
CI/CD Integration Guide

Fleet CRA integrates with CI/CD at three levels:

  1. Scanner: fleet scan --ci runs in any CI environment
  2. Platform: Results uploaded to Fleet API for tracking over time
  3. Feedback: PR checks, inline annotations, compliance gates

All CI integrations follow the same pattern:

```bash
fleet scan --path . --ci --sbom --cbom --output json --output-file results.json
```

Use the composite action at integrations/github-action/action.yml:

```yaml
name: CRA Compliance
on: [pull_request, push]
permissions:
  contents: read
  checks: write
  security-events: write
jobs:
  cra-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: CRA Assessment
        uses: crabnebula/fleet-scan-action@v1
        with:
          api-url: ${{ secrets.FLEET_API_URL }}
          api-key: ${{ secrets.FLEET_API_KEY }}
          fail-on: fail
          sarif: true
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ runner.temp }}/fleet-scan-results.sarif
      - name: Upload Evidence
        uses: actions/upload-artifact@v4
        with:
          name: cra-evidence
          path: ${{ runner.temp }}/fleet-scan-results.json
          retention-days: 3650
```

Features: SARIF upload to Code Scanning, GitHub Step Summary, compliance gate, 10-year artifact retention.

Include the template from integrations/gitlab-ci/template.yml:

```yaml
include:
  - local: 'integrations/gitlab-ci/template.yml'

fleet-cra-scan:
  extends: .fleet-cra-scan
  stage: test
  variables:
    FLEET_API_URL: $FLEET_API_URL
    FLEET_API_KEY: $FLEET_API_KEY
```

Features: GitLab SAST report format (appears in MR security widget), 10-year artifact retention.

Copy integrations/jenkins/Jenkinsfile.example to your project:

```groovy
pipeline {
  agent any
  environment {
    FLEET_API_URL = credentials('fleet-api-url')
    FLEET_API_KEY = credentials('fleet-api-key')
  }
  stages {
    stage('CRA Assessment') {
      steps {
        sh 'fleet scan --path . --ci --output json --output-file fleet-scan-results.json --sbom --cbom'
      }
      post {
        always {
          archiveArtifacts artifacts: 'fleet-scan-results.json', fingerprint: true
        }
      }
    }
  }
}
```

Features: JUnit output, HTML report, artifact fingerprinting.

For Bitbucket Pipelines, add the scan step to bitbucket-pipelines.yml:

```yaml
pipelines:
  pull-requests:
    '**':
      - step:
          name: CRA Scan
          image: crabnebula/fleet-scanner:latest
          script:
            - fleet scan --path . --ci --output json --output-file fleet-scan-results.json --sbom --cbom
          artifacts:
            - fleet-scan-results.json
```

See integrations/azure-devops/azure-pipelines.yml for a complete pipeline.

See integrations/circleci/config.yml for a complete config with orb.

See integrations/drone/.drone.yml.

See integrations/woodpecker/.woodpecker.yml.

All Docker-based CI systems can use the pre-built scanner image:

```bash
docker run --rm -v $(pwd):/workspace crabnebula/fleet-scanner:latest \
  fleet scan --path /workspace --ci --output json
```

Build the image:

```bash
docker build -f integrations/Dockerfile.scanner -t crabnebula/fleet-scanner:latest .
```

The scanner exits with code 1 when findings with fail status are detected in --ci mode. Configure what triggers failure:

  • Strict: Gate on any fail -> --ci (default behavior)
  • Report-only: Don’t gate, just report -> run without --ci, or ignore exit code

In the GitHub Action, use fail-on to control:

```yaml
fail-on: fail               # Gate on failures only (default)
fail-on: fail,needs_review  # Gate on failures + unreviewed findings
```
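For CI systems without the GitHub Action, the same gate can be reproduced as a post-processing step over the JSON results file. The following is an added example, not code from Fleet CRA: it applies the fail-on semantics described above (exit 1 when any finding's status is listed in fail-on) and assumes a results layout with a top-level `findings` list whose entries carry a `status` of `pass`, `fail` or `needs_review`.

```python
"""Compliance gate over a Fleet CRA results file (added example).

Exit code 1 when any finding carries a status listed in fail-on,
mirroring the --ci behaviour described in the guide. The results.json
layout (a "findings" list with per-finding "status") is an assumption.
"""
import json
import sys
from collections import Counter

# Constructed sample in the assumed layout; the ids are placeholders.
SAMPLE_RESULTS = {
    "findings": [
        {"id": "EXAMPLE-001", "status": "pass"},
        {"id": "EXAMPLE-002", "status": "needs_review"},
        {"id": "EXAMPLE-003", "status": "fail"},
    ]
}


def parse_fail_on(spec):
    """Turn a fail-on value such as 'fail,needs_review' into a set of statuses."""
    return {s.strip() for s in spec.split(",") if s.strip()}


def status_counts(results):
    """Count findings per status; unknown statuses are kept visible, not dropped."""
    return Counter(f.get("status", "unknown") for f in results.get("findings", []))


def gate_exit_code(results, fail_on="fail"):
    """Return 1 if any finding's status is in fail_on, else 0.

    A report-only pipeline runs this for the summary and discards the code.
    """
    counts = status_counts(results)
    return 1 if any(counts[s] for s in parse_fail_on(fail_on)) else 0


def main(argv):
    path = argv[1] if len(argv) > 1 else "fleet-scan-results.json"
    fail_on = argv[2] if len(argv) > 2 else "fail"
    with open(path) as fh:
        results = json.load(fh)
    for status, n in sorted(status_counts(results).items()):
        print(f"{status}: {n}")
    return gate_exit_code(results, fail_on)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py fleet-scan-results.json fail,needs_review` after the scan step; the non-zero exit fails the job in the same way `--ci` does.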

For CRA’s 10-year retention obligation:

| Platform | Mechanism | Config |
|----------|-----------|--------|
| GitHub | actions/upload-artifact | retention-days: 3650 |
| GitLab | artifacts: expire_in | expire_in: 10 years |
| Jenkins | archiveArtifacts | fingerprint: true |
| All | Fleet API upload | Stored in Fleet database + S3 |
| Feature | GitHub | GitLab | Jenkins | Bitbucket | Azure | CircleCI | Drone | Woodpecker |
|---------|--------|--------|---------|-----------|-------|----------|-------|------------|
| Scanner | Action | Image | curl | Image | Task | Image | Image | Image |
| PR Feedback | Checks API | MR widget | - | Reports | Comment | - | - | - |
| SARIF | Code Scanning | SAST format | - | - | - | - | - | - |
| Build Gate | Required check | allow_failure | error() | Build status | Condition | Job deps | exit code | exit code |
| Artifact Retention | 10yr | 10yr | Fingerprint | Artifacts | Artifacts | Workspace | - | - |