CI/CD Integration
Automate security scanning in your CI/CD pipeline.

GitHub Actions
The easiest way to add Doorman to GitHub Actions is with the official action:
```yaml
# .github/workflows/doorman.yml
name: Doorman Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # A floating tag such as @v1 can be moved to new code at any time;
      # pinning third-party actions to a full commit SHA is the safer
      # supply-chain practice.
      - uses: tiago520/doorman@v1
        with:
          min-score: 70
```
The action automatically:
- Installs Doorman
- Runs a full scan on your codebase
- Fails the check if the score falls below min-score
- Posts a summary comment on pull requests
Action Inputs
| Input | Description | Default |
|---|---|---|
| min-score | Minimum passing score (0-100). | 70 |
| path | Path to scan. | . |
| category | Limit to specific categories (comma-separated). | all |
| severity | Minimum severity to report. | low |
| sarif | Upload SARIF results to GitHub Code Scanning. | false |
Generic CI Setup
For any CI system that supports Node.js, use the CLI directly:
```bash
npx getdoorman check --ci --min-score 70
```
The --ci flag:
- Disables color output for clean logs
- Returns exit code 0 if the score meets the --min-score threshold
- Returns exit code 1 if the score is below --min-score
- Returns exit code 2 on scan errors
GitLab CI
```yaml
# .gitlab-ci.yml
doorman:
  stage: test
  image: node:20
  script:
    - npx getdoorman check --ci --min-score 70
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```
SARIF Upload to GitHub Code Scanning
Doorman can output results in SARIF format for GitHub's Code Scanning feature, so findings appear as code scanning alerts directly on pull request diffs.
```yaml
# .github/workflows/doorman-sarif.yml
name: Doorman SARIF
on:
  push:
    branches: [main]
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      # Declaring a permissions block sets every unlisted scope to none, so
      # checkout needs contents: read. Private repositories additionally need
      # actions: read for the upload step.
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Run Doorman
        run: npx getdoorman check --sarif > results.sarif
        # A non-zero exit (failing score or scan error) must not skip the
        # upload step, otherwise the findings never reach Code Scanning.
        continue-on-error: true
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
Note: SARIF upload requires the security-events: write permission (and actions: read on private repositories). GitHub Code Scanning is available on public repositories and on private repositories where GitHub Advanced Security is enabled.
Exit Codes
| Code | Meaning | CI Behavior |
|---|---|---|
| 0 | Pass | Score meets or exceeds --min-score. Pipeline continues. |
| 1 | Fail | Score below --min-score. Pipeline fails. |
| 2 | Error | Scan error, invalid config, or timeout. Pipeline fails. |
Baseline Comparisons
For large projects with existing issues, use baselines to only flag new issues:
```bash
# Save a baseline on main branch
npx getdoorman check --save-baseline .doorman-baseline.json

# In CI: compare against baseline (only new issues fail)
npx getdoorman check --ci --baseline .doorman-baseline.json --min-score 70
```
Commit the baseline file to your repo. New issues will cause CI failures, but issues already recorded in the baseline will not, so a large project with an existing backlog can stop new issues from merging while the backlog is worked down. Review changes to the baseline file as carefully as any other security-relevant change: adding an entry to it silences a finding.
Pre-Commit Hook Alternative
Instead of (or in addition to) CI scanning, you can use a pre-commit hook to catch issues before they reach the repo:
```bash
# Install the hook
npx getdoorman init

# Or install just the hook (without config file)
npx getdoorman hook
```
The hook runs Doorman on staged files before each commit. If the score is below the configured threshold, the commit is blocked.
JSON Output for Custom Integrations
Use --json to get machine-readable output for custom CI integrations:
```bash
npx getdoorman check --json | jq '.score'
```
The JSON output includes the full scan result: score, findings, categories, file paths, severity, and auto-fix availability.
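Tying the baseline and JSON sections together, here is an added example of a custom gate script; it is not Doorman's own code and is not shipped with the project. It reads a `--json` scan result, compares it against a committed baseline using a fingerprint that ignores line numbers (so known issues do not resurface when code above them moves), and maps the verdict onto the 0/1/2 exit-code convention documented above. The field names (`score`, `findings[].ruleId`, `severity`, `file`, `line`, `message`, `autoFix`) and the rule IDs and paths in the sample data are assumptions, as is the assumption that the baseline file has the same `findings` shape as the scan output; confirm them against real `npx getdoorman check --json` output before relying on the script.

```javascript
// Added example, not part of Doorman: a CI gate that consumes the JSON from
// `npx getdoorman check --json`, diffs it against a committed baseline and
// maps the verdict onto the exit-code convention documented for `--ci`
// (0 pass, 1 fail, 2 error). The JSON field names below are ASSUMED; confirm
// them against real output (`npx getdoorman check --json | jq '.'`) first.

// Constructed sample data in the assumed shape (hypothetical rule IDs/paths).
const SAMPLE_BASELINE = {
  score: 78,
  findings: [
    { ruleId: 'example/weak-hash', severity: 'medium', file: 'src/auth.js', line: 40,
      message: 'MD5 used for password hashing', autoFix: false },
    { ruleId: 'example/eval-usage', severity: 'low', file: 'src/util.js', line: 12,
      message: 'eval() on dynamic input', autoFix: false },
  ],
};

const SAMPLE_SCAN = {
  score: 75,
  findings: [
    // The two known issues; the first has shifted four lines after an unrelated edit.
    { ruleId: 'example/weak-hash', severity: 'medium', file: 'src/auth.js', line: 44,
      message: 'MD5 used for password hashing', autoFix: false },
    { ruleId: 'example/eval-usage', severity: 'low', file: 'src/util.js', line: 12,
      message: 'eval() on dynamic input', autoFix: false },
    // Two new issues introduced by the change under review.
    { ruleId: 'example/hardcoded-secret', severity: 'high', file: 'src/config.js', line: 3,
      message: 'API key committed in source', autoFix: false },
    { ruleId: 'example/missing-helmet', severity: 'low', file: 'src/server.js', line: 8,
      message: 'security headers middleware not configured', autoFix: true },
  ],
};

// Fingerprint that survives line shifts: rule + file + message, no line number.
function fingerprint(f) {
  return `${f.ruleId}|${f.file}|${f.message}`;
}

// Findings in `scan` whose fingerprint is not recorded in `baseline`.
function newFindings(scan, baseline) {
  const known = new Set((baseline.findings || []).map(fingerprint));
  return scan.findings.filter((f) => !known.has(fingerprint(f)));
}

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Verdict: { code, reasons, newFindings }. Code 2 is reserved for a malformed
// result so that a broken scan is never mistaken for a clean one.
function evaluate(scan, baseline, policy) {
  if (!scan || typeof scan.score !== 'number' || !Array.isArray(scan.findings)) {
    return { code: 2, reasons: ['malformed scan output'], newFindings: [] };
  }
  const reasons = [];
  if (scan.score < policy.minScore) {
    reasons.push(`score ${scan.score} is below --min-score ${policy.minScore}`);
  }
  // Only new findings at or above policy.failOnSeverity block the merge.
  const threshold = SEVERITY_RANK[policy.failOnSeverity] ?? 0;
  const fresh = newFindings(scan, baseline || { findings: [] })
    .filter((f) => (SEVERITY_RANK[f.severity] ?? 0) >= threshold);
  for (const f of fresh) {
    reasons.push(`new ${f.severity} finding ${f.ruleId} at ${f.file}:${f.line}: ${f.message}`);
  }
  return { code: reasons.length ? 1 : 0, reasons, newFindings: fresh };
}

// CLI entry point: node doorman-gate.js scan.json [baseline.json]. With no
// arguments it runs on the embedded sample so the behaviour can be inspected.
function main(argv) {
  const policy = { minScore: 70, failOnSeverity: 'medium' };
  let scan = SAMPLE_SCAN;
  let baseline = SAMPLE_BASELINE;
  if (argv.length > 0) {
    const fs = require('fs');
    scan = JSON.parse(fs.readFileSync(argv[0], 'utf8'));
    baseline = argv[1] ? JSON.parse(fs.readFileSync(argv[1], 'utf8')) : { findings: [] };
  }
  const verdict = evaluate(scan, baseline, policy);
  for (const r of verdict.reasons) console.error(r);
  console.log(`doorman gate: exit code ${verdict.code}`);
  return verdict.code;
}

if (typeof module !== 'undefined' && require.main === module) {
  const code = main(process.argv.slice(2));
  if (process.argv.length > 2) process.exitCode = code; // propagate 0/1/2 to CI only for real input
}
```

Typical use in a pipeline is `npx getdoorman check --json > scan.json; node doorman-gate.js scan.json .doorman-baseline.json`. On the embedded sample the gate exits 1 because of the new high-severity finding while the new low-severity one passes the `failOnSeverity: 'medium'` policy; the shifted line number on the known weak-hash finding does not count as new because the fingerprint deliberately excludes it.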