Additional Parameters¶
Options beyond the core -f and -p flags on gitlab-compliance check.
--include-nested / --no-include-nested¶
Default: nested local includes are resolved.
When enabled, include: entries that reference local project files are merged
into the compliance entity stash so policies can see jobs and variables from
included fragments.
gitlab-compliance check -f policies/ -p .gitlab-ci.yml --no-include-nested
--strict¶
Default: off (API scenarios skip when token or project/group is missing).
When enabled, API-backed Given steps fail instead of skipping if
GITLAB_TOKEN / CI_JOB_TOKEN and --project or --group are not available.
gitlab-compliance check -f policies/ -p .gitlab-ci.yml --strict
Use --strict in CI jobs that must enforce API checks.
--dry-run¶
Parse scenarios and list them without running assertions.
gitlab-compliance check -f policies/ -p .gitlab-ci.yml --dry-run
--fix¶
Auto-remediate supply-chain issues before running policies:
- Project/component includes — bump
ref:or@versionto the latest semver tag from GitLab - Container images — rewrite
image:/services:to@sha256:<digest>for the resolved tag
Requires a GitLab token (--token, GITLAB_TOKEN, or CI_JOB_TOKEN). Cannot
be combined with --dry-run.
gitlab-compliance check -f policies/security/ -p .gitlab-ci.yml --fix
--update¶
With an OCI -f reference, pull the latest policy bundle before executing
checks.
gitlab-compliance check -f oci://registry.example.com/org/policies:1.0.0 -p
.gitlab-ci.yml --update
--policy-cache-dir¶
Directory used when extracting OCI policy bundles (default: system temp directory).
gitlab-compliance check -f oci://registry.example.com/org/policies:1.0.0 \
-p .gitlab-ci.yml --policy-cache-dir /tmp/policy-cache
--gitlab-url¶
GitLab instance URL for API checks. Defaults to CI_SERVER_URL or
https://gitlab.com.
gitlab-compliance check -f policies/ -p .gitlab-ci.yml \
--gitlab-url https://gitlab.example.com --project my-group/my-project
Documentation commands¶
generate¶
| Option | Description |
|---|---|
-i / --input-config |
Pipeline YAML path (default: .gitlab-ci.yml) |
-o / --output-file |
Output path |
--format |
markdown, swagger-markdown, or html |
--detailed |
Include workflow and per-job rules |
--dry-mode |
Print to stdout without writing a file |
-x / --exclude |
Comma-separated sections or job attributes to omit (sections: inputs, variables, includes, workflow, jobs, container_images) |
-g / --group-by |
Group jobs in the Jobs section by a job attribute (e.g. stage) |
Use get-attributes when you need an include whitelist of specific job
attributes as a table; use generate --exclude for a blacklist when
building full pipeline documentation.
Example:
gitlab-compliance generate -i .gitlab-ci.yml \
--exclude variables,workflow,image \
--group-by stage \
--format swagger-markdown
policies doc¶
| Option | Description |
|---|---|
-f / --features |
Policy directory |
--format |
markdown (default) or html |
-o / --output-file |
Catalog output path |
policies push / policies pull¶
gitlab-compliance policies push -f policies/
registry.example.com/org/policies:1.0.0
gitlab-compliance policies pull oci://registry.example.com/org/policies:1.0.0 -o
policies/