CI/CD Integration

Automated project scanning

The ByteHide Secrets Scanner already provides CI/CD integration by default when installed directly in your project.

Composer Scripts Integration

The bytehide/secrets-scanner Composer package already provides CI/CD integration by default because:

  • It's installed directly in your PHP project
  • It runs automatically when called from your Composer scripts
  • It works in any environment or platform where your project is built
  • It's independent of the specific CI/CD platform (GitHub Actions, GitLab CI, Jenkins, etc.)

As long as the bytehide.secrets.json configuration file is present and the package is installed in your project, the scanner will work on any machine where the project is built.

Repository-Level Git Integration

If you prefer deeper integration at the Git repository level, you can use our:

This option provides additional features like pull request scanning and automatic comments.

DevOps-Only Integration

Important note

This DevOps-only configuration is only recommended for advanced users. For most cases, the Composer scripts integration is sufficient and easier to maintain.

If you don't want the package and configuration to be in your project, you can integrate the scanner only in your DevOps pipeline:

GitHub Actions

YAML
name: Secrets Scanner

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  scan:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3

    - name: Setup PHP
      uses: shivammathur/setup-php@v2
      with:
        php-version: '8.2'

    - name: Setup Node.js
      uses: actions/setup-node@v3
      with:
        node-version: '18'

    - name: Install dependencies
      run: |
        composer install
        composer require bytehide/secrets-scanner --dev

    - name: Create scanner config
      run: |
        echo '{
          "token": "${{ secrets.BYTEHIDE_TOKEN }}",
          "appName": "CI Scanner",
          "environment": "ci",
          "sync": true,
          "anonymize": false
        }' > bytehide.secrets.json

    - name: Run scanner
      run: vendor/bin/bytehide-secrets scan

GitLab CI/CD

YAML
image: php:8.2

stages:
  - scan

scan_secrets:
  stage: scan
  before_script:
    - apt-get update && apt-get install -y nodejs npm git unzip
    - curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
  script:
    - composer install
    - composer require bytehide/secrets-scanner --dev
    - |
      echo '{
        "token": "'$BYTEHIDE_TOKEN'",
        "appName": "GitLab CI Scanner",
        "environment": "gitlab-ci",
        "sync": true,
        "anonymize": false
      }' > bytehide.secrets.json
    - vendor/bin/bytehide-secrets scan

Environment-Specific Configuration

You can use different scanner configurations for different environments:

YAML
# For development builds
- name: Create dev scanner config
  if: ${{ github.ref == 'refs/heads/develop' }}
  run: |
    echo '{
      "environment": "development",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json

# For production builds
- name: Create prod scanner config
  if: ${{ github.ref == 'refs/heads/main' }}
  run: |
    echo '{
      "environment": "production",
      "token": "${{ secrets.BYTEHIDE_TOKEN }}",
      "sync": true
    }' > bytehide.secrets.json
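In each of the pipelines above the token is substituted into the `echo '{...}'` command text; a token containing a quote or backslash would produce invalid JSON, and an unset variable would silently yield an empty token. The following POSIX shell helpers are an added example, not part of the ByteHide documentation: they build bytehide.secrets.json from environment variables (a step-level `env:` entry mapping the GitHub secret, or a masked GitLab CI/CD variable), escape the values for JSON, refuse to run without a token and remove the file after the scan. The variable names SCANNER_APP_NAME, SCANNER_ENV and RUN_SCANNER_EXAMPLE are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not part of the ByteHide documentation): write
# bytehide.secrets.json from environment variables instead of interpolating
# the token into the "echo '{...}'" command text.
# Assumed inputs: BYTEHIDE_TOKEN (required), SCANNER_APP_NAME and SCANNER_ENV
# (optional, defaulting to the values used on this page).

# Escape backslashes and double quotes so the value is a valid JSON string
# literal; a token containing either would otherwise corrupt the config.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Write the scanner config to $1 (default bytehide.secrets.json).
# Returns 1 when the token is missing so the pipeline fails visibly
# instead of running a scan with an empty token.
write_scanner_config() {
  out="${1:-bytehide.secrets.json}"
  if [ -z "${BYTEHIDE_TOKEN:-}" ]; then
    echo "BYTEHIDE_TOKEN is not set; refusing to write $out" >&2
    return 1
  fi
  # Subshell so the restrictive umask only applies to this file.
  (
    umask 077
    printf '{\n  "token": "%s",\n  "appName": "%s",\n  "environment": "%s",\n  "sync": true,\n  "anonymize": false\n}\n' \
      "$(json_escape "$BYTEHIDE_TOKEN")" \
      "$(json_escape "${SCANNER_APP_NAME:-CI Scanner}")" \
      "$(json_escape "${SCANNER_ENV:-ci}")" > "$out"
  )
}

# Remove the config after the scan so the token does not linger in the
# workspace (build artifacts, caches or an accidental commit).
cleanup_scanner_config() {
  rm -f "${1:-bytehide.secrets.json}"
}

# Typical pipeline usage; the scan command is the one used on this page.
# Gated behind an assumed variable so sourcing the file does not start a scan.
if [ "${RUN_SCANNER_EXAMPLE:-0}" = "1" ]; then
  write_scanner_config && trap 'cleanup_scanner_config' EXIT
  vendor/bin/bytehide-secrets scan
fi
```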

Viewing Results

After the CI/CD pipeline runs, you can view the scanning results in your ByteHide dashboard. The results will include:

  • Detected secrets by type and location
  • The commit and branch where the secret was found
  • Confidence level of the detection
  • Link to the specific code location
