CI/CD Integration

Automate security scanning with GitHub Actions - scan on every commit, pull request, or scheduled build

Why Build-Time Scanning?

Shift-Left Security

Catch vulnerabilities before they reach production

Automated Compliance

Generate SBOMs and VEX reports automatically

PR Blocking

Optionally fail builds based on vulnerability severity

Shield Your Deployments

Protect your team's deployments by scanning every code build

Prerequisites

GitHub repository access

Prismor API key (Sign up → Profile → Generate API Key)

Basic understanding of GitHub Actions (optional - we'll guide you)

Quick Start: Basic Scan

Create a new file in your repository at .github/workflows/prismor-scan.yml and paste this configuration:

```yaml
name: Prismor Security Scan

on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'

      - name: Run Prismor Scan
        run: |
          pip install prismor
          prismor --repo ${{ github.repository }} --fullscan --action_id ${{ github.run_id }}
        env:
          PRISMOR_API_KEY: ${{ secrets.PRISMOR_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Setting Up GitHub Secrets

Never commit your API key directly in the workflow file. Always use GitHub Secrets for sensitive data.

  1. Navigate to your repository on GitHub
  2. Go to Settings → Secrets and variables → Actions
  3. Click "New repository secret"
  4. Set Name: PRISMOR_API_KEY
  5. Paste your API key from the Prismor Dashboard
  6. Click "Add secret"

Scan Types

Full Scan

Includes SBOM generation, vulnerability scanning, and secret detection

```bash
prismor --repo ${{ github.repository }} --fullscan --action_id ${{ github.run_id }}
```

Vulnerability Scanning Only

Scan for known vulnerabilities in dependencies

```bash
prismor --repo ${{ github.repository }} --scan --action_id ${{ github.run_id }}
```

SBOM Generation Only

Generate Software Bill of Materials for compliance

```bash
prismor --repo ${{ github.repository }} --sbom --action_id ${{ github.run_id }}
```

Secret Detection Only

Detect exposed API keys, tokens, and credentials

```bash
prismor --repo ${{ github.repository }} --detect-secret --action_id ${{ github.run_id }}
```

Custom Combination

Mix and match scan types as needed

```bash
prismor --repo ${{ github.repository }} --scan --sbom --action_id ${{ github.run_id }}
```

Advanced Configurations

Scan on Specific Branches

Run scans only on main and develop branches

```yaml
name: Prismor Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'

      - name: Run Prismor Scan
        run: |
          pip install prismor
          prismor --repo ${{ github.repository }} --fullscan --action_id ${{ github.run_id }}
        env:
          PRISMOR_API_KEY: ${{ secrets.PRISMOR_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Scheduled Scans

Run weekly security scans every Monday at 2 AM

```yaml
name: Scheduled Security Scan

on:
  schedule:
    - cron: '0 2 * * 1'  # Every Monday at 2 AM UTC

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'

      - name: Run Prismor Scan
        run: |
          pip install prismor
          prismor --repo ${{ github.repository }} --fullscan --action_id ${{ github.run_id }}
        env:
          PRISMOR_API_KEY: ${{ secrets.PRISMOR_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Upload Scan Results as Artifacts

Save SBOM and scan reports for later download. These two steps replace the "Run Prismor Scan" step in the workflows above; the scan output is redirected to scan-results.json and uploaded even if the scan step fails (if: always()).

```yaml
      - name: Run Prismor Scan
        run: |
          pip install prismor
          prismor --repo ${{ github.repository }} --fullscan --action_id ${{ github.run_id }} --json > scan-results.json
        env:
          PRISMOR_API_KEY: ${{ secrets.PRISMOR_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload Scan Results
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: prismor-scan-results
          path: |
            scan-results.json
            *-sbom.json
```

Complete Production Example

Full-featured workflow with artifact uploads, notifications, and failure handling

```yaml
name: Prismor Production Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * 1'  # Weekly on Monday 2 AM UTC

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'

      - name: Install Prismor
        run: pip install prismor

      - name: Run Security Scan
        id: scan
        run: |
          prismor --repo ${{ github.repository }} --fullscan --action_id ${{ github.run_id }} --json > scan-results.json
          echo "scan_complete=true" >> $GITHUB_OUTPUT
        env:
          PRISMOR_API_KEY: ${{ secrets.PRISMOR_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Let later steps (artifact upload, PR comment) run even if the scan fails;
        # the final step turns the recorded outcome back into a job failure.
        continue-on-error: true

      - name: Upload Scan Results
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: prismor-scan-${{ github.run_number }}
          path: |
            scan-results.json
            *-sbom.json
            *-vex.json
          retention-days: 90

      - name: Comment PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v6
        with:
          script: |
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: '🔒 **Prismor Security Scan Completed**\n\nView detailed results in your [Prismor Dashboard](https://prismor.dev/dashboard)'
            })

      - name: Check scan status
        if: steps.scan.outcome == 'failure'
        run: |
          echo "Security scan detected issues. Review the results in your Prismor Dashboard."
          exit 1
```
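The production workflow above only fails the job when the prismor command itself exits non-zero. The "PR Blocking" feature promised at the top of the page (fail builds based on vulnerability severity) needs a step that reads scan-results.json and applies a threshold. The script below is an added example, not Prismor's own code: it assumes the JSON written by --json has a top-level "vulnerabilities" list whose entries carry "id", "package" and "severity" keys (an assumption; adjust the key names to the real output), ranks severities, fails the step when any finding meets the threshold, and writes a Markdown table to $GITHUB_STEP_SUMMARY so the verdict is visible on the run page without opening the artifact. Unknown severity labels are deliberately treated as critical so a renamed or mistyped label cannot slip through the gate.

```python
"""Severity gate for Prismor JSON scan output (added example, not Prismor's code).

Assumed layout of scan-results.json (an assumption, adapt to the real output):
{"vulnerabilities": [{"id": "...", "package": "...", "severity": "critical|high|medium|low"}]}
"""
import json
import os
import sys

# Least to most severe; the list index is the rank used for threshold comparison.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def severity_rank(name):
    """Map a severity label to its rank. Unknown or missing labels rank as
    'critical' so that unexpected scanner output fails closed, not open."""
    label = (name or "").strip().lower()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else len(SEVERITY_ORDER) - 1


def count_by_severity(findings):
    """Count findings per (normalised) severity label."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for finding in findings:
        counts[SEVERITY_ORDER[severity_rank(finding.get("severity"))]] += 1
    return counts


def blocking_findings(findings, threshold):
    """Findings whose severity is at or above the threshold label."""
    min_rank = severity_rank(threshold)
    return [f for f in findings if severity_rank(f.get("severity")) >= min_rank]


def evaluate(results, threshold="high"):
    """Apply the gate to a parsed scan-results.json document."""
    findings = results.get("vulnerabilities", [])
    blockers = blocking_findings(findings, threshold)
    return {"counts": count_by_severity(findings), "blocking": blockers, "passed": not blockers}


def render_summary(verdict, threshold):
    """Markdown for $GITHUB_STEP_SUMMARY (most severe first)."""
    lines = ["### Prismor severity gate", "", "| Severity | Count |", "|---|---|"]
    for label in reversed(SEVERITY_ORDER):
        lines.append(f"| {label} | {verdict['counts'][label]} |")
    lines.append("")
    if verdict["passed"]:
        lines.append(f"No findings at or above `{threshold}`; gate passed.")
    else:
        lines.append(f"{len(verdict['blocking'])} finding(s) at or above `{threshold}`; gate failed:")
        for f in verdict["blocking"]:
            lines.append(f"- {f.get('id', '?')} in {f.get('package', '?')} ({f.get('severity', '?')})")
    return "\n".join(lines) + "\n"


def main(argv):
    """Usage: python prismor_gate.py [scan-results.json] [threshold]; exit 1 on failure."""
    path = argv[1] if len(argv) > 1 else "scan-results.json"
    threshold = argv[2] if len(argv) > 2 else "high"
    with open(path) as fh:
        results = json.load(fh)
    verdict = evaluate(results, threshold)
    summary = render_summary(verdict, threshold)
    print(summary)
    summary_file = os.environ.get("GITHUB_STEP_SUMMARY")  # set by the Actions runner
    if summary_file:
        with open(summary_file, "a") as fh:
            fh.write(summary)
    return 0 if verdict["passed"] else 1


# Constructed sample in the assumed layout so the gate can be exercised offline.
SAMPLE_RESULTS = {
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "package": "libexample", "severity": "critical"},
        {"id": "VULN-EXAMPLE-2", "package": "otherlib", "severity": "medium"},
        {"id": "VULN-EXAMPLE-3", "package": "thirdlib", "severity": "low"},
    ]
}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, commit the script to the repository and add a step after "Run Security Scan" that runs `python prismor_gate.py scan-results.json high`; because the scan step uses continue-on-error, keep the "Check scan status" step as well so a scan that never produced results still fails the job. Pass a different label as the second argument to tune the threshold per branch (for example `critical` on develop, `high` on main).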

Troubleshooting

API Key not found

Issue: Error message "PRISMOR_API_KEY not set"

Solution: Verify you've added PRISMOR_API_KEY to your repository secrets under Settings → Secrets and variables → Actions

Scan timeout

Issue: Scan takes too long and times out

Solution: Use async scanning or increase the timeout in your workflow with timeout-minutes: 30

Permission errors

Issue: "Permission denied" or "403 Forbidden"

Solution: Add a permissions block to your workflow (see the Complete Production Example) and ensure your API key is valid

Installation failures

Issue: "pip install prismor" fails

Solution: Ensure Python 3.x is installed and add the "Set up Python" step before installation

Best Practices

Run on Every PR

Get immediate feedback on security issues before merging

Schedule Weekly Scans

Catch new vulnerabilities in existing dependencies

Store Artifacts

Keep SBOM files for compliance and audit trails

Use Matrix Builds

Scan multiple branches or repositories in parallel