CI/CD Integration
Integrate Primus Security into your CI/CD pipelines for automated scanning on every commit.
Install the CLI
dotnet tool install -g PrimusSaaS.Security.Cli
primus-scan --version # 2.4.9
GitHub Actions — Recommended workflow
# .github/workflows/security-scan.yml
name: Primus Security Scan
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: 10.0.x
- name: Install primus-scan CLI
run: dotnet tool install -g PrimusSaaS.Security.Cli
- name: Run security scan
run: |
primus-scan ./src \
--sarif results.sarif \
--no-fail
- name: Upload SARIF to GitHub Advanced Security
uses: github/codeql-action/upload-sarif@v3.28.13
if: always()
with:
sarif_file: results.sarif
continue-on-error: true
- name: Upload SARIF artifact
uses: actions/upload-artifact@v4
if: always()
with:
name: security-sarif
path: results.sarif
Fail the build on Critical findings
- name: Run security scan (gate enforced)
run: |
primus-scan ./src \
--max-critical 0 \
--max-high 5 \
--sarif results.sarif
# Exits 1 if gate fails — blocks the build
Azure DevOps
# azure-pipelines.yml
trigger:
- main
- develop
pool:
vmImage: ubuntu-latest
steps:
- task: UseDotNet@2
inputs:
version: 10.0.x
- script: dotnet tool install -g PrimusSaaS.Security.Cli
displayName: Install primus-scan
- script: |
primus-scan $(Build.SourcesDirectory)/src \
--sarif $(Build.ArtifactStagingDirectory)/results.sarif \
--no-fail
displayName: Run Primus Security Scan
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: $(Build.ArtifactStagingDirectory)/results.sarif
artifactName: SecurityResults
Pre-commit hook — block secrets
#!/bin/sh
# .git/hooks/pre-commit
echo "Running secret detection..."
primus-scan . --no-sast --no-deps --max-critical 0 --quiet
if [ $? -ne 0 ]; then
echo "Secrets detected. Commit blocked."
exit 1
fi
echo "Clean."
CLI reference
| Flag | Default | Description |
|---|---|---|
<path> | required | Directory or .sln to scan |
--sarif <file> | — | Write SARIF 2.1.0 output |
--json <file> | — | Write full findings as JSON |
--html <file> | — | Write full 11-section HTML report |
--pdf <file> | — | Write PDF report |
--csv <file> | — | Write CSV findings export |
--owasp <file> | — | Write OWASP Top 10 2021 compliance JSON |
--compliance <file> | — | Write all-frameworks compliance scores JSON |
--max-critical <n> | 0 | Gate: max Critical allowed |
--max-high <n> | 0 | Gate: max High allowed |
--no-fail | false | Exit 0 even when gate fails |
--no-sast | false | Skip Roslyn static analysis |
--no-secrets | false | Skip secret detection |
--no-deps | false | Skip CVE scanning |
--duplication | false | Enable code duplication detection |
--baseline <file> | — | Suppress pre-existing findings (new code only) |
--save-baseline <file> | — | Save current result as baseline |
--quiet | false | Suppress progress output |
--verbose | false | Show debug output + suppression details |
Exit codes
| Code | Meaning |
|---|---|
| 0 | Quality gate passed (or --no-fail set) |
| 1 | Quality gate failed |
| 2 | Usage error (bad arguments) |
| 3 | Scan error (path not found) |
Next Steps
| Want to... | See |
|---|---|
| Upload to GitHub Security tab | SARIF Export |
| Configure quality gate thresholds | Quality Gate |
| Generate HTML report | Enterprise Reporting |
| Use in VS Code | VS Code Extension |