Docs // Scroll Gate · GitLab
Gate unsigned agent merges in GitLab CI.
Add ssx360 check to merge request pipelines — hosted verify maps to SLSA L1–2 commit provenance. Keys stay local; only envelope metadata hits SSX360.
Scroll Gate · GitLab CI
Ed25519: commit envelopes, offline-verifiable proof
local-only: CLI & HOOKS, repo never uploaded
Scroll Gate: PR enforcement, signed vs unsigned
SSX360: control plane (identity · billing · audit)
Last verified against matrixscroll 0.5.1. Community tier includes 100 hosted verifications per day. Team+ unlocks org audit export.
Copy-paste
GitLab CI pipeline
Runs on every merge request. Fails when signatures are missing, invalid, or post-generation edits break envelope integrity.
stages:
  - provenance

scroll-gate:
  stage: provenance
  image: python:3.12
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  variables:
    GIT_DEPTH: "0"
    SSX360_API_KEY: $SSX360_API_KEY
  before_script:
    - pip install "matrixscroll==0.5.1"
  script:
    - ssx360 check --hosted --base origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME --head HEAD

One variable
CI/CD variable
Store your SSX360 API key as SSX360_API_KEY — mask and protect the variable; never commit keys to the repo.
# Project → Settings → CI/CD → Variables
# Mask and protect SSX360_API_KEY
SSX360_API_KEY=sk_live_...   # Community or Team key from ssx360.com/settings
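An added preflight for the scroll-gate job above (example code, not part of matrixscroll or the SSX360 docs): it fails early when SSX360_API_KEY is absent, when the clone is shallow, or when the base ref is missing, and lists the commits between base and head. The function names and exit codes are hypothetical, and treating `base..head` as the range the gate covers is an assumption.

```shell
#!/bin/sh
# Added example: preflight checks for the scroll-gate job.
# Function names and exit codes are hypothetical, not a matrixscroll API.

# Fail early if the key is missing, without ever printing its value.
# GitLab only exposes a protected variable to pipelines on protected refs,
# so an empty value here usually means the ref is not protected.
check_api_key() {
    if [ -z "${SSX360_API_KEY:-}" ]; then
        echo "preflight: SSX360_API_KEY is empty (protected variable on an unprotected ref?)" >&2
        return 2
    fi
    return 0
}

# A shallow clone can hide commits between base and head.
# GIT_DEPTH: "0" in the job asks the runner for full history.
check_full_history() {
    [ "$(git rev-parse --is-shallow-repository 2>/dev/null)" = "false" ] || {
        echo "preflight: history is shallow or this is not a git checkout" >&2
        return 3
    }
}

# Print the commits reachable from head but not from base, oldest first.
# Assumption: this is the range the gate is asked to cover.
commits_in_range() {
    base_ref=$1
    head_ref=$2
    git rev-parse --verify --quiet "${base_ref}^{commit}" >/dev/null || {
        echo "preflight: base ref ${base_ref} not found, fetch the target branch" >&2
        return 4
    }
    git rev-list --reverse "${base_ref}..${head_ref}"
}

# Run all checks with the same refs the job passes to ssx360 check.
preflight() {
    check_api_key && check_full_history &&
        commits_in_range "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}" HEAD
}
```

Source the file in before_script and call `preflight` ahead of `ssx360 check`, so a missing key or truncated history fails the job with a clear message.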
Full spec: SCROLL_GATE_V2.md · SLSA mapping