CI/CD Integration
Automate security scans in your pipeline
⚡ Quick Setup
Generate CI config for your platform:
```shell
veestack init --ci github
```

Creates .github/workflows/veestack.yml automatically.
GitHub Actions
Add to .github/workflows/veestack.yml:
```yaml
name: VeeStack Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least-privilege token: the SARIF upload needs security-events:write and the
# PR comment needs pull-requests:write; everything else stays read-only.
permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install VeeStack
        run: npm install -g @vee_stack/cli

      - name: Run Security Scan
        run: veestack scan --ci --fail-on high --output sarif --output-path ./reports
        env:
          VEESTACK_API_KEY: ${{ secrets.VEESTACK_API_KEY }}

      - name: Upload SARIF Report
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: ./reports/veestack-report.sarif

      - name: Comment PR
        uses: actions/github-script@v7
        # always() keeps this step running when the scan step failed the build,
        # which is exactly when the PR comment matters most.
        if: always() && github.event_name == 'pull_request'
        with:
          script: |
            // Assumes ./reports/veestack-report.md was produced by a
            // markdown-format scan (see Output Formats below).
            const fs = require('fs');
            const report = fs.readFileSync('./reports/veestack-report.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: report
            });
```

Note: Add VEESTACK_API_KEY to your repository secrets.
GitLab CI
Add to .gitlab-ci.yml:
```yaml
veestack_scan:
  image: node:20
  stage: test
  script:
    - npm install -g @vee_stack/cli
    - veestack scan --ci --fail-on high --output junit --output-path ./reports
  artifacts:
    # Upload the JUnit report even when the scan fails the job, so the
    # findings are visible in the merge request.
    when: always
    reports:
      junit: reports/veestack-report.junit
    expire_in: 1 week
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == "main"
```

Note: Define VEESTACK_API_KEY as a masked CI/CD variable in the project settings.

CircleCI
Add to .circleci/config.yml:
```yaml
version: 2.1

jobs:
  security-scan:
    docker:
      - image: cimg/node:20.0
    steps:
      - checkout
      - run:
          name: Install VeeStack
          command: npm install -g @vee_stack/cli
      - run:
          name: Run Security Scan
          # Write reports to ./reports so store_artifacts below picks them up.
          command: veestack scan --ci --fail-on high --output-path ./reports
      - store_artifacts:
          path: ./reports
          destination: veestack-reports

workflows:
  version: 2
  security-workflow:
    jobs:
      - security-scan:
          filters:
            branches:
              only: [main, develop]
```

Note: Set VEESTACK_API_KEY as a project environment variable.

Exit Codes
| Code | Meaning |
|---|---|
| 0 | Scan passed (no issues above threshold) |
| 1 | Scan failed (issues found above threshold) |
| 2 | Configuration error |
| 3 | Authentication error |
Failure Thresholds
| Flag | Behaviour |
|---|---|
| `--fail-on critical` | Exit 1 only on CRITICAL findings |
| `--fail-on high` | Exit 1 on HIGH or CRITICAL findings |
| `--fail-on medium` | Exit 1 on MEDIUM, HIGH, or CRITICAL findings |
| `--fail-on low` | Exit 1 on any finding |
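The exit-code table and the `--fail-on` thresholds together decide whether a job is blocked. The easy mistake in a pipeline is to treat every non-zero exit as "findings", or to append `|| true` while a scan is being introduced and thereby swallow exit 2 and 3 as well, so that a missing API key (common on pull requests from forks, where secrets are not exposed) looks like a clean run. The wrapper below is an added example, not VeeStack's own code: it maps the documented exit codes onto a pipeline verdict, lets findings be downgraded to advisory while the scan is being rolled out, and never downgrades configuration or authentication errors. The scan command is passed as arguments so it can be exercised with a stub; the `--output markdown` form in the usage comment is assumed from the Output Formats table.

```shell
#!/bin/sh
# Added example (not VeeStack's own code): maps the documented exit codes
# 0/1/2/3 onto pipeline decisions so that a scan that did not run can never
# be mistaken for a scan that passed.

# classify_exit CODE
# Prints a one-line explanation and returns the pipeline verdict:
#   0 = pass, 1 = findings at/above threshold, 2 = pipeline error.
classify_exit() {
  case "$1" in
    0) echo "pass: no findings above the --fail-on threshold"; return 0 ;;
    1) echo "fail: findings at or above the --fail-on threshold"; return 1 ;;
    2) echo "error: configuration problem, fix the pipeline config"; return 2 ;;
    3) echo "error: authentication failed, check VEESTACK_API_KEY"; return 2 ;;
    *) echo "error: unexpected exit code $1 from the scanner"; return 2 ;;
  esac
}

# run_gated_scan ADVISORY CMD [ARGS...]
# Runs the scan command. With ADVISORY=1, findings (exit 1) are reported
# but do not block the job; exit codes 2 and 3 are never downgraded.
run_gated_scan() {
  advisory="$1"
  shift
  "$@" && code=0 || code=$?
  classify_exit "$code" && verdict=0 || verdict=$?
  if [ "$verdict" -eq 1 ] && [ "$advisory" = "1" ]; then
    echo "advisory mode: findings reported, job not blocked"
    return 0
  fi
  return "$verdict"
}

# Usage in a CI step (blocking on main, advisory on feature branches):
#   run_gated_scan 0 veestack scan --ci --fail-on high --output sarif --output-path ./reports
#   run_gated_scan 1 veestack scan --ci --fail-on medium --output markdown --output-path ./reports
```

Because the wrapper returns 2 for both configuration and authentication failures, a job using it fails with a distinct message instead of silently reporting green; the advisory flag only ever relaxes exit 1, which is the one outcome where the scanner actually ran to completion.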
Output Formats
| Format | Use Case |
|---|---|
| sarif | GitHub Code Scanning |
| junit | GitLab, Jenkins |
| json | Custom processing |
| markdown | PR comments |
| html | Human-readable reports |