doc/ci/yaml/artifacts_reports.md
{{< details >}}
{{< /details >}}
Use artifacts:reports to:
Artifacts created for artifacts: reports are always uploaded, regardless of the job results (success or failure).
You can use artifacts:expire_in to set an expiration
time for the artifacts, which overrides the instance's default setting.
GitLab.com might have a different default artifacts expiry value.
Some artifacts:reports types can be generated by multiple jobs in the same pipeline, and used by merge request or
pipeline features from each job.
To browse the report output files, ensure you include the artifacts:paths keyword in your job definition.
[!note] Combined reports in parent pipelines using artifacts from child pipelines is not supported. Support for this feature is proposed in epic 8205.
artifacts:reports:accessibilityThe accessibility report uses pa11y to report on the accessibility impact
of changes introduced in merge requests.
GitLab can display the results of one or more reports in the merge request accessibility widget.
For more information, see Accessibility testing.
artifacts:reports:annotations{{< history >}}
{{< /history >}}
The annotations report is used to attach auxiliary data to a job.
An annotations report is a JSON file with annotation sections. Each annotation section can have any desired name and can have any number of annotations of the same or differing types.
Each annotation is a single key (the annotation type), containing the subkeys with the data for that annotation.
external_linkAn external_link annotation can be attached to a job to add a link to the job
output page. The value of an external_link annotation is an object with the
following keys:
| Key | Description |
|---|---|
label | The human-readable label associated with the link. |
url | The URL pointed to by the link. |
The following is an example of what a job annotations report might look like:
{
"my_annotation_section_1": [
{
"external_link": {
"label": "URL 1",
"url": "https://url1.example.com/"
}
},
{
"external_link": {
"label": "URL 2",
"url": "https://url2.example.com/"
}
}
]
}
artifacts:reports:api_fuzzing{{< details >}}
{{< /details >}}
The api_fuzzing report collects API fuzzing bugs
as artifacts.
GitLab can display the results of one or more reports in:
artifacts:reports:browser_performance{{< details >}}
{{< /details >}}
The browser_performance report collects Browser Performance Testing metrics
as an artifact. This artifact is a JSON file output by the Sitespeed plugin.
GitLab can display the results of one report in the merge request browser performance testing widget.
GitLab cannot display the combined results of multiple browser_performance reports.
artifacts:reports:coverage_reportUse coverage_report: to collect coverage report in Cobertura or JaCoCo formats.
The coverage_format: Can be either cobertura or
jacoco.
Cobertura was originally developed for Java, but there are many third-party ports for other languages such as JavaScript, Python, and Ruby.
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: coverage/cobertura-coverage.xml
The collected coverage report is uploaded to GitLab as an artifact.
You can generate multiple JaCoCo or Cobertura reports and include them in the final job artifact using wildcards. The results of the reports are aggregated in the final coverage report.
The results of coverage reports appear in merge request diff annotations.
[!note] Coverage reports from child pipelines appear in merge request diff annotations, but the artifacts themselves are not shared with parent pipelines.
artifacts:reports:codequalityThe codequality report collects code quality issues. The
collected code quality report uploads to GitLab as an artifact.
GitLab can display the results of one or more reports in:
The artifacts:expire_in value is set to 1 week.
artifacts:reports:container_scanning{{< details >}}
{{< /details >}}
The container_scanning report collects container scanning vulnerabilities.
The collected container scanning report uploads to GitLab as an artifact.
GitLab can display the results of one or more reports in:
artifacts:reports:coverage_fuzzing{{< details >}}
{{< /details >}}
The coverage_fuzzing report collects coverage fuzzing bugs.
The collected coverage fuzzing report uploads to GitLab as an artifact.
GitLab can display the results of one or more reports in:
artifacts:reports:cyclonedx{{< details >}}
{{< /details >}}
This report is a Software Bill of Materials describing the components of a project following the CycloneDX protocol format.
You can specify multiple CycloneDX reports per job. These can be either supplied as a list of filenames, a filename pattern, or both:
cyclonedx: gl-sbom-*.json, junit: test-results/**/*.json).cyclonedx: [gl-sbom-npm-npm.cdx.json, gl-sbom-bundler-gem.cdx.json]).cyclonedx: [gl-sbom-*.json, my-cyclonedx.json]).cyclonedx: test-results, cyclonedx: test-results/**).The following example shows a job that exposes CycloneDX artifacts:
artifacts:
reports:
cyclonedx:
- gl-sbom-npm-npm.cdx.json
- gl-sbom-bundler-gem.cdx.json
artifacts:reports:dast{{< details >}}
{{< /details >}}
The dast report collects DAST vulnerabilities. The collected DAST
report uploads to GitLab as an artifact.
GitLab can display the results of one or more reports in:
artifacts:reports:dependency_scanning{{< details >}}
{{< /details >}}
The dependency_scanning report collects dependency scanning vulnerabilities.
The collected dependency scanning report uploads to GitLab as an artifact.
GitLab can display the results of one or more reports in:
artifacts:reports:dotenvThe dotenv report collects environment variables from a file and makes them
available as CI/CD variables to later jobs in the pipeline.
For more information, see dotenv variables.
artifacts:reports:junitThe junit report collects JUnit report format XML files.
The collected Unit test reports upload to GitLab as an artifact. Although JUnit was originally developed in Java, there
are many third-party ports for other languages such as JavaScript, Python, and Ruby.
See Unit test reports for more details and examples. The following example shows how to collect a JUnit XML report from Ruby RSpec tests:
rspec:
stage: test
script:
- bundle install
- rspec --format RspecJunitFormatter --out rspec.xml
artifacts:
reports:
junit: rspec.xml
GitLab can display the results of one or more reports in:
Some JUnit tools export to multiple XML files. You can specify multiple test report paths in a single job to concatenate them into a single file. Use either:
junit: rspec-*.xml, junit: test-results/**/*.xml).junit: [rspec-1.xml, rspec-2.xml, rspec-3.xml]).junit: [rspec.xml, test-results/TEST-*.xml]).junit: test-results, junit: test-results/**).artifacts:reports:load_performance{{< details >}}
{{< /details >}}
The load_performance report collects Load Performance Testing metrics.
The report is uploaded to GitLab as an artifact.
GitLab can display the results of only one report in the merge request load testing widget.
GitLab cannot display the combined results of multiple load_performance reports.
artifacts:reports:metrics{{< details >}}
{{< /details >}}
The metrics report collects Metrics. The collected Metrics report uploads to GitLab as an
artifact.
GitLab can display the results of one or more reports in the merge request metrics reports widget.
artifacts:reports:requirements{{< details >}}
{{< /details >}}
The requirements report collects requirements.json files. The collected Requirements report uploads to GitLab as an
artifact and existing requirements are marked as Satisfied.
GitLab can display the results of one or more reports in the project requirements.
artifacts:reports:sarif{{< details >}}
{{< /details >}}
{{< history >}}
sarif_ingestion. Disabled by default.{{< /history >}}
[!flag] The availability of this feature is controlled by a feature flag named
sarif_ingestion. For more information, see the history.
The sarif report collects security findings from tools that emit
SARIF 2.1.0 output.
The collected SARIF report uploads to GitLab as an artifact.
Use this report type to ingest findings from any SARIF-compatible scanner, such as Semgrep, ESLint security plugins, or GitHub Advanced Security tools.
GitLab can display the results of one or more reports in:
Example:
semgrep:
image: returntocorp/semgrep
script:
- semgrep ci --sarif --output gl-sarif-report.sarif
artifacts:
reports:
sarif: gl-sarif-report.sarif
artifacts:reports:sastThe sast report collects SAST vulnerabilities.
The collected SAST report uploads to GitLab as an artifact.
For more information, see:
artifacts:reports:secret_detectionThe secret-detection report collects detected secrets.
The collected secret detection report is uploaded to GitLab.
GitLab can display the results of one or more reports in:
artifacts:reports:terraformThe terraform report obtains an OpenTofu tfplan.json file. JQ processing required to remove credentials.
The collected OpenTofu plan report uploads to GitLab as an artifact.
GitLab can display the results of one or more reports in the merge request OpenTofu widget.
For more information, see Output tofu plan information into a merge request.