codesecure-cicd 1.0.29

CodeSecure CI/CD Templates and Integration

CodeSecure CI/CD Integrations (codesecure-cicd)

The codesecure-cicd package provides automated security scanning integration for CI/CD pipelines with quality gates, PR decoration, baseline comparison, and security scoring.

🎯 Headless Runner & Docker

CodeSecure CI/CD is primarily distributed as a production-grade Docker image. This multi-stage image bundles all 9 security scanners and the CodeSecure platform into a single, self-contained environment.

• Registry: gcr.io/codesecure-479807/codesecure
• Scanners Included: Semgrep, Bandit, Checkov, Detect-Secrets, Syft (SBOM), npm-audit, pip-audit, pip-licenses, and Grype (SCA).

🔒 Licensing & Beta Access

CodeSecure CI/CD is currently in Beta and is free to use.

• Beta Mode: No token required. Free access to all scanning features.
• Post-Beta: A valid CODESECURE_TOKEN will be required for licensed use.
• Enterprise: Custom on-premise deployments or air-gapped images available.

📦 Installation & Usage

🐋 Docker (Recommended)

This is the fastest and most reliable way to run scans in CI/CD without managing dependencies.

docker run --rm -v $(pwd):/workspace \
  -e GOOGLE_API_KEY=${GOOGLE_API_KEY} \
  gcr.io/codesecure-479807/codesecure:1.0.23 \
  scan /workspace --format sarif,html --output reports

🐍 Python (Development)

uv pip install codesecure-cicd

🔌 Pipeline Templates

Integration	Template	Deployment Method
GitHub Actions	templates/github-action.yml	Docker Container (ghcr.io/gcr.io)
GitLab CI	templates/gitlab-ci.yml	Docker Image (gcr.io)
Azure Pipelines	templates/azure-pipelines.yml	Docker Container (gcr.io)
GitHub Public	templates/github/codesecure-public.yml	Docker Container
GitHub Private	templates/github/codesecure-private.yml	Docker Container

🛠️ Quick Start (GitHub Actions)

jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: gcr.io/codesecure-479807/codesecure:1.0.23
      env:
        CODESECURE_TOKEN: ${{ secrets.CODESECURE_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - run: codesecure scan . --fail-on critical,high

🧠 AI Enriched Reports: CodeSecure natively injects AI Findings directly into SARIF and Markdown exports. False positives are tagged in the properties bag to prevent alert fatigue, and AI Remediation steps are embedded in the markdown field to render seamlessly in the GitHub PR/GitLab MR interfaces!

⚙️ Configuration

Place .codesecure.yml at your repository root:

scanners:
  enabled: [semgrep, bandit, checkov, detect-secrets, pip-audit]

quality_gate:
  fail_on: [critical, high]
  max_total: 50
  new_only: true
  baseline: .codesecure-baseline.json
  min_score: B

ai:
  enabled: true
  provider: google
  fp_detection: true
  remediation: true

reports:
  formats: [sarif, html, json, markdown]

📁 Package Structure

packages/cicd/
├── src/codesecure_cicd/
│   ├── __init__.py          # Package exports
│   ├── quality_gate.py      # Quality gate evaluation
│   ├── baseline.py          # Baseline comparison engine
│   ├── security_score.py    # A–F score calculator
│   ├── pr_decorator.py      # PR comment generator
│   ├── license_gate.py      # Beta/Licensed mode gate
│   └── runner.py            # Headless CI runner
├── templates/
│   ├── github-action.yml    # Advanced GitHub workflow
│   ├── gitlab-ci.yml        # GitLab CI pipeline
│   ├── azure-pipelines.yml  # Azure DevOps pipeline
│   └── github/
│       ├── codesecure-public.yml
│       └── codesecure-private.yml
├── Dockerfile               # Production multi-stage build
├── entrypoint.sh            # License check + CLI bridge
├── pyproject.toml
└── README.md