Documentation
CI/CD Integration
Use QODRYX in your automated pipelines
Overview
Integrate QODRYX into your CI/CD pipelines to automate security scanning, code review, and deployments. The CLI is designed to work seamlessly in automated environments.
Authentication in CI/CD
For CI/CD environments, use API keys or Personal Access Tokens instead of interactive login:
# Set API key as environment variable
export QODRYX_API_KEY=qx_live_your_api_key_here
# Or use the --token flag
qodryx auth login --token $QODRYX_API_KEY
# The CLI automatically uses QODRYX_API_KEY if setSecurity Best Practice
Store your API key as a secret in your CI/CD platform. Never commit API keys to your repository.
GitHub Actions
Basic Setup
# .github/workflows/qodryx.yml
name: QODRYX CI
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install QODRYX CLI
run: npm install -g @qodryx/cli
- name: Run Security Scan
env:
QODRYX_API_KEY: ${{ secrets.QODRYX_API_KEY }}
run: |
qodryx security scan --type sast,secrets,dependencies
- name: Check Results
env:
QODRYX_API_KEY: ${{ secrets.QODRYX_API_KEY }}
run: |
# Fail if critical vulnerabilities found
qodryx security results --severity critical -o json | \
jq -e '.findings | length == 0' || exit 1Using QODRYX Action
# .github/workflows/qodryx.yml
name: QODRYX Security
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: QODRYX Security Scan
uses: qodryx/action@v1
with:
api-key: ${{ secrets.QODRYX_API_KEY }}
scan-types: 'sast,secrets,dependencies'
fail-on: 'critical,high'
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: qodryx-results.sarifFull Pipeline with Deploy
# .github/workflows/full-pipeline.yml
name: QODRYX Full Pipeline
on:
push:
branches: [main]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: qodryx/action@v1
with:
api-key: ${{ secrets.QODRYX_API_KEY }}
scan-types: 'sast,secrets,dependencies'
fail-on: 'critical'
test:
runs-on: ubuntu-latest
needs: security
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm ci
- run: npm test
deploy:
runs-on: ubuntu-latest
needs: [security, test]
if: github.ref == 'refs/heads/main'
steps:
- uses: actions/checkout@v4
- name: Install QODRYX CLI
run: npm install -g @qodryx/cli
- name: Deploy
env:
QODRYX_API_KEY: ${{ secrets.QODRYX_API_KEY }}
run: |
qodryx deploy --env production --message "Deploy ${{ github.sha }}"GitLab CI
Basic Configuration
# .gitlab-ci.yml
stages:
- security
- test
- deploy
variables:
QODRYX_API_KEY: $QODRYX_API_KEY
security-scan:
stage: security
image: node:20
before_script:
- npm install -g @qodryx/cli
script:
- qodryx security scan --type sast,secrets,dependencies
- qodryx security results --severity critical,high -o json > security-report.json
artifacts:
reports:
sast: security-report.json
paths:
- security-report.json
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
test:
stage: test
image: node:20
script:
- npm ci
- npm test
needs: ["security-scan"]
deploy-production:
stage: deploy
image: node:20
before_script:
- npm install -g @qodryx/cli
script:
- qodryx deploy --env production
needs: ["test"]
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
environment:
name: productionGitLab Security Integration
# .gitlab-ci.yml
include:
- template: Security/SAST.gitlab-ci.yml
qodryx-sast:
stage: test
image: node:20
before_script:
- npm install -g @qodryx/cli
script:
- qodryx security scan --type sast -o gitlab > gl-sast-report.json
artifacts:
reports:
sast: gl-sast-report.jsonJenkins
Jenkinsfile (Declarative)
// Jenkinsfile
pipeline {
agent any
environment {
QODRYX_API_KEY = credentials('qodryx-api-key')
}
stages {
stage('Setup') {
steps {
sh 'npm install -g @qodryx/cli'
}
}
stage('Security Scan') {
steps {
sh '''
qodryx security scan --type sast,secrets,dependencies
qodryx security results -o json > security-results.json
'''
}
post {
always {
archiveArtifacts artifacts: 'security-results.json'
}
}
}
stage('Test') {
steps {
sh 'npm ci'
sh 'npm test'
}
}
stage('Deploy') {
when {
branch 'main'
}
steps {
sh 'qodryx deploy --env production'
}
}
}
post {
failure {
// Notify on failure
sh 'qodryx notify --channel slack --status failure'
}
}
}Jenkins Scripted Pipeline
// Jenkinsfile (Scripted)
node {
withCredentials([string(credentialsId: 'qodryx-api-key', variable: 'QODRYX_API_KEY')]) {
stage('Setup') {
sh 'npm install -g @qodryx/cli'
}
stage('Security') {
sh 'qodryx security scan'
def results = sh(
script: 'qodryx security results --severity critical -o json',
returnStdout: true
).trim()
def json = readJSON text: results
if (json.findings.size() > 0) {
error "Critical vulnerabilities found!"
}
}
stage('Deploy') {
if (env.BRANCH_NAME == 'main') {
sh 'qodryx deploy --env production'
}
}
}
}CircleCI
# .circleci/config.yml
version: 2.1
orbs:
node: circleci/node@5.0
jobs:
security-scan:
docker:
- image: cimg/node:20.0
steps:
- checkout
- run:
name: Install QODRYX CLI
command: npm install -g @qodryx/cli
- run:
name: Run Security Scan
command: |
qodryx security scan --type sast,secrets,dependencies
qodryx security results -o json > security-results.json
- store_artifacts:
path: security-results.json
- run:
name: Check for Critical Issues
command: |
qodryx security results --severity critical -o json | \
jq -e '.findings | length == 0'
deploy:
docker:
- image: cimg/node:20.0
steps:
- checkout
- run:
name: Install QODRYX CLI
command: npm install -g @qodryx/cli
- run:
name: Deploy
command: qodryx deploy --env production
workflows:
build-and-deploy:
jobs:
- security-scan
- deploy:
requires:
- security-scan
filters:
branches:
only: mainAzure DevOps
# azure-pipelines.yml
trigger:
- main
pool:
vmImage: 'ubuntu-latest'
variables:
- group: qodryx-secrets
stages:
- stage: Security
jobs:
- job: Scan
steps:
- task: NodeTool@0
inputs:
versionSpec: '20.x'
- script: npm install -g @qodryx/cli
displayName: 'Install QODRYX CLI'
- script: |
qodryx security scan --type sast,secrets,dependencies
qodryx security results -o json > $(Build.ArtifactStagingDirectory)/security-results.json
displayName: 'Run Security Scan'
env:
QODRYX_API_KEY: $(QODRYX_API_KEY)
- publish: $(Build.ArtifactStagingDirectory)/security-results.json
artifact: SecurityResults
- stage: Deploy
dependsOn: Security
condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
jobs:
- deployment: Production
environment: 'production'
strategy:
runOnce:
deploy:
steps:
- script: |
npm install -g @qodryx/cli
qodryx deploy --env production
env:
QODRYX_API_KEY: $(QODRYX_API_KEY)Bitbucket Pipelines
# bitbucket-pipelines.yml
image: node:20
pipelines:
default:
- step:
name: Security Scan
script:
- npm install -g @qodryx/cli
- qodryx security scan --type sast,secrets,dependencies
- qodryx security results --severity critical,high
artifacts:
- security-results.json
branches:
main:
- step:
name: Security Scan
script:
- npm install -g @qodryx/cli
- qodryx security scan
- step:
name: Deploy to Production
deployment: production
script:
- npm install -g @qodryx/cli
- qodryx deploy --env productionCommon CI/CD Patterns
Fail on Critical Vulnerabilities
# Bash script to fail pipeline on critical findings
#!/bin/bash
set -e
qodryx security scan --type sast,secrets,dependencies
CRITICAL_COUNT=$(qodryx security results --severity critical -o json | jq '.findings | length')
if [ "$CRITICAL_COUNT" -gt 0 ]; then
echo "❌ Found $CRITICAL_COUNT critical vulnerabilities"
qodryx security results --severity critical
exit 1
fi
echo "✅ No critical vulnerabilities found"PR Comment with Results
# Post scan summary to PR
qodryx security scan
qodryx security results --format markdown > scan-summary.md
# GitHub Actions example
gh pr comment $PR_NUMBER --body-file scan-summary.mdConditional Deployment
#!/bin/bash
# Only deploy if no high/critical vulnerabilities
qodryx security scan
HIGH_COUNT=$(qodryx security results --severity critical,high -o json | jq '.findings | length')
if [ "$HIGH_COUNT" -eq 0 ]; then
echo "✅ Security check passed, deploying..."
qodryx deploy --env production
else
echo "⚠️ Found $HIGH_COUNT high/critical issues, skipping deploy"
exit 0 # Don't fail, just skip deploy
fiEnvironment Variables
| Variable | Description |
|---|---|
| QODRYX_API_KEY | API key for authentication |
| QODRYX_PROJECT | Default project ID |
| QODRYX_OUTPUT | Default output format |
| QODRYX_NO_COLOR | Disable colored output |
Best Practices
Recommendations
- Store API keys as encrypted secrets in your CI/CD platform
- Run security scans on every PR, not just main branch
- Cache CLI installation to speed up builds
- Use --quiet flag to reduce log noise
- Archive scan results as build artifacts
- Set up notifications for scan failures