CI/CD Integration
Cybrium integrates with your CI/CD pipeline to enforce scan policies: the `cyscan` CLI fails the build (exits non-zero) when findings exceed the configured threshold, so the pipeline can block a PR merge when critical vulnerabilities are found. Scan results can also be uploaded as a report so findings show up alongside the PR or merge request.
GitHub Action
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by upload-sarif to write to the Security tab
    steps:
      - uses: actions/checkout@v4
      - name: Install cyscan
        run: |
          # The release asset is named after the target triple; uname -m yields the
          # same architecture string (e.g. x86_64), so no rewriting is needed.
          curl -sL "https://github.com/cybrium-ai/cyscan/releases/latest/download/cyscan_$(uname -m)-unknown-linux-gnu.tar.gz" | tar -xzf - --strip-components=1
          chmod +x cyscan
      - name: Security scan
        # --fail-on critical makes this step (and the job) fail on any critical finding.
        # The SARIF file is still written because the redirect happens before cyscan exits.
        run: ./cyscan scan . --format sarif --fail-on critical > results.sarif
      - name: Upload SARIF
        if: always()   # upload even when the scan step failed the build
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two things to check before relying on this workflow as a merge gate. First, `releases/latest/download` is a moving target: for a reproducible pipeline, pin the release tag (and verify a checksum or signature if the release publishes one) so that a compromised or changed release cannot silently alter what your gate runs. Second, make the `scan` job a required status check in the repository's branch protection rules; without that, a failed scan is visible on the PR but does not actually prevent the merge.
Scan Policies
Create a policy in Settings → Scan Policies that defines:
| Setting | Description |
|---|---|
| `fail_on_critical` | Any critical finding fails the build |
| `fail_on_high` | Any high finding fails the build |
| `max_critical` | Maximum critical findings allowed (0 = none) |
| `max_high` | Maximum high findings allowed (-1 = unlimited) |
| `blocked_cwes` | Specific CWE IDs that always fail the build, regardless of severity counts (e.g., CWE-89, CWE-79) |
Policy Gate API
For programmatic evaluation of a completed scan against the configured policy:

```bash
curl -X POST https://app.cybrium.ai/api/scans/ci/gate/ \
  -H "Content-Type: application/json" \
  -d '{"api_key": "YOUR_KEY", "scan_id": "SCAN_UUID"}'
```

Returns:

- `200` — PASS (safe to merge)
- `422` — FAIL (policy violation, block the PR)

Keep `YOUR_KEY` out of the pipeline definition: store it as a CI secret and inject it through an environment variable at runtime. Note also that `curl` exits 0 on a `422` response unless you pass `--fail` or inspect the status code yourself, so a bare `curl` call in a CI step will not block the PR on its own.
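The following script is an added example of wrapping the gate call so that a CI step actually fails on a policy violation; it is not part of Cybrium's own tooling. It assumes only the endpoint, request body and status codes documented above. The variable names `CYBRIUM_API_KEY`, `SCAN_ID` and `CYBRIUM_GATE_URL` are assumptions of this example, not names the product defines.

```shell
#!/bin/sh
# Added example (not Cybrium's own code): turn the Policy Gate API response
# into a CI exit status. Assumes CYBRIUM_API_KEY and SCAN_ID are provided by
# the CI environment (the key as a secret), and CYBRIUM_GATE_URL optionally
# overrides the documented endpoint. All three names are this example's own.
set -u

GATE_URL="${CYBRIUM_GATE_URL:-https://app.cybrium.ai/api/scans/ci/gate/}"

# Map the gate's HTTP status to a verdict and an exit code:
#   0 = PASS (200), 1 = FAIL / policy violation (422),
#   2 = anything else (auth or server error, or curl's 000 on a network
#       failure). Unknown responses also block the merge, but are reported
#       separately so an outage is not mistaken for a clean scan.
gate_verdict() {
  case "$1" in
    200) echo "PASS: no policy violation, safe to merge"; return 0 ;;
    422) echo "FAIL: policy violation, block the PR"; return 1 ;;
    *)   echo "ERROR: unexpected gate response (HTTP $1), blocking"; return 2 ;;
  esac
}

# Build the documented JSON body. The values are CI-controlled (a secret and a
# UUID), so a quoted printf is sufficient here; use jq if either could contain
# quotes or backslashes.
gate_body() {
  printf '{"api_key": "%s", "scan_id": "%s"}' "$1" "$2"
}

# Call the gate and print only the HTTP status code:
#   -s silences progress, -o /dev/null discards the body,
#   -w '%{http_code}' writes the status (000 if the request never completed).
gate_status() {
  curl -s -o /dev/null -w '%{http_code}' \
    -X POST "$GATE_URL" \
    -H "Content-Type: application/json" \
    -d "$(gate_body "$1" "$2")"
}

main() {
  status="$(gate_status "$CYBRIUM_API_KEY" "$SCAN_ID")"
  gate_verdict "$status"
}

# Only perform the live call when the CI environment supplies both inputs;
# otherwise the file can be sourced for its functions without side effects.
if [ -n "${CYBRIUM_API_KEY:-}" ] && [ -n "${SCAN_ID:-}" ]; then
  main
fi
```

In a pipeline step, run the script after the scan has been submitted and the scan UUID is known; the job fails on exit code 1 (policy violation) or 2 (gate unreachable or misconfigured), and both cases block the merge.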
GitLab CI
```yaml
security_scan:
  image: rust:latest   # any image with curl and tar works; the binary is prebuilt
  script:
    - curl -sL https://github.com/cybrium-ai/cyscan/releases/latest/download/cyscan_x86_64-unknown-linux-gnu.tar.gz | tar -xzf - --strip-components=1
    # Redirect to results.json so the file referenced under artifacts actually exists.
    - ./cyscan scan . --format json --fail-on critical > results.json
  artifacts:
    when: always   # keep the report when --fail-on critical fails the job
    reports:
      sast: results.json
```

As with the GitHub Action, pin the release rather than `latest` for a reproducible gate, and configure the merge request so the `security_scan` job must pass before merging. GitLab validates `artifacts:reports:sast` against its own SAST report schema and drops reports that do not match; if the scanner's JSON output is not in that format, publish it with `artifacts:paths` instead so the results are still retained.