
feat(scorecard): add GitLab module with issues, MRs, pipelines, and jobs metrics#3478

Open
fullsend-ai-coder[bot] wants to merge 1 commit into main from feat/scorecard-gitlab-module-3475

Conversation

@fullsend-ai-coder

Contributor

Implements a new scorecard-backend-module-gitlab plugin that provides 16 metrics for GitLab projects via the GitLab REST API. The module uses Backstage SCM integration for authentication and filters entities by the gitlab.com/project-slug annotation.

Metrics: open/opened/closed issues (7d), open/opened/closed MRs (7d), started/successful/failed pipelines (7d), started/successful/failed jobs (7d), pipeline and job success ratios (7d and 24h).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Closes #3475

Post-script verification

  • Branch is not main/master (feat/scorecard-gitlab-module-3475)
  • Secret scan passed (gitleaks — 7ccaff17753df64c7ab288cdcba34cee5a657254..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

…obs metrics

Implements a new scorecard-backend-module-gitlab plugin that provides 16
metrics for GitLab projects via the GitLab REST API. The module uses
Backstage SCM integration for authentication and filters entities by the
gitlab.com/project-slug annotation.

Metrics: open/opened/closed issues (7d), open/opened/closed MRs (7d),
started/successful/failed pipelines (7d), started/successful/failed
jobs (7d), pipeline and job success ratios (7d and 24h).

Closes #3475

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@rhdh-gh-app

rhdh-gh-app Bot commented Jun 19, 2026


Missing Changesets

The following package(s) are changed by this PR but do not have a changeset:

  • @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-gitlab

See CONTRIBUTING.md for more information about how to add changesets.

Changed Packages

Package Name: @red-hat-developer-hub/backstage-plugin-scorecard-backend-module-gitlab
Package Path: workspaces/scorecard/plugins/scorecard-backend-module-gitlab
Changeset Bump: none
Current Version: v1.0.0

@codecov

codecov Bot commented Jun 19, 2026


⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.

@sonarqubecloud


Quality Gate failed

Failed conditions
9.2% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@fullsend-ai-review

fullsend-ai-review Bot commented Jun 19, 2026


🤖 Finished Review · ✅ Success · Started 1:54 PM UTC · Completed 2:08 PM UTC
Commit: 1912534

@fullsend-ai-review


Review

Findings

High

  • [logic-error] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/metricProviders/GitlabPipelinesProvider.ts — PERCENTAGE_THRESHOLDS is defined with correct rules (<50 error, 50-80 warning, >80 success) but is never used by any provider's getMetricThresholds(). All providers return DEFAULT_NUMBER_THRESHOLDS which treats <10 as success and >50 as error. For ratio metrics (pipeline_success_ratio, job_success_ratio), this means a 90% success ratio displays as "error" and a 5% ratio displays as "success" — the thresholds are semantically inverted.
    Remediation: GitlabPipelinesProvider and GitlabJobsProvider should return PERCENTAGE_THRESHOLDS from their getMetricThresholds() method instead of DEFAULT_NUMBER_THRESHOLDS. Note that each provider can only return one ThresholdConfig, so the ratio providers may need to be split from the count providers, or the interface needs to support per-metric thresholds.

Medium

  • [DoS] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/gitlab/GitlabClient.ts — The fetchAllPages method has no upper bound on pages fetched. A project with extensive job history could trigger hundreds of sequential HTTP requests. The early-exit condition relies on created_at descending order, which GitLab provides by default but does not explicitly guarantee.
    Remediation: Add a maximum page limit (e.g., MAX_PAGES = 100) to the while (hasMore) loop and log a warning when the limit is reached.

  • [architectural-conflict] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/gitlab/GitlabClient.ts — getApiBaseUrl hardcodes gitlab.com as the host. Self-hosted GitLab instances configured in Backstage SCM integrations will not be resolved. The GitHub module resolves this by accepting the entity source URL and calling integrations.github.byUrl(url). Issue Create new gitlab module for scorecard #3475 specifies "using Backstage SCM configuration for gitlab," implying self-hosted support.
    Remediation: Pass entity or host information through to GitlabClient so it can resolve the correct integration by URL, similar to GithubClient.

Low

  • [api-contract] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/gitlab/GitlabClient.ts — The scope[] parameter is set via params['scope[]'] = scope.join(','). GitLab expects repeated query params (scope[]=success&scope[]=failed), not comma-separated. Current callers only pass single-element arrays so the bug does not manifest, but the API is incorrect for multi-value use.

  • [edge-case] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/gitlab/GitlabClient.ts — fetchTotalCount falls back to counting response body items when x-total header is missing, but since per_page=1, the fallback returns at most 1 (not the actual total). The header is present for the endpoints used here, so this is a low-probability edge case.

  • [DoS] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/gitlab/GitlabClient.ts — fetch() calls lack request timeouts (AbortController/signal). If GitLab is unresponsive, the backend hangs indefinitely.

  • [code-organization] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/metricProviders/GitlabPipelinesProvider.ts — calculateRatio is a shared utility defined in GitlabPipelinesProvider.ts and imported by GitlabJobsProvider.ts. Shared utilities should live in gitlab/utils.ts per established module conventions.

  • [api-shape] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/metricProviders/GitlabIssuesProvider.ts — Existing providers reference this.getProviderId() and this.getMetricType() in getMetric(). GitLab providers hardcode METRIC_IDS constants instead, diverging from the established pattern.

  • [api-shape] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/metricProviders/GitlabIssuesProvider.ts — All GitLab providers add explicit : string return types on getProviderId(), while existing providers rely on type inference.

  • [auth] workspaces/scorecard/plugins/scorecard-backend-module-gitlab/src/gitlab/GitlabClient.ts — When no token is configured, unauthenticated requests proceed silently without logging a warning. Operators may not realize they are running without auth (reduced rate limits, no private project access).
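A hardened version of the client paging path the review above criticizes, added here as an example; it is not the PR's code or the project's own. It assumes a fetch-compatible function is injected, a hypothetical MAX_PAGES of 100 (the review's suggestion) and a 10 s per-request budget, and shows the page cap, the AbortController timeout, and scope[] emitted as repeated query keys instead of a comma-joined value.

```typescript
// Hypothetical hardened pagination helper (added example, not the PR's code). Addresses
// the unbounded page loop, the missing request timeout, and the comma-joined scope[] param.
type PageResponse = { ok: boolean; status: number; json(): Promise<unknown> };
type FetchLike = (url: string, init?: { signal?: AbortSignal }) => Promise<PageResponse>;
type Params = Record<string, string | string[]>;

const MAX_PAGES = 100;             // assumed cap, the value the review suggests
const REQUEST_TIMEOUT_MS = 10_000; // assumed per-request budget

function buildUrl(base: string, path: string, params: Params): string {
  const url = new URL(path, base);
  for (const [key, value] of Object.entries(params)) {
    if (Array.isArray(value)) {
      // GitLab expects scope[]=success&scope[]=failed, not scope[]=success,failed
      for (const v of value) url.searchParams.append(`${key}[]`, v);
    } else {
      url.searchParams.set(key, value);
    }
  }
  return url.toString();
}

async function fetchAllPages<T extends { created_at: string }>(
  fetchFn: FetchLike, base: string, path: string, params: Params, since: Date,
  opts: { maxPages?: number; timeoutMs?: number; warn?: (msg: string) => void } = {},
): Promise<{ items: T[]; pages: number; truncated: boolean }> {
  const maxPages = opts.maxPages ?? MAX_PAGES;
  const items: T[] = [];
  for (let page = 1; page <= maxPages; page++) {
    // Per-request timeout so an unresponsive GitLab cannot hang the backend.
    const controller = new AbortController();
    const timer = setTimeout(() => controller.abort(), opts.timeoutMs ?? REQUEST_TIMEOUT_MS);
    let body: T[] = [];
    try {
      const url = buildUrl(base, path, { ...params, per_page: '100', page: String(page) });
      const res = await fetchFn(url, { signal: controller.signal });
      if (!res.ok) throw new Error(`GitLab API returned ${res.status} for ${path}`);
      body = (await res.json()) as T[];
    } finally {
      clearTimeout(timer);
    }
    // Filter by date instead of breaking mid-page and stop once a whole page is outside the
    // window; the page cap guarantees termination even if created_at-descending order fails.
    const inWindow = body.filter(it => new Date(it.created_at) >= since);
    items.push(...inWindow);
    if (body.length === 0 || inWindow.length === 0) return { items, pages: page, truncated: false };
  }
  opts.warn?.(`fetchAllPages: hit the ${maxPages}-page cap for ${path}; results are partial`);
  return { items, pages: maxPages, truncated: true };
}
```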

@fullsend-ai-review fullsend-ai-review Bot left a comment


See the review comment for full details.


Development

Successfully merging this pull request may close these issues.

Create new gitlab module for scorecard
