Guia público
Embed Trivy, Semgrep, TruffleHog, and Syft into every commit with a single workflow file. Works with GitHub Actions, GitLab CI, and Bitbucket Pipelines. Público: DevOps engineers, platform engineers, and security engineers. Tempo típico de configuração: 2 minutes.
Embed Trivy, Semgrep, TruffleHog, and Syft into every commit with a single workflow file. Works with GitHub Actions, GitLab CI, and Bitbucket Pipelines.
Comece aqui
Passo 1
Generate a scoped key for the pipeline scanner and store it in your CI secret manager.
Como é o sucesso
Add BLACKSHIELD_API_KEY as a masked CI secret and BLACKSHIELD_API_URL as a CI variable.
Passo 2
Drop one file into your repository. The matrix strategy runs all four scanners in parallel.
Como é o sucesso
The optional gate job blocks PR merges when critical findings are open.
Passo 3
Confirm findings appear in the platform, then roll out to more repositories.
Como é o sucesso
For GitLab: copy .gitlab-ci.yml snippet; for Bitbucket: copy bitbucket-pipelines.yml snippet.
Descarrega os ficheiros exatos usados neste guia ou executa o instalador de um só comando para os escrever localmente antes do deploy.
Writes `.github/workflows/security-scan.yml` into the current repository so the pipeline scanner can run immediately.
BLACKSHIELD_PIPELINE_IMAGE=public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0 \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/github-security-scan.sh)Writes `.gitlab-ci.yml` into the current repository with the four scanner jobs, schedule support, and the current platform API URL prefilled.
BLACKSHIELD_PIPELINE_IMAGE=public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0 \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gitlab-ci.sh)name: Security Scan
on:
push:
branches: [main, develop]
pull_request:
jobs:
pipeline-scan:
name: "${{ matrix.tool }}"
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
tool: [trivy, semgrep, trufflehog, syft]
steps:
- uses: actions/checkout@v4
with:
fetch-depth: ${{ matrix.tool == 'trufflehog' && 0 || 1 }}
- name: "Run ${{ matrix.tool }}"
run: |
docker run --rm \
-e BLACKSHIELD_API_URL="${{ vars.BLACKSHIELD_API_URL }}" \
-e BLACKSHIELD_API_KEY="${{ secrets.BLACKSHIELD_API_KEY }}" \
-e SCAN_TOOL="${{ matrix.tool }}" \
-e SCAN_TARGET="/workspace" \
-e REPOSITORY_NAME="${{ github.repository }}" \
-e SCAN_INTERVAL_SECONDS="0" \
-v "${{ github.workspace }}:/workspace:ro" \
public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0variables:
BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
# BLACKSHIELD_API_KEY: set in CI/CD → Variables (masked)
.scanner-base: &scanner-base
stage: security
image: public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0
script: [python -m pipeline.entrypoint]
variables:
SCAN_TARGET: "$CI_PROJECT_DIR"
REPOSITORY_NAME: "$CI_PROJECT_PATH"
SCAN_INTERVAL_SECONDS: "0"
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_PIPELINE_SOURCE == "schedule"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
scan:trivy: { <<: *scanner-base, variables: { SCAN_TOOL: trivy } }
scan:semgrep: { <<: *scanner-base, variables: { SCAN_TOOL: semgrep } }
scan:syft: { <<: *scanner-base, variables: { SCAN_TOOL: syft } }
scan:trufflehog:
<<: *scanner-base
before_script: [git fetch --unshallow || true]
variables: { SCAN_TOOL: trufflehog }docker run --rm \
-e BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
-e BLACKSHIELD_API_KEY=sp_xxxx \
-e SCAN_TOOL=trivy \
-e SCAN_TARGET=/workspace \
-e SCAN_INTERVAL_SECONDS=0 \
-v "$(pwd):/workspace:ro" \
public.ecr.aws/blackshield-security/pipeline-scanner:1.0.0Keep your rollout moving with the next recommended step.
Ingira seus primeiros achados