Automate zero-knowledge code scanning at every push, PR, and scheduled interval. Block insecure code before it reaches production with rulesets enforced directly from your dashboard.
Four stages from commit to report. No source code persists after the scan.
A push, pull request, or scheduled cron fires the CI/CD workflow. The pipeline runner installs the Kedgr CLI in seconds.
The repository is cloned into the CI runner. The CLI packages your code and sends it to the Kedgr scan engine.
Project-bound rulesets run against the codebase. Heuristics, secret detection, and pattern analysis execute in isolated memory.
Results stream back — warnings, errors, and line-level findings. The pipeline passes or fails based on your configured thresholds.
The @kedgr/cli package must be available in your CI environment. Install it globally or as a dev dependency.
Generate a CI/CD-scoped API key from your dashboard Settings. Store it as a secret in your CI provider — never commit it.
Bind your scan to a dashboard project. The project's active rulesets become the single source of truth for every pipeline run.
The most common setup. Add to any GitHub repository.
Navigate to Settings → Secrets and variables → Actions and add these repository secrets:
KEDGR_API_KEY: the API key generated from your Kedgr dashboard settings.
KEDGR_PROJECT_ID: the project ID from your Kedgr dashboard.
Create .github/workflows/kedgr-scan.yml in your repository:
```yaml
name: Kedgr Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 9 * * 1' # Every Monday at 9am (GitHub Actions cron runs in UTC)

jobs:
  kedgr_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 20

      - name: Install Kedgr CLI
        run: npm install -g @kedgr/cli

      - name: Run Security Scan
        env:
          KEDGR_API_KEY: ${{ secrets.KEDGR_API_KEY }}
        run: kedgr scan . --project-id ${{ secrets.KEDGR_PROJECT_ID }}

      - name: Upload Scan Results
        if: always() # upload the report even when the scan step fails
        uses: actions/upload-artifact@v4
        with:
          name: kedgr-results
          path: .kedgr/results.json
```

Push to a watched branch or open a pull request. The workflow runs automatically. Results appear in the Actions tab and stream to your Kedgr dashboard under Pipeline Logs. If errors exceed your threshold, the pipeline fails and blocks the merge.
For GitLab SaaS and self-hosted instances.
Go to Settings → CI/CD → Variables and add:
KEDGR_API_KEY: your Kedgr API key, stored as a protected and masked variable.
KEDGR_PROJECT_ID: your Kedgr project identifier.
```yaml
# .gitlab-ci.yml
stages:
  - scan

kedgr_security_scan:
  stage: scan
  image: node:20
  before_script:
    - npm install -g @kedgr/cli
  script:
    - kedgr scan . --project-id $KEDGR_PROJECT_ID
  artifacts:
    when: always
    paths:
      - .kedgr/results.json
    expire_in: 30 days
  only:
    - main
    - develop
    - merge_requests
```

For Bitbucket Cloud repositories.
Go to Repository Settings → Pipelines → Repository Variables and add KEDGR_API_KEY and KEDGR_PROJECT_ID.
```yaml
# bitbucket-pipelines.yml
image: node:20

pipelines:
  branches:
    main:
      - step:
          name: Kedgr Security Scan
          deployment: production
          script:
            - npm install -g @kedgr/cli
            - kedgr scan . --project-id $KEDGR_PROJECT_ID
          artifacts:
            - .kedgr/results.json
  pull-requests:
    '**':
      - step:
          name: Kedgr PR Security Check
          script:
            - npm install -g @kedgr/cli
            - kedgr scan . --project-id $KEDGR_PROJECT_ID
```

Jenkins, CircleCI, Travis CI, Buildkite, or custom scripts.
The Kedgr CLI works with any CI system that can run Node.js. Install the CLI, set the two environment variables (KEDGR_API_KEY and KEDGR_PROJECT_ID), and call the scan command. The CLI exits with a non-zero code when errors are found, so the pipeline fails automatically.
```bash
#!/bin/bash
# Generic CI/CD script — works with any CI provider
set -eu

echo "=== Kedgr Security Scan ==="

# Install Kedgr CLI
npm install -g @kedgr/cli

# Run scan with project binding. The CLI exits non-zero when errors are
# found; capture that status instead of letting `set -e` abort the script
# before the results are parsed and reported.
mkdir -p .kedgr
SCAN_EXIT=0
kedgr scan . \
  --project-id "${KEDGR_PROJECT_ID}" \
  --format json \
  --output .kedgr/results.json || SCAN_EXIT=$?

# Parse results
ERRORS=$(jq '.errors' .kedgr/results.json)
WARNINGS=$(jq '.warnings' .kedgr/results.json)
echo "Errors: $ERRORS"
echo "Warnings: $WARNINGS"

# Fail pipeline if errors were found (or the CLI itself reported failure)
if [ "$ERRORS" -gt 0 ] || [ "$SCAN_EXIT" -ne 0 ]; then
  echo "=== SECURITY ISSUES DETECTED ==="
  exit 1
fi

echo "=== Scan Passed ==="
exit 0
```

Zero warnings and zero errors. The scan found no violations against your active rulesets. Exit code 0.
Non-blocking issues found. Review the flagged code but the pipeline continues. Exit code 0 by default.
Blocking violations found. The pipeline fails and the PR cannot merge until issues are resolved. Exit code 1.
All results are available in your dashboard under Pipeline Logs for historical review and team visibility.
Generate separate API keys for production, staging, and development pipelines. This limits blast radius if a key is compromised and gives you per-environment audit trails in the dashboard.
Verify KEDGR_API_KEY is set and not expired. Generate a new key from Settings if needed.
Confirm KEDGR_PROJECT_ID matches the project in your dashboard. IDs are case-sensitive.
Ensure your CI runner has outbound HTTPS access to the Kedgr API. Check firewall rules.
Use Node.js 18+. Add a setup-node step before installing. Check your runner's npm registry access.
Add if: always() to your result upload step so it runs even when the scan fails.
Set a CI timeout for the job (GitHub Actions default is 360 min — set to 10 min for scans).
Generate your API key, bind your project, and add the workflow. First scan completes in under two minutes.