[Updated draft]: Integrating GOS into Your CI/CD Pipeline
Lineaje GOS integrates into existing CI/CD pipelines. The workflow consists of six sequential phases, each supported by Lineaje APIs, CLI tooling, and AI-driven automation.
Step 1: Choose a Deployment Model
Lineaje GOS supports two deployment models to accommodate varying security, compliance, and data sovereignty requirements:
SaaS
Nothing — Lineaje cloud handles everything
Yes (via access tokens)
Teams comfortable sharing repo/image access
Hybrid (most common)
Lineaje CLI agent only
No — only SBOM metadata is sent
Enterprise customers needing code confidentiality
On-Premises (Customer Cloud)
Full Lineaje backend in your cloud (AWS, Azure, GCP)
No
Organizations requiring full data residency in their cloud
On-Premises (Data Center)
Full Lineaje backend in your data center
No
Highly regulated / data-center-only environments
Step 2: Generate a Project
To onboard the application to Lineaje, start by generating a project.
Generate a project for SaaS deployment model.
Generate a project for Hybrid deployment model.
Generate a project for Customer Cloud-Hosted deployment model.
Generate a project for On-Premises deployment model.
Lineaje constructs a complete dependency graph, including all direct and transitive components, from one of the following ingestion sources:
Source code repository
Connect via GitHub, GitLab, Bitbucket, or any SCM (CLI or webhook)
Container image
Provide an image reference; Lineaje unpacks and analyzes the full layer tree
Existing SBOM
Import a CycloneDX or SPDX SBOM to bootstrap without re-scanning
Once generated, Lineaje maintains a continuously-updated dependency graph, surfacing new vulnerabilities as they are disclosed.
Step 3: Lineaje Generates a GOS Plan
Lineaje's AI agents analyze the project's dependency graph and produce a structured remediation plan that classifies every vulnerable component into one of three fix buckets:
Fix Type
Description
Effort Level
Automation
Curated
Drop-in replacement where a safe fixed version exists. Lineaje verifies the upgrade does not introduce new vulnerabilities transitively.
Low
Fully automated via Auto Fix
Rebuild
Lineaje reconstructs the component with patched transitive dependencies — no source-code changes required.
Medium
Automated rebuild pipeline
Premium
No safe public version exists; Lineaje applies targeted source-level patches to produce a hardened artifact.
High
AI-assisted; manual review recommended
The GOS plan output is a machine-readable artifact (manifest file) that specifies the exact package versions and patch identifiers required to eliminate all resolvable ECH vulnerabilities from the project.
Step 4: Lineaje Prepares Fix Artifacts
After the GOS plan is generated, Lineaje's build infrastructure prepares the required fix artifacts. For Curated and Rebuild fixes, this process typically completes within minutes. Premium fixes — which require targeted source-level modifications — may take additional time depending on component complexity.
During this phase, the recommended polling strategy is to query the fix plan API until overall_status transitions to "available". Once available, all fix artifacts are accessible via the Lineaje Gold Open Source (GOS) Artifactory Proxy.
Refer to the Integrating GOS API into Your CI/CD Pipeline for the full polling flow using the /api/v1/explain endpoint.
Step 5: Lineaje Applies GOS Fixes
Once fix artifacts are available, Lineaje applies them to the project repository using the GOS fix manifest. Three application paths are available depending on your license tier:
CI/CD Integration Script
Ready-to-use pipeline script embedding all Lineaje API calls in the correct sequence. Add to Bitbucket Pipelines, GitHub Actions, or GitLab CI. Self-contained with inline comments.
Hybrid, Customer Cloud-Hosted, On-Premises
SCA 360 (Auto Fix)
Lineaje AI agents automate branching, manifest update, commit, and PR creation. Integrates with GitHub, GitLab, and Bitbucket PR workflows.
All models
Manual API Calls
Call Lineaje APIs individually for full control over each step.
All models
Auto Fix integrates with GitHub, GitLab, and Bitbucket PR workflows. Branch naming conventions and PR templates are fully configurable via Lineaje organization settings.
Step 6: Integrate Lineaje Gold Open Source (GOS) Artifactory Proxy
Lineaje GOS Artifactory Proxy is a GOS-enforcing artifact registry. When configured as the upstream for your build tool (Maven, Gradle, pip, npm, Go module proxy, etc.), it acts as a policy gateway:
Allows
Requests for Gold-rated package versions are served immediately
Blocks
Non-Gold packages are rejected with structured error responses (enforce mode); in observe mode, all packages proceed regardless
Audits
Every resolved package is logged with timestamp, enabling SBOM generation and compliance attestation
Lineaje GOS Artifactory Proxy supports both cloud-hosted and on-premises deployment to meet data residency requirements. It is compatible with all major build ecosystems and can be configured as a virtual repository that proxies existing registries with Gold enforcement layered on top.
Refer to the Integrating Lineaje GOS Artifactory Proxy into Your CI/CD Pipeline for connector-specific setup instructions (Maven settings.xml, pip.conf, .npmrc, GOPROXY, etc.).
Step 7: Generate New Build (Recommended)
After fixes are applied and merged, trigger a new project generation in Lineaje to validate the remediation. The resulting project scan should confirm:
ECH vulnerability count
0 across all direct and transitive dependencies
Component resolution
All components resolve through GOS Artifactory Proxy with valid Gold timestamps
Policy violations
No new violations introduced by fix packages
Compliance export
SBOM exportable in CycloneDX or SPDX format for regulators, customers, or internal audit
The new project SBOM serves as a compliance artifact and can be exported in CycloneDX or SPDX format for submission to regulators, customers, or internal audit processes.
Last updated