CircleCI
Prerequisites
Add the variables in Project Settings → Environment Variables of your project:
| Variable | Description |
|---|---|
| `GERION_API_URL` | Gerion API Gateway URL |
| `GERION_API_KEY` | M2M API key for your organization |
To share credentials across your organization, create a Context in Organization Settings → Contexts and reference it in the workflow with `context: gerion`.
Full config
Copy this content to `.circleci/config.yml`:

```yaml
version: 2.1

executors:
  docker-executor:
    docker:
      - image: cimg/base:stable
    resource_class: medium

commands:
  gerion_scan:
    description: Run a Gerion security scan
    parameters:
      scan_type:
        type: enum
        enum: [all, secrets, sca, iac, sast]
        default: all
      output_format:
        type: string
        default: ""
      output_file:
        type: string
        default: ""
    steps:
      - run:
          name: Run Gerion << parameters.scan_type >> scan
          command: |
            case "<< parameters.scan_type >>" in
              all)     CMD="scan-all" ;;
              secrets) CMD="secrets-scan" ;;
              sca)     CMD="sca-scan" ;;
              iac)     CMD="iac-scan" ;;
              sast)    CMD="sast-scan" ;;
            esac

            EXTRA=""
            [ -n "<< parameters.output_format >>" ] && EXTRA="$EXTRA --format << parameters.output_format >>"
            [ -n "<< parameters.output_file >>" ] && EXTRA="$EXTRA --output-file /code/<< parameters.output_file >>"

            docker run --rm \
              -v "$PWD:/code" \
              -e GERION_API_URL="${GERION_API_URL}" \
              -e GERION_API_KEY="${GERION_API_KEY}" \
              -e GERION_REPO_NAME="${CIRCLE_PROJECT_REPONAME}" \
              -e GERION_BRANCH_NAME="${CIRCLE_BRANCH}" \
              -e GERION_COMMIT_HASH="${CIRCLE_SHA1}" \
              -e GERION_BUILD_ID="${CIRCLE_BUILD_NUM}" \
              ghcr.io/gerion-appsec/gerion-cli:latest \
              "$CMD" /code $EXTRA

jobs:
  gerion-scan:
    executor: docker-executor
    steps:
      - checkout
      - setup_remote_docker:
          docker_layer_caching: true
      - gerion_scan:
          scan_type: all

  gerion-scan-json:
    executor: docker-executor
    steps:
      - checkout
      - setup_remote_docker:
          docker_layer_caching: true
      - gerion_scan:
          scan_type: all
          output_format: json
          output_file: gerion-results.json
      - store_artifacts:
          path: gerion-results.json
          destination: gerion-results.json

  gerion-nightly:
    executor: docker-executor
    steps:
      - checkout
      - setup_remote_docker:
          docker_layer_caching: true
      - gerion_scan:
          scan_type: all
      - run:
          name: Generate PDF report
          command: |
            docker run --rm \
              -v "$PWD:/code" \
              -e GERION_API_URL="${GERION_API_URL}" \
              -e GERION_API_KEY="${GERION_API_KEY}" \
              -e GERION_REPO_NAME="${CIRCLE_PROJECT_REPONAME}" \
              -e GERION_BRANCH_NAME="${CIRCLE_BRANCH}" \
              ghcr.io/gerion-appsec/gerion-cli:latest \
              gerion report \
                --format pdf \
                --output-file /code/gerion-report.pdf \
                --severity HIGH \
                --active-only
      - store_artifacts:
          path: gerion-report.pdf
          destination: gerion-report.pdf

workflows:
  security-scan:
    jobs:
      - gerion-scan:
          context: gerion  # Remove if using project-level env vars
          filters:
            branches:
              only:
                - main
                - master
                - develop
                - /feature\/.*/

  nightly:
    triggers:
      - schedule:
          cron: "0 2 * * *"
          filters:
            branches:
              only: [main]
    jobs:
      - gerion-nightly:
          context: gerion
```

Notes
- CircleCI has no native SARIF support. Use JSON output as an artifact or send results to the Gerion API.
- Gerion CLI does not automatically detect CircleCI variables. The config maps them explicitly from `CIRCLE_PROJECT_REPONAME`, `CIRCLE_BRANCH`, `CIRCLE_SHA1`, and `CIRCLE_BUILD_NUM`.
- If you use an organization context, make sure the project is authorized to access it; otherwise the `GERION_*` variables are empty inside the job.
- The config pulls `ghcr.io/gerion-appsec/gerion-cli:latest`. For reproducible scans, pin a specific tag or image digest instead of `latest`.
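The two notes above (explicit variable mapping, and a project that is not authorized for the context) are easiest to handle with a pre-flight `run` step before `gerion_scan`. The script below is an added example, not part of the Gerion project or the config above; the function names are hypothetical, and only the variable names come from this page.

```shell
#!/bin/sh
# Added example (not Gerion's code): fail fast when the Gerion credentials are
# absent, which is what an unauthorized context looks like from inside the job,
# and perform the same CIRCLE_* -> GERION_* mapping the config does, so a scan
# never starts without credentials or commit metadata.

# Return 0 if every named variable is set and non-empty; otherwise list the
# missing names (never their values) on stderr and return 1.
require_vars() {
  missing=""
  for name in "$@"; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "gerion preflight: missing required variables:$missing" >&2
    echo "hint: if the job uses a context, check the project is authorized for it" >&2
    return 1
  fi
}

# Check the credentials and that the M2M key will only travel over TLS.
gerion_preflight() {
  require_vars GERION_API_URL GERION_API_KEY || return 1
  case "$GERION_API_URL" in
    https://*) ;;
    *) echo "gerion preflight: GERION_API_URL must be an https:// URL" >&2; return 1 ;;
  esac
}

# Export the Gerion metadata variables from CircleCI's built-in ones. Once
# exported, the docker command can pass them by name only (e.g.
# `-e GERION_REPO_NAME`) instead of repeating each value on the command line.
gerion_export_ci_metadata() {
  require_vars CIRCLE_PROJECT_REPONAME CIRCLE_BRANCH CIRCLE_SHA1 CIRCLE_BUILD_NUM || return 1
  export GERION_REPO_NAME="$CIRCLE_PROJECT_REPONAME"
  export GERION_BRANCH_NAME="$CIRCLE_BRANCH"
  export GERION_COMMIT_HASH="$CIRCLE_SHA1"
  export GERION_BUILD_ID="$CIRCLE_BUILD_NUM"
}
```

In a `run` step, call `gerion_preflight && gerion_export_ci_metadata` so the job fails before the scanner is pulled or started.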