CircleCI
Integrating ZeroThreat with CircleCI enables your team to run security scans as part of your CI/CD workflows. This helps identify vulnerabilities earlier in the development process, reducing risk and saving time in remediation.
This guide walks you through setting up ZeroThreat inside a CircleCI pipeline using a real-world example. While the example uses manual pipeline setup, the integration is fully customizable to fit your own workflow triggers, environments, and repository structure.
Prerequisites
Before starting, make sure:
- Your target is verified on ZeroThreat. 
- You have a working CircleCI account. 
- Your repository (GitHub, GitLab, or Bitbucket) is connected to CircleCI. 
- You have basic familiarity with config.yml files and CircleCI pipelines. 
Step 1: Enable CircleCI Integration in ZeroThreat
- Navigate to the Targets section in ZeroThreat.
- Click the Continuous Integration button for your desired target.
- In the CI/CD configuration drawer, locate and enable the CircleCI integration.

Once confirmed, a unique ZT_Token will be generated. This token is used to start scans for its associated target from the CI/CD pipeline.
Step 2: Choose Scan Settings
- Select or create a Scan Profile suitable for your environment. 

A scan profile is required for API scans in CI/CD integration. Without it, the integration pipeline cannot start the scan.
- If you're scanning authenticated sections of your app, select the appropriate Login Template for authenticated scans. 
Make sure to select a working Login Template for authenticated scans.
Step 3: Open the CircleCI Orb Marketplace
Click the CircleCI button in ZeroThreat. This will redirect you to the ZeroThreat Orb page on the CircleCI Orb Marketplace. Go through this page for the Quick Start guide, required inputs, and other necessary information.
Step 4: Create a Project in CircleCI
- Click “Add Project” and connect your GitHub, GitLab, or Bitbucket repository. 

- Select the repository you'd like to use with ZeroThreat. 
- CircleCI will prompt you to configure a new pipeline using a config.yml file.
Step 5: Define Your Pipeline in config.yml
Using the Pipeline Editor, paste the configuration from the ZeroThreat Orb Marketplace. Below is a basic example:
version: '2.1'
orbs:
  vuln-scan: zerothreat-ai/dast-scanner@0.0.2
workflows:
  zerothreat-security-scan:
    jobs:
      - vuln-scan/scan-job:
          ZT_TOKEN: AWD4TRX
          wait_for_analysis: false

Instead of hard-coding the ZT_TOKEN in your config file, add it as an Environment Variable in your CircleCI Project Settings. This keeps your token secure and avoids accidental exposure in source control.
Step 6: Enable Uncertified Public Orbs
To use the ZeroThreat Orb, you need to enable uncertified orbs:
- Go to your Organization Settings in CircleCI. 
- Click on Security. 
- Enable the option: "Allow Uncertified Orbs". 

Step 7: Trigger the Pipeline
- Go back to your project pipeline in CircleCI. 
- Click the “Trigger Pipeline” button.
- In the popup, choose your config source and repository. 

- Click “Run Pipeline” to start the scan. 
You’ll see the pipeline initiate and the scan begin in your ZeroThreat dashboard.
Flexible Automation Options
While this guide uses a manual trigger for demonstration purposes, CircleCI allows you to automate scan execution in many ways:
- Automatically trigger scans on push events to specific branches. 
- Run on pull requests to validate security before merges. 
- Schedule scans at specific times using cron jobs. 
- Trigger based on custom workflow logic. 
This gives your team the flexibility to align security testing with your development lifecycle.
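The following config.yml is an added example, not the configuration shipped by ZeroThreat or the orb page. It combines the push-triggered and scheduled options listed above with the Step 5 advice to keep ZT_TOKEN out of source control. The context name "zerothreat" and the ${ZT_TOKEN} pass-through are assumptions: the example assumes you create that context (or set ZT_TOKEN in Project Settings) and that the orb hands the parameter to a shell step where the reference is expanded at run time, which you should confirm against the orb's required-inputs page.

```yaml
version: '2.1'
orbs:
  # Same orb and version as the basic example in Step 5
  vuln-scan: zerothreat-ai/dast-scanner@0.0.2

workflows:
  # 1) Scan every push to main and release/* branches
  scan-on-push:
    jobs:
      - vuln-scan/scan-job:
          # Assumption: a CircleCI context named "zerothreat" holds the
          # ZT_TOKEN environment variable (Organization Settings > Contexts).
          # If you set ZT_TOKEN in Project Settings instead, drop this line.
          # The token value itself is never written into this file.
          context: zerothreat
          # Assumption: the orb passes this string to a shell step, so the
          # ${ZT_TOKEN} reference is expanded from the environment at run time.
          ZT_TOKEN: ${ZT_TOKEN}
          # Same value as the basic example on this page
          wait_for_analysis: false
          filters:
            branches:
              only:
                - main
                - /release\/.*/

  # 2) Nightly scheduled scan of main at 02:00 UTC
  nightly-scan:
    triggers:
      - schedule:
          cron: "0 2 * * *"
          filters:
            branches:
              only:
                - main
    jobs:
      - vuln-scan/scan-job:
          context: zerothreat
          ZT_TOKEN: ${ZT_TOKEN}
          wait_for_analysis: false
```

Running scans only for pull requests is a CircleCI project setting ("Only build pull requests" under the project's advanced settings) rather than something expressed in config.yml, so the branch filters above are what controls which pushes start a scan.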
Finished setting up your CI/CD integration? Head over to our guide on Reviewing Scan Reports to learn and analyze different sections of the scan report.