Provider Setup

Step-by-step guides for integrating BeDefended code review with each CI/CD provider.

GitHub Actions

Prerequisites

  • Repository on GitHub (public or private)
  • BeDefended API key (bd_sk_...)

Step 1: Store API Key

  1. Go to Settings -> Secrets and variables -> Actions
  2. Click New repository secret
  3. Name: BD_API_KEY
  4. Value: your bd_sk_... key

Step 2: Create Workflow

Create .github/workflows/code-review.yml:

name: BeDefended Code Review

on:
  pull_request:
    types: [opened, synchronize, reopened]
  push:
    branches: [main]

permissions:
  contents: read
  pull-requests: write
  security-events: write

jobs:
  code-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: bedefended/code-review-action@v1
        with:
          api-key: ${{ secrets.BD_API_KEY }}
          fail-on: high
          sarif-upload: true
          pr-comments: true

Step 3: (Optional) Add Config

Create .bedefended.yml in your repo root to customize scanning. See Configuration.

Step 4: Verify

  1. Open a PR with a known vulnerability (e.g., SQL injection)
  2. Check the Actions tab for the workflow run
  3. Check the Security tab for SARIF alerts
  4. Check PR comments for inline findings

GitHub Action Inputs

Input         Default          Description
api-key       -                BeDefended API key (required)
mode          diff             diff (PR only) or full (all files)
quality-gate  standard         strict / standard / permissive
fail-on       high             critical / high / medium / none
config-file   .bedefended.yml  Config file path
sarif-upload  true             Upload to Security tab
pr-comments   true             Post inline comments

GitHub Action Outputs

Output          Description
findings-count  Total findings
critical-count  Critical findings
high-count      High findings
quality-gate    pass or fail
sarif-file      Path to SARIF file
review-url      Dashboard URL
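The outputs above are most useful when a later step reads them. The workflow below is an added example, not code from the BeDefended project or its action: it runs the action with fail-on set to none so the step itself never fails, then enforces a policy of its own in a follow-up step and keeps the SARIF file as a build artifact. The step id review, the use of actions/upload-artifact, and the assumption that the action still populates its outputs when fail-on is none are mine; the input and output names are the ones listed in the tables above.

```yaml
name: BeDefended Code Review (custom gate)

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write
  security-events: write

jobs:
  code-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # fail-on: none lets the action report without failing this step,
      # so the outputs are available to the steps that follow (assumed).
      - id: review
        uses: bedefended/code-review-action@v1
        with:
          api-key: ${{ secrets.BD_API_KEY }}
          mode: diff
          quality-gate: strict
          fail-on: none
          sarif-upload: true
          pr-comments: true

      # Keep the SARIF file with the run; sarif-file is assumed to be a
      # path inside the checked-out workspace.
      - uses: actions/upload-artifact@v4
        with:
          name: bedefended-sarif
          path: ${{ steps.review.outputs.sarif-file }}

      # Write the counts to the job summary, then apply our own policy:
      # any critical finding or a failed quality gate fails the job.
      - name: Enforce policy
        env:
          CRITICAL: ${{ steps.review.outputs.critical-count }}
          HIGH: ${{ steps.review.outputs.high-count }}
          GATE: ${{ steps.review.outputs.quality-gate }}
          URL: ${{ steps.review.outputs.review-url }}
        run: |
          {
            echo "## BeDefended review"
            echo "- critical: $CRITICAL"
            echo "- high: $HIGH"
            echo "- quality gate: $GATE"
            echo "- dashboard: $URL"
          } >> "$GITHUB_STEP_SUMMARY"
          if [ "${CRITICAL:-0}" -gt 0 ] || [ "$GATE" = "fail" ]; then
            echo "::error::BeDefended policy not met (critical=$CRITICAL, gate=$GATE)"
            exit 1
          fi
```

Reading the counts through env rather than interpolating ${{ }} directly into the shell script keeps the values out of the command text, which is the usual precaution for any expression whose content you do not control.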

GitLab CI

Prerequisites

  • Repository on GitLab (SaaS or self-managed)
  • BeDefended API key (bd_sk_...)

Step 1: Store API Key

  1. Go to Settings -> CI/CD -> Variables
  2. Click Add variable
  3. Key: BD_API_KEY
  4. Value: your bd_sk_... key
  5. Check Mask variable

Step 2: Include Template

Add to your .gitlab-ci.yml:

include:
  - remote: 'https://raw.githubusercontent.com/bedefended/bd-app/main/ci/gitlab/.bedefended-ci.yml'

Step 3: (Optional) Override Variables

variables:
  BD_MODE: "full"        # "diff" (default) or "full"
  BD_FAIL_ON: "medium"   # "critical", "high" (default), "medium", "none"

Step 4: Verify

  1. Create a merge request
  2. Check the pipeline for the bedefended-code-review job
  3. Check the Code Quality widget on the merge request
  4. Download artifacts for detailed results

GitLab Artifacts

The template produces two report artifacts:

Artifact                     Format               Purpose
gl-code-quality-report.json  GitLab Code Quality  MR widget
gl-sast-report.json          SARIF 2.1.0          Security dashboard

Azure DevOps

Prerequisites

  • Repository connected to Azure DevOps
  • GitHub service connection (for template reference)
  • BeDefended API key (bd_sk_...)

Step 1: Store API Key

  1. Go to Pipelines -> select your pipeline -> Edit
  2. Click Variables -> New variable
  3. Name: BD_API_KEY
  4. Value: your bd_sk_... key
  5. Check Keep this value secret

Step 2: Create Pipeline

Create azure-pipelines.yml:

trigger:
  branches:
    include: [main]

pr:
  branches:
    include: [main]

resources:
  repositories:
    - repository: bedefended
      type: github
      name: bedefended/bd-app
      endpoint: github-connection   # Your GitHub service connection

extends:
  template: ci/azure/bedefended-review.yml@bedefended
  parameters:
    failOn: 'high'
    mode: 'diff'
    sarifUpload: true

Step 3: Create GitHub Service Connection

  1. Project settings -> Service connections -> New
  2. Type: GitHub
  3. Name: github-connection
  4. Auth: GitHub App or PAT

Step 4: Verify

  1. Create a pull request
  2. Check the pipeline run
  3. Download the SARIF artifact from Build Artifacts
  4. Check PR threads for inline comments

SAST-Only Mode (No API Key)

For teams that only need local SAST scanning without AI enrichment:

# Run SAST scan
docker run --rm -v $(pwd):/work ghcr.io/bedefended/bd-sast:latest \
  bd-review scan --output /work/sast-results.json

# Generate SARIF
docker run --rm -v $(pwd):/work ghcr.io/bedefended/bd-sast:latest \
  bd-review sarif -i /work/sast-results.json -o /work/results.sarif

# Quality gate
docker run --rm -v $(pwd):/work ghcr.io/bedefended/bd-sast:latest \
  bd-review gate -i /work/sast-results.json --fail-on high

No API key needed. The Docker image and SAST tools are free and open. AI enrichment requires a BeDefended subscription.
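The three commands above can run as a CI job without the action or an API key. The workflow below is an added example, not code from the BeDefended project: it runs scan, SARIF conversion and the quality gate in the same Docker image, and uploads the SARIF file to the GitHub Security tab with GitHub's own upload-sarif action (github/codeql-action/upload-sarif, not part of the BeDefended image). It assumes bd-review gate exits non-zero when the gate fails, which is what makes the last step fail the job; the upload runs before the gate so findings are visible even when the gate fails.

```yaml
name: BeDefended SAST (no API key)

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required by upload-sarif

jobs:
  sast:
    runs-on: ubuntu-latest
    env:
      BD_IMAGE: ghcr.io/bedefended/bd-sast:latest
    steps:
      - uses: actions/checkout@v4

      # Local SAST scan; the workspace is mounted at /work inside the image.
      - name: Scan
        run: |
          docker run --rm -v "$PWD":/work "$BD_IMAGE" \
            bd-review scan --output /work/sast-results.json

      # Convert the JSON results to SARIF for the Security tab.
      - name: Generate SARIF
        run: |
          docker run --rm -v "$PWD":/work "$BD_IMAGE" \
            bd-review sarif -i /work/sast-results.json -o /work/results.sarif

      # Upload before gating so findings are recorded even on a failed gate.
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      # Fail the job on high or critical findings (assumed: non-zero exit).
      - name: Quality gate
        run: |
          docker run --rm -v "$PWD":/work "$BD_IMAGE" \
            bd-review gate -i /work/sast-results.json --fail-on high
```

Pinning BD_IMAGE to a digest instead of latest is the usual hardening step once the pipeline works, so the scanner itself cannot change underneath the gate.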