CI/CD Integrations

Integrate with your pipeline

Gate releases by severity threshold, export SARIF/JSON/HTML artifacts, and keep security checks consistent in CI.

SARIF rule identifiers (engine v0.2+) take the form fendix.<category>.<title-slug>. Pipeline baselines or suppressions that are still keyed to the older per-instance rule IDs will never match these identifiers and must be regenerated from the new SARIF output.
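The following script is an added example, not Fendix project code: it post-processes the SARIF artifact a CI step produces, both to apply the severity gate described above as a tool-agnostic second check on the artifact, and to flag suppression entries that still use pre-v0.2 per-instance keys and so must be regenerated. It relies only on the standard SARIF 2.1.0 structure (runs[].results[].ruleId and .level). The sample log and the suppression list are constructed for illustration; the page does not document the baseline.json layout, so a flat JSON list of rule IDs is assumed for the suppressions, and the character set allowed in category and slug is likewise an assumption.

```python
"""Post-process a SARIF artifact in CI: gate on level, audit suppressions.

Added example (not Fendix project code). Only the SARIF 2.1.0 structure is
used; the suppression-file layout is assumed to be a flat list of rule IDs.
"""
import json
import re
import sys

# v0.2+ identifiers: fendix.<category>.<title-slug>. The character set for
# category and slug (lowercase, digits, "_" / "-") is an assumption.
NEW_RULE_ID = re.compile(r"^fendix\.[a-z0-9_]+\.[a-z0-9-]+$")

# SARIF result levels, lowest to highest. A result with no "level" is
# treated as "warning", the SARIF 2.1.0 default.
LEVELS = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample log (not real scanner output): two rules, three results.
SAMPLE_SARIF = json.loads("""
{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "fendix"}},
 "results": [
  {"ruleId": "fendix.auth.missing-rate-limit", "level": "error",
   "message": {"text": "No rate limit on POST /login"}},
  {"ruleId": "fendix.auth.missing-rate-limit", "level": "error",
   "message": {"text": "No rate limit on POST /password-reset"}},
  {"ruleId": "fendix.headers.missing-hsts", "level": "warning",
   "message": {"text": "Strict-Transport-Security header absent"}}
 ]}]}
""")

# Constructed suppression list (assumed layout). The last two entries imitate
# older per-instance keys and are flagged for regeneration.
SAMPLE_SUPPRESSIONS = [
    "fendix.headers.missing-hsts",
    "fendix.cors.wildcard-origin",
    "finding-7f3a91",
    "F-0042",
]


def iter_results(sarif):
    """Yield every result across all runs of a SARIF log."""
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def level_of(result):
    return result.get("level", "warning")


def rule_ids(sarif):
    """Rule identifiers referenced by at least one result."""
    return {r["ruleId"] for r in iter_results(sarif) if "ruleId" in r}


def count_by_level(sarif):
    counts = {}
    for r in iter_results(sarif):
        lvl = level_of(r)
        counts[lvl] = counts.get(lvl, 0) + 1
    return counts


def stale_suppressions(suppressions):
    """Entries without the v0.2+ shape: they can never match a current result."""
    return [s for s in suppressions if not NEW_RULE_ID.match(s)]


def unused_suppressions(suppressions, sarif):
    """Well-formed entries that no current result references (prune candidates)."""
    present = rule_ids(sarif)
    return [s for s in suppressions if NEW_RULE_ID.match(s) and s not in present]


def gate(sarif, fail_on="error", suppressions=()):
    """True when any unsuppressed result is at or above fail_on.

    A second, tool-agnostic check on the artifact; the scanner's own
    --fail-on flag stays the primary gate.
    """
    threshold = LEVELS[fail_on]
    suppressed = set(suppressions)
    return any(
        LEVELS.get(level_of(r), LEVELS["warning"]) >= threshold
        and r.get("ruleId") not in suppressed
        for r in iter_results(sarif)
    )


def load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    sarif = load(argv[1])
    suppressions = load(argv[2]) if len(argv) > 2 else []
    for s in stale_suppressions(suppressions):
        print(f"stale suppression (pre-v0.2 key, regenerate): {s}")
    for s in unused_suppressions(suppressions, sarif):
        print(f"unused suppression: {s}")
    print("results by level:", count_by_level(sarif))
    return 1 if gate(sarif, "error", suppressions) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the scan step as `python sarif_check.py fendix.sarif suppressions.json`; it exits 1 while unsuppressed error-level results remain, and prints every suppression entry that is either stale (old key shape) or no longer referenced, which is exactly the list to regenerate or prune after the v0.2 rule-ID change.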

New in v0.5: drop-in GitHub Actions workflow

A complete reference workflow lives at examples/github-actions/fendix-scan.yml: scan, cached baseline, SARIF upload, PR summary comment and a --fail-on HIGH gate. Copy it into .github/workflows/ and it runs on every PR.

New in v0.7: GitHub App (zero-config PR scans)

Skip the workflow YAML entirely. Install the Fendix GitHub App on a repository and every pull_request opened, synchronize or reopened event triggers a hybrid scan automatically: a clone of the head SHA only (no history), fendix scan, then a Markdown PR comment plus a SARIF upload to the Code Scanning tab. The rendered output is the same as the workflow above, because the App reuses the workflow's comment template. Setup: docs/github-app.md covers App registration via app/manifest.yml and self-hosting fendix-app with Dockerfile.app (a stateless image of about 250 MiB that runs unchanged on Fly.io, Cloud Run, Render, Railway, ECS or k8s).

GitHub Actions

# The job needs `permissions: security-events: write` for the SARIF upload.
# Pass the secret through env rather than interpolating ${{ }} into the script.
# baseline.json only carries forward if it is persisted between runs (for
# example with actions/cache); the reference workflow above does that.
- name: Run Fendix scan
  env:
    API_URL: ${{ secrets.API_URL }}
  run: |
    fendix scan \
      --url "$API_URL" \
      --format sarif \
      --fail-on HIGH \
      --baseline ./baseline.json \
      --save-baseline ./baseline.json \
      --output fendix.sarif

- name: Upload SARIF
  if: always()   # upload even when --fail-on HIGH failed the step above
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: fendix.sarif

GitLab CI

fendix_scan:
  # Carry baseline.json across pipelines; artifacts alone are not fed back
  # into the next pipeline, a cache is.
  cache:
    key: fendix-baseline
    paths: [baseline.json]
  script:
    - >
      fendix scan
      --url "$API_URL"
      --format json
      --fail-on HIGH
      --baseline ./baseline.json
      --save-baseline ./baseline.json
      --output fendix.json
  artifacts:
    when: always   # keep the report when --fail-on HIGH fails the job
    paths: [fendix.json, baseline.json]

Jenkins

// --fail-on HIGH makes this sh step fail the build on a HIGH finding, so
// archive fendix.html and baseline.json from post { always { ... } } rather
// than from a following step. There is no --baseline here: nothing is
// compared against the previous build and the saved baseline is rewritten
// each time; add --baseline ./baseline.json once a baseline exists.
sh '''
  fendix scan \
    --url "$API_URL" \
    --code ./src \
    --format html \
    --fail-on HIGH \
    --save-baseline ./baseline.json \
    --output fendix.html
'''

Docker Compose

services:
  fendix:
    # Pin a release tag or digest in CI; :latest is not reproducible.
    image: ghcr.io/fendix/scanner:latest
    # `api` is the service under test, defined elsewhere in this compose
    # file; add depends_on so the scanner starts after it.
    command: >
      scan --url http://api:8080
      --code /workspace/src
      --format json --fail-on HIGH
      --save-baseline /workspace/baseline.json
      --output /workspace/results.json
    volumes:
      - .:/workspace   # read-write: baseline.json and results.json land here