CI/CD Integration
Integrate Safeguard.sh into your CI/CD pipelines for automated SBOM generation and security gates.
Overview
CI/CD integration enables:
- Automatic SBOM generation on every build
- Security gate enforcement before deployment
- Vulnerability scanning in the pipeline
- AI Remediate pull request generation
Supported Platforms
- GitHub Actions
- GitLab CI/CD
- Jenkins
- Azure DevOps
- CircleCI
- Bitbucket Pipelines
GitHub Actions
Basic SBOM Generation

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM
        uses: safeguard-sh/sbom-action@v1
        with:
          # SAFEGUARD_API_KEY is a repository or organization secret
          api-key: ${{ secrets.SAFEGUARD_API_KEY }}
```

With Security Gate
```yaml
name: Security Gate
on: [pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Security Check
        uses: safeguard-sh/gate-action@v1
        with:
          api-key: ${{ secrets.SAFEGUARD_API_KEY }}
          policy: production
          fail-on: critical
```

GitLab CI/CD
```yaml
stages:
  - security

safeguard-scan:
  stage: security
  # Pin a version tag instead of :latest for reproducible pipeline runs
  image: safeguard-sh/cli:latest
  script:
    - safeguard sbom generate --source .
    - safeguard gate check --policy production
  variables:
    # Define SAFEGUARD_API_KEY as a masked, protected CI/CD variable in the project settings
    SAFEGUARD_API_KEY: $SAFEGUARD_API_KEY
```

Jenkins
```groovy
pipeline {
    agent any
    environment {
        // 'safeguard-api-key' is a Secret text credential in the Jenkins credential store;
        // Jenkins masks it in the console log
        SAFEGUARD_API_KEY = credentials('safeguard-api-key')
    }
    stages {
        stage('Security Scan') {
            steps {
                sh 'npm install -g @safeguard-sh/cli'
                sh 'safeguard sbom generate --source .'
                sh 'safeguard gate check --policy production'
            }
        }
    }
}
```

Azure DevOps
```yaml
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - script: |
      npm install -g @safeguard-sh/cli
      safeguard sbom generate --source .
      safeguard gate check --policy production
    env:
      # Secret pipeline variables are not exposed to scripts unless mapped explicitly
      SAFEGUARD_API_KEY: $(SafeguardApiKey)
    displayName: 'Security Scan'
```

Gate Configuration
Policy Options

| Option | Description |
|---|---|
| `--fail-on critical` | Fail on critical vulnerabilities |
| `--fail-on high` | Fail on high or critical vulnerabilities |
| `--policy NAME` | Use the named policy |
| `--allow-exceptions` | Honor approved exceptions |
Output Formats

```shell
# SARIF for the GitHub Security tab
safeguard gate check --format sarif --output results.sarif

# JUnit for test reports
safeguard gate check --format junit --output results.xml
```

Writing SARIF only produces the file; a separate step in the workflow still has to upload it to GitHub code scanning for findings to appear in the Security tab.

Best Practices
- Scan on every PR - Catch issues before merge
- Block on critical - Never deploy critical vulnerabilities
- Enable AI Remediate - Let Griffin AI generate fix PRs
- Cache results - Speed up repeated scans
- Store SBOMs - Archive for compliance
Exit Codes
| Code | Description |
|---|---|
| 0 | Success, no violations |
| 1 | Policy violations found |
| 2 | Authentication error |
| 3 | Configuration error |
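As an added example, not code from the Safeguard.sh project: a POSIX sh wrapper around `safeguard gate check` that acts on the exit codes in the table above, so that an authentication or configuration error is never mistaken for a clean pass and the reason for a failure is visible in the job log rather than buried in a generic non-zero status. The `SAFEGUARD_BIN` variable and the `require_api_key`, `gate_verdict` and `run_gate` function names are this example's own; the flags it passes (`--policy`, `--fail-on`, `--format sarif`, `--output`) are the ones documented on this page.

```shell
#!/bin/sh
# Added example (not Safeguard.sh's own code): wrap `safeguard gate check`
# and turn its exit codes (0 pass, 1 violations, 2 authentication error,
# 3 configuration error) into an explicit pipeline outcome.
# SAFEGUARD_BIN is an assumption of this script: it defaults to the real
# `safeguard` CLI but lets a stub stand in for it when testing the wrapper.

# Refuse to run without a key; a missing secret would otherwise surface
# only as exit code 2 from the CLI. Returns 2 to match that category.
require_api_key() {
  if [ -z "${SAFEGUARD_API_KEY:-}" ]; then
    echo "gate: SAFEGUARD_API_KEY is not set in the CI environment" >&2
    return 2
  fi
}

# Map a gate exit code to a one-word verdict on stdout.
gate_verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "violations" ;;
    2) echo "auth-error" ;;
    3) echo "config-error" ;;
    *) echo "unknown-error" ;;
  esac
}

# Run the gate under POLICY with any extra flags (e.g. --fail-on high),
# write SARIF for the Security tab, and log what the exit code means.
# The `if` form keeps a non-zero exit from tripping `set -e` before it is
# logged; the CLI's own code is returned so the job still fails on it.
# Usage in a job step: run_gate production --fail-on high
run_gate() {
  policy="$1"
  shift
  require_api_key || return 2
  if "${SAFEGUARD_BIN:-safeguard}" gate check --policy "$policy" \
       --format sarif --output results.sarif "$@"; then
    rc=0
  else
    rc=$?
  fi
  case "$(gate_verdict "$rc")" in
    pass)         echo "gate: no violations under policy '$policy'" ;;
    violations)   echo "gate: policy '$policy' violated; see results.sarif" >&2 ;;
    auth-error)   echo "gate: authentication failed; check the SAFEGUARD_API_KEY secret" >&2 ;;
    config-error) echo "gate: configuration error; does policy '$policy' exist?" >&2 ;;
    *)            echo "gate: unexpected exit code $rc" >&2 ;;
  esac
  return "$rc"
}
```

Because the wrapper returns the CLI's own code, `--allow-exceptions` and `--fail-on` keep their documented effect; the wrapper only adds the key check and the log line, so a red job always says whether it was a policy violation or a broken scan.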