Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
```yaml
version: 2.1
```
Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  nightfall_code_scanner: nightfall/nightfall_code_scanner@3.2.0
```
Use the orb's elements (here, the nightfall_code_scanner/scan job) in your existing workflows and jobs.

Opt in to the use of uncertified orbs on your organization's Security settings page.
Example: scan the diff for potential sensitive items.

```yaml
version: '2.1'
orbs:
  nightfall_code_scanner: nightfall/nightfall_code_scanner@3.0.1
workflows:
  build:
    jobs:
      - nightfall_code_scanner/scan:
          event_before: << pipeline.git.base_revision >>
```
Scan Pull Requests and Commits for sensitive findings. You must set the NIGHTFALL_API_KEY as a CircleCI project environment variable to use this orb. View this orb's source and README for usage instructions.
| Parameter | Description | Required | Default | Type |
|---|---|---|---|---|
| base_branch | Parent branch to diff against | No | '' | string |
| event_before | Commit SHA that triggered the previous workflow | No | '' | string |
Orb source:

```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Scan your application code for sensitive data on every CircleCI build using Nightfall’s Data Loss Prevention (DLP) orb. Classify and protect your credentials, PII, credit card numbers and more to avoid committing sensitive information to your repositories.
display:
  home_url: https://nightfall.ai
  source_url: https://github.com/nightfallai/nightfall_circle_orb
jobs:
  scan:
    description: |
      Scan Pull Requests and Commits for sensitive findings. You must set the NIGHTFALL_API_KEY as a CircleCI project environment variable to use this orb. View this orb's source and README for usage instructions.
    docker:
      - image: nightfallai/nightfall_code_scanner:v2.2.0
    parameters:
      base_branch:
        default: ""
        description: Parent branch to diff against
        type: string
      event_before:
        default: ""
        description: Commit SHA that triggered the previous workflow
        type: string
    steps:
      - run:
          command: |
            apk add --no-cache git openssh
          name: Install Git & SSH
      - checkout
      - run:
          command: |
            chmod +x /nightfall_code_scanner
            /nightfall_code_scanner
          environment:
            EVENT_BEFORE: << parameters.event_before >>
            GITHUB_BASE_BRANCH: << parameters.base_branch >>
            GITHUB_WORKSPACE: /root/project
          name: Scan Diff for Findings
examples:
  scan_findings:
    description: Scan diff for potential sensitive items.
    usage:
      version: "2.1"
      orbs:
        nightfall_code_scanner: nightfall/nightfall_code_scanner@3.0.1
      workflows:
        build:
          jobs:
            - nightfall_code_scanner/scan:
                event_before: << pipeline.git.base_revision >>
```
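The scan job above hands the scanner a previous commit (EVENT_BEFORE) or a parent branch (GITHUB_BASE_BRANCH) and scans only the resulting diff, so a finding is reported once, on the commit or pull request that introduced it. The following Python is an added illustration of that diff-only pattern; it is not Nightfall's scanner and does not reproduce its detectors. It parses a unified diff (the output of a `git diff <before>..HEAD` or `git diff <base>...HEAD`), keeps only added lines, and runs two constructed detectors over them: an AWS access key ID pattern and a Luhn-validated payment card number. The sample diff is constructed; `AKIAIOSFODNN7EXAMPLE` is the placeholder key from AWS's own documentation. Findings carry the file and new-file line number with a redacted value, so the CI log never repeats the secret it just caught.

```python
"""Diff-only secrets scan: parse a unified diff, scan added lines, report redacted findings.
Added example, not Nightfall's code. Detector patterns and sample input are constructed."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Hunk header: "@@ -old_start[,len] +new_start[,len] @@ ..."; we need the new-file start line.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed detectors. The card regex requires 13-19 digits with optional single
# space/dash separators; Luhn filtering removes most numeric look-alikes (IDs, timestamps).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # line number in the NEW version of the file
    detector: str
    redacted: str    # never the raw value


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep a short prefix/suffix so a developer can locate the value without the log leaking it."""
    return value[:4] + "..." + value[-2:]


def added_lines(diff_text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_line_number, text) for every added line in a unified diff."""
    path = None
    new_ln = None   # None while we are in a file header, an int while inside a hunk
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            new_ln = None           # a new file section starts; wait for its +++ header
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_ln = int(m.group(1))
            continue
        if new_ln is None:
            if raw.startswith("+++ "):
                target = raw[4:].strip()
                path = None if target == "/dev/null" else target.removeprefix("b/")
            continue                # ---, index, mode lines and similar headers are ignored
        if path is None:
            continue                # deleted file: nothing added to scan
        if raw.startswith("+"):
            yield path, new_ln, raw[1:]
            new_ln += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue                # removed line or "\ No newline at end of file": no new-file line consumed
        else:
            new_ln += 1             # context line


def scan_diff(diff_text: str) -> List[Finding]:
    """Run every detector over the added lines only; the unchanged code base is not rescanned."""
    findings: List[Finding] = []
    for path, ln, text in added_lines(diff_text):
        for name, rx in DETECTORS.items():
            for m in rx.finditer(text):
                value = m.group(0)
                if name == "payment_card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                    continue        # numeric look-alike that fails the checksum
                findings.append(Finding(path, ln, name, redact(value)))
    return findings


# Constructed sample diff: one hardcoded AWS key, one valid test card number and one
# 16-digit order id that must NOT be reported because it fails Luhn.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@ DEBUG = False
 ALLOWED_HOSTS = ["example.internal"]
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+TEST_CARD = "4111 1111 1111 1111"
+ORDER_ID = "1234 5678 9012 3456"
 SECRET_KEY = os.environ["DJANGO_SECRET"]
"""

if __name__ == "__main__":
    import sys
    hits = scan_diff(SAMPLE_DIFF)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.detector} ({f.redacted})")
    sys.exit(1 if hits else 0)      # non-zero exit fails the build, as a CI gate should
```

In a pipeline the diff text would come from `git diff "$EVENT_BEFORE"..HEAD` or `git diff "$GITHUB_BASE_BRANCH"...HEAD` inside the checked-out workspace; the parser above is what turns that into (file, line, text) triples so the detectors, and the redaction, never touch unchanged code.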