CI/CD Integration

Automated Security in Your Pipeline

Integrate Bloodhound security scanning into your CI/CD pipeline for automated vulnerability detection on every commit, PR, and release.

Overview

Shift security left by integrating Bloodhound into your development workflow. Catch vulnerabilities before they reach production.

At a glance: 3 supported platforms, native SARIF output format, PR comments, quality gates.

Supported Platforms

Quick Start

Get started with CI/CD integration in minutes.

.github/workflows/security.yml
YAML
# GitHub Actions Example
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# upload-sarif needs permission to write code-scanning results
permissions:
  contents: read
  security-events: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Bloodhound CLI
        run: npm install -g @agnech/cli

      - name: Activate License
        run: bloodhound license activate ${{ secrets.BLOODHOUND_LICENSE }}

      - name: Run Security Scan
        run: bloodhound scan --report sarif --output results.sarif ./src

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Configuration

Configure CI/CD behavior with environment variables and config files.

Environment Variables

BLOODHOUND_LICENSE   License key (required)
BLOODHOUND_FAIL_ON   Fail threshold (critical/high/medium)
BLOODHOUND_MODE      Scan mode (quick/advanced/ultimate)
BLOODHOUND_OUTPUT    Output format (sarif/json/html)
bloodhound.config.json
JSON
{
  "ci": {
    "failOn": "high",
    "mode": "advanced",
    "output": "sarif",
    "prComments": true,
    "statusCheck": true,
    "baseline": "./security-baseline.json"
  }
}

Best Practices

Use Baselines

Establish a security baseline to distinguish new findings from existing, already-accepted ones. Fail builds only on new findings so that known technical debt does not block development.

Progressive Enforcement

Start with warnings, then progress to blocking critical issues, and finally enforce on high-severity findings.
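The following script is an added example (not part of the Bloodhound CLI or this page) that shows how the two practices above combine: it diffs a SARIF results file against a baseline and exits non-zero only for new findings at or above the BLOODHOUND_FAIL_ON threshold, so raising that variable from critical to high to medium over time gives progressive enforcement. It assumes two things the page does not state: that each SARIF result carries its severity as a string in `result.properties.severity`, and that the baseline file is a JSON list of `{"ruleId", "uri", "startLine"}` objects. The sample SARIF and baseline are constructed inline so the script runs offline.

```python
"""Quality gate: fail only on NEW findings at or above BLOODHOUND_FAIL_ON.

Added example, not part of the Bloodhound CLI. Assumptions (not from the page):
  * the scan output is SARIF 2.1.0 with one severity string per result in
    result.properties.severity (critical/high/medium/low);
  * the baseline file (e.g. ./security-baseline.json) is a JSON list of
    {"ruleId", "uri", "startLine"} objects describing accepted findings.
"""
import json
import os
import sys

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


def finding_key(result):
    """Stable identity of a SARIF result: (rule, file, line)."""
    locations = result.get("locations") or [{}]
    phys = locations[0].get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "")
    line = phys.get("region", {}).get("startLine", 0)
    return (result.get("ruleId", ""), uri, line)


def severity_of(result):
    """Severity label of a result; assumed to live in properties.severity."""
    return str(result.get("properties", {}).get("severity", "low")).lower()


def load_findings(sarif):
    """Map every result in every run to its severity label."""
    findings = {}
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            findings[finding_key(result)] = severity_of(result)
    return findings


def baseline_keys(baseline):
    """Keys of findings already accepted in the baseline."""
    return {(b["ruleId"], b["uri"], b["startLine"]) for b in baseline}


def new_findings(sarif, baseline, fail_on):
    """Findings absent from the baseline and at/above the fail_on threshold."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    accepted = baseline_keys(baseline)
    return sorted(
        (key, sev)
        for key, sev in load_findings(sarif).items()
        if key not in accepted and SEVERITY_RANK.get(sev, 0) >= threshold
    )


def gate_exit_code(sarif, baseline, fail_on):
    """0 when the build may pass, 1 when new findings breach the threshold."""
    return 1 if new_findings(sarif, baseline, fail_on) else 0


def make_result(rule, uri, line, severity):
    """Build a minimal SARIF result (used for the constructed sample below)."""
    return {
        "ruleId": rule,
        "properties": {"severity": severity},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line}}}],
    }


# Constructed sample data: one previously accepted critical finding, plus a
# new high and a new medium finding introduced by the current change.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{"results": [
    make_result("sql-injection", "src/db.js", 42, "critical"),
    make_result("path-traversal", "src/files.js", 17, "high"),
    make_result("weak-hash", "src/auth.js", 9, "medium"),
]}]}
SAMPLE_BASELINE = [{"ruleId": "sql-injection", "uri": "src/db.js", "startLine": 42}]


def main(argv):
    """Usage: gate.py results.sarif security-baseline.json"""
    with open(argv[1]) as f:
        sarif = json.load(f)
    with open(argv[2]) as f:
        baseline = json.load(f)
    fail_on = os.environ.get("BLOODHOUND_FAIL_ON", "high")
    for (rule, uri, line), sev in new_findings(sarif, baseline, fail_on):
        print(f"NEW {sev}: {rule} at {uri}:{line}")
    return gate_exit_code(sarif, baseline, fail_on)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a pipeline step after the scan (for example `python gate.py results.sarif security-baseline.json`) with BLOODHOUND_FAIL_ON set in the CI environment. With the constructed sample, a threshold of critical passes (the only critical finding is in the baseline), high fails on the new path-traversal finding, and medium fails on both new findings, which is the warn-then-block progression described above. Identity is keyed on rule, file and line, so a finding that moves a few lines will register as new; a production gate would key on a stable fingerprint if the scanner emits one.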

Cache Results

Use caching to speed up scans. Bloodhound can skip unchanged files when the cache is available.

Secure License Storage

Always store the license key in secrets management (GitHub Secrets, GitLab CI Variables, Jenkins Credentials).

Need Help?

Our team can help you set up CI/CD integration for your specific environment. Contact support@agnech.com.