Skip to main content
Our CI integration provides both infra and code scans, to help you identify vulnerabilities before they reach production.

Using Github Actions

To make it easier for organizations using Github, we created a Github Action that can be easily integrated in your pipelines. By default, the action will launch a differential scan (only returning new vulnerabilities) when triggered by a pull request event. If you want to disable this behavior and always return all vulnerabilities, you can set the diff-scan input to false. 
  
  code-security-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Scan
        uses: SymbioticSec/actions/scan@v0.4.0
        with:
          scan-type: infra
          api-token: ${{ secrets.SYMBIOTIC_API_TOKEN }}
          diff-scan: true
To run the differential scan, the action must be triggered by a pull request event. To do that, make sure to add the following to your workflow triggers:
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
Don’t forget to retrieve your organization token and to set it as a secret in your Github setttings.

Using our CLI

If you are not using Github you can still use our cli in your pipelines :
1

Install our CLI

      curl -sSL https://github.com/SymbioticSec/cli/releases/latest/download/install.sh | bash
      echo 'export PATH="$HOME/.local/bin:$PATH"'
We advise you to set SYMBIOTIC_API_TOKEN as an environment variable in your pipeline. You can create or retrieve this token here.
2

Launch our CLI

  symbiotic-cli ci infra ./ --skip-upload-results
You can override the severity threshold defined in the configuration file using the severity-threshold option.Ex: symbiotic-cli ci infra ./ --severity-threshold high
As of today scans must be launched on the root folder to correctly take into account the configuration file
If you want your detected vulnerabilities to be uploaded to Symbiotic’s backend to benefit from the dashboard, detailed reports, remediation suggestions and more: you need to provide information about your git repository to the command.See the example below :
  symbiotic-cli ci infra ./ \
    --git-remote-url <your repository remote url> \
    --git-first-commit-sha <your repository first commit sha> \
    --git-latest-commit-sha <the scanned branch latest commit sha> \
    --git-default-branch <your repository default branch> \
    --git-current-branch <the scanned branch>

stages:
  - test

test-full-script:
  stage: test
  image: ubuntu:latest

  before_script:
    - apt-get update && apt-get install -y curl bash git unzip
    - curl -sSL https://github.com/SymbioticSec/cli/releases/latest/download/install.sh | bash
    - export "PATH=$HOME/.local/bin:$PATH"

  script:
    - symbiotic-cli ci code ./ --skip-upload-results
  rules:
    - if: '$CI_COMMIT_BRANCH'

Configuration

You can configure what makes the CI fail using our configuration file.
If there is no configuration file in the repository or if this configuration file has no blocking property, the CI will pass by default.