Non-Meterian Docker image configuration

In this configuration a minimal base Docker image is used for the whole build, so the user must ensure the supporting tooling (here a JDK and curl) is installed before the scan runs.

The example below is meant for a sample Unity project hosted on GitLab. No additional special tooling is required, because the Unity scanner reads the project's manifest files (manifest.json and packages-lock.json) directly to produce the bill of materials and to detect any vulnerable or out-of-date component.

meterian-analysis:
  image:
    name: openjdk:17.0.2-slim-buster
  stage: test
  script:
    - apt update; apt -y install curl
    # -f makes the job fail on an HTTP error instead of saving an error page as the jar
    - curl -fsSL -o /tmp/meterian-cli.jar https://www.meterian.com/downloads/meterian-cli.jar
    # folded scalar (>) so the long command can be split across lines while staying one script entry
    - >
      java -jar /tmp/meterian-cli.jar --scan-unity=true --scan-nodejs=false
      --project-branch=$CI_COMMIT_BRANCH --project-commit=$CI_COMMIT_SHA

Note that we are using the OpenJDK slim image, which we need in order to run a Java program. We then download the Meterian Java thin client and run it with Java at the root of the project. Note that we collect the project branch and the project commit from the GitLab pipeline variables (see the official GitLab reference).

Note also that, in the case of Unity, we have to explicitly enable the Unity scanner engine (--scan-unity=true) and, at the same time, disable the Node.js scanner (--scan-nodejs=false).
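The job above runs three steps blind: install curl, download the client, run it. As an added example that is not part of this page or Meterian's own tooling, the POSIX shell script below wraps those steps with the checks a practitioner would want before spending pipeline minutes: it confirms the Unity manifests the scanner reads are present, verifies the downloaded file is a real jar rather than an HTML error page, and builds the scan command from the same pipeline variables. The Packages/ location of the manifests and the "PK" zip-signature check are assumptions of this script, not documented Meterian behaviour.

```shell
#!/bin/sh
# Added example, not Meterian's code. Pre-flight checks for the
# meterian-analysis job. Assumptions: Unity keeps manifest.json and
# packages-lock.json under Packages/, and the client is a jar (a zip
# archive, so its first two bytes are "PK").

# Return 0 when both manifest files the Unity scanner reads exist.
check_unity_manifests() {
  dir="${1:-.}"
  for f in manifest.json packages-lock.json; do
    if [ ! -f "$dir/Packages/$f" ]; then
      echo "missing $dir/Packages/$f; nothing for the Unity scanner to read" >&2
      return 1
    fi
  done
  return 0
}

# Return 0 when the file is non-empty and starts with the zip magic "PK".
# A failed download that saved an error page would otherwise be handed
# to java and fail with a less obvious message.
is_jar() {
  [ -s "$1" ] && [ "$(head -c 2 "$1")" = "PK" ]
}

# Compose the java arguments from the jar path, branch and commit.
build_scan_args() {
  jar="$1"; branch="$2"; commit="$3"
  echo "-jar $jar --scan-unity=true --scan-nodejs=false --project-branch=$branch --project-commit=$commit"
}

# Download the client and run the scan; used when RUN_SCAN=1 is set in
# the CI job, so that sourcing this file for its functions does nothing.
main() {
  jar=/tmp/meterian-cli.jar
  check_unity_manifests "${CI_PROJECT_DIR:-.}" || exit 1
  curl -fsSL -o "$jar" https://www.meterian.com/downloads/meterian-cli.jar || exit 1
  is_jar "$jar" || { echo "$jar is not a jar file" >&2; exit 1; }
  # shellcheck disable=SC2046 (word splitting of the argument string is intended)
  java $(build_scan_args "$jar" "${CI_COMMIT_BRANCH:-}" "${CI_COMMIT_SHA:-}")
}

if [ "${RUN_SCAN:-0}" = 1 ]; then
  main
fi
```

In the GitLab job this replaces the last two script lines with `RUN_SCAN=1 sh preflight.sh` (file name is an assumption); the manifest check makes a mis-configured job fail fast with a clear message instead of producing an empty bill of materials.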
