CI/CD Integration
Integrate SecurityChecks into your CI/CD pipeline to automatically scan every commit and pull request.
Prerequisites
Before setting up CI/CD integration, ensure you have:
- An API key from your API Keys settings
- A project created in SecurityChecks
- Access to your CI/CD configuration
GitHub Actions
Add this workflow to .github/workflows/securitychecks.yml:
```yaml
name: SecurityChecks

on:
  push:
    branches: [main, master, develop]
  pull_request:
    branches: [main, master, develop]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full clone rather than the default shallow checkout
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install SecurityChecks CLI
        run: npm install -g @securitychecks/cli

      - name: Run Security Scan
        env:
          # Repository secret (see "Setting up the Secret" below); never echo it in the job log
          SECURITYCHECKS_API_KEY: ${{ secrets.SECURITYCHECKS_API_KEY }}
        run: |
          # On pull_request events github.ref_name is "<PR number>/merge" and
          # github.sha is the synthetic merge commit; github.head_ref holds the
          # source branch name if you prefer to report that instead
          scheck run \
            --project ${{ github.event.repository.name }} \
            --branch ${{ github.ref_name }} \
            --commit ${{ github.sha }} \
            --fail-on p1

      - name: Upload Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-results
          path: .scheck/
```
Setting up the Secret
- Go to your repository Settings > Secrets and variables > Actions
- Click New repository secret
- Name: `SECURITYCHECKS_API_KEY`
- Value: your API key from the dashboard

GitHub does not expose repository secrets to `pull_request` workflows triggered from forks, so on fork pull requests the scan step fails with a missing API key. Do not switch the trigger to `pull_request_target` to work around this: that event runs the workflow with your secrets against untrusted code from the fork.
Pull Request Comments
When scanning pull requests, SecurityChecks automatically:
- Posts a summary comment with findings
- Adds inline annotations for each finding
- Updates the check status
GitLab CI
Add to your .gitlab-ci.yml:
```yaml
stages:
  - test

security-scan:
  stage: test
  image: node:20
  before_script:
    - npm install -g @securitychecks/cli
  script:
    - scheck run --project $CI_PROJECT_NAME --branch $CI_COMMIT_REF_NAME --commit $CI_COMMIT_SHA --fail-on p1
  variables:
    # Project CI/CD variable (see "Setting up the Variable" below)
    SECURITYCHECKS_API_KEY: $SECURITYCHECKS_API_KEY
  artifacts:
    paths:
      - .scheck/
    when: always
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_COMMIT_BRANCH == "develop"
```
Setting up the Variable
- Go to Settings > CI/CD > Variables
- Add a variable named `SECURITYCHECKS_API_KEY` and tick Mask variable so the value is redacted from job logs

If you also tick Protect variable, the key is only exposed to pipelines on protected branches and tags, so merge request pipelines from unprotected branches will fail with a missing key.
Jenkins
Add to your Jenkinsfile:
```groovy
pipeline {
    agent any

    environment {
        // Secret text credential with ID "securitychecks-api-key"; Jenkins masks it in the console log
        SECURITYCHECKS_API_KEY = credentials('securitychecks-api-key')
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Security Scan') {
            steps {
                sh 'npm install -g @securitychecks/cli'
                // Single-quoted script: the shell expands the variables, not Groovy,
                // so the key is never interpolated into a command string Jenkins logs
                sh '''
                    scheck run \
                      --project ${JOB_BASE_NAME} \
                      --branch ${GIT_BRANCH} \
                      --commit ${GIT_COMMIT} \
                      --fail-on p1
                '''
            }
        }
    }

    post {
        always {
            archiveArtifacts artifacts: '.scheck/**/*', allowEmptyArchive: true
        }
        failure {
            // Requires the Email Extension plugin
            emailext(
                subject: "Security findings in ${JOB_NAME}",
                body: "SecurityChecks found issues. Check the build at ${BUILD_URL}",
                recipientProviders: [[$class: 'DevelopersRecipientProvider']]
            )
        }
    }
}
```

In a plain (non-multibranch) Pipeline job, `checkout scm` sets `GIT_BRANCH` to the remote-qualified name (for example `origin/main`); strip the `origin/` prefix if you want the dashboard to show the bare branch name.
CircleCI
Add to your .circleci/config.yml:
```yaml
version: 2.1

jobs:
  security-scan:
    docker:
      - image: cimg/node:20.0
    steps:
      - checkout
      - run:
          name: Install SecurityChecks CLI
          command: npm install -g @securitychecks/cli
      - run:
          name: Run Security Scan
          command: |
            scheck run \
              --project ${CIRCLE_PROJECT_REPONAME} \
              --branch ${CIRCLE_BRANCH} \
              --commit ${CIRCLE_SHA1} \
              --fail-on p1
      - store_artifacts:
          path: .scheck

workflows:
  security:
    jobs:
      - security-scan:
          # Context that provides SECURITYCHECKS_API_KEY to the job
          context: securitychecks
```

Create a context named `securitychecks` under Organization Settings > Contexts and add `SECURITYCHECKS_API_KEY` to it as an environment variable; the job only receives the key because the workflow attaches that context.
Azure DevOps
Add to your azure-pipelines.yml:
```yaml
trigger:
  branches:
    include:
      - main
      - develop

pr:
  branches:
    include:
      - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'
    displayName: 'Install Node.js'

  - script: npm install -g @securitychecks/cli
    displayName: 'Install SecurityChecks CLI'

  - script: |
      scheck run \
        --project $(Build.Repository.Name) \
        --branch $(Build.SourceBranchName) \
        --commit $(Build.SourceVersion) \
        --fail-on p1
    displayName: 'Run Security Scan'
    env:
      # Secret pipeline variables are not exported to scripts automatically;
      # they must be mapped explicitly like this
      SECURITYCHECKS_API_KEY: $(SECURITYCHECKS_API_KEY)

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '.scheck'
      artifactName: 'security-results'
    condition: always()
```

Store `SECURITYCHECKS_API_KEY` as a secret pipeline variable (or in a variable group linked to the pipeline). For pull request validation builds, `Build.SourceBranchName` is the last segment of the merge ref (`merge` for `refs/pull/123/merge`); use `System.PullRequest.SourceBranch` if you want the PR's source branch reported instead.
Best Practices
Fail Thresholds
Choose the right `--fail-on` level for your workflow:

| Level | Use Case |
|---|---|
| `p0` | Block merges only for critical vulnerabilities |
| `p1` | Block merges for important security issues |
| `p2` | Report all issues but don't block |
Branch Strategies
- Main/Master: Scan with `--fail-on p0` to prevent critical issues
- Feature branches: Scan with `--fail-on p1` for early detection
- PRs: Full scan with annotations for code review

The pipeline examples above pass `--fail-on p1` on every branch; set the flag per branch if you follow this strategy.
Caching
Speed up scans by caching dependencies:
```yaml
# GitHub Actions: add before the "Install SecurityChecks CLI" step
- uses: actions/cache@v4
  with:
    path: ~/.npm
    key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
```
Notifications
Configure alerts for scan failures:
- Go to Settings > Notifications in your dashboard
- Enable email/Slack notifications for scan failures
- Configure severity thresholds for alerts
Troubleshooting
Common Issues
Scan times out
- Increase the CI job timeout
- Use `--include` to scan specific directories
- Add exclusions for node_modules, dist, etc.

API key not found
- Ensure the secret/variable is named exactly `SECURITYCHECKS_API_KEY`
- Check that the variable is available to the job (fork pull requests on GitHub and protected-only variables on GitLab are the usual causes)

No findings uploaded
- Verify `--project` matches your dashboard project
- Check that the API key has write permissions
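The following wrapper is an added example, not part of the SecurityChecks documentation or CLI. It ties together the branch strategy from Best Practices and the API-key and branch-name checks from Troubleshooting in one script that any of the pipelines above can call. The script name `scheck-ci.sh` and the function names `normalize_branch`, `fail_level_for`, `check_api_key` and `run_scan` are chosen here; the only CLI flags it passes are the ones the workflows above already use.

```shell
#!/bin/sh
# scheck-ci.sh: hypothetical wrapper around "scheck run" (not part of SecurityChecks).
# It normalizes the branch name each CI system hands over, picks the --fail-on
# level from the branch strategy, and refuses to start without a usable API key,
# printing a diagnostic that never contains the key itself.
set -eu

# Jenkins exposes GIT_BRANCH as "origin/main" in plain Pipeline jobs and Azure
# exposes refs as "refs/heads/main"; strip both so the dashboard sees "main".
normalize_branch() {
  b="$1"
  b="${b#refs/heads/}"
  b="${b#origin/}"
  printf '%s' "$b"
}

# Branch strategy: p0 on main/master, p1 everywhere else (feature branches, PRs).
fail_level_for() {
  case "$(normalize_branch "$1")" in
    main|master) printf 'p0' ;;
    *)           printf 'p1' ;;
  esac
}

# Returns 0 when the key looks usable, 1 otherwise. Catches the two common
# causes of "API key not found": the variable is missing or empty (wrong name,
# or not exposed to this job) or it was pasted with surrounding whitespace.
check_api_key() {
  key="${1-}"
  if [ -z "$key" ]; then
    echo "error: SECURITYCHECKS_API_KEY is unset or empty; check the secret/variable name and that it is exposed to this job" >&2
    return 1
  fi
  case "$key" in
    *[[:space:]]*)
      echo "error: SECURITYCHECKS_API_KEY contains whitespace; re-create the secret without a trailing newline or spaces" >&2
      return 1 ;;
  esac
  return 0
}

# Runs the scan. Arguments: project name, raw branch name, commit SHA.
run_scan() {
  project="$1"
  branch="$(normalize_branch "$2")"
  commit="$3"
  check_api_key "${SECURITYCHECKS_API_KEY-}"
  level="$(fail_level_for "$branch")"
  echo "scheck: scanning $project on $branch ($commit) with --fail-on $level"
  scheck run --project "$project" --branch "$branch" --commit "$commit" --fail-on "$level"
}

# Only run when invoked with the three positional arguments, e.g.
#   ./scheck-ci.sh "$CI_PROJECT_NAME" "$CI_COMMIT_REF_NAME" "$CI_COMMIT_SHA"
# so the file can also be sourced to reuse the functions.
if [ "$#" -eq 3 ]; then
  run_scan "$1" "$2" "$3"
fi
```

`run_scan` needs the real `scheck` CLI on the PATH and `SECURITYCHECKS_API_KEY` in the environment; the helper functions are pure and can be exercised without either. Because the key is only ever read from the environment and compared, nothing in the script writes it to the job log, which matters on CI systems where the secret masking is opt-in.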