CircleCI
Prerequisites
Add the following variables under Project Settings → Environment Variables of your project:
| Variable | Description |
|---|---|
| GERION_API_URL | URL of the Gerion API Gateway |
| GERION_API_KEY | M2M API key of your organization |
To share credentials at the organization level, create a Context under Organization Settings → Contexts
and reference it in the workflow with `context: gerion`.
Complete config
Copy this content into `.circleci/config.yml`:
```yaml
version: 2.1

executors:
  docker-executor:
    docker:
      - image: cimg/base:stable
    resource_class: medium

commands:
  gerion_scan:
    description: Ejecuta un escaneo de seguridad con Gerion
    parameters:
      scan_type:
        type: enum
        enum: [all, secrets, sca, iac, sast]
        default: all
      output_format:
        type: string
        default: ""
      output_file:
        type: string
        default: ""
    steps:
      - run:
          name: Run Gerion << parameters.scan_type >> scan
          command: |
            case "<< parameters.scan_type >>" in
              all)     CMD="scan-all" ;;
              secrets) CMD="secrets-scan" ;;
              sca)     CMD="sca-scan" ;;
              iac)     CMD="iac-scan" ;;
              sast)    CMD="sast-scan" ;;
            esac

            EXTRA=""
            [ -n "<< parameters.output_format >>" ] && EXTRA="$EXTRA --format << parameters.output_format >>"
            [ -n "<< parameters.output_file >>" ] && EXTRA="$EXTRA --output-file /code/<< parameters.output_file >>"

            docker run --rm \
              -v "$PWD:/code" \
              -e GERION_API_URL="${GERION_API_URL}" \
              -e GERION_API_KEY="${GERION_API_KEY}" \
              -e GERION_REPO_NAME="${CIRCLE_PROJECT_REPONAME}" \
              -e GERION_BRANCH_NAME="${CIRCLE_BRANCH}" \
              -e GERION_COMMIT_HASH="${CIRCLE_SHA1}" \
              -e GERION_BUILD_ID="${CIRCLE_BUILD_NUM}" \
              ghcr.io/gerion-appsec/gerion-cli:latest \
              "$CMD" /code $EXTRA

jobs:
  gerion-scan:
    executor: docker-executor
    steps:
      - checkout
      - setup_remote_docker:
          docker_layer_caching: true
      - gerion_scan:
          scan_type: all

  gerion-scan-json:
    executor: docker-executor
    steps:
      - checkout
      - setup_remote_docker:
          docker_layer_caching: true
      - gerion_scan:
          scan_type: all
          output_format: json
          output_file: gerion-results.json
      - store_artifacts:
          path: gerion-results.json
          destination: gerion-results.json

  gerion-nightly:
    executor: docker-executor
    steps:
      - checkout
      - setup_remote_docker:
          docker_layer_caching: true
      - gerion_scan:
          scan_type: all
      - run:
          name: Generate PDF report
          command: |
            docker run --rm \
              -v "$PWD:/code" \
              -e GERION_API_URL="${GERION_API_URL}" \
              -e GERION_API_KEY="${GERION_API_KEY}" \
              -e GERION_REPO_NAME="${CIRCLE_PROJECT_REPONAME}" \
              -e GERION_BRANCH_NAME="${CIRCLE_BRANCH}" \
              ghcr.io/gerion-appsec/gerion-cli:latest \
              gerion report \
                --format pdf \
                --output-file /code/gerion-report.pdf \
                --severity HIGH \
                --active-only
      - store_artifacts:
          path: gerion-report.pdf
          destination: gerion-report.pdf

workflows:
  security-scan:
    jobs:
      - gerion-scan:
          context: gerion  # Remove this line if you use project-level variables
          filters:
            branches:
              only:
                - main
                - master
                - develop
                - /feature\/.*/

  nightly:
    triggers:
      - schedule:
          cron: "0 2 * * *"
          filters:
            branches:
              only: [main]
    jobs:
      - gerion-nightly:
          context: gerion
```

Notes
- CircleCI has no native SARIF support. Use the JSON output as an artifact or send the results to the Gerion API.
- Gerion CLI does not detect CircleCI variables automatically. The config maps them explicitly from
  `CIRCLE_PROJECT_REPONAME`, `CIRCLE_BRANCH`, `CIRCLE_SHA1` and `CIRCLE_BUILD_NUM`.
- If you use an organization context, make sure the project is authorized to access it.