diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 976fa73c..7d3eafa3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -7,16 +7,16 @@ cache:
 - .cache
 # ============================================================
-# 🧠 Step 1: Security Scan dengan gosec
+# 🧠 Step 1: Security Scan dengan gosec (pakai Go 1.24)
 # ============================================================
 gosec_scan:
 stage: scan
- image: golang:1.23
+ image: golang:1.24
 script:
 - go install github.com/securego/gosec/v2/cmd/gosec@latest
 - echo "🔍 Menjalankan scan keamanan Go..."
 - gosec -fmt=json -out=gosec-report.json ./...
- - cat gosec-report.json | jq '.Issues | length'
+ - echo "📄 Jumlah issue terdeteksi:" && cat gosec-report.json | jq '.Issues | length'
 artifacts:
 when: always
 paths:
@@ -24,8 +24,7 @@ gosec_scan:
 expire_in: 1 week
 allow_failure: false
 only:
- - merge_requests
- - branches
+ - devops-ec2
 # ============================================================
 # 🧱 Step 2: Analisis SonarQube
@@ -35,17 +34,18 @@ sonarqube_analysis:
 image: sonarsource/sonar-scanner-cli:latest
 script:
 - echo "🚀 Menjalankan analisis SonarQube..."
+ - if [ -f "go.mod" ]; then go test ./... -coverprofile=coverage.out || true; fi
 - sonar-scanner \
 -Dsonar.projectKey="mbu-lti-backend" \
 -Dsonar.projectName="MBU LTI Backend" \
 -Dsonar.sources="." \
 -Dsonar.host.url="https://status.mbugroup.id/sonar" \
 -Dsonar.login="sqp_97b3cb2f80ce932fb07b5641aeecc8704b76d1a7" \
+ -Dsonar.go.coverage.reportPaths="coverage.out" \
 -Dsonar.sourceEncoding="UTF-8" \
 -Dsonar.verbose=true
 only:
- - merge_requests
- - branches
+ - devops-ec2
 allow_failure: false
 dependencies:
 - gosec_scan
@@ -53,4 +53,5 @@ sonarqube_analysis:
 when: always
 paths:
 - .scannerwork
+ - coverage.out
 expire_in: 1 week
\ No newline at end of file
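Review bot: In the first hunk, the new `echo "📄 Jumlah issue terdeteksi:" && cat gosec-report.json | jq '.Issues | length'` step only runs when gosec exits 0, because gosec returns a non-zero status when it reports findings and the job stops at that line. The count is therefore never printed in the case it is meant for. Moving it to an `after_script:` entry such as `- jq '.Issues | length' gosec-report.json` would print it on failed runs too. The install line above it still uses `gosec@latest`, so the scanner changes between runs without a commit; pin it to a release tag (placeholder: `gosec@vX.Y.Z`). The `gosec_scan` job continues past the end of this hunk.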
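Review bot: With `only:` reduced to `- devops-ec2` in the second hunk, gosec no longer runs on merge requests or on any other branch, so code can be reviewed and merged without being scanned. `allow_failure: false` then gates only that one branch. The third hunk applies the same narrowing to `sonarqube_analysis`. If the intent is to add the deployment branch rather than replace the existing triggers, keep `- merge_requests` in the list next to `- devops-ec2` in both jobs.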
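Review bot: The `-Dsonar.login="sqp_…"` argument in the third hunk is a literal SonarQube token committed to the repository, and this commit edits the lines around it without removing it. Anyone who can read the repository or its history can use it against the server named in `sonar.host.url`. Revoke that token and supply a new one through a masked, protected CI/CD variable, for example `-Dsonar.login="$SONAR_TOKEN"`. Separately, the added `go test ./... -coverprofile=coverage.out || true` step hides every failure, including a missing Go toolchain in the `sonar-scanner-cli` image (not verifiable from this page), so `coverage.out` can be silently absent. Logging a warning in the `||` branch would make that visible.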