# CI/CD

Run `av sast scan` in your pipeline and let its exit code gate the build: `--fail-on red` exits non-zero when the worst finding is RED; `--fail-on yellow` also fails on YELLOW.
## The pattern

Every pipeline integration is the same three steps:

- Install the CLI with the one-line installer.
- Run `av sast scan --fail-on red --format json` over the checked-out source.
- Keep the JSON output as a build artifact.
```bash
av sast scan --path . --fail-on red --format json > sast.json
```

The scan runs entirely on the build agent: the scan series is auto-downloaded on first use (pinned and checksum-verified) and runs as separate processes. Your source code never leaves the machine, and a local-only scan needs no AlertaVuln login or API key.

The gate itself is `--fail-on`:
| Value | Behaviour |
|---|---|
| `red` | Exit non-zero if the worst finding is RED |
| `yellow` | Exit non-zero if the worst finding is YELLOW or RED |
| `none` | Never fail the build on findings (default) |

`--format json` writes machine-readable findings to stdout; status messages go to stderr, so redirecting stdout captures clean JSON even when the gate trips.
## Exit codes

| Code | Meaning |
|---|---|
| 0 | Scan completed and no finding is at or above the `--fail-on` tier |
| 1 | Scan failed, or at least one finding is at or above the `--fail-on` tier |
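Because exit code 1 covers both a tripped gate and a scan that did not complete, a pipeline that wants to report the two differently has to look at the captured stdout. The POSIX sh wrapper below is an added example, not part of the AlertaVuln docs or CLI: it keeps the JSON artifact and classifies the run, assuming `python3` is on the agent and that an aborted scan does not leave a well-formed JSON document on stdout (the page states only that findings go to stdout and status text to stderr).

```shell
#!/bin/sh
# run_gate OUTFILE CMD [ARGS...]
# Runs CMD with stdout captured in OUTFILE (the build artifact) and prints one word:
#   pass  - CMD exited 0: no finding at or above the --fail-on tier
#   fail  - CMD exited non-zero and OUTFILE is parseable JSON: the gate tripped on findings
#   error - CMD exited non-zero and OUTFILE is not JSON: the scan itself did not complete
# Returns CMD's own exit code, so the pipeline step still fails whenever the scan does.
# Assumption (not stated on the page): an aborted scan emits no well-formed JSON on stdout.
run_gate() {
  out=$1
  shift
  "$@" > "$out"          # status messages stay on stderr and reach the build log as usual
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo pass
  elif python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$out" 2>/dev/null; then
    echo fail
  else
    echo error
  fi
  return "$rc"
}

# Typical use in a pipeline step (commented out so the file can be sourced as-is):
#   verdict=$(run_gate sast.json av sast scan --path . --fail-on red --format json) || true
#   echo "SAST gate: $verdict"
#   [ "$verdict" = pass ] || exit 1
```

The `|| true` in the usage line keeps `set -e` shells from aborting before the verdict is logged; the explicit `exit 1` afterwards restores the gate.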
## Pipeline examples

GitHub Actions:

```yaml
name: SAST gate
on: [pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install AlertaVuln CLI
        run: |
          curl -fsSL https://get.alertavuln.com/cli/install.sh | sh
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - name: Scan and gate
        run: av sast scan --path . --fail-on red --format json > sast.json
      - name: Upload findings
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: sast-findings
          path: sast.json
```

Azure Pipelines:

```yaml
trigger:
  branches:
    include:
      - main
pool:
  vmImage: ubuntu-latest
steps:
  - checkout: self
  - script: |
      curl -fsSL https://get.alertavuln.com/cli/install.sh | sh
      echo "##vso[task.prependpath]$HOME/.local/bin"
    displayName: Install AlertaVuln CLI
  - script: av sast scan --path . --fail-on red --format json > $(Build.ArtifactStagingDirectory)/sast.json
    displayName: Scan and gate
  - task: PublishBuildArtifacts@1
    condition: always()
    inputs:
      pathToPublish: $(Build.ArtifactStagingDirectory)/sast.json
      artifactName: sast-findings
```

## Scoping the gate
Every scan runs the full scan series (insecure code patterns, hard-coded secrets, and infrastructure-as-code checks) in a single pass, so one gate covers everything the series detects. To focus the gate, adjust the two knobs the scan exposes: point `--path` at the directory you want to gate, and pick the tier that should fail the build with `--fail-on`:

```bash
av sast scan --path services/api --fail-on red
```

## See also
- `av sast scan` - every flag, default, and exit code
- MCP server - query findings from your editor and agents
- Install the CLI - installer options and supported platforms