CI/CD Integration
Integrate Qryon into your CI/CD pipeline to automatically scan code for security vulnerabilities on every pull request and deployment.
GitHub Actions
Basic Setup
```yaml
# .github/workflows/security.yml
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Qryon
        run: npm install -g rma-cli
      - name: Run Qryon Security Scan
        run: rma scan . --format sarif --output results.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
Uploading to Code Scanning requires the workflow token to have the `security-events: write` permission; if your repository's default token permissions are read-only, add a `permissions:` block to the workflow.
With Caching
```yaml
# .github/workflows/security.yml
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Cache Qryon
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/rma
            ~/.npm
          key: rma-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            rma-${{ runner.os }}-
      - name: Install Qryon
        run: npm install -g rma-cli
      - name: Run Qryon Security Scan
        run: |
          rma scan . \
            --format sarif \
            --output results.sarif \
            --fail-on high
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
GitLab CI
```yaml
# .gitlab-ci.yml
stages:
  - test
  - security
security-scan:
  stage: security
  image: node:20
  before_script:
    - npm install -g rma-cli
  script:
    - rma scan . --format json --output gl-sast-report.json
    - rma scan . --format sarif --output gl-sast-report.sarif
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - gl-sast-report.json
      - gl-sast-report.sarif
    expire_in: 1 week
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```
Jenkins
```groovy
// Jenkinsfile
pipeline {
  agent any
  tools {
    nodejs 'Node 20'
  }
  stages {
    stage('Install') {
      steps {
        sh 'npm install -g rma-cli'
      }
    }
    stage('Security Scan') {
      steps {
        // One scan per output format, as in the GitLab example above:
        // repeating --format/--output in a single command is ambiguous.
        sh '''
          rma scan . --format sarif --output results.sarif
          rma scan . --format json --output results.json
        '''
      }
      post {
        always {
          recordIssues(
            tools: [sarif(pattern: 'results.sarif')]
          )
          archiveArtifacts artifacts: 'results.*'
        }
      }
    }
  }
}
```
Azure DevOps
```yaml
# azure-pipelines.yml
trigger:
  branches:
    include:
      - main
      - develop
pool:
  vmImage: 'ubuntu-latest'
steps:
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'
    displayName: 'Install Node.js'
  - script: npm install -g rma-cli
    displayName: 'Install RMA'
  - script: |
      rma scan . \
        --format sarif \
        --output $(Build.ArtifactStagingDirectory)/results.sarif
    displayName: 'Run Security Scan'
    continueOnError: true
  - task: PublishBuildArtifacts@1
    inputs:
      pathtoPublish: '$(Build.ArtifactStagingDirectory)'
      artifactName: 'security-results'
```
CircleCI
```yaml
# .circleci/config.yml
version: 2.1
jobs:
  security-scan:
    docker:
      - image: cimg/node:20.0
    steps:
      - checkout
      - restore_cache:
          keys:
            - rma-cache-v1-{{ checksum "package-lock.json" }}
      - run:
          name: Install RMA
          command: npm install -g rma-cli
      - run:
          name: Run Security Scan
          command: |
            rma scan . \
              --format json \
              --output results.json \
              --fail-on high
      - save_cache:
          paths:
            - ~/.cache/rma
          key: rma-cache-v1-{{ checksum "package-lock.json" }}
      - store_artifacts:
          path: results.json
          destination: security-results
workflows:
  main:
    jobs:
      - security-scan
```
Pre-commit Hook
```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: rma-security-scan
        name: RMA Security Scan
        entry: rma scan --staged-only --fail-on high
        language: system
        pass_filenames: false
        stages: [commit]
```
SARIF Output
Qryon's SARIF output integrates with GitHub Code Scanning, Azure DevOps, and other SARIF-compatible tools.
```bash
# Generate SARIF
rma scan . --format sarif --output results.sarif
```
Exit Codes
Use exit codes to control pipeline flow:
| Exit Code | Meaning | CI Action |
|---|---|---|
| 0 | No findings above threshold | Pass |
| 1 | Findings above threshold | Fail |
| 2 | Configuration error | Fail |
| 3 | Internal error | Fail |
```bash
# Configure failure threshold
rma scan . --fail-on critical   # Only fail on critical
rma scan . --fail-on high       # Fail on high or critical
rma scan . --fail-on medium     # Fail on medium+
rma scan . --fail-on none       # Never fail (for monitoring)
```
Best Practices
- Start with monitoring: use `--fail-on none` initially
- Gradually increase strictness: move from critical to high to medium
- Cache analysis results: Qryon caching speeds up repeat scans
- Scan changed files only: use `--diff` for faster PR checks
- Use SARIF for visibility: get findings in the GitHub Security tab
- Set up notifications: alert on new critical/high findings
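As an added example that is not part of the Qryon docs or tooling: a POSIX sh gate built on the exit-code table under Exit Codes. It keeps the report-upload step running whatever the scan returned, the way `if: always()` does in the GitHub workflow, but unlike a blanket `continueOnError: true` it still fails the job on exit 2 or 3, so a misconfigured or crashed scanner is never reported as a clean run, even during a `--fail-on none` monitoring phase. The function names, `RMA_CMD`, `UPLOAD_CMD` and the `exit N` stubs are assumptions for this example.

```shell
#!/bin/sh
# Added example (not Qryon's own code): map rma exit codes to a CI decision.
# Assumes the exit-code table on this page; the scan and upload commands are
# passed in as strings, so an "exit N" stub can stand in for "rma scan ..." offline.

# Translate an rma exit code into a CI action label.
classify_rma_exit() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "fail-findings" ;;   # findings at or above the --fail-on threshold
    2) echo "fail-config" ;;     # bad flags/config: fix the pipeline, not the code
    3) echo "fail-internal" ;;   # tool crashed: the (missing) report cannot be trusted
    *) echo "fail-unknown" ;;    # anything undocumented is treated as a failure
  esac
}

# Run the scan command ($1), then always run the upload command ($2, optional),
# then return: 0 = pass, 1 = findings above threshold, 2 = scanner problem.
run_scan_gate() {
  scan_cmd="$1"
  upload_cmd="${2:-:}"               # ":" is a no-op when no upload step is given
  if sh -c "$scan_cmd"; then rc=0; else rc=$?; fi
  action=$(classify_rma_exit "$rc")
  echo "rma exit=$rc action=$action"
  # Upload the report regardless of the result; an upload failure is logged
  # but must not convert a failed scan into a pass (or vice versa).
  sh -c "$upload_cmd" || echo "warning: report upload failed" >&2
  case "$action" in
    pass)          return 0 ;;
    fail-findings) return 1 ;;
    *)             return 2 ;;
  esac
}

# In CI: RMA_CMD="rma scan . --format sarif --output results.sarif --fail-on high"
# and UPLOAD_CMD set to whatever publishes results.sarif on your platform.
# Only runs when RMA_CMD is set, so the file is safe to source stand-alone.
if [ -n "${RMA_CMD:-}" ]; then
  run_scan_gate "$RMA_CMD" "${UPLOAD_CMD:-}"
fi
```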