GitLab CI/CD artifacts reports types

Tier: Free, Premium, Ultimate Offering: GitLab.com, Self-managed, GitLab Dedicated

Use artifacts:reports to:

  • Collect test reports, code quality reports, security reports, and other artifacts generated by included templates in jobs.
  • Some of these reports are used to display information in:

Artifacts created for artifacts: reports are always uploaded, regardless of the job results (success or failure). You can use artifacts:expire_in to set an expiration time for the artifacts, which overrides the instance’s default setting. GitLab.com might have a different default artifacts expiry value.

Some artifacts:reports types can be generated by multiple jobs in the same pipeline, and used by merge request or pipeline features from each job.

To browse the report output files, ensure you include the artifacts:paths keyword in your job definition.

note
Combined reports in parent pipelines using artifacts from child pipelines is not supported. Track progress on adding support in this issue.

artifacts:reports:accessibility

The accessibility report uses pa11y to report on the accessibility impact of changes introduced in merge requests.

GitLab can display the results of one or more reports in the merge request accessibility widget.

For more information, see Accessibility testing.

artifacts:reports:annotations

History

The annotations report is used to attach auxiliary data to a job.

An annotations report is a JSON file with annotation sections. Each annotation section can have any desired name and can have any number of annotations of the same or differing types.

Each annotation is a single key (the annotation type), containing the subkeys with the data for that annotation.

Annotation types

An external_link annotation can be attached to a job to add a link to the job output page. The value of an external_link annotation is an object with the following keys:

Key Description
label The human-readable label associated with the link.
url The URL pointed to by the link.

Example report

The following is an example of what a job annotations report might look like:

{
  "my_annotation_section_1": [
    {
      "external_link": {
        "label": "URL 1",
        "url": "https://url1.example.com/"
      }
    },
    {
      "external_link": {
        "label": "URL 2",
        "url": "https://url2.example.com/"
      }
    }
  ]
}

artifacts:reports:api_fuzzing

Tier: Ultimate

The api_fuzzing report collects API Fuzzing bugs as artifacts.

GitLab can display the results of one or more reports in:

artifacts:reports:browser_performance

Tier: Premium, Ultimate

The browser_performance report collects Browser Performance Testing metrics as an artifact. This artifact is a JSON file output by the Sitespeed plugin.

GitLab can display the results of one report in the merge request browser performance testing widget.

GitLab cannot display the combined results of multiple browser_performance reports.

artifacts:reports:coverage_report

Use coverage_report: to collect coverage report in Cobertura or JaCoCo formats.

The coverage_format: Can be either cobertura or jacoco.

Cobertura was originally developed for Java, but there are many third-party ports for other languages such as JavaScript, Python, and Ruby.

artifacts:
  reports:
    coverage_report:
      coverage_format: cobertura
      path: coverage/cobertura-coverage.xml

The collected coverage report is uploaded to GitLab as an artifact.

You can generate multiple JaCoCo or Cobertura reports within a job and include them in the final job artifact using wildcards. The results of the reports are aggregated in the final coverage report.

GitLab can display the results of coverage report in the merge request diff annotations.

artifacts:reports:codequality

  • Support for multiple reports in diff annotations and full pipeline report introduced in 15.7.

The codequality report collects code quality issues. The collected code quality report uploads to GitLab as an artifact.

GitLab can display the results of one or more reports in:

The artifacts:expire_in value is set to 1 week.

artifacts:reports:container_scanning

Tier: Ultimate

The container_scanning report collects Container Scanning vulnerabilities. The collected Container Scanning report uploads to GitLab as an artifact.

GitLab can display the results of one or more reports in:

artifacts:reports:coverage_fuzzing

Tier: Ultimate

The coverage_fuzzing report collects coverage fuzzing bugs. The collected coverage fuzzing report uploads to GitLab as an artifact. GitLab can display the results of one or more reports in:

artifacts:reports:cyclonedx

Tier: Ultimate
History

This report is a Software Bill of Materials describing the components of a project following the CycloneDX protocol format.

You can specify multiple CycloneDX reports per job. These can be either supplied as a list of filenames, a filename pattern, or both:

  • A filename pattern (cyclonedx: gl-sbom-*.json, junit: test-results/**/*.json).
  • An array of filenames (cyclonedx: [gl-sbom-npm-npm.cdx.json, gl-sbom-bundler-gem.cdx.json]).
  • A combination of both (cyclonedx: [gl-sbom-*.json, my-cyclonedx.json]).
  • Directories are not supported(cyclonedx: test-results, cyclonedx: test-results/**).

Below is an example of a job exposing CycloneDX artifacts:

artifacts:
  reports:
    cyclonedx:
      - gl-sbom-npm-npm.cdx.json
      - gl-sbom-bundler-gem.cdx.json

artifacts:reports:dast

Tier: Ultimate

The dast report collects DAST vulnerabilities. The collected DAST report uploads to GitLab as an artifact.

GitLab can display the results of one or more reports in:

artifacts:reports:dependency_scanning

Tier: Ultimate

The dependency_scanning report collects Dependency Scanning vulnerabilities. The collected Dependency Scanning report uploads to GitLab as an artifact.

GitLab can display the results of one or more reports in:

artifacts:reports:dotenv

The dotenv report collects a set of environment variables as artifacts.

The collected variables are registered as runtime-created variables of the job, which you can use in subsequent job scripts or to set dynamic environment URLs after a job finishes.

If duplicate environment variables are present in a dotenv report, the last one specified is used.

You should avoid storing sensitive data like credentials in dotenv reports, as the reports can be downloaded from the pipeline details page. If necessary, you can use artifacts:access to restrict the users that can download the report artifacts in a job.

The exceptions to the original dotenv rules are:

  • The variable key can contain only letters, digits, and underscores (_).
  • The maximum size of the .env file is 5 KB. This limit can be changed on self-managed instances.
  • On GitLab.com, the maximum number of inherited variables is 50 for Free, 100 for Premium and 150 for Ultimate. The default for self-managed instances is 20, and can be changed by changing the dotenv_variables application limit.
  • Variable substitution in the .env file is not supported.
  • Multiline values in the .env file are not supported.
  • The .env file can’t have empty lines or comments (starting with #).
  • Key values in the env file cannot have spaces or newline characters (\n), including when using single or double quotes.
  • Quote escaping during parsing (key = 'value' -> {key: "value"}) is not supported.
  • Only UTF-8 encoding is supported.

artifacts:reports:junit

The junit report collects JUnit report format XML files. The collected Unit test reports upload to GitLab as an artifact. Although JUnit was originally developed in Java, there are many third-party ports for other languages such as JavaScript, Python, and Ruby.

See Unit test reports for more details and examples. Below is an example of collecting a JUnit report format XML file from Ruby’s RSpec test tool:

rspec:
  stage: test
  script:
    - bundle install
    - rspec --format RspecJunitFormatter --out rspec.xml
  artifacts:
    reports:
      junit: rspec.xml

GitLab can display the results of one or more reports in:

Some JUnit tools export to multiple XML files. You can specify multiple test report paths in a single job to concatenate them into a single file. Use either:

  • A filename pattern (junit: rspec-*.xml, junit: test-results/**/*.xml).
  • An array of filenames (junit: [rspec-1.xml, rspec-2.xml, rspec-3.xml]).
  • A combination of both (junit: [rspec.xml, test-results/TEST-*.xml]).
  • Directories are not supported(junit: test-results, junit: test-results/**).

artifacts:reports:load_performance

Tier: Premium, Ultimate

The load_performance report collects Load Performance Testing metrics. The report is uploaded to GitLab as an artifact.

GitLab can display the results of only one report in the merge request load testing widget.

GitLab cannot display the combined results of multiple load_performance reports.

artifacts:reports:metrics

Tier: Premium, Ultimate

The metrics report collects Metrics. The collected Metrics report uploads to GitLab as an artifact.

GitLab can display the results of one or more reports in the merge request metrics reports widget.

artifacts:reports:requirements

Tier: Ultimate

The requirements report collects requirements.json files. The collected Requirements report uploads to GitLab as an artifact and existing requirements are marked as Satisfied.

GitLab can display the results of one or more reports in the project requirements.

artifacts:reports:repository_xray (deprecated)

Tier: Premium, Ultimate
History

The repository_xray report collects information about your repository for use by GitLab Duo Code Suggestions.

caution
This feature was deprecated in GitLab 17.6 and is planned for removal in 18.0. Use Enable Repository X-Ray instead.

artifacts:reports:sast

The sast report collects SAST vulnerabilities. The collected SAST report uploads to GitLab as an artifact.

For more information, see:

artifacts:reports:secret_detection

The secret-detection report collects detected secrets. The collected Secret Detection report is uploaded to GitLab.

GitLab can display the results of one or more reports in:

artifacts:reports:terraform

The terraform report obtains an OpenTofu tfplan.json file. JQ processing required to remove credentials. The collected OpenTofu plan report uploads to GitLab as an artifact.

GitLab can display the results of one or more reports in the merge request OpenTofu widget.

For more information, see Output tofu plan information into a merge request.