[Updated draft]: Integrating GOS into Your CI/CD Pipeline

Lineaje GOS integrates into existing CI/CD pipelines. The workflow consists of six sequential phases, each supported by Lineaje APIs, CLI tooling, and AI-driven automation.

Step 1: Choose a Deployment Model

Lineaje GOS supports two deployment models to accommodate varying security, compliance, and data sovereignty requirements:

| Model | What Gets Deployed | Source Code Leaves Your Network? | Best For |
|---|---|---|---|
| SaaS | Nothing — Lineaje cloud handles everything | Yes (via access tokens) | Teams comfortable sharing repo/image access |
| Hybrid (most common) | Lineaje CLI agent only | No — only SBOM metadata is sent | Enterprise customers needing code confidentiality |
| On-Premises (Customer Cloud) | Full Lineaje backend in your cloud (AWS, Azure, GCP) | No | Organizations requiring full data residency in their cloud |
| On-Premises (Data Center) | Full Lineaje backend in your data center | No | Highly regulated / data-center-only environments |

Step 2: Generate a Project

To onboard the application to Lineaje, start by generating a project.

  • Generate a project for SaaS deployment model.

  • Generate a project for Hybrid deployment model.

  • Generate a project for Customer Cloud-Hosted deployment model.

  • Generate a project for On-Premises deployment model.

Lineaje constructs a complete dependency graph, including all direct and transitive components, from one of the following ingestion sources:

| Source | How It Works |
|---|---|
| Source code repository | Connect via GitHub, GitLab, Bitbucket, or any SCM (CLI or webhook) |
| Container image | Provide an image reference; Lineaje unpacks and analyzes the full layer tree |
| Existing SBOM | Import a CycloneDX or SPDX SBOM to bootstrap without re-scanning |

Once generated, Lineaje maintains a continuously updated dependency graph, surfacing new vulnerabilities as they are disclosed.

Step 3: Lineaje Generates a GOS Plan

Lineaje's AI agents analyze the project's dependency graph and produce a structured remediation plan that classifies every vulnerable component into one of three fix buckets:

| Fix Type | Description | Effort Level | Automation |
|---|---|---|---|
| Curated | Drop-in replacement where a safe fixed version exists. Lineaje verifies the upgrade does not introduce new vulnerabilities transitively. | Low | Fully automated via Auto Fix |
| Rebuild | Lineaje reconstructs the component with patched transitive dependencies — no source-code changes required. | Medium | Automated rebuild pipeline |
| Premium | No safe public version exists; Lineaje applies targeted source-level patches to produce a hardened artifact. | High | AI-assisted; manual review recommended |

The GOS plan output is a machine-readable artifact (manifest file) that specifies the exact package versions and patch identifiers required to eliminate all resolvable ECH vulnerabilities from the project.

Step 4: Lineaje Prepares Fix Artifacts

After the GOS plan is generated, Lineaje's build infrastructure prepares the required fix artifacts. For Curated and Rebuild fixes, this process typically completes within minutes. Premium fixes — which require targeted source-level modifications — may take additional time depending on component complexity.

During this phase, the recommended polling strategy is to query the fix plan API until overall_status transitions to "available". Once available, all fix artifacts are accessible via the Lineaje Gold Open Source (GOS) Artifactory Proxy.

Refer to Integrating GOS API into Your CI/CD Pipeline for the full polling flow using the /api/v1/explain endpoint.
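To make the polling strategy concrete, the following is an added example of a fail-closed poller a CI job could wrap around the fix plan API. It is not Lineaje's own code or integration script. Only the /api/v1/explain path and the overall_status field come from this page; the project_id query parameter, bearer-token authentication, and the names of the non-available terminal states ("failed", "cancelled") are assumptions to be checked against the Lineaje API reference. The poller uses capped exponential backoff and stops on a timeout or a failed plan, so the build does not proceed without fix artifacts.

```python
"""Poll a GOS fix plan until overall_status is "available".

Added example, not Lineaje's own code. Only the /api/v1/explain path and
the overall_status field come from the documentation; the project_id query
parameter, bearer-token auth and the non-available terminal state names
are assumptions to be checked against the Lineaje API reference.
"""
import json
import time
import urllib.request
from typing import Any, Callable, Dict, NamedTuple

EXPLAIN_PATH = "/api/v1/explain"
# Assumed terminal states other than "available"; the poller stops on these
# instead of spinning until the timeout.
FAILED_STATES = {"failed", "cancelled"}


class PollResult(NamedTuple):
    status: str
    attempts: int
    body: Dict[str, Any]


def http_get_json(url: str, token: str) -> Dict[str, Any]:
    """Real fetcher: GET url with a bearer token and parse the JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def poll_fix_plan(fetch: Callable[[], Dict[str, Any]],
                  timeout_s: float = 1800.0,
                  initial_delay_s: float = 5.0,
                  max_delay_s: float = 60.0,
                  sleep: Callable[[float], None] = time.sleep,
                  clock: Callable[[], float] = time.monotonic) -> PollResult:
    """Call fetch() with capped exponential backoff until the plan is terminal.

    Returns when overall_status == "available". Raises RuntimeError on a
    failed terminal state and TimeoutError when the time budget is spent,
    so a CI job fails closed instead of building against missing artifacts.
    """
    deadline = clock() + timeout_s
    delay = initial_delay_s
    attempts = 0
    while True:
        attempts += 1
        body = fetch()
        status = body.get("overall_status")
        if status == "available":
            return PollResult(status, attempts, body)
        if status in FAILED_STATES:
            raise RuntimeError(f"fix plan ended in state {status!r} after {attempts} polls")
        if clock() + delay > deadline:
            raise TimeoutError(f"fix plan still {status!r} after {attempts} polls")
        sleep(delay)
        delay = min(delay * 2, max_delay_s)


def poll_outcome(fetch: Callable[[], Dict[str, Any]], **kwargs: Any) -> str:
    """Map the poller's result to a CI-friendly verdict string."""
    try:
        res = poll_fix_plan(fetch, **kwargs)
        return f"ok:{res.attempts}"
    except RuntimeError as e:
        return f"failed:{e}"
    except TimeoutError as e:
        return f"timeout:{e}"


def fake_fetch(statuses):
    """Constructed stand-in for the API: returns each status in turn and
    repeats the last one once the list is exhausted."""
    it = iter(statuses)
    state: Dict[str, Any] = {"overall_status": None}

    def fetch() -> Dict[str, Any]:
        state["overall_status"] = next(it, state["overall_status"])
        return dict(state)
    return fetch


class FakeClock:
    """Constructed clock so the backoff can be exercised without waiting."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, s: float) -> None:
        self.t += s


if __name__ == "__main__":
    # Offline demo with constructed statuses. For a real run, wrap the HTTP
    # fetcher instead, e.g.
    #   fetch = lambda: http_get_json(f"{BASE_URL}{EXPLAIN_PATH}?project_id={PID}", TOKEN)
    print(poll_outcome(fake_fetch(["queued", "preparing", "available"]), sleep=lambda s: None))
```

The poller is written against an injected fetch function so the same loop serves the real endpoint and an offline dry run; the timeout default of 30 minutes is a placeholder to be tuned to how long Premium fixes take in your environment.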

Step 5: Lineaje Applies GOS Fixes

Once fix artifacts are available, Lineaje applies them to the project repository using the GOS fix manifest. Three application paths are available depending on your license tier:

| Method | How It Works | Deployment Models |
|---|---|---|
| CI/CD Integration Script | Ready-to-use pipeline script embedding all Lineaje API calls in the correct sequence. Add to Bitbucket Pipelines, GitHub Actions, or GitLab CI. Self-contained with inline comments. | Hybrid, Customer Cloud-Hosted, On-Premises |
| SCA 360 (Auto Fix) | Lineaje AI agents automate branching, manifest update, commit, and PR creation. Integrates with GitHub, GitLab, and Bitbucket PR workflows. | All models |
| Manual API Calls | Call Lineaje APIs individually for full control over each step. | All models |

Auto Fix integrates with GitHub, GitLab, and Bitbucket PR workflows. Branch naming conventions and PR templates are fully configurable via Lineaje organization settings.

Step 6: Integrate Lineaje Gold Open Source (GOS) Artifactory Proxy

Lineaje GOS Artifactory Proxy is a GOS-enforcing artifact registry. When configured as the upstream for your build tool (Maven, Gradle, pip, npm, Go module proxy, etc.), it acts as a policy gateway:

| Action | Behavior |
|---|---|
| Allows | Requests for Gold-rated package versions are served immediately |
| Blocks | Non-Gold packages are rejected with structured error responses (enforce mode); in observe mode, all packages proceed regardless |
| Audits | Every resolved package is logged with timestamp, enabling SBOM generation and compliance attestation |

Lineaje GOS Artifactory Proxy supports both cloud-hosted and on-premises deployment to meet data residency requirements. It is compatible with all major build ecosystems and can be configured as a virtual repository that proxies existing registries with Gold enforcement layered on top.

Refer to Integrating Lineaje GOS Artifactory Proxy into Your CI/CD Pipeline for connector-specific setup instructions (Maven settings.xml, pip.conf, .npmrc, GOPROXY, etc.).
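Enforce mode only protects builds whose tools actually resolve through the proxy. The following is an added example, not part of Lineaje's documentation or the proxy itself, of a pre-flight check a CI job can run before the build: it parses pip.conf and .npmrc and fails when any index or registry points somewhere other than the proxy. The proxy host and repository paths are placeholders, and the sample config contents are constructed. It also flags pip extra-index-url entries and npm scoped registries that point elsewhere, because those let the build tool resolve packages from a second source and sidestep enforce-mode blocking for them.

```python
"""Pre-flight check that pip and npm resolve packages only via the GOS proxy.

Added example, not Lineaje's own code. PROXY_HOST and the repository paths
in the samples are placeholders; the config contents are constructed.
"""
import configparser
from typing import List
from urllib.parse import urlparse

PROXY_HOST = "gos-proxy.example.invalid"  # placeholder for your proxy host


def _check_url(url: str, what: str) -> List[str]:
    """Return problems if url is not HTTPS or does not point at the proxy."""
    p = urlparse(url.strip())
    problems = []
    if p.scheme != "https":
        problems.append(f"{what}: non-HTTPS URL {url.strip()!r}")
    if p.hostname != PROXY_HOST:
        problems.append(f"{what}: resolves from {p.hostname!r}, not the GOS proxy")
    return problems


def check_pip_conf(text: str) -> List[str]:
    """Check [global] index-url and any extra-index-url entries in pip.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_option("global", "index-url"):
        return ["pip.conf: no index-url; pip would fall back to PyPI directly"]
    problems = _check_url(cp.get("global", "index-url"), "pip index-url")
    # extra-index-url lets pip choose versions from a second index, which
    # bypasses the proxy's enforce-mode decisions for those packages.
    if cp.has_option("global", "extra-index-url"):
        for url in cp.get("global", "extra-index-url").split():
            problems += _check_url(url, "pip extra-index-url")
    return problems


def check_npmrc(text: str) -> List[str]:
    """Check the default registry and every scoped @scope:registry in .npmrc."""
    problems: List[str] = []
    registry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "registry":
            registry = value
        elif key.endswith(":registry"):  # scoped registry, e.g. @acme:registry
            problems += _check_url(value, f".npmrc {key}")
    if registry is None:
        return ["npmrc: no registry set; npm would use registry.npmjs.org directly"]
    return problems + _check_url(registry, ".npmrc registry")


def check_build_configs(pip_conf: str, npmrc: str) -> List[str]:
    """Combined verdict: an empty list means the build is proxy-only."""
    return check_pip_conf(pip_conf) + check_npmrc(npmrc)


# Constructed samples: one proxy-only pair and one pair with bypass routes.
GOOD_PIP_CONF = """[global]
index-url = https://gos-proxy.example.invalid/repo/pypi-gold/simple
"""
BYPASS_PIP_CONF = GOOD_PIP_CONF + "extra-index-url = https://pypi.org/simple\n"
GOOD_NPMRC = "registry=https://gos-proxy.example.invalid/repo/npm-gold/\n"
BYPASS_NPMRC = GOOD_NPMRC + "@acme:registry=https://registry.npmjs.org/\n"

if __name__ == "__main__":
    for label, pip_conf, npmrc in (("proxy-only", GOOD_PIP_CONF, GOOD_NPMRC),
                                   ("with bypasses", BYPASS_PIP_CONF, BYPASS_NPMRC)):
        problems = check_build_configs(pip_conf, npmrc)
        print(f"{label}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run it as a pipeline step before dependency installation and fail the job on a non-empty result; the same shape of check extends to Maven settings.xml mirrors and GOPROXY, which this example does not cover.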
