CI/CD Pipeline Integration
Run CBOM compliance checks directly in your CI/CD pipeline. Prevent quantum-vulnerable cryptography, weak algorithms, or policy violations from reaching production by failing builds at the source.

What It Does
The CI/CD integration acts as a policy gate in your build pipeline:
- Export CBOM at build time — Scan your application’s cryptographic dependencies during the build
- Assess against policy via API — Submit the CBOM to the platform for policy evaluation
- Fail pipeline if violations found — Block deployment when crypto policy violations are detected
This enables shift-left crypto compliance — catching issues when developers introduce them, not weeks later during a security audit.
Planned Platform Support
| Platform | Method | Status |
|---|---|---|
| GitHub Actions | Custom action (qcecuring/cbom-action) | 🔜 Coming Soon |
| GitLab CI | Docker image + CI template | 🔜 Coming Soon |
| Jenkins | Plugin + pipeline step | 🔜 Coming Soon |
| Azure DevOps | Marketplace extension | 🔜 Coming Soon |
How It Works
```text
┌──────────┐    ┌──────────────┐    ┌──────────────┐    ┌──────────┐
│  Build   │───▶│ CBOM Export  │───▶│ Policy Check │───▶│  Deploy  │
│  Stage   │    │ (scan deps)  │    │  (API call)  │    │  Stage   │
└──────────┘    └──────────────┘    └──────────────┘    └──────────┘
                                           │
                                           ▼ (if violations)
                                    ┌──────────────┐
                                    │  FAIL BUILD  │
                                    │  + Report    │
                                    └──────────────┘
```
Example: GitHub Actions (Planned)
```yaml
name: Crypto Compliance Check

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  cbom-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build Application
        run: ./gradlew build

      - name: CBOM Compliance Check
        uses: qcecuring/cbom-action@v1
        with:
          api-url: ${{ secrets.CBOM_API_URL }}
          api-key: ${{ secrets.CBOM_API_KEY }}
          policy: "NIST-PQC"
          fail-on-violation: true
          scan-path: "./build/libs"

      - name: Upload CBOM Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: cbom-report
          path: cbom-report.json
```
Example: GitLab CI (Planned)
```yaml
cbom-compliance:
  stage: test
  image: qcecuring/cbom-scanner:latest
  script:
    - cbom scan --path ./build --output cbom-report.json
    - cbom assess --report cbom-report.json --policy NIST-PQC --fail-on-violation
  artifacts:
    reports:
      cbom: cbom-report.json
  variables:
    CBOM_API_URL: $CBOM_API_URL
    CBOM_API_KEY: $CBOM_API_KEY
```
Example: Jenkins Pipeline (Planned)
```groovy
pipeline {
  agent any
  stages {
    stage('Build') {
      steps {
        sh './gradlew build'
      }
    }
    stage('CBOM Compliance') {
      steps {
        withCredentials([string(credentialsId: 'cbom-api-key', variable: 'CBOM_API_KEY')]) {
          sh '''
            cbom scan --path ./build/libs --output cbom-report.json
            cbom assess --report cbom-report.json \
              --api-url ${CBOM_API_URL} \
              --api-key ${CBOM_API_KEY} \
              --policy NIST-PQC \
              --fail-on-violation
          '''
        }
      }
    }
  }
  post {
    always {
      archiveArtifacts artifacts: 'cbom-report.json'
    }
  }
}
```
Configuration Options
| Option | Description | Default |
|---|---|---|
| api-url | CBOM platform API endpoint | Required |
| api-key | API authentication key | Required |
| policy | Policy name to evaluate against | "default" |
| fail-on-violation | Whether to fail the build on violations | true |
| scan-path | Path to scan for crypto artifacts | "." |
| severity-threshold | Minimum severity to trigger failure (CRITICAL, HIGH, MEDIUM, LOW) | "HIGH" |
| output-format | Report format (json, sarif, cyclonedx) | "json" |
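The policy-check stage and the `fail-on-violation` / `severity-threshold` options above, as an added example that is not part of this documentation and not the platform's own code or CLI: a small Python gate that reads a CycloneDX-style CBOM, matches each cryptographic asset against a rule set, decides whether the build should fail, and exits non-zero so the CI step fails. The rule set (modelled on the NIST-PQC findings shown on this page), the file paths, the library entry and the `make_asset` helper are constructed for the example; the field names `cryptoProperties`, `algorithmProperties.parameterSetIdentifier` and `evidence.occurrences[].location` are assumed to follow the CycloneDX 1.6 schema and are not output from the platform's scanner.

```python
"""Added example: a minimal CBOM policy gate for a CI step.
Assumptions (not from the page): CycloneDX 1.6-style JSON with
`cryptographic-asset` components; rules, paths and sample data are constructed."""
import json
import sys

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed NIST-PQC-style rules: (algorithm-name prefix, severity, remediation).
NIST_PQC_POLICY = [
    ("RSA", "HIGH", "Quantum-vulnerable. Migrate to ML-KEM-768"),
    ("ECDH", "HIGH", "Quantum-vulnerable. Migrate to ML-KEM-768"),
    ("ECDSA", "HIGH", "Quantum-vulnerable. Migrate to ML-DSA-65"),
    ("SHA-1", "MEDIUM", "Deprecated. Use SHA-256 or SHA-3"),
    ("3DES", "CRITICAL", "Prohibited. Use AES-256-GCM"),
    ("RC4", "CRITICAL", "Prohibited. Use AES-256-GCM"),
]
POLICIES = {"NIST-PQC": NIST_PQC_POLICY}


def make_asset(name, parameter_set=None, location="<unknown>"):
    """Build one constructed cryptographic-asset component (CycloneDX 1.6 shape assumed)."""
    return {
        "type": "cryptographic-asset",
        "name": name,
        "cryptoProperties": {
            "assetType": "algorithm",
            "algorithmProperties": {"parameterSetIdentifier": parameter_set},
        },
        "evidence": {"occurrences": [{"location": location}]},
    }


# Constructed CBOM: three policy violations, two compliant assets, one non-crypto library.
SAMPLE_CBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        make_asset("RSA", "2048", "/src/auth/jwt.config"),
        make_asset("SHA-1", None, "/lib/legacy-signer.jar"),
        make_asset("3DES", None, "/config/payment-gateway.yml"),
        make_asset("AES", "256-GCM", "/src/crypto/store.java"),
        make_asset("ML-KEM", "768", "/src/tls/kem.go"),
        {"type": "library", "name": "example-lib", "version": "1.0.0"},
    ],
}


def crypto_assets(cbom):
    """Yield (display name, first location) for each cryptographic-asset component."""
    for comp in cbom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        props = comp.get("cryptoProperties", {}).get("algorithmProperties", {})
        params = props.get("parameterSetIdentifier")
        name = comp.get("name", "")
        display = f"{name}-{params}" if params else name  # e.g. RSA + 2048 -> RSA-2048
        occurrences = comp.get("evidence", {}).get("occurrences") or [{}]
        yield display, occurrences[0].get("location", "<unknown>")


def assess(cbom, policy):
    """Match every asset against the rules (first matching rule wins); return (scanned, violations)."""
    scanned, violations = 0, []
    for display, location in crypto_assets(cbom):
        scanned += 1
        for prefix, severity, message in policy:
            if display.upper().startswith(prefix.upper()):
                violations.append({"asset": display, "location": location,
                                   "severity": severity, "message": message})
                break
    return scanned, violations


def should_fail(violations, severity_threshold="HIGH", fail_on_violation=True):
    """Gate decision mirroring the fail-on-violation and severity-threshold options."""
    if not fail_on_violation:
        return False  # report only, never block the build
    floor = SEVERITY_RANK[severity_threshold.upper()]
    return any(SEVERITY_RANK[v["severity"]] >= floor for v in violations)


def run_gate(cbom, policy="NIST-PQC", severity_threshold="HIGH", fail_on_violation=True):
    """Evaluate a CBOM and return the summary a CI step would report."""
    scanned, violations = assess(cbom, POLICIES[policy])
    failed = should_fail(violations, severity_threshold, fail_on_violation)
    return {"policy": policy, "assets_scanned": scanned,
            "violations": violations, "failed": failed}


if __name__ == "__main__":
    # Usage: python cbom_gate.py [cbom.json] [severity-threshold]; with no file, SAMPLE_CBOM is used.
    cbom = SAMPLE_CBOM
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            cbom = json.load(fh)
    result = run_gate(cbom, severity_threshold=sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["failed"] else 0)  # non-zero exit fails the CI step
```

Run against the constructed CBOM, the gate reports 5 assets scanned and 3 violations (RSA-2048, SHA-1, 3DES) and fails at the default HIGH threshold; raising the threshold to CRITICAL still fails because of 3DES, while `fail_on_violation=False` keeps the findings in the report but lets the build pass. Note that the non-crypto library component is skipped rather than counted, so "Assets Scanned" reflects cryptographic assets only.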
Pipeline Output
When violations are found, the action outputs a summary:
```text
╔══════════════════════════════════════════════════════════════╗
║ CBOM Policy Check: FAILED                                    ║
╠══════════════════════════════════════════════════════════════╣
║ Policy: NIST-PQC                                             ║
║ Assets Scanned: 47                                           ║
║ Violations: 3                                                ║
╠══════════════════════════════════════════════════════════════╣
║ ❌ RSA-2048 key in /src/auth/jwt.config                     ║
║   → Quantum-vulnerable. Migrate to ML-KEM-768                ║
║ ❌ SHA-1 signature in /lib/legacy-signer.jar                ║
║   → Deprecated. Use SHA-256 or SHA-3                         ║
║ ❌ 3DES cipher in /config/payment-gateway.yml               ║
║   → Prohibited. Use AES-256-GCM                              ║
╚══════════════════════════════════════════════════════════════╝
```
Use Cases
- Shift-left crypto compliance — Catch quantum-vulnerable algorithms at PR time, not in production audits
- Prevent weak algorithms — Block SHA-1, 3DES, RC4, and other deprecated crypto from entering the codebase
- Enforce PQC migration — Require post-quantum algorithms for new services while tracking legacy exceptions
- Audit trail — Every build produces a CBOM report for compliance evidence
Related
- Integrations Overview — All available integrations
- Policies — Define the rules your pipeline checks against
- SBOM Integration — Link CBOM reports to your SBOM
- API Reference — Build custom CI/CD integrations