CI/CD Pipeline

Integrate Azath into your CI/CD pipeline for automated secret scanning on every build.


GitHub Actions

Create .github/workflows/secrets.yml:

name: Secret Scan

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install Azath
        uses: azathsh/azath-action@v1
      
      - name: Scan for secrets
        run: azath scan-all --strict

With Cloud Sync (Pro/Enterprise)

- name: Scan with Cloud Sync
  uses: azathsh/azath-action@v1
  with:
    api-key: ${{ secrets.AZATH_API_KEY }}
    project-id: ${{ github.repository }}

GitLab CI

Add to your .gitlab-ci.yml:

secret-scan:
  stage: test
  image: alpine:latest
  before_script:
    - apk add --no-cache curl
    - curl -sSL https://azath.sh/install.sh | sh
    - export PATH="$HOME/.local/bin:$PATH"
  script:
    - azath scan-all --strict
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == "main"'

CircleCI

Add to your .circleci/config.yml:

version: 2.1

jobs:
  secret-scan:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: Install Azath
          command: curl -sSL https://azath.sh/install.sh | sh
      - run:
          name: Scan for secrets
          command: ~/.local/bin/azath scan-all --strict

workflows:
  security:
    jobs:
      - secret-scan

Azure DevOps

Add to your pipeline:

trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - script: |
      curl -sSL https://azath.sh/install.sh | sh
      export PATH="$HOME/.local/bin:$PATH"
      azath scan-all --strict
    displayName: 'Secret Scan'

Jenkins

Add to your Jenkinsfile:

pipeline {
    agent any
    
    stages {
        stage('Secret Scan') {
            steps {
                sh '''
                    curl -sSL https://azath.sh/install.sh | sh
                    export PATH="$HOME/.local/bin:$PATH"
                    azath scan-all --strict
                '''
            }
        }
    }
}

Security Best Practices

  • Fail on secrets — Always pass the --strict flag in CI so the job fails (and the merge is blocked) when a secret is found
  • Full history — Set fetch-depth: 0 on actions/checkout (the default is a shallow clone of one commit) so the whole git history is scanned, including secrets that were committed and later removed
  • Require status checks — Mark the scan job as a required status check in branch protection so merges are blocked until it passes
  • Scheduled scans — Run weekly deep scans to catch secrets already present in the repository, not only those introduced by new commits
  • SARIF output — Upload results to the GitHub Security tab so findings are tracked alongside other code-scanning alerts
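The workflow below is an added example, not code from the Azath project or its documentation, that applies the practices above together in one GitHub Actions job: a full-history checkout, a weekly scheduled run, least-privilege permissions for uploading code-scanning results, and a SARIF upload step that runs even when the scan fails the job. The install action and `azath scan-all --strict` are taken from the GitHub Actions section above; the cron time and the SARIF output flags on the scan step are assumptions (this page does not document how Azath emits SARIF), and are marked as such in comments.

```yaml
name: Secret Scan (hardened)

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  schedule:
    # Weekly deep scan, Mondays 03:00 UTC (assumed schedule; adjust as needed)
    - cron: '0 3 * * 1'

# Least privilege: read the repository, write only code-scanning results
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The default is a shallow clone of one commit; 0 fetches the full
          # history so secrets committed and later removed are still found
          fetch-depth: 0

      - name: Install Azath
        uses: azathsh/azath-action@v1

      - name: Scan for secrets
        # --strict makes this step, and therefore the required status check,
        # fail when a secret is found.
        # ASSUMPTION: the --format/--output flags are placeholders; this page
        # does not show Azath's SARIF option, so replace them with the
        # documented option for your Azath version.
        run: azath scan-all --strict --format sarif --output azath.sarif

      - name: Upload SARIF to the Security tab
        # always(): upload findings even though --strict failed the scan step
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: azath.sarif
```

Pair this with branch protection that lists the `scan` job as a required status check; the `if: always()` on the upload step matters because without it a failing `--strict` scan would skip the upload and the findings would never reach the Security tab.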

Configuration File

Commit a .azath.yml to your repository:

# Ignore test directories
exclude:
  - "**/test/**"
  - "**/tests/**"
  - "**/testdata/**"

# Allowlist test credentials
allowlist:
  - "sk-example-key"
  - "test-token-12345"

# Output for CI
output:
  format: "table"
  color: "never"