CI/CD Integration
Automated project scanning
The ByteHide Secrets Scanner already provides CI/CD integration by default when installed directly in your project.
Native CI/CD Integration
The ByteHide.Secrets.Scanner package already provides CI/CD integration by default because:
- It's installed directly in your .NET project
- It runs automatically on every build
- It works in any environment or platform where your project is compiled
- It's independent of the specific CI/CD platform (GitHub Actions, Azure DevOps, AWS, Jenkins, etc.)
As long as the bytehide.secrets.json configuration file is present and the package is installed in your project, the scanner will work on any machine where the project is compiled, providing continuous protection against secret leaks.
Advanced Integration Options
Repository-Level Git Integration
If you prefer deeper integration at the Git repository level, rather than just at the project level, you can use our:
This option provides additional features like pull request scanning and automatic comments.
DevOps-Only Integration
Important note
This DevOps-only configuration is only recommended for advanced users. For most cases, the native project-level integration is sufficient and easier to maintain.
If, exceptionally, you don't want the package and its configuration to live in your project or repository, you can integrate the scanner only in your DevOps pipeline:
GitHub Actions
```yaml
name: Secrets Scanner
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup .NET
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: 6.0.x
      - name: Add ByteHide Scanner
        run: dotnet add package Bytehide.Secrets.Scanner
      - name: Create scanner config
        run: |
          echo '{
            "Name": "CI Scanner",
            "Environment": "ci",
            "ProjectToken": "${{ secrets.BYTEHIDE_TOKEN }}",
            "RunConfiguration": "*",
            "Enabled": true,
            "DisplayCode": true
          }' > bytehide.secrets.json
      - name: Build and scan
        run: dotnet build
```
Azure DevOps Pipelines
```yaml
trigger:
  - main
  - develop
pool:
  vmImage: 'ubuntu-latest'
variables:
  buildConfiguration: 'Release'
steps:
  - task: UseDotNet@2
    inputs:
      packageType: 'sdk'
      version: '6.0.x'
  - task: DotNetCoreCLI@2
    displayName: 'Add ByteHide Scanner'
    inputs:
      command: 'custom'
      custom: 'add'
      arguments: 'package Bytehide.Secrets.Scanner'
  - task: Bash@3
    displayName: 'Create scanner config'
    inputs:
      targetType: 'inline'
      script: |
        echo '{
          "Name": "Azure Pipeline Scanner",
          "Environment": "azure-devops",
          "ProjectToken": "$(BYTEHIDE_TOKEN)",
          "RunConfiguration": "*",
          "Enabled": true,
          "DisplayCode": true
        }' > bytehide.secrets.json
  - task: DotNetCoreCLI@2
    displayName: 'Build and scan'
    inputs:
      command: 'build'
      projects: '**/*.csproj'
      arguments: '--configuration $(buildConfiguration)'
```
GitLab CI/CD
```yaml
image: mcr.microsoft.com/dotnet/sdk:6.0
stages:
  - build
variables:
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: "true"
build:
  stage: build
  script:
    - dotnet add package Bytehide.Secrets.Scanner
    - |
      echo '{
        "Name": "GitLab CI Scanner",
        "Environment": "gitlab-ci",
        "ProjectToken": "'$BYTEHIDE_TOKEN'",
        "RunConfiguration": "*",
        "Enabled": true,
        "DisplayCode": true
      }' > bytehide.secrets.json
    - dotnet build
```
Jenkins Pipeline
```groovy
pipeline {
    agent {
        docker {
            image 'mcr.microsoft.com/dotnet/sdk:6.0'
        }
    }
    stages {
        stage('Build and Scan') {
            steps {
                sh 'dotnet add package Bytehide.Secrets.Scanner'
                sh '''
                    echo '{
                      "Name": "Jenkins Scanner",
                      "Environment": "jenkins",
                      "ProjectToken": "''' + env.BYTEHIDE_TOKEN + '''",
                      "RunConfiguration": "*",
                      "Enabled": true,
                      "DisplayCode": true
                    }' > bytehide.secrets.json
                '''
                sh 'dotnet build'
            }
        }
    }
}
```
CircleCI
```yaml
version: 2.1
jobs:
  build:
    docker:
      - image: mcr.microsoft.com/dotnet/sdk:6.0
    steps:
      - checkout
      - run:
          name: Install ByteHide Scanner
          command: dotnet add package Bytehide.Secrets.Scanner
      - run:
          name: Configure Scanner
          command: |
            echo '{
              "Name": "CircleCI Scanner",
              "Environment": "circleci",
              "ProjectToken": "'$BYTEHIDE_TOKEN'",
              "RunConfiguration": "*",
              "Enabled": true,
              "DisplayCode": true
            }' > bytehide.secrets.json
      - run:
          name: Build and Scan
          command: dotnet build
workflows:
  version: 2
  build_and_scan:
    jobs:
      - build
```
TeamCity
```kotlin
import jetbrains.buildServer.configs.kotlin.*
// Build-step DSL functions (script, dotnetBuild, ...) live in this package
import jetbrains.buildServer.configs.kotlin.buildSteps.*

project {
    buildType {
        name = "Build and Scan"
        steps {
            dotnetAdd {
                name = "Install ByteHide Scanner"
                packages = "Bytehide.Secrets.Scanner"
            }
            script {
                name = "Configure Scanner"
                scriptContent = """
                    echo '{
                      "Name": "TeamCity Scanner",
                      "Environment": "teamcity",
                      "ProjectToken": "%env.BYTEHIDE_TOKEN%",
                      "RunConfiguration": "*",
                      "Enabled": true,
                      "DisplayCode": true
                    }' > bytehide.secrets.json
                """
            }
            dotnetBuild {
                name = "Build and Scan"
                projects = "**/*.csproj"
            }
        }
    }
}
```
Environment-Specific Configuration
You can use different scanner configurations for different environments, for example by selecting the config on the branch being built (GitHub Actions steps shown):
```yaml
# For development builds
- name: Create dev scanner config
  if: ${{ github.ref == 'refs/heads/develop' }}
  run: |
    echo '{
      "Environment": "development",
      "ProjectToken": "${{ secrets.BYTEHIDE_TOKEN }}",
      # ... other settings
    }' > bytehide.secrets.json
# For production builds
- name: Create prod scanner config
  if: ${{ github.ref == 'refs/heads/main' }}
  run: |
    echo '{
      "Environment": "production",
      "ProjectToken": "${{ secrets.BYTEHIDE_TOKEN }}",
      # ... other settings
    }' > bytehide.secrets.json
```
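The DevOps-only pipelines above and the branch-specific variant all generate bytehide.secrets.json on the build agent with an inline echo, and that file contains the ProjectToken. As an added example (my own script, not ByteHide's code or documentation), the POSIX shell helper below does the same job in one place: it reads the token from the BYTEHIDE_TOKEN environment variable and fails the step if it is missing, picks the "Environment" label from the branch ref (develop -> development, main -> production, anything else -> ci), writes the file with a heredoc instead of nested quotes, and checks that .gitignore lists the generated file so a later commit or artifact step cannot leak the token. The function names and the ref-to-environment mapping beyond the two branches in the snippet above are my assumptions; GITHUB_REF is the ref variable GitHub Actions provides, and other platforms expose an equivalent.

```shell
#!/bin/sh
# Added example, not part of the ByteHide documentation or package.
# Generates bytehide.secrets.json for the DevOps-only setup from the
# BYTEHIDE_TOKEN environment variable, selects the Environment label
# from the branch ref, and checks the generated file is git-ignored.
set -eu

# Map a Git ref to the environment label written into the config file.
# develop -> development, main -> production, any other ref -> ci
# (the fallback label "ci" is an assumption of this example).
scanner_env_for_ref() {
  case "$1" in
    refs/heads/develop) echo development ;;
    refs/heads/main)    echo production ;;
    *)                  echo ci ;;
  esac
}

# Write the scanner config.
#   $1 = scanner name, $2 = git ref, $3 = output path
# Exits non-zero when BYTEHIDE_TOKEN is unset or empty, so the build
# stops instead of running a scan with a blank token.
write_scanner_config() {
  : "${BYTEHIDE_TOKEN:?BYTEHIDE_TOKEN must be provided by the CI secret store}"
  env_label=$(scanner_env_for_ref "$2")
  # Heredoc: no quote juggling, variables expand as in the page's examples.
  cat > "$3" <<EOF
{
  "Name": "$1",
  "Environment": "$env_label",
  "ProjectToken": "$BYTEHIDE_TOKEN",
  "RunConfiguration": "*",
  "Enabled": true,
  "DisplayCode": true
}
EOF
}

# Return 0 when the given .gitignore has a line that is exactly
# "bytehide.secrets.json", i.e. the token-bearing file cannot be committed.
config_is_ignored() {
  grep -qx 'bytehide.secrets.json' "$1"
}

# Pipeline step usage (GitHub Actions example; GITHUB_REF is provided by
# the runner, BYTEHIDE_TOKEN comes from the repository secret):
#   write_scanner_config "CI Scanner" "$GITHUB_REF" bytehide.secrets.json
#   config_is_ignored .gitignore || \
#     echo "warning: bytehide.secrets.json is not git-ignored" >&2
```

Run the two lines from the usage comment in a single pipeline step before `dotnet build`; the warning from config_is_ignored is the check to turn into a hard failure once the .gitignore entry is in place.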
Viewing Results
After the CI/CD pipeline runs, you can view the scanning results in your ByteHide dashboard. The results will include:
- Detected secrets by type and location
- The commit and branch where the secret was found
- Confidence level of the detection
- Link to the specific code location