taudit-parse-gitlab

GitLab CI YAML parser for taudit authority graphs.

This crate converts .gitlab-ci.yml content into taudit's typed AuthorityGraph, capturing GitLab CI/CD authority flow for security analysis. It models jobs, implicit CI_JOB_TOKEN authority, secrets, ID tokens, images, services, includes, extends, artifacts, dotenv handoffs, protected-branch hints, and merge request trigger context.

What It Models

• Job nodes and the implicit broad CI_JOB_TOKEN identity.
• Credential-shaped variables, secrets:, id_tokens:, images, services, artifacts, and dotenv reports.
• rules:, only:, protected-branch indicators, environment names, child-pipeline triggers, and include/extends metadata.
• Duplicate YAML key recovery that preserves later keys as opaque metadata and marks the graph partial.

Rule evaluation lives in taudit-core; this crate only parses and annotates.

Install

[dependencies]
taudit-core = "3"
taudit-parse-gitlab = "3"

Basic Use

use taudit_core::graph::PipelineSource;
use taudit_core::ports::PipelineParser;
use taudit_parse_gitlab::GitlabParser;

let source = PipelineSource {
    file: ".gitlab-ci.yml".into(),
    repo: None,
    git_ref: None,
    commit_sha: None,
};

let graph = GitlabParser.parse(pipeline_yaml, &source)?;

Use Cases

• Add GitLab CI support to a custom taudit-powered scanner.
• Build graph evidence for GitLab supply-chain and merge-request security review.
• Feed GitLab authority graphs into JSON, SARIF, CloudEvents, or custom report sinks.

Related Docs

• Product README: https://github.com/0ryant/taudit
• Authority graph spec: https://github.com/0ryant/taudit/blob/main/docs/authority-graph.md
• Rule catalogue: https://github.com/0ryant/taudit/blob/main/docs/rules/index.md