diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 778ff99d..30ce43a0 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,11 +1,75 @@
 stages:
+ - test
 - scan
 
-sonarqube_scan:
+cache:
+ paths:
+ - .sonar/cache
+ - .cache
+
+# ======================================================
+# ๐Ÿงช Step 1: Unit Test + Coverage
+# ======================================================
+unit_test:
+ stage: test
+ image: golang:1.24
+ script:
+ - echo "๐Ÿงช Menjalankan unit test..."
+ - go mod tidy
+ - go test ./... -coverprofile=coverage.out
+ - go tool cover -func=coverage.out | tail -n 1
+ artifacts:
+ when: always
+ paths:
+ - coverage.out
+ expire_in: 1 week
+ only:
+ - devops-ec2
+
+# ======================================================
+# ๐Ÿ”’ Step 2: Security Scan (Gosec)
+# ======================================================
+gosec_scan:
+ stage: scan
+ image: golang:1.24
+ script:
+ - apt-get update && apt-get install -y jq
+ - go install github.com/securego/gosec/v2/cmd/gosec@latest
+ - echo "๐Ÿ” Menjalankan scan keamanan dengan gosec..."
+ - gosec -fmt=json -out=gosec-report.json ./... || true
+ - echo "๐Ÿ“„ Jumlah issue ditemukan:" && cat gosec-report.json | jq '.Issues | length'
+ # Konversi hasil gosec ke format SonarQube
+ - |
+ jq -r '.Issues[] | {
+ engineId: "gosec",
+ ruleId: .rule_id,
+ primaryLocation: {
+ message: .details,
+ filePath: .file,
+ textRange: {startLine: .line}
+ },
+ type: "VULNERABILITY",
+ severity: (if .severity == "HIGH" then "CRITICAL" elif .severity == "MEDIUM" then "MAJOR" else "MINOR" end)
+ }' gosec-report.json | jq -s '{issues: .}' > gosec-generic-report.json
+ artifacts:
+ when: always
+ paths:
+ - gosec-report.json
+ - gosec-generic-report.json
+ expire_in: 1 week
+ allow_failure: false
+ only:
+ - devops-ec2
+
+# ======================================================
+# ๐Ÿ“Š Step 3: SonarQube Analysis
+# ======================================================
+sonarqube_analysis:
 stage: scan
 image: sonarsource/sonar-scanner-cli:latest
 script:
- - echo "๐Ÿš€ Menjalankan analisis ke SonarQube..."
+ - apk add --no-cache jq
+ - echo "๐Ÿš€ Mengirim analisis ke SonarQube..."
 - |
 sonar-scanner \
 -Dsonar.projectKey=mbu-lti-backend \
@@ -13,7 +77,19 @@ sonarqube_scan:
 -Dsonar.sources=. \
 -Dsonar.host.url=https://status.mbugroup.id/sonar \
 -Dsonar.login=sqp_57fbffb8337608c331091dd1544569df613a2d3f \
+ -Dsonar.go.coverage.reportPaths=coverage.out \
+ -Dsonar.externalIssuesReportPaths=gosec-generic-report.json \
 -Dsonar.sourceEncoding=UTF-8 \
 -Dsonar.verbose=true
+ dependencies:
+ - unit_test
+ - gosec_scan
+ artifacts:
+ when: always
+ paths:
+ - .scannerwork
+ - coverage.out
+ - gosec-generic-report.json
+ expire_in: 1 week
 only:
 - devops-ec2
\ No newline at end of file
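Review bot: `gosec -fmt=json -out=gosec-report.json ./... || true` in gosec_scan swallows gosec's non-zero exit, so the `allow_failure: false` below never actually fails the job on findings, and a scan that crashed before writing the report only shows up as a `cat`/`jq` error on the following line. Keep the conversion step but gate on the result after it, e.g. `- test "$(jq '[.Issues[] | select(.severity == "HIGH")] | length' gosec-report.json)" -eq 0` (gosec's own `-no-fail` flag is the cleaner way to keep exit status out of the scan line while still checking that the report exists). Separately, gosec reports `line` as a string (`"42"`, or `"42-45"` for a range) while the SonarQube Generic Issue format expects an integer `startLine`, so `textRange: {startLine: .line}` should read `textRange: {startLine: (.line | split("-")[0] | tonumber)}` or the import is likely to be rejected. `go install ...gosec@latest` in gosec_scan and `go mod tidy` in unit_test make the pipeline non-reproducible: pin the gosec version and prefer `go mod download` plus `go mod verify`, so a dirty go.sum is reported rather than silently rewritten in CI.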
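Review bot: `dependencies: - gosec_scan` in sonarqube_analysis references a job in its own stage (both are `stage: scan`), and GitLab only accepts `dependencies` entries from earlier stages, so I expect the pipeline to be rejected at validation; either move gosec_scan to the `test` stage or replace the list with `needs: [unit_test, gosec_scan]`, which also fetches their artifacts and allows same-stage ordering. The expanded scanner command still carries the project token as a literal (`-Dsonar.login=sqp_…`) and the hunk now also retains `.scannerwork` for a week as an artifact; move the token to a masked, protected CI/CD variable and pass it as `-Dsonar.token="$SONAR_TOKEN" \` (`sonar.login` on servers older than 10), rotate the committed one on the SonarQube side, and confirm the scanner workspace holds nothing sensitive before keeping it in `artifacts.paths`. coverage.out and gosec-generic-report.json are already artifacts of the upstream jobs, so re-uploading them here only duplicates storage. The sonarqube_analysis job definition starts in the previous hunk.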