GitLab Premium, Ultimate & Server: MR Scans Setup

Publish MR scan results and comments for issues from Aikido. No pipeline code needed.

This setup is meant for GitLab Premium, GitLab Ultimate, or GitLab Server.

Service Accounts are available on these plans. They’re the recommended way to run MR scans.

If you’re on GitLab Free, use the user-based setup instead.

Set up GitLab MR scanning

Create a dedicated Service Account

In GitLab, go to Group → Settings → Service accounts.

Select Add service account.

Set a Name and Username:

Name: Aikido Security
Username: AikidoSec
Select Create.

Use this account only for Aikido.

Create an Access Token

On the service account select the vertical ellipsis → Manage access tokens.

Add a new token:

Name: for example Aikido Scans
Expiration date: Set an expiry date that matches your rotation policy
Scopes: api

Save the token

Copy the token now. GitLab won’t show it again.

You’ll paste it into Aikido in step 6.

Invite the account to your group(s)

Go to Groups in GitLab.

For each group you want to enable, open the group.

Go to Manage → Members → Invite members.

Invite the service account.

Give it at least Maintainer access.

Enable the integration

In Aikido, open the Integrations page. Then select GitLab CI under MR Quality Gating.

Paste the access token

Paste the token you created in step 3.

Click Update token.

Aikido validates group access and required permissions.

Configure your first repository

After authorization, Aikido opens the GitLab MR Checks page.

Start with one repository first. Confirm everything works before rolling out broadly.

Verify with a new MR

Open a new merge request (MR) in the repo you configured.

Then confirm the checks run in the Pipelines tab.

Comments should appear as the service account. For example, @AikidoSec.

Require the scan to succeed

If you want to block merging until the scan succeeds, configure merge checks in GitLab.

In GitLab, go to [Repository] → Settings → Merge Requests. Enable the check Pipelines must succeed.

Enable for all repositories

Once you’re happy with the results, go back to the GitLab MR Checks page and enable checks for the rest of your repositories.

Set the default for new repositories

In the top-right, open Actions and select Set Default for New Repos and enable automatic configuration for newly added repositories in the future.

Need the UI walkthrough? See Default PR/MR gating configuration for new repositories.

Last updated 9 days ago

Was this helpful?

hashtagSet up GitLab MR scanning

hashtagCreate a dedicated Service Account

hashtagCreate an Access Token

hashtagSave the token

hashtagInvite the account to your group(s)

hashtagEnable the integration

hashtagPaste the access token

hashtagConfigure your first repository

hashtagVerify with a new MR

hashtagRequire the scan to succeed

hashtagEnable for all repositories

hashtagSet the default for new repositories