
CI/CD Secure Code Review

Automated security analysis on every pull request. SAST scanning + AI-powered enrichment integrated directly into your existing CI/CD pipeline.

How It Works

graph TB
    A["Developer pushes code<br/>PR / Merge Request"] --> B["CI Runner<br/>(GitHub Actions / GitLab CI / Azure)"]
    B --> C["bd-sast Docker container<br/>semgrep, bandit, gosec, brakeman,<br/>gitleaks, trufflehog, trivy"]
    C --> D["SAST Results<br/>(sast-results.json)"]
    D --> E{"BeDefended API<br/>api.bedefended.com"}
    E -->|Essentials| F["Normalize + SARIF"]
    E -->|Professional| G["Claude AI Analysis<br/>taint flow, remediation"]
    E -->|Enterprise| H["Claude + Codex<br/>dual-engine verify"]
    F --> I["PR Comments +<br/>Security Tab +<br/>Quality Gate"]
    G --> I
    H --> I

    style A fill:#4a148c,color:#fff
    style B fill:#6a1b9a,color:#fff
    style C fill:#7b1fa2,color:#fff
    style E fill:#0277bd,color:#fff
    style G fill:#00838f,color:#fff
    style H fill:#00695c,color:#fff
    style I fill:#2e7d32,color:#fff

Key Features

| Feature | Essentials | Professional | Enterprise |
|---|---|---|---|
| SAST scanning (7 tools) | Yes | Yes | Yes |
| SARIF export (GitHub Security tab) | Yes | Yes | Yes |
| PR inline comments | Yes | Yes | Yes |
| Quality gate (pass/fail) | Yes | Yes | Yes |
| GitLab Code Quality widget | Yes | Yes | Yes |
| AI taint flow analysis | - | Yes | Yes |
| AI remediation + suggested fixes | - | Yes | Yes |
| Dual-engine verification (Claude + Codex) | - | - | Yes |
| Pentest cross-reference | - | - | Yes |
| Priority support | - | Yes | Yes |

Quick Setup (5 minutes)

GitHub Actions

# .github/workflows/code-review.yml
name: Code Review
on: [pull_request]
# Least-privilege token: security-events for the SARIF upload, pull-requests for inline comments
permissions:
  contents: read
  pull-requests: write
  security-events: write

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # gitleaks scans commit history, which the default shallow clone (depth 1) does not contain
          fetch-depth: 0
      # Pin third-party actions to a full commit SHA in production; a tag such as v1 can be moved
      - uses: bedefended/code-review-action@v1
        with:
          # GitHub does not pass repository secrets to pull_request runs from forks, so the key is empty there
          api-key: ${{ secrets.BD_API_KEY }}
          fail-on: high
          sarif-upload: true
          pr-comments: true

GitLab CI

# .gitlab-ci.yml
include:
  # Pin to a release tag or commit instead of main so the pipeline definition cannot change underneath you
  - remote: 'https://raw.githubusercontent.com/bedefended/bd-app/main/ci/gitlab/.bedefended-ci.yml'

# Set BD_API_KEY as a masked (and protected) CI/CD variable in
# Settings > CI/CD > Variables

Azure DevOps

# azure-pipelines.yml
resources:
  repositories:
    - repository: bedefended
      type: github
      name: bedefended/bd-app
      # Without a ref this tracks the default branch; add ref: refs/tags/<version> for a reproducible pipeline
      endpoint: github-connection

extends:
  template: ci/azure/bedefended-review.yml@bedefended
  parameters:
    failOn: 'high'
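The middle of the pipeline above (raw tool output to sast-results.json, normalization to SARIF, then the pass/fail gate driven by `fail-on: high` / `failOn: 'high'`) can be reproduced locally to see what the quality gate actually decides on. The script below is an added example written for this page, not BeDefended's bd-review CLI or API: it folds findings from two of the bundled tools onto one severity scale, deduplicates them by location, writes a SARIF 2.1.0 file of the kind the GitHub Security tab accepts, and exits non-zero when anything at or above the threshold remains. The outer `{"semgrep": [...], "gitleaks": [...]}` wrapper, the semgrep-to-severity mapping and the sample findings are constructed assumptions; the per-tool field names follow semgrep's and gitleaks' own JSON report formats.

```python
"""Added example (not BeDefended's code): normalize raw SAST output, emit
SARIF 2.1.0 and apply a fail-on quality gate, the way a CI step would."""
from __future__ import annotations

import hashlib
import json
import sys
from dataclasses import dataclass

# One severity scale for every tool, ordered so the gate can compare them.
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed mapping of semgrep's own levels onto that scale.
SEMGREP_SEVERITY = {"INFO": "low", "WARNING": "medium", "ERROR": "high"}
# SARIF 2.1.0 result levels understood by the GitHub Security tab.
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: str
    message: str
    path: str
    line: int

    def fingerprint(self) -> str:
        # Stable across runs: tool, rule and location, deliberately not the message text.
        raw = f"{self.tool}|{self.rule_id}|{self.path}|{self.line}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def normalize(raw: dict) -> list[Finding]:
    """raw is {'semgrep': [semgrep results], 'gitleaks': [gitleaks report entries]}.
    The wrapper is this example's assumption; the inner field names are each tool's own."""
    findings: dict[str, Finding] = {}
    for r in raw.get("semgrep", []):
        f = Finding("semgrep", r["check_id"],
                    SEMGREP_SEVERITY.get(r["extra"]["severity"], "medium"),
                    r["extra"]["message"], r["path"], r["start"]["line"])
        findings.setdefault(f.fingerprint(), f)  # drop exact duplicates
    for r in raw.get("gitleaks", []):
        # A committed credential is blocking regardless of entropy, so it is always high.
        f = Finding("gitleaks", r["RuleID"], "high", r["Description"], r["File"], r["StartLine"])
        findings.setdefault(f.fingerprint(), f)
    return list(findings.values())


def to_sarif(findings: list[Finding]) -> dict:
    """One SARIF run per tool, rules declared in the driver, results pointing at them."""
    runs: dict[str, dict] = {}
    for f in findings:
        run = runs.setdefault(f.tool, {"tool": {"driver": {"name": f.tool, "rules": []}}, "results": []})
        rules = run["tool"]["driver"]["rules"]
        if all(rule["id"] != f.rule_id for rule in rules):
            rules.append({"id": f.rule_id, "shortDescription": {"text": f.message}})
        run["results"].append({
            "ruleId": f.rule_id,
            "level": SARIF_LEVEL[f.severity],
            "message": {"text": f.message},
            # Lets the Security tab match the same alert across pushes instead of re-opening it.
            "partialFingerprints": {"primaryLocationLineHash": f.fingerprint()},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f.path},
                "region": {"startLine": f.line}}}],
        })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0", "runs": list(runs.values())}


def quality_gate(findings: list[Finding], fail_on: str = "high") -> tuple[bool, list[Finding]]:
    """Pass only if nothing at or above fail_on remains; also return what blocked."""
    threshold = SEVERITY_ORDER[fail_on]
    blocking = [f for f in findings if SEVERITY_ORDER[f.severity] >= threshold]
    return not blocking, blocking


# Constructed sample standing in for sast-results.json (not real scan output).
SAMPLE_RESULTS = {
    "semgrep": [
        {"check_id": "python.lang.security.audit.subprocess-shell-true", "path": "app/run.py",
         "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "User input reaches subprocess with shell=True"}},
        {"check_id": "python.lang.security.audit.subprocess-shell-true", "path": "app/run.py",
         "start": {"line": 42},  # same finding reported twice, e.g. by two rulesets
         "extra": {"severity": "ERROR", "message": "User input reaches subprocess with shell=True"}},
        {"check_id": "python.flask.security.xss.direct-use-of-jinja2", "path": "app/views.py",
         "start": {"line": 17},
         "extra": {"severity": "WARNING", "message": "Template rendered from an unescaped string"}},
    ],
    "gitleaks": [
        {"RuleID": "aws-access-token", "Description": "AWS access key in source",
         "File": "config/settings.py", "StartLine": 3},
    ],
}


def main(fail_on: str = "high") -> int:
    findings = normalize(SAMPLE_RESULTS)
    with open("sast-results.sarif", "w") as fh:
        json.dump(to_sarif(findings), fh, indent=2)
    passed, blocking = quality_gate(findings, fail_on)
    for f in blocking:
        print(f"[{f.severity}] {f.tool}:{f.rule_id} {f.path}:{f.line}")
    return 0 if passed else 1  # non-zero exit is what fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "high"))
```

Run with `python gate.py high` (the default) and the job fails on the shell-injection finding and the leaked key; `python gate.py critical` lets the same results through, which is why `fail-on` is the setting to review rather than the scanner list. The fingerprint excludes the message text on purpose: a tool updating its wording must not make the Security tab re-open every alert.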

SAST Tools Included

The bd-sast Docker image (~800MB) includes:

| Tool | Language Coverage | Detection Focus |
|---|---|---|
| semgrep | Python, JS/TS, Go, Java, Ruby, PHP, C# | OWASP Top 10, injection, auth flaws |
| bandit | Python | Hardcoded secrets, eval(), SQL injection |
| gosec | Go | Integer overflow, unsafe pointer use, SQL injection, weak crypto |
| brakeman | Ruby / Rails | XSS, CSRF, mass assignment, command injection |
| gitleaks | Any (git history) | API keys, tokens, passwords in commits |
| trufflehog | Any (filesystem) | High-entropy secrets, verified credentials |
| trivy | Any (dependencies) | CVE scanning for npm, pip, go, maven, etc. |

Pricing

| Plan | Per Repo / Month | Scans / Month | AI Analysis | Dual Engine |
|---|---|---|---|---|
| Essentials | EUR 49 | 500 | - | - |
| Professional | EUR 149 | 2,000 | Claude | - |
| Enterprise | Custom | Unlimited | Claude + Codex | Yes |
| Bundle (CI + Pentest) | EUR 99 | 2,000 | Claude | - |

Bundle Discount

Clients with an active pentest engagement for the same repository get about 33% off the Professional tier (EUR 99 instead of EUR 149). Findings from CI/CD reviews are automatically cross-referenced with the black-box pentest results.

Documentation

| Page | Description |
|---|---|
| Architecture | System design, API gateway, AI engine, data flow |
| CLI Reference | bd-review commands: scan, submit, sarif, gate, comment |
| Configuration | .bedefended.yml options and quality gate presets |
| SARIF & Reporting | SARIF 2.1.0 mapping, GitLab Code Quality, PR comments |
| Provider Setup | Step-by-step for GitHub, GitLab, Azure DevOps |
| Client Onboarding | End-to-end client activation guide |
| API Reference | REST endpoints for CI/CD reviews |
| Cross-Reference | How CI findings correlate with pentest results |