Automate Cerbos policy deployments with GitLab Runners
Push validated Cerbos policies to Cerbos Hub on every merge using a GitLab CI/CD pipeline.
Pipeline-driven
A single .gitlab-ci.yml file triggers policy uploads on every push to your main branch
Protected variables
Store Cerbos Hub credentials as protected and masked CI/CD variables, injected securely at runtime
Zero-downtime updates
Cerbos Hub distributes updated bundles to connected PDPs with no restarts or redeployments
How Cerbos works with GitLab CI/CD
Authorization policies should go through the same review and deployment rigour as application code. GitLab CI/CD lets you automate that workflow so every policy change is tested and deployed without manual steps.
Cerbos Hub stores your compiled policy bundles and distributes them to connected PDP instances. A CI/CD pipeline pushes validated policies to Cerbos Hub on every merge, and your PDPs pick up the changes automatically.
With GitLab CI/CD handling the pipeline and Cerbos Hub handling distribution, policy updates flow from pull request to production with a full audit trail and zero downtime.
How to deploy Cerbos policies with GitLab CI/CD
- Create a CI/CD config file: add `.gitlab-ci.yml` to your repository with a job that uses Docker-in-Docker to run the cerbosctl image.
- Store credentials as CI/CD variables: add `CERBOS_HUB_CLIENT_ID` and `CERBOS_HUB_CLIENT_SECRET` as protected, masked variables in GitLab.
- Push to main: every push to main triggers the pipeline, which uploads your policies to Cerbos Hub using `hub store replace-files`.
- PDPs update automatically: connected PDP instances pull the latest policy bundle from Cerbos Hub with zero downtime.
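The steps above, and the pipeline the FAQ describes below, as one complete `.gitlab-ci.yml`. This is an added example, not a file shipped by Cerbos or GitLab. It assumes the policy files live in a `policies/` directory of the repository, that the Cerbos Hub store to replace is supplied as a third protected variable named `CERBOS_HUB_STORE_ID` (a name and `--store-id` flag assumed here; the page only names the client ID and secret), and that the public `ghcr.io/cerbos/cerbos` and `ghcr.io/cerbos/cerbosctl` images are used. It goes one step beyond the page by compiling the policies on every branch before the upload job runs on main.

```yaml
# Added example .gitlab-ci.yml (not a file from Cerbos or GitLab).
# Assumptions: policies live in ./policies; CERBOS_HUB_CLIENT_ID and
# CERBOS_HUB_CLIENT_SECRET (named on the page) plus CERBOS_HUB_STORE_ID
# (assumed name) are protected, masked CI/CD variables in the project settings.

stages:
  - validate
  - deploy

variables:
  POLICY_DIR: policies                        # repository path holding the Cerbos policy files
  CERBOS_IMAGE: ghcr.io/cerbos/cerbos:latest
  CERBOSCTL_IMAGE: ghcr.io/cerbos/cerbosctl:latest
  DOCKER_TLS_CERTDIR: "/certs"                # job talks to the dind service over TLS

# Shared Docker-in-Docker setup; works on GitLab shared runners and on
# self-hosted runners that have Docker enabled.
.dind:
  image: docker:24.0.5
  services:
    - docker:24.0.5-dind

# Compile the policies (and run any policy tests found alongside them) on
# every branch, so a policy that does not compile never reaches Cerbos Hub.
validate-policies:
  extends: .dind
  stage: validate
  script:
    - docker run --rm -v "$CI_PROJECT_DIR/$POLICY_DIR:/policies:ro" "$CERBOS_IMAGE" compile /policies

# Upload only from the default branch. GitLab injects protected variables only
# into jobs on protected branches, so restricting the job here keeps the
# credentials out of feature-branch pipelines entirely.
deploy-policies:
  extends: .dind
  stage: deploy
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    # `-e NAME` forwards the variable from the job environment into the
    # container without placing its value on the command line or in the log.
    - |
      docker run --rm \
        -e CERBOS_HUB_CLIENT_ID \
        -e CERBOS_HUB_CLIENT_SECRET \
        -v "$CI_PROJECT_DIR/$POLICY_DIR:/policies:ro" \
        "$CERBOSCTL_IMAGE" hub store replace-files --store-id="$CERBOS_HUB_STORE_ID" /policies
```

Keep the Hub credentials scoped to Read & Write on the one store the pipeline replaces, and mark `main` as a protected branch in GitLab; otherwise the protected variables are never injected and the deploy job fails at authentication rather than uploading.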
FAQ
How does the GitLab pipeline deploy policies?
A job uses Docker-in-Docker to run the cerbosctl image and execute `hub store replace-files`, uploading your policy directory to Cerbos Hub. Connected PDP instances pull the updated bundle automatically.
What credentials do I need?
You need a Cerbos Hub client ID and client secret with Read & Write permissions, stored as protected and masked CI/CD variables in GitLab.
Do I need shared runners or a self-hosted runner?
Either works. The pipeline uses Docker-in-Docker, which is supported by GitLab shared runners and self-hosted runners with Docker enabled.
Cerbos + GitLab CI/CD
- Policies deployed to Cerbos Hub automatically on every merge via GitLab CI/CD
- Connected PDP instances pick up changes with zero downtime
- Policy changes go through the same review process as application code
- Full audit trail from commit to production deployment