CI/CD Integration

Azure Pipelines

Add Redactyl to your Azure DevOps pipelines

Basic Pipeline

Add to azure-pipelines.yml:

trigger:
  - main

# Hosted agent image the steps below run on.
pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: GoTool@0
    inputs:
      version: '1.21'

  # NOTE(review): `@latest` resolves to whatever the module proxy serves at run
  # time, so the scanner build is neither reproducible nor reviewable; pin a
  # released tag (e.g. redactyl@v<pinned-version>) and bump it deliberately.
  # The SARIF report is written into the artifact staging directory so the
  # publish task below can pick it up.
  - script: |
      go install github.com/redactyl/redactyl@latest
      redactyl scan --sarif > $(Build.ArtifactStagingDirectory)/redactyl.sarif.json
    displayName: 'Run Redactyl scan'

  # Retains the SARIF file as a build artifact named SecurityScans.
  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)/redactyl.sarif.json'
      artifactName: 'SecurityScans'

Container Scanning

Scan images built in your pipeline:

stages:
  - stage: Build
    jobs:
      - job: BuildImage
        steps:
          # Builds the image from ./Dockerfile and tags it <repo name>:<build id>.
          - task: Docker@2
            inputs:
              command: build
              dockerfile: Dockerfile
              tags: |
                $(Build.Repository.Name):$(Build.BuildId)

          # Exports the freshly built image to a tarball on the agent; this is
          # the file the scanner reads in the next step.
          - script: |
              docker save $(Build.Repository.Name):$(Build.BuildId) > image.tar
            displayName: 'Save image'

          # NOTE(review): pin a released tag (redactyl@v<pinned-version>) rather
          # than `@latest` so every build scans with a reviewed scanner version.
          - script: |
              go install github.com/redactyl/redactyl@latest
              redactyl scan image.tar --sarif > redactyl.sarif.json
            displayName: 'Scan image'

          # Same artifact name as the basic pipeline, so reports land in one place.
          - task: PublishBuildArtifacts@1
            inputs:
              pathToPublish: redactyl.sarif.json
              artifactName: 'SecurityScans'

Pull Request Validation

# No CI trigger on push: this pipeline only runs for pull requests.
trigger: none

# Runs for pull requests that target main.
pr:
  branches:
    include:
      - main

steps:
  # NOTE(review): whether findings fail the PR check depends on the scanner's
  # exit code, which this page does not document — confirm before relying on it
  # as a merge gate. `--no-tui` presumably disables interactive output for the
  # non-interactive agent. Pin a released tag rather than `@latest`.
  - script: |
      go install github.com/redactyl/redactyl@latest
      redactyl scan --no-tui
    displayName: 'Redactyl PR scan'

Template Usage

Create a reusable template:

# templates/redactyl-scan.yml
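# Reusable scan template. Callers pass `severity` (string) and `scanHelm`
# (boolean); both have defaults so the template can be included with no
# parameters at all.
parameters:
  - name: severity
    type: string
    default: 'high'
  - name: scanHelm
    type: boolean
    default: false

steps:
  # NOTE(review): pin a released tag (redactyl@v<pinned-version>) rather than
  # `@latest` so every consumer of this template runs a reviewed scanner build.
  - script: go install github.com/redactyl/redactyl@latest
    displayName: 'Install Redactyl'

  # The optional --helm switch is chosen at template-expansion time and handed
  # to the script through HELM_FLAG. Azure Pipelines evaluates `${{ if }}` as a
  # conditional insertion on a mapping key; an inline
  # `${{ if ... }}--helm${{ endif }}` inside a string does not appear to be
  # supported and risks reaching the shell as literal text. HELM_FLAG is left
  # unquoted on purpose so an empty value expands to no argument; severity is
  # quoted so an unusual value cannot split into extra arguments.
  - script: |
      redactyl scan \
        --severity "${{ parameters.severity }}" \
        $HELM_FLAG \
        --sarif > redactyl.sarif.json
    displayName: 'Run Redactyl'
    env:
      ${{ if eq(parameters.scanHelm, true) }}:
        HELM_FLAG: '--helm'
      ${{ else }}:
        HELM_FLAG: ''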

Use the template:

steps:
  # Includes the template above; the values given here override the template's
  # defaults ('high' and false).
  - template: templates/redactyl-scan.yml
    parameters:
      severity: medium
      scanHelm: true

Helm Chart Scanning

# Scans the charts under ./charts and writes machine-readable findings to
# helm-findings.json (publish it as an artifact if it must outlive the agent).
# NOTE(review): pin a released tag rather than `@latest`.
- script: |
    go install github.com/redactyl/redactyl@latest
    redactyl scan --helm ./charts --json > helm-findings.json
  displayName: 'Scan Helm charts'

Variable Groups

Store configuration in variable groups:

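# Links the RedactylConfig variable group; REDACTYL_SEVERITY and
# REDACTYL_BASELINE are expected to be defined there.
variables:
  - group: RedactylConfig

steps:
  # Install step added for consistency with the other examples on this page;
  # without it `redactyl` is not on the agent. Pin a released tag
  # (redactyl@v<pinned-version>) rather than `@latest` in real pipelines.
  - script: go install github.com/redactyl/redactyl@latest
    displayName: 'Install Redactyl'

  # `$(NAME)` macros are expanded by the pipeline before the shell runs. If a
  # variable is missing from the group, the `$(...)` text is left as-is and the
  # shell then treats it as a command substitution, so check the group contents
  # when the scan step fails with an unexpected "command not found".
  - script: |
      redactyl scan \
        --severity $(REDACTYL_SEVERITY) \
        --baseline $(REDACTYL_BASELINE)
    displayName: 'Redactyl scan'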

Multi-Stage Pipeline

stages:
  # Secret scan runs first, as its own stage.
  - stage: Scan
    jobs:
      - job: SecretScan
        steps:
          # NOTE(review): pin a released tag rather than `@latest`. Whether a
          # finding fails this step (and so blocks Build) depends on the
          # scanner's exit code, which this page does not document — confirm.
          - script: |
              go install github.com/redactyl/redactyl@latest
              redactyl scan --no-tui
            displayName: 'Redactyl scan'

  # Build is ordered after Scan and runs only if Scan succeeded; succeeded() is
  # also the default condition for a dependent stage, so it is spelled out here
  # for clarity rather than necessity.
  - stage: Build
    dependsOn: Scan
    condition: succeeded()
    jobs:
      - job: BuildApp
        steps:
          - script: echo "Building..."

Scheduled Scans

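schedules:
  # Runs at 00:00 every day (scheduled triggers are evaluated in UTC) on main.
  - cron: '0 0 * * *'
    displayName: 'Nightly scan'
    branches:
      include:
        - main
    # A scheduled run is otherwise skipped when the branch has not changed since
    # the last scheduled run; a security scan should run regardless so new
    # scanner rules are applied to unchanged code.
    always: true

stages:
  - stage: NightlyScan
    jobs:
      - job: FullScan
        steps:
          # NOTE(review): pin a released tag (redactyl@v<pinned-version>) rather
          # than `@latest` so nightly results are comparable run to run.
          - script: |
              go install github.com/redactyl/redactyl@latest
              redactyl scan --deep --json > findings.json
            displayName: 'Redactyl deep scan'

          # findings.json was written but never retained; publish it the same
          # way the other examples do so results survive agent cleanup.
          - task: PublishBuildArtifacts@1
            inputs:
              pathToPublish: findings.json
              artifactName: 'SecurityScans'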