Skip to main content

Vulkro on CircleCI

Add Vulkro to a project's .circleci/config.yml as a job that installs the CLI, runs vulkro scan ci, archives the SARIF and JUnit reports, and gates pull requests against a base ref. The config below is self-contained.

Minimal config

version: 2.1

jobs:
vulkro:
docker:
- image: cimg/base:current
environment:
VULKRO_OFFLINE: "1"
steps:
- checkout
- run:
name: Install Vulkro
command: curl -fsSL https://vulkro.com/install.sh | sh
- run:
name: Scan
command: |
vulkro scan ci . --format sarif --output vulkro.sarif
vulkro scan ci . --format junit --output vulkro.junit.xml
- store_artifacts:
path: vulkro.sarif
- store_test_results:
path: vulkro.junit.xml
- run:
name: Gate on new findings
command: vulkro gate --base origin/main

workflows:
security:
jobs:
- vulkro

What each step does

  • The install step downloads the Vulkro CLI for the executor's platform.
  • vulkro scan ci runs the scan in CI mode and writes the requested format to the --output path. Run it once per format you want to publish.
  • store_artifacts and store_test_results surface the SARIF artefact and the JUnit report in the CircleCI UI.
  • vulkro gate fails the build only on findings that are new relative to the base ref, so pre-existing debt never blocks a build. See vulkro gate.

VULKRO_OFFLINE=1 keeps the scanner from making outbound calls. Remove it if a pipeline needs live CVE-feed updates inside the scan.

Exit codes

CodeMeaning
0Clean: no findings or gate cleared.
1Findings present or gate failed. The workflow step fails.
2Internal error. The workflow step fails.