CI/CD Integration
GitHub Actions
Scan every pull request automatically. Block merges when critical vulnerabilities are found. Takes 2 minutes to set up.
Quick Setup
1. Get your CLI token
Run this in your terminal to authenticate and get a token:
npx @ship-safe/cli login
2. Add the secret to your repo
Go to your repo → Settings → Secrets → Actions → New repository secret. Name it SHIPSAFE_TOKEN and paste your token.
3. Add the workflow file
Create .github/workflows/shipsafe.yml with one of the configs below:
Workflow Configs
.github/workflows/shipsafe.yml
name: ShipSafe Security Scan
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run ShipSafe scan
        run: npx @ship-safe/cli scan . --ci
        env:
          SHIPSAFE_TOKEN: ${{ secrets.SHIPSAFE_TOKEN }}
CLI Flags for CI
| Flag | Description |
|---|---|
| --ci | Exit code 1 on high/critical findings |
| --severity <level> | Minimum severity to fail on: critical, high, medium, low |
| --output sarif | Output SARIF format for GitHub Security tab integration |
| --output json | JSON output for custom CI scripts |
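A variant of the workflow above that combines the --ci merge gate with --output sarif and publishes the findings to the GitHub Security tab. This is an added example, not a config from the ShipSafe docs; it assumes --output sarif writes the SARIF document to stdout (the page does not say where it is written), so the output is redirected to a file, and it uses GitHub's own github/codeql-action/upload-sarif action for the upload.

```yaml
name: ShipSafe Security Scan (SARIF upload)
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
# Least-privilege job token: reading the checkout and writing
# code-scanning alerts is all this job needs.
permissions:
  contents: read
  security-events: write
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run ShipSafe scan (SARIF)
        # Assumption: --output sarif prints SARIF to stdout, so redirect it.
        # --ci makes this step exit 1 on high/critical findings, which is the
        # merge gate; add --severity medium to fail on medium and above.
        run: npx @ship-safe/cli scan . --ci --output sarif > shipsafe.sarif
        env:
          SHIPSAFE_TOKEN: ${{ secrets.SHIPSAFE_TOKEN }}
      - name: Upload results to the GitHub Security tab
        # always(): the gate step fails the job on findings, and those are
        # exactly the runs whose results you want in the Security tab.
        # hashFiles() is empty when no SARIF file was produced (e.g. the
        # scan failed before writing), so the upload is skipped instead of erroring.
        if: always() && hashFiles('shipsafe.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: shipsafe.sarif
```

Without if: always() the upload step is skipped whenever the gate fails, so the PRs that most need review would be the ones with no alerts in the Security tab.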
Suppressing False Positives
If a finding is a false positive, suppress it so it doesn't block your PRs:
# Suppress a specific rule
npx @ship-safe/cli ignore secrets/generic-api-key -r "Test API key, not real"
# Findings suppressed via .shipsafeignore still show in the dashboard as "suppressed"
# To re-enable a rule:
npx @ship-safe/cli unignore secrets/generic-api-key