2026-01-19 · Authensor

How to Add AI Agent Safety to GitLab CI/CD

SafeClaw by Authensor integrates into GitLab CI/CD pipelines to validate AI agent safety policies, run simulation tests, and verify audit trail integrity before every deployment. By adding SafeClaw as a pipeline stage, you ensure that no policy misconfiguration or unsafe action pattern reaches production. Install with npx @authensor/safeclaw and make AI safety a first-class citizen in your GitLab pipeline.

Prerequisites

Step 1 — Add a Safety Stage to .gitlab-ci.yml

stages:
  - install
  - safety
  - test
  - deploy

variables:
  NODE_VERSION: "20"

install:
  stage: install
  image: node:20-slim
  script:
    - npm ci
  cache:
    key: $CI_COMMIT_REF_SLUG
    paths:
      - node_modules/

safety-validate:
  stage: safety
  image: node:20-slim
  script:
    - npm ci
    - npx @authensor/safeclaw validate
  cache:
    key: $CI_COMMIT_REF_SLUG
    paths:
      - node_modules/

safety-simulation:
  stage: safety
  image: node:20-slim
  script:
    - npm ci
    - npx @authensor/safeclaw test --simulation
  cache:
    key: $CI_COMMIT_REF_SLUG
    paths:
      - node_modules/

test:
  stage: test
  image: node:20-slim
  script:
    - npm ci
    - npm test
  cache:
    key: $CI_COMMIT_REF_SLUG
    paths:
      - node_modules/

deploy:
  stage: deploy
  image: node:20-slim
  script:
    - npm ci
    - npx @authensor/safeclaw
    - npm run deploy
  only:
    - main
  cache:
    key: $CI_COMMIT_REF_SLUG
    paths:
      - node_modules/

The safety stage runs in parallel with test, validating the policy and running simulation tests. The deploy stage depends on both passing.

Step 2 — Gate Policy Changes with Merge Request Rules

Detect when the SafeClaw policy file changes and require manual approval:

safety-policy-review:
  stage: safety
  image: node:20-slim
  script:
    - npm ci
    - npx @authensor/safeclaw validate
    - npx @authensor/safeclaw diff --base origin/main --head HEAD
  rules:
    - changes:
        - safeclaw.config.yaml
        - policies/**
      when: manual
      allow_failure: false

The when: manual flag requires a team member to explicitly approve the pipeline step when the policy file is modified. Setting allow_failure: false blocks deployment until approval is granted.
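
Step 1's gate and Step 2's allow_failure: false only hold while .gitlab-ci.yml keeps that shape, so it is worth linting the file itself. The Ruby check below is an added example, not part of SafeClaw or the original page; the function name and both sample pipelines are constructed, and it assumes a single file (it does not resolve include or extends).

```ruby
require "yaml"

RESERVED = %w[stages variables include default workflow].freeze

# Returns findings; an empty list means deploy is still gated by the safety stage.
def safety_gate_findings(ci_yaml, safety: "safety", deploy: "deploy")
  ci = YAML.safe_load(ci_yaml) || {}
  stages = ci["stages"] || []
  findings = []
  if !stages.include?(safety)
    findings << "no '#{safety}' stage declared"
  elsif stages.include?(deploy) && stages.index(safety) > stages.index(deploy)
    findings << "'#{safety}' is ordered after '#{deploy}'"
  end
  # Top-level mappings are jobs, except reserved keywords and hidden (.name) templates.
  jobs = ci.select { |k, v| v.is_a?(Hash) && !k.to_s.start_with?(".") && !RESERVED.include?(k) }
  safety_jobs = jobs.select { |_, job| job["stage"] == safety }
  findings << "no job assigned to '#{safety}'" if safety_jobs.empty?
  safety_jobs.each do |name, job|
    findings << "#{name}: allow_failure: true lets a failed check through" if job["allow_failure"] == true
  end
  # A job with `needs` starts once the listed jobs finish, regardless of stage order.
  jobs.each do |name, job|
    next unless job["stage"] == deploy && job.key?("needs")
    needed = Array(job["needs"]).map { |n| n.is_a?(Hash) ? n["job"] : n }
    missing = safety_jobs.keys - needed
    findings << "#{name}: needs skips #{missing.join(', ')}" unless missing.empty?
  end
  findings
end

# Constructed samples: Step 1's layout (trimmed) and a drifted copy of it.
GATED = <<~CI
  stages: [install, safety, test, deploy]
  safety-validate:
    stage: safety
    script: ["npx @authensor/safeclaw validate"]
  deploy:
    stage: deploy
    script: ["npm run deploy"]
CI
DRIFTED = GATED.sub("stage: safety", "stage: safety\n  allow_failure: true")
               .sub("stage: deploy", "stage: deploy\n  needs: []")

puts safety_gate_findings(DRIFTED)
```

Run it against the real pipeline file in a job that precedes the safety stage, and fail the job when the returned list is not empty.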

Step 3 — Use GitLab CI/CD Variables for Secrets

Store API keys and audit endpoints in GitLab CI/CD variables (Settings > CI/CD > Variables), not in your repository:

safety-audit-verify:
  stage: deploy
  image: node:20-slim
  script:
    - npm ci
    - npx @authensor/safeclaw audit verify --last 100
  variables:
    SAFECLAW_AUDIT_SOURCE: $AUDIT_LOG_URL
  only:
    - main

SafeClaw never needs access to your LLM API keys during CI. It validates policy syntax and runs simulation tests without making real API calls.

Step 4 — Multi-Environment Pipeline

If you deploy to staging and production, validate the correct policy for each:

safety-staging:
  stage: safety
  script:
    - npm ci
    - npx @authensor/safeclaw validate --config policies/staging.yaml
    - npx @authensor/safeclaw test --simulation --config policies/staging.yaml
  rules:
    - if: $CI_COMMIT_BRANCH == "develop"

safety-production:
  stage: safety
  script:
    - npm ci
    - npx @authensor/safeclaw validate --config policies/production.yaml
    - npx @authensor/safeclaw test --simulation --config policies/production.yaml
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

Production policies should always be stricter than staging. SafeClaw validates each independently.

Step 5 — Artifact the Audit Report

Save simulation test results as a GitLab CI artifact for review:

safety-simulation:
  stage: safety
  image: node:20-slim
  script:
    - npm ci
    - npx @authensor/safeclaw test --simulation --output report.json
  artifacts:
    paths:
      - report.json
    expire_in: 30 days

The report shows every simulated action, the policy rule that matched, and whether it was allowed or denied. This artifact is reviewable in the merge request UI.

Step 6 — Include as a Reusable Template

For organizations with multiple AI agent projects, create a reusable CI template:

# .gitlab-ci/safeclaw.yml
.safeclaw-validate:
  image: node:20-slim
  script:
    - npm ci
    - npx @authensor/safeclaw validate
    - npx @authensor/safeclaw test --simulation

Include it in each project:

include:
  - project: "your-org/ci-templates"
    file: ".gitlab-ci/safeclaw.yml"

safety:
  extends: .safeclaw-validate
  stage: safety

This ensures consistent AI safety checks across your entire organization.

