# Vulkro on CircleCI

Vulkro ships a CircleCI orb, so adding the scanner to a project's `.circleci/config.yml` is one line. The orb source lives at `integrations/circleci/orb.yml` in the main repository.
## Minimal config

```yaml
version: 2.1
orbs:
  vulkro: <namespace>/vulkro@<tag>   # placeholder: use the real orb reference, pinned to a release tag (see Pinning)
workflows:
  security:
    jobs:
      - vulkro/scan:
          base: origin/main
          fail_on: high
```
That's the whole integration. The orb installs the matching Vulkro release binary on the executor, runs `vulkro scan ci` with SARIF and JUnit output enabled, archives both artifacts, and runs `vulkro gate` against the configured base ref. The build fails only on new Critical / High findings introduced since the base; pre-existing tech debt does not gate.
## Orb surface

The orb exposes three commands and one self-contained job:

### vulkro/install

Downloads the matching Vulkro release for the executor's platform.

```yaml
- vulkro/install:
    version: 1.5.0   # leave empty to pull `latest`
```

### vulkro/scan

Runs a full `vulkro scan ci` and persists SARIF + JUnit.

```yaml
- vulkro/scan:
    path: .
    offline: true   # exports VULKRO_OFFLINE=1 so the scanner makes no
                    # outbound calls (default)
```

### vulkro/gate

Fails the build on new findings since a base ref. Pre-existing debt never blocks the build.

```yaml
- vulkro/gate:
    base: origin/main
    fail_on: high   # critical | high | medium | low
```
### vulkro/scan (job)

Glues the three commands together so most projects need only `jobs: - vulkro/scan`. Parameters mirror the commands above.
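When the bundled job is not flexible enough (for example, a project that wants a pinned binary, an offline scan and a gate in one place), the three commands can be composed in a user-defined job. The config below is an added example, not from the Vulkro repository or its orb; the orb reference is a placeholder to be replaced with the real namespace and a pinned tag, and the executor image is an arbitrary CircleCI convenience image.

```yaml
# Added example (not Vulkro's own config): the minimal pipeline rebuilt from
# the three orb commands so each step can be tuned independently.
# Assumptions: <namespace>/vulkro@<tag> is a placeholder for the real orb
# reference; cimg/base:stable is just a generic Linux executor.
version: 2.1

orbs:
  vulkro: <namespace>/vulkro@<tag>   # placeholder: pin a release tag

jobs:
  vulkro-audit:
    docker:
      - image: cimg/base:stable      # any Linux executor; the orb picks the matching binary
    steps:
      # checkout gives the executor the origin/main ref the gate compares against
      - checkout
      # pin the scanner binary explicitly instead of inheriting the orb default
      - vulkro/install:
          version: 1.5.0
      # full scan with no outbound calls; the command archives SARIF + JUnit itself
      - vulkro/scan:
          path: .
          offline: true
      # only Critical / High findings new since origin/main can fail the build
      - vulkro/gate:
          base: origin/main
          fail_on: high

workflows:
  security:
    jobs:
      - vulkro-audit
```

The split matters mainly for `version` on `vulkro/install`, which is the knob the Pinning section points at when the orb's default binary is not the one you want, and for `base`, which has to name a ref that actually exists in the executor's clone; the standard `checkout` step provides `origin/main`.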
## Pinning

Pin a release tag in production builds (reference the orb as `<namespace>/vulkro@<tag>` rather than an unpinned version), and use the explicit `version` parameter on `vulkro/install` if you need a binary older than the orb's default.
## Exit codes

Every orb command honours the CLI contract:

| Code | Meaning |
|---|---|
| 0 | Clean: no findings, or the gate cleared. |
| 1 | Findings present or gate failed. The workflow step fails. |
| 2 | Internal error. The workflow step fails. |