# Integrating GOS into Your CI/CD Pipeline

Lineaje GOS integrates into existing CI/CD pipelines. The workflow consists of six sequential phases, each supported by Lineaje APIs, CLI tooling, and AI-driven automation.

<details>

<summary>Step 1: Choose a Deployment Model</summary>

</details>

<details>

<summary>Step 1: Generate a Project</summary>

To onboard the application to Lineaje, start by generating a project. Lineaje constructs a complete dependency graph, including all direct and transitive components, from one of the following ingestion sources:&#x20;

* **Source code repository**: Connect Lineaje to GitHub, GitLab, Bitbucket, or any SCM via the CLI or webhook integration.&#x20;
* **Container image**: Provide an image reference; Lineaje unpacks and analyzes the full layer dependency tree.&#x20;
* **Existing SBOM**: Import a CycloneDX or SPDX SBOM to bootstrap the project without re-scanning.&#x20;

Once a project is generated, Lineaje maintains a continuously-updated view of the application's supply chain, surfacing new vulnerabilities as they are disclosed against any component in the dependency tree.

{% hint style="info" %}
Refer to the [Lineaje CLI Integration Guide](/sca360-secure-deployment-for-restricted-environments/sca360-installation.md) for detailed setup instructions, authentication configuration, and proxy settings for air-gapped environments.
{% endhint %}

</details>

<details>

<summary>Step 2: Lineaje Generates a GOS Plan </summary>

Lineaje's AI agents analyze the project's dependency graph and produce a structured remediation plan that classifies every vulnerable component into one of three fix buckets:

| **Fix Type** | **Description**                                                                                                                          | **Effort Level** | **Automation**                         |
| ------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------------- |
| Curated      | Drop-in replacement where a safe fixed version exists. Lineaje verifies the upgrade does not introduce new vulnerabilities transitively. | Low              | Fully automated via Auto Fix           |
| Rebuild      | Lineaje reconstructs the component with patched transitive dependencies — no source-code changes required.                               | Medium           | Automated rebuild pipeline             |
| Premium      | No safe public version exists; Lineaje applies targeted source-level patches to produce a hardened artifact.                             | High             | AI-assisted; manual review recommended |

The GOS plan output is a machine-readable artifact (manifest file) that specifies the exact package versions and patch identifiers required to eliminate all resolvable ECH vulnerabilities from the project.

</details>

<details>

<summary>Step 3: Prepare Fix Artifacts  </summary>

After the GOS plan is generated, Lineaje's build infrastructure prepares the required fix artifacts. For Curated and Rebuild fixes, this process typically completes within minutes. Premium fixes — which require targeted source-level modifications — may take additional time depending on component complexity.&#x20;

During this phase, the recommended polling strategy is to query the fix plan API until overall\_status transitions to "available". Once available, all fix artifacts are accessible via the Lineaje Gold Open Source (GOS) Artifactory Proxy.&#x20;

{% hint style="info" %}
Refer to the [Integrating GOS API into Your CI/CD Pipeline](/gold-open-source-gos/gold-catalog/oss-packages/ai-remediate.md) for the full polling flow using the /api/v1/explain endpoint.
{% endhint %}

</details>

<details>

<summary>Step 4: Apply GOS Fixes </summary>

Once fix artifacts are available, they are applied to the project repository using the GOS fix manifest. Two application paths are available depending on your license tier:

* GOS (Standard): Development teams apply the fix manifest manually by creating a new branch, updating the dependency manifest (e.g., pom.xml, requirements.txt, go.mod), committing the change, and raising a pull request for review and merge.&#x20;
* SCA 360 (Auto Fix): Lineaje's AI agents automate the entire developer workflow — branching, manifest update, commit, and PR creation — reducing the time from plan to remediation to minutes.&#x20;

{% hint style="info" icon="check" %}
Auto Fix integrates with GitHub, GitLab, and Bitbucket PR workflows. Branch naming conventions and PR templates are fully configurable via Lineaje organization settings.
{% endhint %}

</details>

<details>

<summary>Step 5: Integrate Lineaje Gold Open Source (GOS) Artifactory Proxy</summary>

Lineaje GOS Artifactory Proxy is a GOS-enforcing artifact registry. When configured as the upstream for your build tool (Maven, Gradle, pip, npm, Go module proxy, etc.), it acts as a policy gateway:&#x20;

* **Allows**: Package requests that resolve to Gold-rated versions are served immediately.&#x20;
* **Blocks**: Requests for non-Gold packages are rejected with a structured error response indicating the specific policy violation.&#x20;
* **Audits**: Every resolved package is logged with a timestamp, enabling on-demand SBOM generation and compliance attestation.&#x20;

Lineaje GOS Artifactory Proxy supports both cloud-hosted and on-premises deployment to meet data residency requirements. It is compatible with all major build ecosystems and can be configured as a virtual repository that proxies existing registries with Gold enforcement layered on top.&#x20;

{% hint style="info" %}
Refer to the [Integrating Lineaje GOS Artifactory Proxy into Your CI/CD Pipeline](/gold-open-source-gos/gold-catalog/oss-packages/integrating-lineaje-gos-artifactory-proxy-into-your-ci-cd-pipeline.md) for connector-specific setup instructions (Maven settings.xml, pip.conf, .npmrc, GOPROXY, etc.).
{% endhint %}

</details>

<details>

<summary>Step 6: Generate New Build </summary>

After fixes are applied and merged, trigger a new project generation in Lineaje to validate the remediation. The resulting project scan should confirm:&#x20;

* ECH vulnerability count = 0 across all direct and transitive dependencies.&#x20;
* All components resolve through Lineaje GOS Artifactory Proxy and carry valid Gold timestamps.&#x20;
* No new policy violations introduced by the fix packages.&#x20;

The new project SBOM serves as a compliance artifact and can be exported in CycloneDX or SPDX format for submission to regulators, customers, or internal audit processes.&#x20;

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.veedna.com/gold-open-source-gos/gold-catalog/oss-packages/integrating-gos-into-your-ci-cd-pipeline.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.