CI/CD Integration
Integrate SecurityChecks into your continuous integration pipeline.
CI/CD Integration
Integrate SecurityChecks into your CI/CD pipeline to automatically scan every commit and pull request.
Prerequisites
Before setting up CI/CD integration, ensure you have:
- An API key from your API Keys settings
- A project created in SecurityChecks
- Access to your CI/CD configuration
GitHub Actions
Add this workflow to .github/workflows/securitychecks.yml:
name: SecurityChecks
on:
push:
branches: [main, master, develop]
pull_request:
branches: [main, master, develop]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install SecurityChecks CLI
run: npm install -g @securitychecks/cli
- name: Run Security Scan
env:
SECURITYCHECKS_API_KEY: ${{ secrets.SECURITYCHECKS_API_KEY }}
run: scheck run --ci
- name: Sync Results to Dashboard
if: always()
env:
SECURITYCHECKS_API_KEY: ${{ secrets.SECURITYCHECKS_API_KEY }}
run: |
scheck sync \
--project ${{ github.event.repository.name }} \
--branch ${{ github.ref_name }} \
--commit ${{ github.sha }}
- name: Upload Results
if: always()
uses: actions/upload-artifact@v4
with:
name: security-results
path: .scheck/
Setting up the Secret
- Go to your repository Settings > Secrets and variables > Actions
- Click New repository secret
- Name:
SECURITYCHECKS_API_KEY - Value: Your API key from the dashboard
Pull Request Comments
When scanning pull requests, SecurityChecks automatically:
- Posts a summary comment with findings
- Adds inline annotations for each finding
- Updates the check status
GitLab CI
Add to your .gitlab-ci.yml:
stages:
- test
security-scan:
stage: test
image: node:20
before_script:
- npm install -g @securitychecks/cli
script:
- scheck run --ci
- scheck sync --project $CI_PROJECT_NAME --branch $CI_COMMIT_REF_NAME --commit $CI_COMMIT_SHA
variables:
SECURITYCHECKS_API_KEY: $SECURITYCHECKS_API_KEY
artifacts:
paths:
- .scheck/
when: always
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == "main"
- if: $CI_COMMIT_BRANCH == "develop"
Setting up the Variable
- Go to Settings > CI/CD > Variables
- Add variable:
SECURITYCHECKS_API_KEY - Check Mask variable for security
Jenkins
Add to your Jenkinsfile:
pipeline {
agent any
environment {
SECURITYCHECKS_API_KEY = credentials('securitychecks-api-key')
}
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Security Scan') {
steps {
sh 'npm install -g @securitychecks/cli'
sh 'scheck run --ci'
sh '''
scheck sync \
--project ${JOB_BASE_NAME} \
--branch ${GIT_BRANCH} \
--commit ${GIT_COMMIT}
'''
}
}
}
post {
always {
archiveArtifacts artifacts: '.scheck/**/*', allowEmptyArchive: true
}
failure {
emailext(
subject: "Security findings in ${JOB_NAME}",
body: "SecurityChecks found issues. Check the build at ${BUILD_URL}",
recipientProviders: [[$class: 'DevelopersRecipientProvider']]
)
}
}
}
CircleCI
Add to your .circleci/config.yml:
version: 2.1
jobs:
security-scan:
docker:
- image: cimg/node:20.0
steps:
- checkout
- run:
name: Install SecurityChecks CLI
command: npm install -g @securitychecks/cli
- run:
name: Run Security Scan
command: scheck run --ci
- run:
name: Sync Results to Dashboard
command: |
scheck sync \
--project ${CIRCLE_PROJECT_REPONAME} \
--branch ${CIRCLE_BRANCH} \
--commit ${CIRCLE_SHA1}
when: always
- store_artifacts:
path: .scheck
workflows:
security:
jobs:
- security-scan:
context: securitychecks
Azure DevOps
Add to your azure-pipelines.yml:
trigger:
branches:
include:
- main
- develop
pr:
branches:
include:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- task: NodeTool@0
inputs:
versionSpec: '20.x'
displayName: 'Install Node.js'
- script: npm install -g @securitychecks/cli
displayName: 'Install SecurityChecks CLI'
- script: scheck run --ci
displayName: 'Run Security Scan'
env:
SECURITYCHECKS_API_KEY: $(SECURITYCHECKS_API_KEY)
- script: |
scheck sync \
--project $(Build.Repository.Name) \
--branch $(Build.SourceBranchName) \
--commit $(Build.SourceVersion)
displayName: 'Sync Results to Dashboard'
condition: always()
env:
SECURITYCHECKS_API_KEY: $(SECURITYCHECKS_API_KEY)
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: '.scheck'
artifactName: 'security-results'
condition: always()
Best Practices
CI Mode
Use scheck run --ci to run in CI mode. This exits with a non-zero status code when new violations are found, which fails the CI step and blocks the merge.
Pair it with scheck sync to upload results to the dashboard for tracking and team review.
Branch Strategies
- Main/Master: Run
scheck run --cito block merges with violations - Feature branches: Run
scheck run --cifor early detection - PRs: Full scan with
scheck syncto post results to the dashboard
Caching
Speed up scans by caching dependencies:
# GitHub Actions
- uses: actions/cache@v4
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
Notifications
Configure alerts for scan failures:
- Go to Settings > Notifications in your dashboard
- Enable email/Slack notifications for scan failures
- Configure severity thresholds for alerts
Troubleshooting
Common Issues
Scan times out
- Increase CI timeout
- Configure include/exclude patterns in
.scheck/config.yaml
API key not found
- Ensure the
SECURITYCHECKS_API_KEYsecret/variable is correctly named - Check variable is available to the job
No findings uploaded
- Verify
--projectinscheck syncmatches your dashboard project slug - Check API key has write permissions