GitLab Free: MR Scans Setup
Publish MR scan results and comments for issues from Aikido. No pipeline code needed.
This setup is meant for the GitLab Free plan, where Service Accounts aren’t available and a dedicated user is used instead.
If you’re on GitLab Premium, GitLab Ultimate or GitLab Server, use a Service Account instead of a user-based setup.
Set up GitLab MR scanning
Create a dedicated GitLab user
Create a dedicated user like AikidoSecurity[YourCompany]. Use it only for Aikido.
For easy recognition, use the Aikido logo as the profile picture.

Create a Personal Access Token
Log in as the new user.
Go to Preferences → Personal access tokens.
Add a new token:
Name: for example Aikido Scans
Expiration date: Set an expiry date that matches your rotation policy
Scopes:
api

Save the token
Copy the token now. GitLab won’t show it again.
You’ll paste it into Aikido in step 6.

Invite your Aikido user to your group
Log back in with your own GitLab account.
Go to Groups.
For each group you want to enable, open the group.
Go to Manage → Members → Invite members.
Invite the dedicated Aikido user.

Give it at least Maintainer access.

Enable the integration
In Aikido, open the Integrations page. Then select GitLab CI under MR Quality Gating.

Paste the Personal Access Token
Paste the token you created in step 3.
Click Update token.
Aikido validates group access and required permissions.
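To check the same prerequisites yourself before pasting the token, the following added example (not Aikido's code) reads the token's metadata and the dedicated user's group role from the GitLab REST API v4 and flags anything that deviates from this guide. The function names and the 90-day limit are assumptions; replace the limit with your own rotation policy.

```python
import json
from urllib import error, request
from datetime import date

MAINTAINER = 40      # GitLab access_level value for the Maintainer role
MAX_TOKEN_DAYS = 90  # assumption: stand-in for your own rotation policy
# Constructed sample responses (not real data), shaped like GitLab's JSON.
SAMPLE_TOKEN = {"scopes": ["api", "sudo"], "active": True, "revoked": False,
                "user_id": 7, "expires_at": None}
SAMPLE_MEMBER = {"id": 7, "access_level": 30}  # 30 = Developer

def check_setup(token_info, member, today, max_days=MAX_TOKEN_DAYS):
    """Return a list of problems; an empty list means the prerequisites hold."""
    problems = []
    scopes = set(token_info.get("scopes", []))
    extra = sorted(scopes - {"api"})  # least privilege: the guide asks for api only
    if "api" not in scopes:
        problems.append("token is missing the api scope")
    if extra:
        problems.append(f"token has extra scopes: {extra}")
    if token_info.get("revoked") or not token_info.get("active"):
        problems.append("token is revoked or inactive")
    expires = token_info.get("expires_at")
    if not expires:
        problems.append("token has no expiry date")
    elif (date.fromisoformat(expires) - today).days > max_days:
        problems.append(f"token expires more than {max_days} days out")
    if member is None:
        problems.append("user is not a member of the group")
    elif member.get("access_level", 0) < MAINTAINER:
        problems.append("user has less than Maintainer access")
    return problems

def gitlab_get(base_url, token, path):
    """GET a REST v4 endpoint; a 404 (e.g. not a group member) returns None."""
    req = request.Request(f"{base_url}/api/v4{path}",
                          headers={"PRIVATE-TOKEN": token})
    try:
        with request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except error.HTTPError as err:
        if err.code != 404:
            raise
        return None

def check_live(base_url, token, group_id):
    """Query GitLab for the token's own metadata and its user's group role."""
    info = gitlab_get(base_url, token, "/personal_access_tokens/self")
    member = gitlab_get(base_url, token, f"/groups/{group_id}/members/all/{info['user_id']}")
    return check_setup(info, member, date.today())
```

`check_live` needs network access to your GitLab instance; pass the group's numeric ID or its URL-encoded path as `group_id`, and run it once per group you invited the user to.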

Configure your first repository
After authorization, Aikido opens the GitLab MR Checks page.
Start with one repository first. Confirm everything works before rolling out broadly.

Verify with a new MR
Open a new merge request (MR) in the repo you configured.
Then confirm the checks run in the Pipelines tab.

Comments should appear as the dedicated user. For example, @AikidoSecurity[YourCompany].

Require the scan to succeed
If you want to block merging until the scan succeeds, configure merge checks in GitLab.
In GitLab, go to [Repository] → Settings → Merge Requests. Enable the check Pipelines must succeed.


Enable for all repositories
Once you’re happy with the results, go back to the GitLab MR Checks page and enable checks for the rest of your repositories.

Set the default for new repositories
In the top-right, open Actions and select Set Default for New Repos. Then enable automatic configuration so that repositories added in the future are configured automatically.
Need the UI walkthrough? See Default PR/MR gating configuration for new repositories.
Ignore issues directly from MR comments
When Aikido posts an inline MR comment for a finding, you can ignore that issue directly from GitLab by replying to the comment with:
@AikidoSecurity[YourCompany] ignore: [your reason to ignore]
Example:
@AikidoSecurity[YourCompany] ignore: This secret is used for tests only.
Replace @AikidoSecurity[YourCompany] with the username of the dedicated GitLab user you created in step 1.
This performs the same action as manually ignoring the issue in the Aikido platform:
The issue is marked as ignored in Aikido.
The ignore reason is stored.
MR gating can turn green once all blocking issues are resolved or ignored.