduplicated so a re-run never spams it.

  4. When the developer finishes the module, the completion is recorded back on the merge request as a signed note, so the review shows the lesson was assigned and done.

The lesson lands at the moment of the mistake, on the merge request, not in a quarterly training queue. That is when a developer is most receptive to the fix for the code they just wrote.

Add it to your pipeline

The component is published in the GitLab CI/CD Catalog. Add it to your .gitlab-ci.yml after the jobs that produce your security reports:

include: - component: $CI_SERVER_FQDN/ransomleak/secure-coding-jit/secure-coding-training@1

Then set three masked CI/CD variables from your RansomLeak install:

Variable What it is
RANSOMLEAK_ORG_INSTALL_IDYour organisation install id, shown once when you enable the integration.
RANSOMLEAK_INGEST_SECRETThe per-install secret the component uses to request the matching module.
RANSOMLEAK_GITLAB_TOKENA GitLab token with api scope that posts the note on the merge request.

There is no agent to deploy and nothing to host. The component is a pipeline job that runs on GitLab-hosted or your own runners, and the version pin (@1) keeps you on the latest release without breaking changes.

Permissions and data handling

The integration is stateless and runs inside your own GitLab boundary. It reads the scanner reports the pipeline already produced, and it talks to GitLab with a token you own and can revoke.

  • Runs in your GitLab, with your token
  • No per-developer rows, no completion storage
  • Revoke the token and it stops, cleanly
Data How it is handled
FindingsRead from the scanner reports in the pipeline. RansomLeak receives only the finding class (CWE and OWASP), never your source code.
The developerResolved from the commit author to address the note. No per-developer record is kept on our side.
The completionA signed note on your merge request. GitLab holds it as the record; RansomLeak does not store it.

Because it runs inside your own GitLab, no source and no developer data crosses between GitLab and RansomLeak as companies. For how RansomLeak handles data, see the privacy policy and the security and compliance page.

Frequently asked questions

Does RansomLeak integrate with GitLab?

Yes. RansomLeak publishes a GitLab CI/CD Catalog component that turns a security finding into secure-coding training for the developer who introduced it. It runs after your security scanners in a merge request pipeline, reads their reports, and posts a short, matched lesson on the merge request. Completion is recorded back on the same merge request.

How does a GitLab finding become training?

The component runs in the merge request pipeline, after your scanners produce their gl-*-report.json artifacts. For each finding it reads the CWE and OWASP identifiers, matches them to a secure-coding micro-module, works out the responsible developer from the commit author, and posts the module link as a note on the merge request. Finishing the module records completion back on the merge request.

Which scanners does it read?

GitLab SAST, Secret Detection, Dependency Scanning, and Container Scanning. Each finding is matched by its CWE and OWASP identifiers, so a SQL injection, a hard-coded secret, or a vulnerable dependency each map to the lesson that teaches the fix.

What developer data does RansomLeak store?

None. The component runs inside your own GitLab, calling your GitLab with a token you control. The org-level install holds only a signing key, the enabled-module list, and your API token. There are no per-developer rows and no completion storage on our side. The completion is a signed note on your merge request; GitLab holds it, and we do not.

How do I add it?

Add one include line to your .gitlab-ci.yml from the CI/CD Catalog, set three masked CI/CD variables from your RansomLeak install, and it runs on the next merge request. There is no agent to deploy and nothing to host.

Does it block the merge?

By default it posts the training on the merge request as a prompt, not a blocking gate, so it fits your existing review flow without stopping it. Completion is recorded back on the merge request, so a reviewer can see the lesson was assigned and finished.

Next guide Turn a Datadog detection into coaching The same idea at runtime: a detection assigns the person involved a short lesson, so the response includes coaching, not just another alert.

Need a hand?

Email support@ransomleak.com and we will help you connect GitLab to your tenant.

See RansomLeak in Action

Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.