
Beyond SAST: Integrating Code Quality Checks in GitLab CI/CD

This article explains why GitLab's built‑in SAST focuses solely on security, distinguishes it from code‑quality analysis, and provides two practical ways—using the official Code‑Quality template and integrating custom linters—to add comprehensive code‑quality checks into your CI/CD pipelines.


Introduction

GitLab CI/CD includes a built‑in SAST scanner that focuses on security vulnerabilities. SAST does not perform general code‑quality analysis such as syntax style, code‑smell detection, or complexity checks. To enforce code quality you must add a separate tool or use GitLab’s Code Quality framework.

SAST vs. Code Quality

SAST – static analysis for security issues (SQL injection, XSS, unsafe dependencies, hard‑coded secrets, etc.).

Code‑Quality testing – static analysis for engineering quality (duplicate code, long functions, high cyclomatic complexity, style violations, etc.).

GitLab Code Quality feature

The Code Quality feature consumes reports that follow the open Code Climate JSON schema. Any linter that can emit a Code Climate‑compatible report can be integrated and displayed in Merge Requests.

Solution 1 – Built‑in template

GitLab provides a ready‑made template Code-Quality.gitlab-ci.yml that runs a Docker image containing the Code Climate engine and language‑specific plugins. Add the template to .gitlab-ci.yml and optionally restrict execution to merge‑request pipelines.

include:
  - template: Code-Quality.gitlab-ci.yml

code_quality:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

The job produces a report file (gl-code-quality-report.json) registered as a codequality report artifact. GitLab parses that artifact and shows the findings in the Merge Request UI.

Solution 2 – Custom linters

When a project already uses a specific linter (e.g., pylint, flake8, ESLint), configure the job to run the linter and output a Code Climate report. Example for ESLint:

Install the GitLab formatter in the project:

npm install --save-dev eslint-formatter-gitlab

Then add a CI job that runs ESLint with the formatter and registers the report:

eslint_code_quality:
  stage: test
  image: node:18
  script:
    - npm ci
    - npx eslint "src/**/*.js" -f gitlab
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'

Any tool that can emit Code Climate JSON (SonarQube, Checkstyle, etc.) can be integrated in the same way by adjusting the script and the report path.
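For a tool that has no Code Climate formatter of its own, the adapter is small. The following added example (not code from the article) converts flake8's default "path:line:col: CODE message" output into the JSON structure GitLab's codequality report expects; the sample flake8 lines and the severity mapping are constructed here and are assumptions, not something the page specifies.

```python
# Added example: turn plain flake8 output into Code Climate-compatible JSON for
# artifacts:reports:codequality. Sample lines and severity mapping are constructed.
import hashlib
import json
import re

# flake8's default output format: path:line:col: CODE message
FLAKE8_LINE = re.compile(
    r"^(?P<path>[^:]+):(?P<line>\d+):(?P<col>\d+): (?P<code>[A-Z]+\d+) (?P<msg>.*)$"
)

# Assumed mapping from flake8 code prefixes to GitLab severities
# (info, minor, major, critical, blocker). Order matters: E9 before E.
SEVERITY_BY_PREFIX = {"E9": "critical", "F": "major", "E": "minor", "W": "minor", "C": "minor"}


def severity_for(code):
    for prefix, sev in SEVERITY_BY_PREFIX.items():
        if code.startswith(prefix):
            return sev
    return "info"


def fingerprint(path, code, msg):
    # Stable across line shifts: hash path + check + message, not the line number,
    # so GitLab can match the same finding between pipeline runs.
    return hashlib.sha256(f"{path}:{code}:{msg}".encode()).hexdigest()


def to_codeclimate(flake8_output):
    findings = []
    for raw in flake8_output.splitlines():
        m = FLAKE8_LINE.match(raw.strip())
        if not m:
            continue  # skip summary lines or anything not in flake8's format
        findings.append({
            "description": f"{m['code']} {m['msg']}",
            "check_name": m["code"],
            "fingerprint": fingerprint(m["path"], m["code"], m["msg"]),
            "severity": severity_for(m["code"]),
            "location": {"path": m["path"], "lines": {"begin": int(m["line"])}},
        })
    return findings


# Constructed sample of flake8 output, including one non-matching line.
SAMPLE = """src/app.py:3:1: F401 'os' imported but unused
src/app.py:17:80: E501 line too long (92 > 79 characters)
src/app.py:40:5: E999 SyntaxError: invalid syntax
not a flake8 line
"""

if __name__ == "__main__":
    with open("gl-code-quality-report.json", "w") as fh:
        json.dump(to_codeclimate(SAMPLE), fh, indent=2)
```

In a pipeline you would pipe the real flake8 output into to_codeclimate and point artifacts:reports:codequality at the written file, exactly as in the ESLint job above.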

Key considerations

SAST and Code Quality should be run in separate jobs; they address different risk domains.

Code Quality reports are visualized only when the artifacts:reports:codequality keyword is used.

Running the jobs only on merge‑request pipelines reduces unnecessary compute cost.

Conclusion

SAST in GitLab does not cover general code‑quality checks. To achieve full‑stack governance you must add a Code Quality analysis step, either by using the built‑in Code-Quality.gitlab-ci.yml template or by integrating your own linters that output Code Climate JSON. This ensures that security and maintainability are enforced early in the development workflow.

Written by

Ops Development & AI Practice

DevSecOps engineer sharing experiences and insights on AI, Web3, and Claude code development. Aims to help solve technical challenges, improve development efficiency, and grow through community interaction. Feel free to comment and discuss.
