CI/CD

Run av sast scan in your pipeline and let its exit code gate the build: --fail-on red exits non-zero when the worst finding is RED; --fail-on yellow also fails on YELLOW.

Every pipeline integration is the same three steps:

  1. Install the CLI with the one-line installer.
  2. Run av sast scan --fail-on red --format json over the checked-out source.
  3. Keep the JSON output as a build artifact.
    av sast scan --path . --fail-on red --format json > sast.json

The scan runs entirely on the build agent: the scan series is downloaded automatically on first use (pinned and checksum-verified) and runs as separate processes. Your source code never leaves the machine, and a local-only scan needs no AlertaVuln login or API key.

The gate itself is --fail-on:

  Value    Behaviour
  red      Exit non-zero if the worst finding is RED
  yellow   Exit non-zero if the worst finding is YELLOW or RED
  none     Never fail the build on findings (default)

--format json writes machine-readable findings to stdout; status messages go to stderr, so redirecting stdout captures clean JSON even when the gate trips.

  Exit code   Meaning
  0           Scan completed and no finding is at or above the --fail-on tier
  1           Scan failed, or at least one finding is at or above the --fail-on tier
.github/workflows/sast.yml

    name: SAST gate
    on: [pull_request]
    jobs:
      sast:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - name: Install AlertaVuln CLI
            run: |
              curl -fsSL https://get.alertavuln.com/cli/install.sh | sh
              echo "$HOME/.local/bin" >> "$GITHUB_PATH"
          - name: Scan and gate
            run: av sast scan --path . --fail-on red --format json > sast.json
          - name: Upload findings
            if: always()
            uses: actions/upload-artifact@v4
            with:
              name: sast-findings
              path: sast.json
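Because exit code 1 covers both "scan failed" and "a finding reached the --fail-on tier", a pipeline that only checks the exit code cannot tell a broken scanner from a real gate failure. The wrapper below is an added example, not part of the AlertaVuln CLI or its docs: it runs the scan, always writes the JSON artifact so the `if: always()` upload step has something to keep, and treats empty or unparsable stdout on exit 1 as a tooling failure (an assumption; the page only states that --format json writes findings to stdout and status messages to stderr).

```python
"""Added example (not AlertaVuln code): CI wrapper around `av sast scan` that
keeps the JSON artifact when the gate trips and separates a scan error
from a finding-gate failure."""
import json
import subprocess
import sys
from pathlib import Path

PYTHON = sys.executable  # exposed so a test can spawn a stand-in for `av`

PASS = "pass"                # exit 0: nothing at or above the --fail-on tier
GATE_FAILED = "gate-failed"  # exit 1 plus a JSON report: findings tripped the gate
SCAN_ERROR = "scan-error"    # exit 1 without a JSON report: the scan itself failed


def classify(exit_code: int, stdout: str) -> str:
    """Interpret the CLI exit code together with what it wrote to stdout.

    Exit code 1 means either "scan failed" or "finding at or above the tier".
    Assumption: a scan that completed with --format json always leaves a
    parsable JSON document on stdout, so empty/unparsable stdout means the
    scan broke rather than the gate tripping.
    """
    if exit_code == 0:
        return PASS
    try:
        json.loads(stdout)
    except json.JSONDecodeError:
        return SCAN_ERROR
    return GATE_FAILED


def run_gate(cmd: list[str], artifact: str) -> tuple[str, int]:
    """Run the scan command, persist its stdout as the artifact, classify."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    # Status messages arrive on stderr; forward them into the job log.
    sys.stderr.write(proc.stderr)
    # Write the artifact unconditionally so the `if: always()` upload step
    # finds a file even when the gate failed or the scan errored out.
    Path(artifact).write_text(proc.stdout)
    return classify(proc.returncode, proc.stdout), proc.returncode


if __name__ == "__main__":
    outcome, code = run_gate(
        ["av", "sast", "scan", "--path", ".", "--fail-on", "red", "--format", "json"],
        "sast.json",
    )
    print(f"sast gate: {outcome} (av exit code {code})", file=sys.stderr)
    sys.exit(0 if outcome == PASS else 1)
```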

Every scan runs the full scan series (insecure code patterns, hard-coded secrets, and infrastructure-as-code checks) in a single pass, so one gate covers everything the series detects. To focus the gate, adjust the two knobs the scan exposes: point --path at the directory you want to gate, and pick the tier that should fail the build with --fail-on:

    av sast scan --path services/api --fail-on red