Guía pública
Embed Trivy, Semgrep, TruffleHog, and Syft into every commit with a single workflow file. Works with GitHub Actions, GitLab CI, and Bitbucket Pipelines. Audiencia: DevOps engineers, platform engineers, and security engineers. Tiempo típico de configuración: 2 minutes.
Embed Trivy, Semgrep, TruffleHog, and Syft into every commit with a single workflow file. Works with GitHub Actions, GitLab CI, and Bitbucket Pipelines.
Empieza aquí
Paso 1
Generate a scoped key for the pipeline scanner and store it in your CI secret manager.
Cómo se ve el éxito
Add BLACKSHIELD_API_KEY as a masked CI secret and BLACKSHIELD_API_URL as a CI variable.
Paso 2
Drop one file into your repository. The matrix strategy runs all four scanners in parallel.
Cómo se ve el éxito
The optional gate job blocks PR merges when critical findings are open.
Paso 3
Confirm findings appear in the platform, then roll out to more repositories.
Cómo se ve el éxito
For GitLab: copy .gitlab-ci.yml snippet; for Bitbucket: copy bitbucket-pipelines.yml snippet.
Descarga los archivos exactos usados en esta guía o ejecuta el instalador de un solo comando para escribirlos localmente antes del despliegue.
Writes `.github/workflows/security-scan.yml` into the current repository so the pipeline scanner can run immediately.
BLACKSHIELD_PIPELINE_IMAGE=public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0 \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/github-security-scan.sh)Writes `.gitlab-ci.yml` into the current repository with the four scanner jobs, schedule support, and the current platform API URL prefilled.
BLACKSHIELD_PIPELINE_IMAGE=public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gitlab-ci.sh)name: Security Scan
on:
push:
branches: [main, develop]
pull_request:
jobs:
pipeline-scan:
name: "${{ matrix.tool }}"
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
tool: [trivy, semgrep, trufflehog, syft]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: ${{ matrix.tool == 'trufflehog' && 0 || 1 }}
- name: "Run ${{ matrix.tool }}"
run: |
docker run --rm \
-e BLACKSHIELD_API_URL="${{ vars.BLACKSHIELD_API_URL }}" \
-e BLACKSHIELD_API_KEY="${{ secrets.BLACKSHIELD_API_KEY }}" \
-e SCAN_TOOL="${{ matrix.tool }}" \
-e SCAN_TARGET="/workspace" \
-e REPOSITORY_NAME="${{ github.repository }}" \
-e SCAN_INTERVAL_SECONDS="0" \
-v "${{ github.workspace }}:/workspace:ro" \
public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0variables:
BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
# BLACKSHIELD_API_KEY: set in CI/CD → Variables (masked)
.scanner-base: &scanner-base
stage: security
image: public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0
script: [python -m pipeline.entrypoint]
variables:
SCAN_TARGET: "$CI_PROJECT_DIR"
REPOSITORY_NAME: "$CI_PROJECT_PATH"
SCAN_INTERVAL_SECONDS: "0"
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_PIPELINE_SOURCE == "schedule"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
scan:trivy: { <<: *scanner-base, variables: { SCAN_TOOL: trivy } }
scan:semgrep: { <<: *scanner-base, variables: { SCAN_TOOL: semgrep } }
scan:syft: { <<: *scanner-base, variables: { SCAN_TOOL: syft } }
scan:trufflehog:
<<: *scanner-base
before_script: [git fetch --unshallow || true]
variables: { SCAN_TOOL: trufflehog }docker run --rm \
-e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
-e BLACKSHIELD_API_KEY=sp_xxxx \
-e SCAN_TOOL=trivy \
-e SCAN_TARGET=/workspace \
-e SCAN_INTERVAL_SECONDS=0 \
-v "$(pwd):/workspace:ro" \
public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0Keep your rollout moving with the next recommended step.
Ingiere tus primeros hallazgos