CI/CD Integration

GitLab CI

Add Redactyl to your GitLab CI/CD pipelines.

Basic Pipeline

Add to .gitlab-ci.yml:

stages:
  - scan

redactyl:
  stage: scan
  image: golang:1.21
  script:
    - go install github.com/redactyl/redactyl@latest
    - redactyl scan --json > redactyl-findings.json
  artifacts:
    # keep the findings file even when the scan exits non-zero on findings
    when: always
    paths:
      - redactyl-findings.json

SAST Report Integration

GitLab ingests security findings through its SAST report artifact:

redactyl:
  stage: scan
  image: golang:1.21
  script:
    - go install github.com/redactyl/redactyl@latest
    - redactyl scan --sarif > gl-sast-report.json
  artifacts:
    # without when: always the report is dropped whenever the job fails on findings
    when: always
    reports:
      sast: gl-sast-report.json
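GitLab validates a `reports: sast:` artifact against its own security-report JSON schema rather than SARIF, so check that the uploaded file is actually accepted before relying on it in merge request widgets. The converter below is an added example, not part of Redactyl; it assumes `--sarif` emits standard SARIF 2.1.0 and that schema version `15.0.0` with the field set shown is current, so validate its output against GitLab's published schema before use.

```python
import hashlib
import json
import sys
from datetime import datetime, timezone

# SARIF result levels mapped onto the severities GitLab accepts
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}

def sarif_to_gitlab_sast(sarif: dict, scanner_id: str = "redactyl", version: str = "0.0.0") -> dict:
    """Translate a SARIF 2.1.0 log into GitLab's SAST report shape (schema 15.x assumed)."""
    vulns = []
    for run in sarif.get("runs", []):
        # rule metadata lives on the driver; index it by id so each result can pull its title
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            path = phys.get("artifactLocation", {}).get("uri", "")
            line = phys.get("region", {}).get("startLine", 0)
            rule_id = res.get("ruleId", "unknown")
            title = rules.get(rule_id, {}).get("shortDescription", {}).get("text", rule_id)
            # stable id so GitLab can track a finding across pipelines; hash the location, never the secret
            fid = hashlib.sha256(f"{rule_id}:{path}:{line}".encode()).hexdigest()
            vulns.append({
                "id": fid,
                "category": "sast",
                "name": title,
                "description": res.get("message", {}).get("text", ""),
                "severity": LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "Unknown"),
                "scanner": {"id": scanner_id, "name": scanner_id},
                "location": {"file": path, "start_line": line},
                "identifiers": [{"type": f"{scanner_id}_rule_id", "name": rule_id, "value": rule_id}],
            })
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    tool = {"id": scanner_id, "name": scanner_id, "version": version, "vendor": {"name": scanner_id}}
    return {"version": "15.0.0", "vulnerabilities": vulns,
            "scan": {"analyzer": tool, "scanner": tool, "type": "sast",
                     "start_time": now, "end_time": now, "status": "success"}}

# Constructed SARIF fragment standing in for `redactyl scan --sarif` output (not real tool output)
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "redactyl", "rules": [
        {"id": "aws-access-key", "shortDescription": {"text": "AWS access key ID"}}]}},
    "results": [{"ruleId": "aws-access-key", "level": "error",
                 "message": {"text": "Possible AWS access key ID in config"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy/values.yaml"},
                                                     "region": {"startLine": 12}}}]}]}]}

if __name__ == "__main__":  # usage: python sarif_to_gl.py < redactyl.sarif > gl-sast-report.json
    src = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SARIF
    json.dump(sarif_to_gitlab_sast(src), sys.stdout, indent=2)
```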

Container Scanning

Scan images in your pipeline:

stages:
  - build
  - scan

build:
  stage: build
  script:
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

scan-image:
  stage: scan
  image: golang:1.21
  services:
    - docker:dind
  variables:
    DOCKER_HOST: tcp://docker:2375
    # the dind service enables TLS on 2376 by default; clear this to expose the plain 2375 endpoint
    # used above (traffic stays on the job's private service network)
    DOCKER_TLS_CERTDIR: ""
  before_script:
    # the golang image ships no docker CLI; install it or use an image that has both
    - apt-get update && apt-get install -y docker.io
  script:
    - go install github.com/redactyl/redactyl@latest
    - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - docker save $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA > image.tar
    - redactyl scan image.tar --json > findings.json
  artifacts:
    when: always
    paths:
      - findings.json

Merge Request Scanning

Only scan on merge requests:

redactyl:
  stage: scan
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - go install github.com/redactyl/redactyl@latest
    - redactyl scan --no-tui

Helm Chart Scanning

scan-helm:
  stage: scan
  script:
    - go install github.com/redactyl/redactyl@latest
    - redactyl scan --helm ./charts --json > helm-findings.json
  artifacts:
    paths:
      - helm-findings.json

Scheduled Pipelines

redactyl-scheduled:
  stage: scan
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script:
    - go install github.com/redactyl/redactyl@latest
    - redactyl scan --deep --json > findings.json
  artifacts:
    paths:
      - findings.json

Using Variables

variables:
  REDACTYL_SEVERITY: high
  REDACTYL_BASELINE: .redactyl-baseline.json

redactyl:
  script:
    - redactyl scan --severity $REDACTYL_SEVERITY --baseline $REDACTYL_BASELINE

Cache Go Modules

Speed up pipelines:

redactyl:
  cache:
    key: go-modules
    paths:
      - .go/pkg/mod
  variables:
    GOPATH: $CI_PROJECT_DIR/.go
  script:
    - go install github.com/redactyl/redactyl@latest
    # go install places the binary in $GOPATH/bin, which is not on PATH once GOPATH is relocated
    - export PATH=$GOPATH/bin:$PATH
    - redactyl scan --no-tui

Allow Failure

Let the pipeline continue when findings fail the job (the job is still marked with a warning):

redactyl:
  script:
    - redactyl scan --no-tui
  allow_failure: true