CI/CD Integration
Automated project scanning
The ByteHide Secrets Scanner can be easily integrated into any CI/CD pipeline where Go and Node.js are available.
Makefile Build Integration
If you have the scanner integrated into your Makefile (see Scanner Installation), it will run automatically in any CI/CD environment. This is the simplest approach.
Repository-Level Git Integration
If you prefer deeper integration at the Git repository level, you can use our:
This option provides additional features like pull request scanning and automatic comments.
DevOps-Only Integration
Important note
This DevOps-only configuration is only recommended for advanced users. For most cases, the Makefile build integration is sufficient and easier to maintain.
If you don't want the scanner in your project build, you can integrate it only in your DevOps pipeline:
GitHub Actions
```yaml
name: Secrets Scanner

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version: '1.21'
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Install ByteHide Scanner
        run: |
          git clone https://github.com/bytehide/bytehide-secrets-scanner-wrappers.git /tmp/scanner
          cd /tmp/scanner/wrappers/go
          go build -o /usr/local/bin/bytehide-secrets .
      - name: Create scanner config
        run: |
          echo '{
            "token": "${{ secrets.BYTEHIDE_TOKEN }}",
            "appName": "CI Scanner",
            "environment": "ci",
            "sync": true,
            "anonymize": false
          }' > bytehide.secrets.json
      - name: Run scanner
        run: bytehide-secrets scan
```
GitLab CI/CD
```yaml
image: golang:1.21

stages:
  - scan

scan_secrets:
  stage: scan
  before_script:
    - apt-get update && apt-get install -y nodejs npm
  script:
    - |
      git clone https://github.com/bytehide/bytehide-secrets-scanner-wrappers.git /tmp/scanner
      cd /tmp/scanner/wrappers/go
      go build -o /usr/local/bin/bytehide-secrets .
      cd $CI_PROJECT_DIR
    - |
      echo '{
        "token": "'$BYTEHIDE_TOKEN'",
        "appName": "GitLab CI Scanner",
        "environment": "gitlab-ci",
        "sync": true,
        "anonymize": false
      }' > bytehide.secrets.json
    - bytehide-secrets scan
```
Environment-Specific Configuration
You can use different scanner configurations for different environments:
```yaml
# For development builds
- name: Create dev scanner config
  if: ${{ github.ref == 'refs/heads/develop' }}
  run: |
    echo '{
      "environment": "development",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json

# For production builds
- name: Create prod scanner config
  if: ${{ github.ref == 'refs/heads/main' }}
  run: |
    echo '{
      "environment": "production",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json
```
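Splicing the token into an `echo` string, as the snippets above do, assumes the token never contains a quote or backslash, and in the GitLab form the variable is expanded unquoted in the shell. The helper below is an added example (not ByteHide's own code) that generates `bytehide.secrets.json` with the token JSON-escaped, the file restricted to the runner user, and the `environment` value chosen from the branch using the page's develop/main rule; it assumes only the config keys the page shows, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not ByteHide's code): build bytehide.secrets.json safely
# for either GitHub Actions or GitLab CI. Only the keys shown on the page
# (token, appName, environment, sync, anonymize) are written.

# json_escape: escape backslashes first, then double quotes, so the token
# cannot terminate the JSON string (or the shell quoting) whatever it contains.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# ci_environment: map the branch being built to the scanner "environment"
# value, mirroring the page's rule: develop -> development, main -> production,
# anything else -> ci. Reads CI_COMMIT_BRANCH (GitLab) or GITHUB_REF (GitHub).
ci_environment() {
  branch="${CI_COMMIT_BRANCH:-${GITHUB_REF#refs/heads/}}"
  case "$branch" in
    main)    echo production ;;
    develop) echo development ;;
    *)       echo ci ;;
  esac
}

# write_bytehide_config TOKEN APP_NAME OUTFILE
# Writes the config with mode 0600 (umask in a subshell) so the token is not
# readable by other users on a shared runner; anonymize stays false as on the page.
write_bytehide_config() {
  token="$(json_escape "$1")"
  app="$(json_escape "$2")"
  out="$3"
  (
    umask 077
    printf '{\n  "token": "%s",\n  "appName": "%s",\n  "environment": "%s",\n  "sync": true,\n  "anonymize": false\n}\n' \
      "$token" "$app" "$(ci_environment)" > "$out"
  )
}

# Usage in a pipeline step (BYTEHIDE_TOKEN supplied by the CI secret store):
#   write_bytehide_config "$BYTEHIDE_TOKEN" "CI Scanner" bytehide.secrets.json
#   bytehide-secrets scan
```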
Viewing Results
After the CI/CD pipeline runs, you can view the scanning results in your ByteHide dashboard. The results will include:
- Detected secrets by type and location
- The commit and branch where the secret was found
- Confidence level of the detection
- Link to the specific code location