
CI/CD Integration

Automated project scanning

The ByteHide Secrets Scanner already provides CI/CD integration by default when installed directly in your project.

Native CI/CD Integration

The ByteHide.Secrets.Scanner package already provides CI/CD integration by default because:

  • It's installed directly in your .NET project
  • It runs automatically on every build
  • It works in any environment or platform where your project is compiled
  • It's independent of the specific CI/CD platform (GitHub Actions, Azure DevOps, AWS, Jenkins, etc.)

As long as the bytehide.secrets.json configuration file is present and the package is installed in your project, the scanner will work on any machine where the project is compiled, providing continuous protection against secret leaks.

Advanced Integration Options

Repository-Level Git Integration

If you prefer deeper integration at the Git repository level, rather than just at the project level, you can use our:

This option provides additional features like pull request scanning and automatic comments.

DevOps-Only Integration

Important note

This DevOps-only configuration is only recommended for advanced users. For most cases, the native project-level integration is sufficient and easier to maintain.

If, exceptionally, you do not want the package and its configuration file to live in your project or repository, there are options to integrate the scanner only in your DevOps pipeline:

GitHub Actions

name: Secrets Scanner

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  scan:
    runs-on: ubuntu-latest
    
    steps:
    - uses: actions/checkout@v3
    
    - name: Setup .NET
      uses: actions/setup-dotnet@v3
      with:
        dotnet-version: 6.0.x
        
    - name: Add ByteHide Scanner
      run: dotnet add package Bytehide.Secrets.Scanner
      
    - name: Create scanner config
      run: |
        echo '{
          "Name": "CI Scanner",
          "Environment": "ci",
          "ProjectToken": "${{ secrets.BYTEHIDE_TOKEN }}",
          "RunConfiguration": "*",
          "Enabled": true,
          "DisplayCode": true
        }' > bytehide.secrets.json
      
    - name: Build and scan
      run: dotnet build

Azure DevOps Pipelines

trigger:
- main
- develop

pool:
  vmImage: 'ubuntu-latest'

variables:
  buildConfiguration: 'Release'

steps:
- task: UseDotNet@2
  inputs:
    packageType: 'sdk'
    version: '6.0.x'

- task: DotNetCoreCLI@2
  displayName: 'Add ByteHide Scanner'
  inputs:
    command: 'custom'
    custom: 'add'
    arguments: 'package Bytehide.Secrets.Scanner'

- task: Bash@3
  displayName: 'Create scanner config'
  inputs:
    targetType: 'inline'
    script: |
      echo '{
        "Name": "Azure Pipeline Scanner",
        "Environment": "azure-devops",
        "ProjectToken": "$(BYTEHIDE_TOKEN)",
        "RunConfiguration": "*",
        "Enabled": true,
        "DisplayCode": true
      }' > bytehide.secrets.json

- task: DotNetCoreCLI@2
  displayName: 'Build and scan'
  inputs:
    command: 'build'
    projects: '**/*.csproj'
    arguments: '--configuration $(buildConfiguration)'

GitLab CI/CD

image: mcr.microsoft.com/dotnet/sdk:6.0

stages:
  - build

variables:
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: "true"

build:
  stage: build
  script:
    - dotnet add package Bytehide.Secrets.Scanner
    - |
      echo '{
        "Name": "GitLab CI Scanner",
        "Environment": "gitlab-ci",
        "ProjectToken": "'$BYTEHIDE_TOKEN'",
        "RunConfiguration": "*",
        "Enabled": true,
        "DisplayCode": true
      }' > bytehide.secrets.json
    - dotnet build

Jenkins Pipeline

pipeline {
    agent {
        docker {
            image 'mcr.microsoft.com/dotnet/sdk:6.0'
        }
    }
    
    stages {
        stage('Build and Scan') {
            steps {
                sh 'dotnet add package Bytehide.Secrets.Scanner'
                sh '''
                    echo '{
                      "Name": "Jenkins Scanner",
                      "Environment": "jenkins",
                      "ProjectToken": "''' + env.BYTEHIDE_TOKEN + '''",
                      "RunConfiguration": "*",
                      "Enabled": true,
                      "DisplayCode": true
                    }' > bytehide.secrets.json
                '''
                sh 'dotnet build'
            }
        }
    }
}

CircleCI

version: 2.1

jobs:
  build:
    docker:
      - image: mcr.microsoft.com/dotnet/sdk:6.0
    steps:
      - checkout
      - run:
          name: Install ByteHide Scanner
          command: dotnet add package Bytehide.Secrets.Scanner
      - run:
          name: Configure Scanner
          command: |
            echo '{
              "Name": "CircleCI Scanner",
              "Environment": "circleci",
              "ProjectToken": "'$BYTEHIDE_TOKEN'",
              "RunConfiguration": "*",
              "Enabled": true,
              "DisplayCode": true
            }' > bytehide.secrets.json
      - run:
          name: Build and Scan
          command: dotnet build

workflows:
  version: 2
  build_and_scan:
    jobs:
      - build

TeamCity

import jetbrains.buildServer.configs.kotlin.*
import jetbrains.buildServer.configs.kotlin.buildSteps.*

project {
    buildType {
        name = "Build and Scan"
        
        steps {
            dotnetAdd {
                name = "Install ByteHide Scanner"
                packages = "Bytehide.Secrets.Scanner"
            }
            
            script {
                name = "Configure Scanner"
                scriptContent = """
                    echo '{
                      "Name": "TeamCity Scanner",
                      "Environment": "teamcity",
                      "ProjectToken": "%env.BYTEHIDE_TOKEN%",
                      "RunConfiguration": "*",
                      "Enabled": true,
                      "DisplayCode": true
                    }' > bytehide.secrets.json
                """
            }
            
            dotnetBuild {
                name = "Build and Scan"
                projects = "**/*.csproj"
            }
        }
    }
}

Environment-Specific Configuration

You can use different scanner configurations for different environments:

# For development builds
- name: Create dev scanner config
  if: ${{ github.ref == 'refs/heads/develop' }}
  run: |
    echo '{
      "Environment": "development",
      "ProjectToken": "${{ secrets.BYTEHIDE_TOKEN }}",
      # ... other settings
    }' > bytehide.secrets.json

# For production builds
- name: Create prod scanner config
  if: ${{ github.ref == 'refs/heads/main' }}
  run: |
    echo '{
      "Environment": "production",
      "ProjectToken": "${{ secrets.BYTEHIDE_TOKEN }}",
      # ... other settings
    }' > bytehide.secrets.json
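The following POSIX shell helper is an added example written for this page, not ByteHide's own tooling: it does what the inline echo steps above do (including the develop/main environment selection), but refuses to write the config when the token secret is empty and escapes the values so they cannot break the JSON. The field names are the page's; the function names and the checks are assumptions of this example.

```shell
# Added example (not ByteHide's code): write bytehide.secrets.json in a CI job from
# a Git ref and a token held in a pipeline secret. Field names and the develop/main
# mapping come from the page; function names and the checks are this example's own.
set -e

# Map a Git ref to "Environment": develop -> development, main -> production,
# anything else -> ci.
scanner_env_for_ref() {
    case "$1" in
        refs/heads/develop|develop) echo development ;;
        refs/heads/main|main)       echo production ;;
        *)                          echo ci ;;
    esac
}

# Escape backslashes and double quotes so a value cannot break out of its JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_scanner_config NAME REF TOKEN [OUTFILE]; returns non-zero on an empty or
# non-printable token so a broken secret fails the job instead of silently misconfiguring.
write_scanner_config() {
    name=$1; ref=$2; token=$3; out=${4:-bytehide.secrets.json}
    if [ -z "$token" ]; then
        echo "BYTEHIDE_TOKEN is empty; refusing to write $out" >&2
        return 1
    fi
    if [ -n "$(printf '%s' "$token" | tr -d '[:print:]')" ]; then
        echo "token contains non-printable characters; refusing to write $out" >&2
        return 1
    fi
    scanner_env=$(scanner_env_for_ref "$ref")
    cat > "$out" <<EOF
{
  "Name": "$(json_escape "$name")",
  "Environment": "$scanner_env",
  "ProjectToken": "$(json_escape "$token")",
  "RunConfiguration": "*",
  "Enabled": true,
  "DisplayCode": true
}
EOF
}

# Read one string field back, e.g. to verify the file before dotnet build runs.
config_value() {
    sed -n "s/^ *\"$2\": \"\(.*\)\",\{0,1\}\$/\1/p" "$1"
}
```

Called as `write_scanner_config "CI Scanner" "$GITHUB_REF" "$BYTEHIDE_TOKEN"` before `dotnet build`, it replaces the inline echo in any of the pipelines above (on other platforms pass that platform's ref variable instead of GITHUB_REF).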

Viewing Results

After the CI/CD pipeline runs, you can view the scanning results in your ByteHide dashboard. The results will include:

  • Detected secrets by type and location
  • The commit and branch where the secret was found
  • Confidence level of the detection
  • Link to the specific code location
