@derevnjuk derevnjuk commented Sep 12, 2025

To make test results visible directly in merge requests and pipeline details—and to allow easy identification of detected vulnerabilities without searching through job logs—the new reporter generates JUnit test reports as artifacts.

To display test results in merge requests and pipelines, configure the artifacts section in your .gitlab-ci.yml as follows:

sectester:
  stage: test
  script:
    - jest
  artifacts:
    when: always
    reports:
      junit: spec.xml

Tip

The path field supports wildcards (*), allowing you to upload multiple artifacts at once.

You can retrieve the generated test report using the GitLab API:

curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/pipelines/<pipeline_id>/test_report"

Test report example

<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="Bright Tests" tests="1" failures="1" time="0">
    <testcase classname="GET https://brokencrystals.com/bar" name="SQLi" file="test.spec.ts" time="0">
      <failure>SQLi vulnerability found at GET https://brokencrystals.com/bar</failure>
      <system-out>{&quot;id&quot;:&quot;446af73d-c67b-4443-b6c1-866975e60066&quot;,&quot;entryPointId&quot;:&quot;upmVm5iPkddvzY6RisT7Cr&quot;,&quot;details&quot;:&quot;Cross-site request forgery is a type of malicious website exploit.&quot;,&quot;name&quot;:&quot;Database connection crashed&quot;,&quot;severity&quot;:&quot;Medium&quot;,&quot;protocol&quot;:&quot;http&quot;,&quot;remedy&quot;:&quot;The best way to protect against those kind of issues is making sure the Database resources are sufficient&quot;,&quot;cvss&quot;:&quot;CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L&quot;,&quot;time&quot;:&quot;2025-09-12T18:46:05.344Z&quot;,&quot;originalRequest&quot;:{&quot;method&quot;:&quot;GET&quot;,&quot;url&quot;:&quot;https://brokencrystals.com/&quot;},&quot;request&quot;:{&quot;method&quot;:&quot;GET&quot;,&quot;url&quot;:&quot;https://brokencrystals.com/&quot;},&quot;link&quot;:&quot;http://app.brightsec.com/scans/pDzxcEXQC8df1fcz1QwPf9/issues/pDzxcEXQC8df1fcz1QwPf9&quot;,&quot;certainty&quot;:true,&quot;comments&quot;:[{&quot;headline&quot;:&quot;Missing Strict-Transport-Security Header&quot;,&quot;text&quot;:&quot;The engine detected a missing Strict-Transport-Security header, which might cause data to be sent insecurely from the client to the server.&quot;,&quot;links&quot;:[&quot;https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts&quot;]}],&quot;resources&quot;:[&quot;https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts&quot;]}</system-out>
    </testcase>
  </testsuite>
</testsuites>

[Image: Tests tab of pipeline details]
[Image: View details dialog]
[Image: Merge request details]
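
The report format in the description above, as an added TypeScript example (not code from this pull request or from SecTester): it XML-escapes scanner-reported text before writing it into the JUnit report, then decodes the `system-out` JSON back out for triage. `Issue`, `escapeXml`, `unescapeXml`, `buildJUnitXml` and `readIssues` are hypothetical names, and the sample finding is constructed.

```typescript
// Added example; all helper names are hypothetical, not SecTester's API.
type Issue = { name: string; request: { method: string; url: string }; [key: string]: unknown };

const ENTITIES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;'
};

// Drop the C0 control characters and U+FFFE/U+FFFF (not allowed in XML 1.0),
// then encode markup characters so scanner-reported text stays inert.
function escapeXml(value: string): string {
  return value
    .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\uFFFE\uFFFF]/g, '')
    .replace(/[&<>"']/g, ch => ENTITIES[ch]);
}

function unescapeXml(value: string): string {
  return value.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" decodes to "&lt;"
}

function buildJUnitXml(issues: Issue[], file: string): string {
  const cases = issues.map(issue => {
    const target = escapeXml(`${issue.request.method} ${issue.request.url}`);
    const name = escapeXml(issue.name);
    return `    <testcase classname="${target}" name="${name}" file="${escapeXml(file)}" time="0">
      <failure>${name} vulnerability found at ${target}</failure>
      <system-out>${escapeXml(JSON.stringify(issue))}</system-out>
    </testcase>`;
  });
  return `<?xml version="1.0" encoding="UTF-8"?>
<testsuites>
  <testsuite name="Bright Tests" tests="${issues.length}" failures="${issues.length}" time="0">
${cases.join('\n')}
  </testsuite>
</testsuites>`;
}

// Recover the issue objects a CI step would triage from <system-out>.
function readIssues(xml: string): Issue[] {
  const found = xml.match(/<system-out>[\s\S]*?<\/system-out>/g) || [];
  return found.map(el => JSON.parse(unescapeXml(el.slice(12, -13))) as Issue);
}

// Constructed sample: a finding whose URL and details contain markup.
const sample: Issue = {
  name: 'SQLi',
  request: { method: 'GET', url: 'https://example.test/bar?q="><x a="' },
  details: 'response contained </system-out><failure>'
};
```

Because every `<` in the payload is encoded, the non-greedy match in `readIssues` cannot be cut short by a `</system-out>` string that appears inside a finding.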

@derevnjuk derevnjuk self-assigned this Sep 12, 2025
@derevnjuk derevnjuk added the Type: enhancement New feature or request. label Sep 12, 2025

qltysh bot commented Sep 12, 2025

All good ✅


qltysh bot commented Sep 12, 2025

Diff Coverage: The code coverage on the diff in this pull request is 95.4%.

Total Coverage: This PR will increase coverage by 0.15%.

File Coverage Changes

| Path | File Coverage Δ | Indirect |
|---|---|---|
| packages/reporter/src/fixtures/junit-reports.ts | 100.0 | |
| packages/reporter/src/reporters/gitlab/GitLabCodeQualityReporter.ts | -100.0 | |
| packages/reporter/src/reporters/gitlab/GitLabReporter.ts | 100.0 | |
| packages/reporter/src/reporters/gitlab/builders/JUnitReportBuilder.ts | 100.0 | |
| packages/reporter/src/reporters/gitlab/utils/build-junit-xml.ts | 86.8 | |
@derevnjuk derevnjuk removed the request for review from SevenWhite September 12, 2025 15:06

@SevenWhite SevenWhite left a comment

LGTM

@derevnjuk derevnjuk merged commit 159c743 into master Sep 15, 2025
9 checks passed
@derevnjuk derevnjuk deleted the feat/add-support-for-GitLab-JUnit-test-report branch September 15, 2025 08:38