
CI/CD Integration

Automated project scanning

The ByteHide Secrets Scanner already provides CI/CD integration by default when installed directly in your project.

Native CI/CD Integration

The @bytehide/secrets-scanner npm package already provides CI/CD integration by default because:

  • It's installed directly in your JavaScript project
  • It runs automatically when called from your build process
  • It works in any environment or platform where your project is built
  • It's independent of the specific CI/CD platform (GitHub Actions, Azure DevOps, AWS, Jenkins, etc.)

As long as the bytehide.secrets.json configuration file is present and the package is installed in your project, the scanner will work on any machine where the project is built, providing continuous protection against secret leaks.

Integration Options

The simplest way to integrate the scanner is to add it to your build process by using a prebuild script in your package.json:

{
  "scripts": {
    "prebuild": "bytehide-secrets scan",
    "build": "your-build-command"
  }
}

With this setup, the scanner runs automatically whenever you build your project:

npm run build

Repository-Level Git Integration

If you prefer deeper integration at the Git repository level, rather than just at the project level, you can use our:

This option provides additional features like pull request scanning and automatic comments.

DevOps-Only Integration

Important note

This DevOps-only configuration is only recommended for advanced users. For most cases, the native project-level integration is sufficient and easier to maintain.

If, as an exception, you don't want the package and its configuration file to live in your project or repository, you can integrate the scanner only in your DevOps pipeline:

GitHub Actions

name: Secrets Scanner

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  scan:
    runs-on: ubuntu-latest
    
    steps:
    - uses: actions/checkout@v3
    
    - name: Setup Node.js
      uses: actions/setup-node@v3
      with:
        node-version: '16.x'
        
    - name: Install dependencies
      run: |
        npm install
        npm install @bytehide/secrets-scanner --save-dev
      
    - name: Create scanner config
      run: |
        echo '{
          "token": "${{ secrets.BYTEHIDE_TOKEN }}",
          "appName": "CI Scanner",
          "environment": "ci",
          "sync": true,
          "anonymize": false
        }' > bytehide.secrets.json
      
    - name: Run scanner
      run: npx bytehide-secrets scan

Azure DevOps Pipelines

trigger:
- main
- develop

pool:
  vmImage: 'ubuntu-latest'

steps:
- task: NodeTool@0
  inputs:
    versionSpec: '16.x'
  displayName: 'Install Node.js'

- script: |
    npm install
    npm install @bytehide/secrets-scanner --save-dev
  displayName: 'Install dependencies'

- task: Bash@3
  displayName: 'Create scanner config'
  inputs:
    targetType: 'inline'
    script: |
      echo '{
        "token": "$(BYTEHIDE_TOKEN)",
        "appName": "Azure Pipeline Scanner",
        "environment": "azure-devops",
        "sync": true,
        "anonymize": false
      }' > bytehide.secrets.json

- script: npx bytehide-secrets scan
  displayName: 'Run scanner'

GitLab CI/CD

image: node:16

stages:
  - scan

variables:
  npm_config_cache: "$CI_PROJECT_DIR/.npm"

cache:
  paths:
    - .npm/

scan_secrets:
  stage: scan
  script:
    - npm install @bytehide/secrets-scanner --save-dev
    - |
      echo '{
        "token": "'$BYTEHIDE_TOKEN'",
        "appName": "GitLab CI Scanner",
        "environment": "gitlab-ci",
        "sync": true,
        "anonymize": false
      }' > bytehide.secrets.json
    - npx bytehide-secrets scan

CircleCI

version: 2.1

jobs:
  scan:
    docker:
      - image: cimg/node:16.13
    steps:
      - checkout
      - run:
          name: Install scanner
          command: npm install @bytehide/secrets-scanner --save-dev
      - run:
          name: Configure scanner
          command: |
            echo '{
              "token": "'$BYTEHIDE_TOKEN'",
              "appName": "CircleCI Scanner",
              "environment": "circleci",
              "sync": true,
              "anonymize": false
            }' > bytehide.secrets.json
      - run:
          name: Run scan
          command: npx bytehide-secrets scan

workflows:
  version: 2
  scan_workflow:
    jobs:
      - scan

Environment-Specific Configuration

You can use different scanner configurations for different environments:

Using Branch-Conditional Steps

In GitHub Actions:

- name: Create development config
  if: ${{ github.ref == 'refs/heads/develop' }}
  run: |
    echo '{
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "environment": "development",
      "appName": "Dev Build",
      "sync": true
    }' > bytehide.secrets.json

- name: Create production config
  if: ${{ github.ref == 'refs/heads/main' }}
  run: |
    echo '{
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "environment": "production",
      "appName": "Prod Build",
      "sync": true
    }' > bytehide.secrets.json

Using Environment Variables

Alternatively, you can use environment variables in your CI/CD system:

BYTEHIDE_SECRETS_TOKEN=your-project-token
BYTEHIDE_SECRETS_ENVIRONMENT=production

Viewing Results

After the CI/CD pipeline runs, you can view the scanning results in your ByteHide dashboard. The results will include:

  • Detected secrets by type and location
  • The commit and branch where the secret was found
  • Confidence level of the detection
  • Link to the specific code location
