# \[Updated draft]: Integrating GOS into Your CI/CD Pipeline

Lineaje GOS integrates into existing CI/CD pipelines. The workflow consists of six sequential phases, each supported by Lineaje APIs, CLI tooling, and AI-driven automation.

<details>

<summary>Step 1: Choose a Deployment Model</summary>

Lineaje GOS supports two deployment models to accommodate varying security, compliance, and data sovereignty requirements:

| Model                            | What Gets Deployed                                   | Source Code Leaves Your Network? | Best For                                                   |
| -------------------------------- | ---------------------------------------------------- | -------------------------------- | ---------------------------------------------------------- |
| **SaaS**                         | Nothing — Lineaje cloud handles everything           | Yes (via access tokens)          | Teams comfortable sharing repo/image access                |
| **Hybrid** (most common)         | Lineaje CLI agent only                               | No — only SBOM metadata is sent  | Enterprise customers needing code confidentiality          |
| **On-Premises (Customer Cloud)** | Full Lineaje backend in your cloud (AWS, Azure, GCP) | No                               | Organizations requiring full data residency in their cloud |
| **On-Premises (Data Center)**    | Full Lineaje backend in your data center             | No                               | Highly regulated / data-center-only environments           |

</details>

<details>

<summary>Step 2: Generate a Project</summary>

To onboard the application to Lineaje, start by generating a project.

* Generate a project for the SaaS deployment model.
* Generate a project for the Hybrid deployment model.
* Generate a project for the Customer Cloud-Hosted deployment model.
* Generate a project for the On-Premises deployment model.

Lineaje constructs a complete dependency graph, including all direct and transitive components, from one of the following ingestion sources:

| Source                     | How It Works                                                                 |
| -------------------------- | ---------------------------------------------------------------------------- |
| **Source code repository** | Connect via GitHub, GitLab, Bitbucket, or any SCM (CLI or webhook)           |
| **Container image**        | Provide an image reference; Lineaje unpacks and analyzes the full layer tree |
| **Existing SBOM**          | Import a CycloneDX or SPDX SBOM to bootstrap without re-scanning             |

Once generated, Lineaje maintains a continuously updated dependency graph, surfacing new vulnerabilities as they are disclosed.

</details>

<details>

<summary>Step 3: Lineaje Generates a GOS Plan</summary>

Lineaje's AI agents analyze the project's dependency graph and produce a structured remediation plan that classifies every vulnerable component into one of three fix buckets:

| **Fix Type** | **Description**                                                                                                                          | **Effort Level** | **Automation**                         |
| ------------ | ---------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------------- |
| **Curated**  | Drop-in replacement where a safe fixed version exists. Lineaje verifies the upgrade does not introduce new vulnerabilities transitively. | Low              | Fully automated via Auto Fix           |
| **Rebuild**  | Lineaje reconstructs the component with patched transitive dependencies — no source-code changes required.                               | Medium           | Automated rebuild pipeline             |
| **Premium**  | No safe public version exists; Lineaje applies targeted source-level patches to produce a hardened artifact.                             | High             | AI-assisted; manual review recommended |

The GOS plan output is a machine-readable artifact (manifest file) that specifies the exact package versions and patch identifiers required to eliminate all resolvable ECH vulnerabilities from the project.

</details>

<details>

<summary>Step 4: Lineaje Prepares Fix Artifacts</summary>

After the GOS plan is generated, Lineaje's build infrastructure prepares the required fix artifacts. For Curated and Rebuild fixes, this process typically completes within minutes. Premium fixes — which require targeted source-level modifications — may take additional time depending on component complexity.

During this phase, the recommended polling strategy is to query the fix plan API until `overall_status` transitions to "available". Once available, all fix artifacts are accessible via the Lineaje Gold Open Source (GOS) Artifactory Proxy.

{% hint style="info" %}
Refer to [Integrating GOS API into Your CI/CD Pipeline](/gold-open-source-gos/gold-catalog/oss-packages/ai-remediate.md) for the full polling flow using the `/api/v1/explain` endpoint.
{% endhint %}
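
The polling strategy above, sketched as an added example (not Lineaje code) that fails the pipeline when the plan never becomes available instead of building without the fix artifacts. `fetch_plan` is a hypothetical callable that performs the authenticated fix plan request and returns the decoded JSON as a dict; only `overall_status` and `"available"` come from this page, and the `"preparing"` value is constructed.

```python
import time

class FixPlanNotReady(Exception):
    """The plan did not reach "available" before the deadline."""

def wait_for_fix_plan(fetch_plan, timeout_s=1800, first_delay_s=5, max_delay_s=60,
                      sleep=time.sleep, clock=time.monotonic):
    """Poll fetch_plan() until overall_status == "available" and return the plan.

    Uses capped exponential backoff between requests. Raises FixPlanNotReady
    when the next wait would pass the deadline, so the CI job stops (fails
    closed) rather than continuing with unfixed dependencies.
    """
    deadline = clock() + timeout_s
    delay = first_delay_s
    while True:
        plan = fetch_plan()
        status = plan.get("overall_status")
        if status == "available":
            return plan
        if clock() + delay > deadline:
            raise FixPlanNotReady(f"last overall_status={status!r}")
        sleep(delay)
        delay = min(delay * 2, max_delay_s)

def simulate(responses, timeout_s):
    """Run the poller against constructed responses using a fake clock."""
    now, delays = [0.0], []
    def fake_sleep(seconds):
        delays.append(seconds)
        now[0] += seconds
    it = iter(responses)
    plan = wait_for_fix_plan(lambda: next(it), timeout_s=timeout_s,
                             sleep=fake_sleep, clock=lambda: now[0])
    return plan, delays

if __name__ == "__main__":
    # Constructed responses: two not-ready polls, then the plan is available.
    seq = [{"overall_status": "preparing"}] * 2 + [{"overall_status": "available"}]
    print(simulate(seq, timeout_s=1800))
```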

</details>

<details>

<summary>Step 5: Lineaje Applies GOS Fixes</summary>

Once fix artifacts are available, Lineaje applies them to the project repository using the GOS fix manifest. Three application paths are available depending on your license tier:

| Method                                               | How It Works                                                                                                                                                                         | Deployment Models                              |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------- |
| **CI/CD Integration Script**                         | Ready-to-use pipeline script embedding all Lineaje API calls in the correct sequence. Add to Bitbucket Pipelines, GitHub Actions, or GitLab CI. Self-contained with inline comments. | Hybrid, Customer Cloud-Hosted, On-Premises     |
| **SCA 360 (Auto Fix)**                               | Lineaje AI agents automate branching, manifest update, commit, and PR creation. Integrates with GitHub, GitLab, and Bitbucket PR workflows.                                          | All models                                     |
| **Manual API Calls**                                 | Call Lineaje APIs individually for full control over each step.                                                                                                                      | All models                                     |

{% hint style="info" icon="check" %}
Auto Fix integrates with GitHub, GitLab, and Bitbucket PR workflows. Branch naming conventions and PR templates are fully configurable via Lineaje organization settings.
{% endhint %}

</details>

<details>

<summary>Step 6: Integrate Lineaje Gold Open Source (GOS) Artifactory Proxy</summary>

Lineaje GOS Artifactory Proxy is a GOS-enforcing artifact registry. When configured as the upstream for your build tool (Maven, Gradle, pip, npm, Go module proxy, etc.), it acts as a policy gateway:

| Action     | Behavior                                                                                                                        |
| ---------- | ------------------------------------------------------------------------------------------------------------------------------- |
| **Allows** | Requests for Gold-rated package versions are served immediately                                                                 |
| **Blocks** | Non-Gold packages are rejected with structured error responses (enforce mode); in observe mode, all packages proceed regardless |
| **Audits** | Every resolved package is logged with timestamp, enabling SBOM generation and compliance attestation                            |

Lineaje GOS Artifactory Proxy supports both cloud-hosted and on-premises deployment to meet data residency requirements. It is compatible with all major build ecosystems and can be configured as a virtual repository that proxies existing registries with Gold enforcement layered on top.

{% hint style="info" %}
Refer to [Integrating Lineaje GOS Artifactory Proxy into Your CI/CD Pipeline](/gold-open-source-gos/gold-catalog/oss-packages/integrating-lineaje-gos-artifactory-proxy-into-your-ci-cd-pipeline.md) for connector-specific setup instructions (Maven settings.xml, pip.conf, .npmrc, GOPROXY, etc.).
{% endhint %}
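
The gateway can only allow, block, or audit requests that actually reach it, so a second upstream left in a resolver's configuration bypasses enforcement. The following added example (not Lineaje code) audits pip, npm, and Go settings for such bypasses; the proxy hostname, paths, and sample configuration are constructed placeholders.

```python
import configparser
import re
from urllib.parse import urlsplit

PROXY_HOST = "gos-proxy.example.internal"  # placeholder, not a real Lineaje hostname

def off_proxy(url):
    """True when a URL points anywhere other than the proxy host."""
    return urlsplit(url.strip()).hostname != PROXY_HOST

def audit_pip(conf_text):
    """Flag index-url / extra-index-url entries in pip.conf that skip the proxy."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        for key in ("index-url", "extra-index-url"):
            for url in cp.get(section, key, fallback="").split():
                if off_proxy(url):
                    findings.append(f"pip [{section}] {key} -> {url}")
    return findings

def audit_npmrc(text):
    """Flag default and scoped registry= lines in .npmrc that skip the proxy."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*((?:@[^:=\s]+:)?registry)\s*=\s*(\S+)", line)
        if m and off_proxy(m.group(2)):
            findings.append(f"npm {m.group(1)} -> {m.group(2)}")
    return findings

def audit_goproxy(value):
    """Flag GOPROXY entries that let the go command fetch outside the proxy."""
    findings = []
    for entry in (e.strip() for e in re.split(r"[,|]", value)):
        if entry == "direct":
            findings.append("GOPROXY allows direct fetch from the origin VCS")
        elif entry and entry != "off" and off_proxy(entry):
            findings.append(f"GOPROXY -> {entry}")
    return findings

# Constructed sample configuration (not taken from any real environment).
PIP_CONF = ("[global]\nindex-url = https://gos-proxy.example.internal/pypi/simple\n"
            "extra-index-url = https://pypi.org/simple\n")
NPMRC = ("registry=https://gos-proxy.example.internal/npm/\n"
         "@acme:registry=https://registry.npmjs.org/\n")
GOPROXY = "https://gos-proxy.example.internal/go,direct"

if __name__ == "__main__":
    for finding in audit_pip(PIP_CONF) + audit_npmrc(NPMRC) + audit_goproxy(GOPROXY):
        print("BYPASS:", finding)
```

Running a check like this as an early pipeline step catches a leftover `extra-index-url`, scoped npm registry, or `direct` fallback before dependency resolution starts.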

</details>

<details>

<summary>Step 7: Generate New Build (Recommended)</summary>

After fixes are applied and merged, trigger a new project generation in Lineaje to validate the remediation. The resulting project scan should confirm:

| Validation Check            | Expected Result                                                                          |
| --------------------------- | ---------------------------------------------------------------------------------------- |
| **ECH vulnerability count** | 0 across all direct and transitive dependencies                                          |
| **Component resolution**    | All components resolve through GOS Artifactory Proxy with valid Gold timestamps          |
| **Policy violations**       | No new violations introduced by fix packages                                             |
| **Compliance export**       | SBOM exportable in CycloneDX or SPDX format for regulators, customers, or internal audit |

The new project SBOM serves as a compliance artifact and can be exported in CycloneDX or SPDX format for submission to regulators, customers, or internal audit processes.

</details>


