Vulkro on CircleCI
Add Vulkro to a project's .circleci/config.yml as a job that installs the
CLI, runs vulkro scan ci, archives the SARIF and JUnit reports, and gates
pull requests against a base ref. The config below is self-contained.
Minimal config
version: 2.1
jobs:
vulkro:
docker:
- image: cimg/base:current
environment:
VULKRO_OFFLINE: "1"
steps:
- checkout
- run:
name: Install Vulkro
command: curl -fsSL https://vulkro.com/install.sh | sh
- run:
name: Scan
command: |
vulkro scan ci . --format sarif --output vulkro.sarif
vulkro scan ci . --format junit --output vulkro.junit.xml
- store_artifacts:
path: vulkro.sarif
- store_test_results:
path: vulkro.junit.xml
- run:
name: Gate on new findings
command: vulkro gate --base origin/main
workflows:
security:
jobs:
- vulkro
What each step does
- The install step downloads the Vulkro CLI for the executor's platform.
vulkro scan ciruns the scan in CI mode and writes the requested format to the--outputpath. Run it once per format you want to publish.store_artifactsandstore_test_resultssurface the SARIF artefact and the JUnit report in the CircleCI UI.vulkro gatefails the build only on findings that are new relative to the base ref, so pre-existing debt never blocks a build. Seevulkro gate.
VULKRO_OFFLINE=1 keeps the scanner from making outbound calls. Remove it if a
pipeline needs live CVE-feed updates inside the scan.
Exit codes
| Code | Meaning |
|---|---|
0 | Clean: no findings or gate cleared. |
1 | Findings present or gate failed. The workflow step fails. |
2 | Internal error. The workflow step fails. |