دليل عام
Embed Trivy, Semgrep, TruffleHog, and Syft into every commit with a single workflow file. Works with GitHub Actions, GitLab CI, and Bitbucket Pipelines. الجمهور: DevOps engineers, platform engineers, and security engineers. وقت الإعداد المعتاد: 2 minutes.
Embed Trivy, Semgrep, TruffleHog, and Syft into every commit with a single workflow file. Works with GitHub Actions, GitLab CI, and Bitbucket Pipelines.
Start here
الخطوة 1
Generate a scoped key for the pipeline scanner and store it in your CI secret manager.
What success looks like
Add BLACKSHIELD_API_KEY as a masked CI secret and BLACKSHIELD_API_URL as a CI variable.
الخطوة 2
Drop one file into your repository. The matrix strategy runs all four scanners in parallel.
What success looks like
The optional gate job blocks PR merges when critical findings are open.
الخطوة 3
Confirm findings appear in the platform, then roll out to more repositories.
What success looks like
For GitLab: copy .gitlab-ci.yml snippet; for Bitbucket: copy bitbucket-pipelines.yml snippet.
Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.
Writes `.github/workflows/security-scan.yml` into the current repository so the pipeline scanner can run immediately.
BLACKSHIELD_PIPELINE_IMAGE=public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0 \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/github-security-scan.sh)Writes `.gitlab-ci.yml` into the current repository with the four scanner jobs, schedule support, and the current platform API URL prefilled.
BLACKSHIELD_PIPELINE_IMAGE=public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gitlab-ci.sh)name: Security Scan
on:
push:
branches: [main, develop]
pull_request:
jobs:
pipeline-scan:
name: "${{ matrix.tool }}"
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
tool: [trivy, semgrep, trufflehog, syft]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: ${{ matrix.tool == 'trufflehog' && 0 || 1 }}
- name: "Run ${{ matrix.tool }}"
run: |
docker run --rm \
-e BLACKSHIELD_API_URL="${{ vars.BLACKSHIELD_API_URL }}" \
-e BLACKSHIELD_API_KEY="${{ secrets.BLACKSHIELD_API_KEY }}" \
-e SCAN_TOOL="${{ matrix.tool }}" \
-e SCAN_TARGET="/workspace" \
-e REPOSITORY_NAME="${{ github.repository }}" \
-e SCAN_INTERVAL_SECONDS="0" \
-v "${{ github.workspace }}:/workspace:ro" \
public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0variables:
BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
# BLACKSHIELD_API_KEY: set in CI/CD → Variables (masked)
.scanner-base: &scanner-base
stage: security
image: public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0
script: [python -m pipeline.entrypoint]
variables:
SCAN_TARGET: "$CI_PROJECT_DIR"
REPOSITORY_NAME: "$CI_PROJECT_PATH"
SCAN_INTERVAL_SECONDS: "0"
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_PIPELINE_SOURCE == "schedule"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
scan:trivy: { <<: *scanner-base, variables: { SCAN_TOOL: trivy } }
scan:semgrep: { <<: *scanner-base, variables: { SCAN_TOOL: semgrep } }
scan:syft: { <<: *scanner-base, variables: { SCAN_TOOL: syft } }
scan:trufflehog:
<<: *scanner-base
before_script: [git fetch --unshallow || true]
variables: { SCAN_TOOL: trufflehog }docker run --rm \
-e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
-e BLACKSHIELD_API_KEY=sp_xxxx \
-e SCAN_TOOL=trivy \
-e SCAN_TARGET=/workspace \
-e SCAN_INTERVAL_SECONDS=0 \
-v "$(pwd):/workspace:ro" \
public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0Keep your rollout moving with the next recommended step.
استيعاب أولى النتائج