# CI/CD Integration
Integrate Primus Security into your CI/CD pipelines for automated security scanning on every commit.
## GitHub Actions

### Basic Workflow

```yaml
# .github/workflows/security-scan.yml
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - name: Restore dependencies
        run: dotnet restore

      - name: Run Security Scan
        run: |
          dotnet run --project tools/PrimusSecurityScanner -- \
            --scan ./src \
            --db data/cve-database.db \
            --output security-report.json

      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.json
```
### Fail on Critical Findings

Replace the scan step with one that exits non-zero on any critical finding, or when more than five high-severity findings are reported:

```yaml
      - name: Run Security Scan
        run: |
          dotnet run --project tools/PrimusSecurityScanner -- \
            --scan ./src \
            --fail-on-critical \
            --max-high 5
```
### Generate HTML Report

```yaml
      - name: Generate HTML Report
        run: |
          dotnet run --project tools/PrimusSecurityScanner -- \
            --scan ./src \
            --format html \
            --output security-report.html

      - name: Upload HTML Report
        uses: actions/upload-artifact@v4
        with:
          name: security-report-html
          path: security-report.html
```
## Azure DevOps

```yaml
# azure-pipelines.yml
trigger:
  - main
  - develop

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: UseDotNet@2
    inputs:
      version: '8.0.x'

  - script: dotnet restore
    displayName: 'Restore dependencies'

  - script: |
      dotnet run --project tools/PrimusSecurityScanner -- \
        --scan ./src \
        --db data/cve-database.db \
        --output $(Build.ArtifactStagingDirectory)/security-report.json
    displayName: 'Run Security Scan'

  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)/security-report.json'
      artifactName: 'SecurityReport'
```
## Pre-Commit Hook

Block commits that contain secrets. The hook fails closed: a policy violation (exit code 1) blocks the commit, and so does a scanner configuration or scan error, so a broken scanner cannot silently let secrets through:

```sh
#!/bin/sh
# .git/hooks/pre-commit
echo "Running security scan..."
dotnet run --project tools/PrimusSecurityScanner -- \
  --scan . \
  --secrets-only \
  --fail-on-secrets
status=$?
if [ "$status" -eq 1 ]; then
  echo "Secrets detected! Commit blocked."
  exit 1
elif [ "$status" -ne 0 ]; then
  echo "Security scan did not complete (exit code $status). Commit blocked."
  exit "$status"
fi
echo "No secrets found."
```
## PowerShell Script

Use the included PowerShell script for comprehensive scans:

```powershell
# Run full security scan with markdown report
./scripts/Run-SecurityScan.ps1 -ScanPath "./src" -GenerateReport

# Quick secrets-only scan
./scripts/Run-SecurityScan.ps1 -SecretsOnly
```
## CLI Options

| Option | Description |
|---|---|
| `--scan <path>` | Path to scan |
| `--db <path>` | CVE database path |
| `--output <file>` | Output file path |
| `--format <fmt>` | Report format: `json`, `html`, `pdf` |
| `--fail-on-critical` | Exit 1 on critical findings |
| `--fail-on-secrets` | Exit 1 on any secrets |
| `--max-high <n>` | Maximum number of high-severity findings allowed |
| `--secrets-only` | Only scan for secrets |
## Exit Codes
| Code | Meaning |
|---|---|
| 0 | Scan passed |
| 1 | Policy violation (findings exceed thresholds) |
| 2 | Configuration error |
| 3 | Scan error |
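The basic workflow above has a gap once you add `--fail-on-critical`: a failing scan step stops the job, so the report upload never runs and the findings that caused the failure are not published. The following GitHub Actions job is an added example, not part of the Primus Security project, that maps each exit code in the table to a workflow annotation and uploads the JSON report whether or not the gate passes. It assumes the same `tools/PrimusSecurityScanner` project layout and flags shown on this page.

```yaml
# Added example: security gate that still publishes the report on failure.
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'

      - run: dotnet restore

      - name: Run Security Scan
        id: scan
        run: |
          # GitHub runs `run` steps with `bash -e`; disable it so the
          # exit code can be captured instead of aborting the step early.
          set +e
          dotnet run --project tools/PrimusSecurityScanner -- \
            --scan ./src \
            --db data/cve-database.db \
            --fail-on-critical \
            --max-high 5 \
            --output security-report.json
          status=$?
          # Expose the code to later steps as a step output.
          echo "status=$status" >> "$GITHUB_OUTPUT"
          case "$status" in
            0) echo "Scan passed" ;;
            1) echo "::error::Policy violation: findings exceed thresholds" ;;
            2) echo "::error::Scanner configuration error" ;;
            3) echo "::error::Scan error" ;;
            *) echo "::error::Unexpected scanner exit code $status" ;;
          esac
          exit "$status"

      - name: Upload Report
        # `always()` runs this step even after the gate above failed,
        # so reviewers can inspect the findings behind a blocked build.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.json
```

Exit codes 2 and 3 still fail the build: a scanner that could not run should not be mistaken for a clean scan.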
## Next Steps
| Want to... | See Guide |
|---|---|
| Generate compliance reports | Enterprise Reporting |
| Configure policies | Policy Engine |
| View supported ecosystems | Supported Ecosystems |