Skip to main content
Version: Current

CI/CD Integration

Integrate Primus Security into your CI/CD pipelines for automated scanning on every commit.


Install the CLI

dotnet tool install -g PrimusSaaS.Security.Cli
primus-scan --version # 2.4.9

# .github/workflows/security-scan.yml
name: Primus Security Scan

on:
push:
branches: [main, develop]
pull_request:
branches: [main]

jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: 10.0.x

- name: Install primus-scan CLI
run: dotnet tool install -g PrimusSaaS.Security.Cli

- name: Run security scan
run: |
primus-scan ./src \
--sarif results.sarif \
--no-fail

- name: Upload SARIF to GitHub Advanced Security
uses: github/codeql-action/upload-sarif@v3.28.13
if: always()
with:
sarif_file: results.sarif
continue-on-error: true

- name: Upload SARIF artifact
uses: actions/upload-artifact@v4
if: always()
with:
name: security-sarif
path: results.sarif

Fail the build on Critical findings

      - name: Run security scan (gate enforced)
run: |
primus-scan ./src \
--max-critical 0 \
--max-high 5 \
--sarif results.sarif
# Exits 1 if gate fails — blocks the build

Azure DevOps

# azure-pipelines.yml
trigger:
- main
- develop

pool:
vmImage: ubuntu-latest

steps:
- task: UseDotNet@2
inputs:
version: 10.0.x

- script: dotnet tool install -g PrimusSaaS.Security.Cli
displayName: Install primus-scan

- script: |
primus-scan $(Build.SourcesDirectory)/src \
--sarif $(Build.ArtifactStagingDirectory)/results.sarif \
--no-fail
displayName: Run Primus Security Scan

- task: PublishBuildArtifacts@1
inputs:
pathToPublish: $(Build.ArtifactStagingDirectory)/results.sarif
artifactName: SecurityResults

Pre-commit hook — block secrets

#!/bin/sh
# .git/hooks/pre-commit
echo "Running secret detection..."
primus-scan . --no-sast --no-deps --max-critical 0 --quiet
if [ $? -ne 0 ]; then
echo "Secrets detected. Commit blocked."
exit 1
fi
echo "Clean."

CLI reference

FlagDefaultDescription
<path>requiredDirectory or .sln to scan
--sarif <file>Write SARIF 2.1.0 output
--json <file>Write full findings as JSON
--html <file>Write full 11-section HTML report
--pdf <file>Write PDF report
--csv <file>Write CSV findings export
--owasp <file>Write OWASP Top 10 2021 compliance JSON
--compliance <file>Write all-frameworks compliance scores JSON
--max-critical <n>0Gate: max Critical allowed
--max-high <n>0Gate: max High allowed
--no-failfalseExit 0 even when gate fails
--no-sastfalseSkip Roslyn static analysis
--no-secretsfalseSkip secret detection
--no-depsfalseSkip CVE scanning
--duplicationfalseEnable code duplication detection
--baseline <file>Suppress pre-existing findings (new code only)
--save-baseline <file>Save current result as baseline
--quietfalseSuppress progress output
--verbosefalseShow debug output + suppression details

Exit codes

CodeMeaning
0Quality gate passed (or --no-fail set)
1Quality gate failed
2Usage error (bad arguments)
3Scan error (path not found)

Next Steps

Want to...See
Upload to GitHub Security tabSARIF Export
Configure quality gate thresholdsQuality Gate
Generate HTML reportEnterprise Reporting
Use in VS CodeVS Code Extension