CI/CD Integration

Integrate ByteHide Radar into your CI/CD pipeline to automatically scan your codebase on every build, pull request, or deployment. This ensures vulnerabilities are caught early in the development lifecycle before reaching production.

Why Integrate with CI/CD

Shift-left security: catch vulnerabilities during development, not after deployment
Automated enforcement: fail builds when critical vulnerabilities are detected
Continuous monitoring: every code change is scanned automatically
Developer feedback loop: security issues appear in PRs alongside other CI checks

GitHub Actions

The following workflow triggers a Radar scan on every push to main and on pull requests, then checks for critical findings.

YAML

name: ByteHide Radar Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Trigger Radar Scan
        run: |
          SCAN_RESPONSE=$(curl -s -X POST \
            https://api.bytehide.com/v1/radar/projects/${{ secrets.RADAR_PROJECT_ID }}/scans \
            -H "Authorization: Bearer ${{ secrets.RADAR_TOKEN }}" \
            -H "Content-Type: application/json" \
            -d '{"branch": "${{ github.head_ref || github.ref_name }}"}')

          SCAN_ID=$(echo $SCAN_RESPONSE | jq -r '.scanId')
          echo "SCAN_ID=$SCAN_ID" >> $GITHUB_ENV

      - name: Wait for Scan Completion
        run: |
          for i in $(seq 1 60); do
            STATUS=$(curl -s \
              https://api.bytehide.com/v1/radar/projects/${{ secrets.RADAR_PROJECT_ID }}/scans/${{ env.SCAN_ID }} \
              -H "Authorization: Bearer ${{ secrets.RADAR_TOKEN }}" | jq -r '.status')

            if [ "$STATUS" = "completed" ]; then
              echo "Scan completed"
              break
            fi
            sleep 10
          done

      - name: Check for Critical Findings
        run: |
          CRITICAL=$(curl -s \
            "https://api.bytehide.com/v1/radar/projects/${{ secrets.RADAR_PROJECT_ID }}/findings?severity=critical&status=open" \
            -H "Authorization: Bearer ${{ secrets.RADAR_TOKEN }}" | jq '.total')

          if [ "$CRITICAL" -gt 0 ]; then
            echo "::error::$CRITICAL critical vulnerabilities found"
            exit 1
          fi

name: ByteHide Radar Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Trigger Radar Scan
        run: |
          SCAN_RESPONSE=$(curl -s -X POST \
            https://api.bytehide.com/v1/radar/projects/${{ secrets.RADAR_PROJECT_ID }}/scans \
            -H "Authorization: Bearer ${{ secrets.RADAR_TOKEN }}" \
            -H "Content-Type: application/json" \
            -d '{"branch": "${{ github.head_ref || github.ref_name }}"}')

          SCAN_ID=$(echo $SCAN_RESPONSE | jq -r '.scanId')
          echo "SCAN_ID=$SCAN_ID" >> $GITHUB_ENV

      - name: Wait for Scan Completion
        run: |
          for i in $(seq 1 60); do
            STATUS=$(curl -s \
              https://api.bytehide.com/v1/radar/projects/${{ secrets.RADAR_PROJECT_ID }}/scans/${{ env.SCAN_ID }} \
              -H "Authorization: Bearer ${{ secrets.RADAR_TOKEN }}" | jq -r '.status')

            if [ "$STATUS" = "completed" ]; then
              echo "Scan completed"
              break
            fi
            sleep 10
          done

      - name: Check for Critical Findings
        run: |
          CRITICAL=$(curl -s \
            "https://api.bytehide.com/v1/radar/projects/${{ secrets.RADAR_PROJECT_ID }}/findings?severity=critical&status=open" \
            -H "Authorization: Bearer ${{ secrets.RADAR_TOKEN }}" | jq '.total')

          if [ "$CRITICAL" -gt 0 ]; then
            echo "::error::$CRITICAL critical vulnerabilities found"
            exit 1
          fi

How it works: Trigger scan on push/PR > Poll status every 10 seconds (up to 10 min) > Fail build if critical findings exist.

Setting Up Secrets

Store your project token and ID as CI/CD secrets:

GitHub Actions: Repository Settings > Secrets and variables > Actions > New repository secret

Secret Name	Value
`RADAR_TOKEN`	Your Radar project token from Project Settings
`RADAR_PROJECT_ID`	Your Radar project ID

Quality Gates

Policy	Fails On	Recommended For
Strict	Any new finding (Critical, High, Medium, or Low)	Security-critical applications
Standard	Critical or High findings only	Most teams (good default)
Relaxed	Critical findings only	Teams adopting scanning for the first time

Customize the severity check in your workflow:

Bash

# Fail on Critical or High findings
FINDINGS=$(curl -s \
  "https://api.bytehide.com/v1/radar/projects/$PROJECT_ID/findings?severity=critical,high&status=open" \
  -H "Authorization: Bearer $TOKEN" | jq '.total')

if [ "$FINDINGS" -gt 0 ]; then
  echo "::error::$FINDINGS critical/high vulnerabilities found"
  exit 1
fi

# Fail on Critical or High findings
FINDINGS=$(curl -s \
  "https://api.bytehide.com/v1/radar/projects/$PROJECT_ID/findings?severity=critical,high&status=open" \
  -H "Authorization: Bearer $TOKEN" | jq '.total')

if [ "$FINDINGS" -gt 0 ]; then
  echo "::error::$FINDINGS critical/high vulnerabilities found"
  exit 1
fi

Other CI/CD Platforms

The Radar API works with any platform that can make HTTP requests.

GitLab CI

YAML

security_scan:
  stage: test
  script:
    - |
      SCAN_RESPONSE=$(curl -s -X POST \
        https://api.bytehide.com/v1/radar/projects/$RADAR_PROJECT_ID/scans \
        -H "Authorization: Bearer $RADAR_TOKEN" \
        -H "Content-Type: application/json" \
        -d "{\"branch\": \"$CI_COMMIT_REF_NAME\"}")

security_scan:
  stage: test
  script:
    - |
      SCAN_RESPONSE=$(curl -s -X POST \
        https://api.bytehide.com/v1/radar/projects/$RADAR_PROJECT_ID/scans \
        -H "Authorization: Bearer $RADAR_TOKEN" \
        -H "Content-Type: application/json" \
        -d "{\"branch\": \"$CI_COMMIT_REF_NAME\"}")

Store RADAR_TOKEN and RADAR_PROJECT_ID as protected CI/CD variables in Settings > CI/CD > Variables.

Azure DevOps

YAML

- task: Bash@3
  inputs:
    targetType: 'inline'
    script: |
      curl -s -X POST \
        https://api.bytehide.com/v1/radar/projects/$(RADAR_PROJECT_ID)/scans \
        -H "Authorization: Bearer $(RADAR_TOKEN)" \
        -H "Content-Type: application/json" \
        -d '{"branch": "$(Build.SourceBranchName)"}'

- task: Bash@3
  inputs:
    targetType: 'inline'
    script: |
      curl -s -X POST \
        https://api.bytehide.com/v1/radar/projects/$(RADAR_PROJECT_ID)/scans \
        -H "Authorization: Bearer $(RADAR_TOKEN)" \
        -H "Content-Type: application/json" \
        -d '{"branch": "$(Build.SourceBranchName)"}'

Store secrets using pipeline variables with "Keep this value secret" enabled.

Jenkins

Groovy

pipeline {
    environment {
        RADAR_TOKEN = credentials('radar-token')
        RADAR_PROJECT_ID = credentials('radar-project-id')
    }
    stages {
        stage('Security Scan') {
            steps {
                sh '''
                    curl -s -X POST \
                      https://api.bytehide.com/v1/radar/projects/$RADAR_PROJECT_ID/scans \
                      -H "Authorization: Bearer $RADAR_TOKEN" \
                      -H "Content-Type: application/json" \
                      -d '{"branch": "'$GIT_BRANCH'"}'
                '''
            }
        }
    }
}

pipeline {
    environment {
        RADAR_TOKEN = credentials('radar-token')
        RADAR_PROJECT_ID = credentials('radar-project-id')
    }
    stages {
        stage('Security Scan') {
            steps {
                sh '''
                    curl -s -X POST \
                      https://api.bytehide.com/v1/radar/projects/$RADAR_PROJECT_ID/scans \
                      -H "Authorization: Bearer $RADAR_TOKEN" \
                      -H "Content-Type: application/json" \
                      -d '{"branch": "'$GIT_BRANCH'"}'
                '''
            }
        }
    }
}

CircleCI

YAML

jobs:
  security-scan:
    docker:
      - image: cimg/base:stable
    steps:
      - run:
          name: Trigger Radar Scan
          command: |
            curl -s -X POST \
              https://api.bytehide.com/v1/radar/projects/$RADAR_PROJECT_ID/scans \
              -H "Authorization: Bearer $RADAR_TOKEN" \
              -H "Content-Type: application/json" \
              -d "{\"branch\": \"$CIRCLE_BRANCH\"}"

jobs:
  security-scan:
    docker:
      - image: cimg/base:stable
    steps:
      - run:
          name: Trigger Radar Scan
          command: |
            curl -s -X POST \
              https://api.bytehide.com/v1/radar/projects/$RADAR_PROJECT_ID/scans \
              -H "Authorization: Bearer $RADAR_TOKEN" \
              -H "Content-Type: application/json" \
              -d "{\"branch\": \"$CIRCLE_BRANCH\"}"

Best Practices

Scan every pull request to catch issues before merging
Start with relaxed gates, tighten over time as your team resolves existing issues
Store scan results as build artifacts for audit trails
Configure notifications (Slack or email) when critical findings are detected
Use branch-specific scanning to give developers feedback on their changes
Avoid blocking on legacy findings by checking only new findings if your codebase has existing issues

Automatic Scanning

If your repository is connected via the GitHub integration, pushes and PRs already trigger automatic scans. CI/CD integration adds build gating and custom workflows beyond what automatic scanning offers.

CI/CD Integration

Why Integrate with CI/CD

GitHub Actions

Setting Up Secrets

Quality Gates

Other CI/CD Platforms

GitLab CI

Azure DevOps

Jenkins

CircleCI

Best Practices

Next Steps

API Reference

GitHub Integration

Project Settings