Skip to main content
Integrate Indie Security into your CI/CD pipeline for continuous security testing on every deployment.

Overview

Automated Scans

Trigger security assessments on every deployment.

Pipeline Gates

Block deployments with critical vulnerabilities.

PR Comments

Security findings posted to pull requests.

Reports

Automatic report generation per build.

Quick Start

# Install CLI
npm install -g @indiesecurity/cli

# Authenticate
indiesec auth login

# Run scan
indiesec scan --target target_123 --wait

GitHub Actions

1

Add Secret

Add your API key to GitHub Secrets:SettingsSecretsActionsNew repository secret
  • Name: INDIE_SECURITY_API_KEY
  • Value: is_live_xxxxxxxxxxxxx
2

Create Workflow

Create .github/workflows/security.yml:
name: Security Assessment

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      
      - name: Run Indie Security Scan
        uses: indiesecurity/github-action@v1
        with:
          api-key: ${{ secrets.INDIE_SECURITY_API_KEY }}
          target-id: target_123
          mode: quick
          fail-on: critical,high
      
      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: security-report.pdf
3

Configure Settings

Customize the action:
OptionDescriptionDefault
modequick, standard, deepquick
fail-onSeverities that fail the buildcritical
waitWait for scan completiontrue
timeoutMax wait time (minutes)30

GitLab CI

# .gitlab-ci.yml

stages:
  - test
  - security
  - deploy

security-scan:
  stage: security
  image: indiesecurity/cli:latest
  script:
    - indiesec auth login --api-key $INDIE_SECURITY_API_KEY
    - indiesec scan --target target_123 --mode quick --wait
    - indiesec report --format junit --output security-results.xml
  artifacts:
    reports:
      junit: security-results.xml
    paths:
      - security-report.pdf
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

Jenkins

// Jenkinsfile

pipeline {
    agent any
    
    environment {
        INDIE_SECURITY_API_KEY = credentials('indie-security-api-key')
    }
    
    stages {
        stage('Security Scan') {
            steps {
                sh '''
                    npm install -g @indiesecurity/cli
                    indiesec auth login --api-key $INDIE_SECURITY_API_KEY
                    indiesec scan --target target_123 --mode quick --wait
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'security-report.pdf'
                    junit 'security-results.xml'
                }
            }
        }
    }
    
    post {
        failure {
            slackSend channel: '#security', 
                      message: "Security scan failed: ${env.BUILD_URL}"
        }
    }
}

CLI Reference

# Login with API key
indiesec auth login --api-key is_live_xxx

# Check auth status
indiesec auth status

# Logout
indiesec auth logout

# Start scan and wait
indiesec scan --target target_123 --wait

# Quick scan without waiting
indiesec scan --target target_123 --mode quick --no-wait

# Deep scan with custom timeout
indiesec scan --target target_123 --mode deep --timeout 120

# Scan specific URL (creates temporary target)
indiesec scan --url https://staging.example.com

# Generate PDF report
indiesec report --target target_123 --format pdf

# Generate JUnit XML for CI
indiesec report --format junit --output results.xml

# Get JSON for processing
indiesec report --format json --output results.json

# Check scan status
indiesec check --scan scan_456

# Fail if critical issues exist
indiesec check --target target_123 --fail-on critical

# Exit code interpretation:
# 0 = no issues at specified severity
# 1 = issues found at specified severity
# 2 = error running command

Configuration File

Create .indiesec.yml in your repository: 
# .indiesec.yml
target: target_123
mode: quick
fail-on:
  - critical
  - high
timeout: 30
report:
  format: pdf
  path: ./security-report.pdf
notifications:
  slack:
    webhook: $SLACK_WEBHOOK_URL
    on: [failure, critical]

Pipeline Gates

Block deployments based on security findings: 
# Only block on critical findings
fail-on: critical
Most strict—only critical vulnerabilities stop deployment.

Best Practices

  • Run deep scans on staging before production release
  • Run quick scans on production for continuous monitoring
  • Use stricter gates for production deployments
Post findings as PR comments:
- name: Comment on PR
  uses: indiesecurity/pr-comment-action@v1
  if: github.event_name == 'pull_request'
Run security scans in parallel with other tests:
jobs:
  tests:
    # ... unit tests, etc.
  
  security:
    # ... security scan
    # runs in parallel

Next Steps

API Reference

Build custom integrations with the REST API.

Reports

Customize automated report generation.