Our CI integration provides both infra and code scans, to help you identify vulnerabilities before they reach production.

Using GitHub Actions

To make it easier for organizations using GitHub, we created a GitHub Action that can be easily integrated in your pipelines. A complete workflow file looks like this:

  name: Symbiotic security scan

  # Run the scan on every push and pull request (adjust to your pipeline).
  on: [push, pull_request]

  jobs:
    code-security-scan:
      runs-on: ubuntu-latest

      steps:
        - uses: actions/checkout@v4

        - name: Scan
          uses: SymbioticSec/actions/[email protected]
          with:
            scan-type: infra
            api-token: ${{ secrets.SYMBIOTIC_API_TOKEN }}

Don't forget to retrieve your organization token and to set it as a secret in your GitHub settings.

Using our CLI

If you are not using GitHub, you can still use our CLI in your pipelines:
1. Install our CLI

      curl -sSL https://github.com/SymbioticSec/cli/releases/latest/download/install.sh | bash
      # The installer places the binary in ~/.local/bin; add it to PATH for the rest of the job.
      export PATH="$HOME/.local/bin:$PATH"

We advise you to set SYMBIOTIC_API_TOKEN as an environment variable in your pipeline. You can create or retrieve this token here.
2. Launch our CLI

  symbiotic-cli ci infra ./ --skip-upload-results

If you want your detected vulnerabilities to be uploaded to Symbiotic's backend, to benefit from the dashboard, detailed reports, remediation suggestions and more, you need to provide information about your git repository to the command. See the example below:

  symbiotic-cli ci infra ./ \
    --git-remote-url <your repository remote url> \
    --git-first-commit-sha <your repository first commit sha> \
    --git-latest-commit-sha <the scanned branch latest commit sha> \
    --git-default-branch <your repository default branch> \
    --git-current-branch <the scanned branch>

You can override the severity threshold defined in the configuration file using the severity-threshold option, for example:

  symbiotic-cli ci infra ./ --severity-threshold high

As of today, scans must be launched from the root folder of the repository so that the configuration file is correctly taken into account.

A complete GitLab CI job that installs the CLI and runs a code scan:
stages:
  - test

test-full-script:
  stage: test
  image: ubuntu:latest

  before_script:
    - apt-get update && apt-get install -y curl bash git unzip
    - curl -sSL https://github.com/SymbioticSec/cli/releases/latest/download/install.sh | bash
    - export "PATH=$HOME/.local/bin:$PATH"

  script:
    - symbiotic-cli ci code ./ --skip-upload-results
  rules:
    - if: '$CI_COMMIT_BRANCH'
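As an added example (not Symbiotic's own script), the following POSIX shell wrapper automates the upload form of the `symbiotic-cli ci infra` command from step 2: it derives the five `--git-*` values from the checkout with plain git commands, refuses to run if any of them is empty, and passes an optional severity threshold through. The `symbiotic-cli` invocation and its options are the ones documented above; the git commands, the `DEFAULT_BRANCH` and `SEVERITY_THRESHOLD` variables and the `run` argument are conventions of this example, not part of the CLI.

```shell
#!/usr/bin/env sh
# Added example, not Symbiotic's own script: wrap the "upload" form of
# `symbiotic-cli ci infra` from step 2. The git commands used to derive the
# five --git-* values, and the DEFAULT_BRANCH / SEVERITY_THRESHOLD variables,
# are this example's own conventions, not part of the documented CLI.
set -eu

# Needs a full-history clone (fetch-depth: 0 on GitHub, GIT_DEPTH: 0 on
# GitLab); in a shallow clone the root commit is not reachable and the
# first-commit SHA would be wrong.
git_remote_url()        { git config --get remote.origin.url; }
git_first_commit_sha()  { git rev-list --max-parents=0 HEAD | tail -n 1; }
git_latest_commit_sha() { git rev-parse HEAD; }

git_default_branch() {
  # CI checkouts do not always create origin/HEAD; let the pipeline pin the
  # value through DEFAULT_BRANCH instead of guessing.
  if [ -n "${DEFAULT_BRANCH:-}" ]; then
    printf '%s\n' "$DEFAULT_BRANCH"
  else
    git symbolic-ref --short refs/remotes/origin/HEAD | sed 's#^origin/##'
  fi
}

git_current_branch() {
  # A detached checkout (typical for pull requests) makes git report "HEAD",
  # so prefer the branch name the CI system exports.
  b=${GITHUB_HEAD_REF:-${GITHUB_REF_NAME:-${CI_COMMIT_BRANCH:-}}}
  if [ -n "$b" ]; then printf '%s\n' "$b"; else git rev-parse --abbrev-ref HEAD; fi
}

# Print the CLI argument list, one argument per line. Fails with status 1 if
# any of the five metadata values is empty: an upload with missing repository
# fields should fail the job rather than file an orphan report. $6 optionally
# sets --severity-threshold.
build_scan_args() {
  i=0
  for v in "$1" "$2" "$3" "$4" "$5"; do
    i=$((i + 1))
    [ -n "$v" ] || { echo "git metadata value #$i is empty, refusing to upload" >&2; return 1; }
  done
  printf '%s\n' ci infra ./ \
    --git-remote-url "$1" \
    --git-first-commit-sha "$2" \
    --git-latest-commit-sha "$3" \
    --git-default-branch "$4" \
    --git-current-branch "$5"
  [ -z "${6:-}" ] || printf '%s\n' --severity-threshold "$6"
}

# Gather the values from the checkout and run the scan.
run_scan() {
  args=$(build_scan_args "$(git_remote_url)" "$(git_first_commit_sha)" \
    "$(git_latest_commit_sha)" "$(git_default_branch)" \
    "$(git_current_branch)" "${SEVERITY_THRESHOLD:-}")
  # Split on newlines only, so the argument boundaries chosen above survive.
  old_ifs=$IFS
  IFS='
'
  set -- $args
  IFS=$old_ifs
  symbiotic-cli "$@"
}

# Run only when invoked as `sh scan.sh run`, so the functions can also be sourced.
if [ "${1:-}" = run ]; then
  run_scan
fi
```

In a pipeline, replace the `symbiotic-cli ci ... --skip-upload-results` line with `sh scan.sh run` after the install step; set `DEFAULT_BRANCH` explicitly when the runner does not create `origin/HEAD`, and `SEVERITY_THRESHOLD=high` to apply the override shown above.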

Configuration

You can configure what makes the CI fail using our configuration file.
If there is no configuration file in the repository or if this configuration file has no blocking property, the CI will pass by default.