CI/CD Integration
Block secrets and unprotected code from reaching production. Pretense integrates with any CI system that runs shell commands.
CI scan modes
The pretense scan command has two modes designed for CI pipelines.
pretense scan ci
Full repository scan. Scans all tracked files against the .pretense.yaml config. Designed for CI pipelines with machine-readable output.
Flags
| Flag | Description |
|---|---|
| --format <fmt> | Output format: text, json, sarif, csv (default: text) |
| --output <file> | Write results to file instead of stdout |
| --severity <lvl> | Minimum severity to report: low, medium, high, critical |
| --exit-code | Exit with code 2 if any findings match the severity threshold |
| --baseline <file> | Ignore findings present in a baseline SARIF file |
pretense scan commit-range <from>..<to>
Scan only files changed between two commits. Useful for incremental CI on pull requests where a full scan is too slow.
Flags
| Flag | Description |
|---|---|
| --format <fmt> | Output format: text, json, sarif (default: text) |
| --exit-code | Exit with code 2 if secrets are found in the changed files |
GitHub Actions
Add a Pretense scan step to your GitHub Actions workflow. Results appear in the Security tab when you upload SARIF output.
```yaml
name: Pretense Scan
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
jobs:
  pretense-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # Required for SARIF upload
    steps:
      - uses: actions/checkout@v4
      - name: Install Pretense
        run: curl -fsSL https://pretense.ai/install.sh | sh
      - name: Scan for secrets
        run: pretense scan ci --format sarif --output results.sarif
        continue-on-error: true
      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
      - name: Fail on critical findings
        run: pretense scan ci --severity critical --exit-code
```
The security-events: write permission is required to upload SARIF results to GitHub Advanced Security. This works on public repos and on GitHub Enterprise with Advanced Security enabled.
GitLab CI
Add Pretense to your .gitlab-ci.yml. Output is formatted as a GitLab Code Quality report for merge request integration.
```yaml
pretense-scan:
  stage: test
  image: node:20-slim
  before_script:
    - curl -fsSL https://pretense.ai/install.sh | sh
  script:
    - pretense scan ci --format json --output gl-code-quality-report.json
    - pretense scan ci --severity critical --exit-code
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
    paths:
      - gl-code-quality-report.json
    when: always
  rules:
    - if: $CI_MERGE_REQUEST_ID
```
SARIF output
SARIF (Static Analysis Results Interchange Format) is the standard for security tool output. Pretense generates SARIF 2.1.0 compatible with GitHub Advanced Security, Azure DevOps, and other SARIF consumers.
```json
{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {
        "name": "Pretense",
        "version": "0.6.0",
        "rules": [{
          "id": "PRETENSE-001",
          "shortDescription": { "text": "API key detected" },
          "defaultConfiguration": { "level": "error" }
        }]
      }
    },
    "results": [{
      "ruleId": "PRETENSE-001",
      "level": "error",
      "message": { "text": "AWS access key detected in source" },
      "locations": [{
        "physicalLocation": {
          "artifactLocation": { "uri": "src/config.ts" },
          "region": { "startLine": 42, "startColumn": 15 }
        }
      }]
    }]
  }]
}
```
SARIF output includes:
- Rule definitions for each secret pattern Pretense detects
- Precise file locations (line and column) for every finding
- Severity levels mapped to SARIF error/warning/note
- Fingerprints for stable deduplication across runs
Other CI systems
Pretense works with any CI system that can run shell commands: Jenkins, CircleCI, Buildkite, Azure Pipelines, and more. The pattern is the same everywhere.
```sh
# 1. Install
curl -fsSL https://pretense.ai/install.sh | sh
# 2. Scan (exit code 2 = secrets found)
pretense scan ci --severity high --exit-code
# 3. Optional: export results
pretense scan ci --format json --output pretense-results.json
```
| Exit code | Meaning |
|---|---|
| 0 | No findings above the severity threshold |
| 1 | General error (bad config, missing files, etc.) |
| 2 | Findings detected above the severity threshold |
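The SARIF section above describes fingerprints and a `--baseline` option for suppressing known findings, and this table fixes the exit-code convention. The following script, added here as an illustration and not part of Pretense, shows what a CI gate built on those two ideas looks like: it reads SARIF, applies a minimum SARIF level, drops results whose fingerprint already appears in a baseline log, and returns 0, 1 or 2 exactly as the table defines. The `partialFingerprints` key name, the `PRETENSE-002`/`PRETENSE-003` rule ids and the sample findings are constructed for the demo; the level ordering note < warning < error is the generic SARIF one, not Pretense's severity-to-level mapping.

```python
"""Added example: gate a CI job on Pretense SARIF output with a severity
threshold and a baseline, returning the exit-code convention from the page.
Generic script, not part of Pretense; fingerprint field names and sample
findings below are constructed for the demo."""
import json
import sys

# SARIF result levels in ascending order of severity.
SARIF_LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}

# Exit-code convention from the documentation table.
EXIT_CLEAN, EXIT_ERROR, EXIT_FINDINGS = 0, 1, 2


def finding_key(result):
    """Stable identity for a result. Prefer SARIF fingerprints (which survive
    line shifts); fall back to rule id plus physical location."""
    fps = result.get("fingerprints") or result.get("partialFingerprints")
    if fps:
        return ("fp",) + tuple(sorted(fps.items()))
    loc = result["locations"][0]["physicalLocation"]
    region = loc.get("region", {})
    return ("loc", result["ruleId"], loc["artifactLocation"]["uri"],
            region.get("startLine"), region.get("startColumn"))


def iter_results(sarif):
    """Yield every result across all runs in a SARIF log."""
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def new_findings(current, baseline=None, min_level="warning"):
    """Results in `current` at or above `min_level` that are not in `baseline`."""
    threshold = SARIF_LEVEL_RANK[min_level]
    known = {finding_key(r) for r in iter_results(baseline)} if baseline else set()
    return [
        r for r in iter_results(current)
        if SARIF_LEVEL_RANK.get(r.get("level", "warning"), 1) >= threshold
        and finding_key(r) not in known
    ]


def gate(current, baseline=None, min_level="warning"):
    """Print new findings and return 0 (clean) or 2 (findings)."""
    findings = new_findings(current, baseline, min_level)
    for r in findings:
        loc = r["locations"][0]["physicalLocation"]
        line = loc.get("region", {}).get("startLine", "?")
        print(f"{r['level']}: {loc['artifactLocation']['uri']}:{line} "
              f"{r['message']['text']} [{r['ruleId']}]")
    return EXIT_FINDINGS if findings else EXIT_CLEAN


def gate_files(current_path, baseline_path=None, min_level="warning"):
    """File-based wrapper; unreadable or malformed input is exit code 1."""
    try:
        with open(current_path, encoding="utf-8") as f:
            current = json.load(f)
        baseline = None
        if baseline_path:
            with open(baseline_path, encoding="utf-8") as f:
                baseline = json.load(f)
    except (OSError, ValueError) as exc:
        print(f"error: cannot load SARIF input: {exc}", file=sys.stderr)
        return EXIT_ERROR
    return gate(current, baseline, min_level)


def _result(rule, level, uri, line, text, fp):
    """Build a minimal SARIF result (constructed sample data)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "partialFingerprints": {"primaryLocationLineHash": fp},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line, "startColumn": 1}}}]}


# Constructed sample logs. The baseline holds the config.ts key at line 40;
# the current scan finds it at line 42 (same fingerprint) plus two new results.
BASELINE_SARIF = {"version": "2.1.0", "runs": [{"results": [
    _result("PRETENSE-001", "error", "src/config.ts", 40,
            "AWS access key detected in source", "fp-config-ts-key"),
]}]}
CURRENT_SARIF = {"version": "2.1.0", "runs": [{"results": [
    _result("PRETENSE-001", "error", "src/config.ts", 42,
            "AWS access key detected in source", "fp-config-ts-key"),
    _result("PRETENSE-002", "warning", "scripts/deploy.sh", 7,
            "Generic API token detected", "fp-deploy-token"),
    _result("PRETENSE-003", "note", "README.md", 12,
            "Example credential in documentation", "fp-readme-note"),
]}]}

if __name__ == "__main__":
    # usage: python gate.py results.sarif [baseline.sarif] [min_level]
    args = sys.argv[1:]
    sys.exit(gate_files(args[0], args[1] if len(args) > 1 else None,
                        args[2] if len(args) > 2 else "warning"))
```

Run as `python gate.py results.sarif baseline.sarif error` after the scan step; with the constructed data, the config.ts key is suppressed by its fingerprint even though it moved two lines, the deploy.sh token is reported, the README note falls below the threshold, and the job exits 2. Keying on fingerprints rather than file and line is what makes a committed baseline stay useful as code above a finding is edited.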
Next steps
Your CI pipeline is now protected. Here is where to go deeper.