CI/CD Integration

Integrating Gerion into your CI/CD ensures every commit is automatically analyzed before reaching production. Gerion CLI runs as a Docker container, making it compatible with any system that can run containers.

Required variables

On any platform, you need to configure these two secret variables:

Variable	Where to set it	Description
`GERION_API_URL`	Environment variable / pipeline variable	Base URL of your Gerion API Gateway
`GERION_API_KEY`	Secret (never as a public variable)	M2M API key for your organization

Docker image

ghcr.io/gerion-appsec/gerion-cli:latest

Available commands

Command	Description
`gerion scan-all`	Runs all four scanners in sequence (recommended)
`gerion secrets-scan`	Hardcoded credentials and secrets only
`gerion sca-scan`	Vulnerable dependencies only
`gerion iac-scan`	Infrastructure configuration only
`gerion sast-scan`	Static code analysis only
`gerion report`	Generates a report from findings stored in the API

Output modes

The CLI prioritizes the output destination in this order:

--output-file → saves to file (no API call, no console table)
--format → prints format to stdout
GERION_API_URL + GERION_API_KEY → sends findings to the Gerion API
No options → Rich table in console

Automatic metadata detection

Gerion CLI automatically detects the CI/CD environment and extracts repository name, branch, commit, and build ID from each platform’s native environment variables. You don’t need to configure these variables manually in GitHub Actions, GitLab CI, or Jenkins.

For other platforms, use explicit overrides:

GERION_REPO_NAME="my-repo"
GERION_BRANCH_NAME="main"
GERION_COMMIT_HASH="abc123..."
GERION_BUILD_ID="42"

Exit codes

Code	Meaning
`0`	Scan completed (findings may exist)
`1`	Execution error (tool failure, timeout, missing dependency)

The CLI always returns 0 even when vulnerabilities are found. To block the pipeline based on findings, use the report command to parse results and apply your own quality gates.