CI/CD Integration

Automated project scanning

The ByteHide Secrets Scanner can be easily integrated into any CI/CD pipeline where Java and Node.js are available.

Maven/Gradle Build Integration

If you have the scanner integrated into your Maven or Gradle build process (see Scanner Installation), it will run automatically in any CI/CD environment where your project is built. This is the simplest approach.

Repository-Level Git Integration

If you prefer deeper integration at the Git repository level, you can use our:

This option provides additional features like pull request scanning and automatic comments.

DevOps-Only Integration

Important note

This DevOps-only configuration is only recommended for advanced users. For most cases, the Maven/Gradle build integration is sufficient and easier to maintain.

If you don't want the scanner in your project build, you can integrate it only in your DevOps pipeline:

GitHub Actions

YAML
name: Secrets Scanner

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3

    - name: Setup Java
      uses: actions/setup-java@v3
      with:
        distribution: 'temurin'
        java-version: '17'

    - name: Setup Node.js
      uses: actions/setup-node@v3
      with:
        node-version: '18'

    - name: Download ByteHide Scanner
      run: |
        curl -L -o bytehide-secrets-scanner.jar \
          https://github.com/bytehide/bytehide-secrets-scanner-wrappers/releases/latest/download/bytehide-secrets-scanner.jar

    - name: Create scanner config
      run: |
        echo '{
          "token": "${{ secrets.BYTEHIDE_TOKEN }}",
          "appName": "CI Scanner",
          "environment": "ci",
          "sync": true,
          "anonymize": false
        }' > bytehide.secrets.json

    - name: Run scanner
      run: java -jar bytehide-secrets-scanner.jar scan

Azure DevOps Pipelines

YAML
trigger:
- main
- develop

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: JavaToolInstaller@0
  inputs:
    versionSpec: '17'
    jdkArchitectureOption: 'x64'
    jdkSourceOption: 'PreInstalled'

- task: NodeTool@0
  inputs:
    versionSpec: '18.x'
  displayName: 'Install Node.js'

- task: Bash@3
  displayName: 'Download and configure scanner'
  inputs:
    targetType: 'inline'
    script: |
      curl -L -o bytehide-secrets-scanner.jar \
        https://github.com/bytehide/bytehide-secrets-scanner-wrappers/releases/latest/download/bytehide-secrets-scanner.jar
      echo '{
        "token": "$(BYTEHIDE_TOKEN)",
        "appName": "Azure Pipeline Scanner",
        "environment": "azure-devops",
        "sync": true,
        "anonymize": false
      }' > bytehide.secrets.json

- script: java -jar bytehide-secrets-scanner.jar scan
  displayName: 'Run scanner'

GitLab CI/CD

YAML
image: maven:3.9-eclipse-temurin-17

stages:
  - scan

variables:
  NODE_VERSION: "18"

scan_secrets:
  stage: scan
  before_script:
    - apt-get update && apt-get install -y nodejs npm
  script:
    - |
      curl -L -o bytehide-secrets-scanner.jar \
        https://github.com/bytehide/bytehide-secrets-scanner-wrappers/releases/latest/download/bytehide-secrets-scanner.jar
    - |
      echo '{
        "token": "'"$BYTEHIDE_TOKEN"'",
        "appName": "GitLab CI Scanner",
        "environment": "gitlab-ci",
        "sync": true,
        "anonymize": false
      }' > bytehide.secrets.json
    - java -jar bytehide-secrets-scanner.jar scan

Jenkins Pipeline

Groovy
pipeline {
    agent {
        docker {
            image 'maven:3.9-eclipse-temurin-17'
        }
    }

    stages {
        stage('Scan Secrets') {
            steps {
                sh 'apt-get update && apt-get install -y nodejs npm'
                sh '''
                    curl -L -o bytehide-secrets-scanner.jar \
                      https://github.com/bytehide/bytehide-secrets-scanner-wrappers/releases/latest/download/bytehide-secrets-scanner.jar
                '''
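                // The shell expands BYTEHIDE_TOKEN at run time, so the token
                // is never concatenated into the Groovy script text.
                sh '''
                    echo '{
                      "token": "'"$BYTEHIDE_TOKEN"'",
                      "appName": "Jenkins Scanner",
                      "environment": "jenkins",
                      "sync": true,
                      "anonymize": false
                    }' > bytehide.secrets.json
                '''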
                sh 'java -jar bytehide-secrets-scanner.jar scan'
            }
        }
    }
}
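
All four pipelines above download the JAR from `releases/latest` and run it in a job that holds `BYTEHIDE_TOKEN`, so a changed release asset would execute with access to that token. The shell functions below are an added example (not ByteHide's code) that check the JAR against a SHA-256 digest recorded by the pipeline owner before running it, and write the config with owner-only permissions. `JAR_URL`, `EXPECTED_SHA256` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not ByteHide code. JAR_URL and EXPECTED_SHA256 are values the
# pipeline owner supplies (assumptions); the JSON keys are the ones on this page.

# Print the lower-case SHA-256 hex digest of a file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then _d=$(sha256sum "$1")
  else _d=$(shasum -a 256 "$1"); fi
  printf '%s\n' "${_d%% *}"
}

# verify_sha256 FILE EXPECTED_HEX: succeed only when the digest matches.
verify_sha256() {
  [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
  _want=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
  if [ "$(sha256_of "$1")" != "$_want" ]; then
    echo "checksum mismatch for $1, refusing to run it" >&2
    return 1
  fi
}

# write_config PATH ENVIRONMENT: build the scanner config from the
# BYTEHIDE_TOKEN environment variable, readable by the current user only.
# ENVIRONMENT is a constant chosen by the pipeline and is written as given.
write_config() {
  [ -n "${BYTEHIDE_TOKEN:-}" ] || { echo "BYTEHIDE_TOKEN is not set" >&2; return 1; }
  # Escape backslashes and double quotes so the token cannot break the JSON.
  _tok=$(printf '%s' "$BYTEHIDE_TOKEN" | sed 's/\\/\\\\/g; s/"/\\"/g')
  rm -f "$1"
  ( umask 077
    printf '{\n  "token": "%s",\n  "appName": "CI Scanner",\n  "environment": "%s",\n  "sync": true,\n  "anonymize": false\n}\n' \
      "$_tok" "$2" > "$1" )
}

# scan_verified: download, verify, configure, scan; stops at the first failure.
scan_verified() {
  curl -fsSL -o bytehide-secrets-scanner.jar "$JAR_URL" &&
    verify_sha256 bytehide-secrets-scanner.jar "$EXPECTED_SHA256" &&
    write_config bytehide.secrets.json ci &&
    java -jar bytehide-secrets-scanner.jar scan
}
```

For the digest to mean anything, `JAR_URL` should point at a specific release tag rather than `latest`, and `EXPECTED_SHA256` should be recorded when that release is reviewed.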

Environment-Specific Configuration

You can use different scanner configurations for different environments:

YAML
# For development builds
- name: Create dev scanner config
  if: ${{ github.ref == 'refs/heads/develop' }}
  run: |
    echo '{
      "environment": "development",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json

# For production builds
- name: Create prod scanner config
  if: ${{ github.ref == 'refs/heads/main' }}
  run: |
    echo '{
      "environment": "production",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json

Viewing Results

After the CI/CD pipeline runs, you can view the scanning results in your ByteHide dashboard. The results will include:

  • Detected secrets by type and location
  • The commit and branch where the secret was found
  • Confidence level of the detection
  • Link to the specific code location
