This guide walks you through setting up ZeroThreat inside a CircleCI pipeline using a real-world example. While the example uses manual pipeline setup, the integration is fully customizable to fit your own workflow triggers, environments, and repository structure.
Before starting, make sure:
- Your target is verified on ZeroThreat.
- You have a working CircleCI account.
- Your repository (GitHub, GitLab, or Bitbucket) is connected to CircleCI.
- You have basic familiarity with config.yml files and CircleCI pipelines.
- Navigate to the Targets section in ZeroThreat.
- Click on the Continuous Integration button for your desired target.
- In the CI/CD configuration drawer, locate and enable the CircleCI integration.
Once confirmed, a unique ZT_Token will be generated. This token is used to start scans for its associated target from your CI/CD pipeline.
- Select or create a Scan Profile suitable for your environment.
- If you're scanning authenticated sections of your app, select the appropriate Login Template for authenticated scans.
Make sure to select an appropriate, working Login Template for the authenticated scan.
Click on the CircleCI button in ZeroThreat. This will redirect you to the ZeroThreat Orb page on the CircleCI Orb Marketplace. Go through this page for the Quick Start guide, required inputs, and other necessary information.
- Click “Add Project” and connect your GitHub, GitLab, or Bitbucket repository.
- Select the repository you'd like to use with ZeroThreat.
- CircleCI will prompt you to configure a new pipeline using a config.yml file.
Using the Pipeline Editor, paste the configuration from the ZeroThreat Orb Marketplace. Below is a basic example:

```yaml
version: '2.1'
orbs:
  vuln-scan: zerothreat-ai/dast-scanner@0.0.2
workflows:
  zerothreat-security-scan:
    jobs:
      - vuln-scan/scan-job:
          ZT_TOKEN: AWD4TRX
          wait_for_analysis: false
```
Always use the latest version of the zerothreat-ai/dast-scanner. In the example above, replace @0.0.2 with the latest available version.
Instead of hard coding the ZT_TOKEN in your config file, add it as an Environment Variable in your CircleCI Project Settings. This keeps your token secure and avoids accidental exposure in source control.
To use the ZeroThreat Orb, you need to enable uncertified orbs:
- Go to your Organization Settings in CircleCI.
- Click on Security.
- Enable the option: "Allow Uncertified Orbs".
This is required only once per organization and allows you to use community-published orbs like ZeroThreat.
- Go back to your project pipeline in CircleCI.
- Click the “Trigger Pipeline” button.
- In the popup, choose your config source and repository.
- Click “Run Pipeline” to start the scan.
You’ll see the pipeline initiate and the scan begin in your ZeroThreat dashboard.
While this guide uses a manual trigger for demonstration purposes, CircleCI allows you to automate scan execution in many ways:
- Automatically trigger scans on push events to specific branches.
- Run on pull requests to validate security before merges.
- Schedule scans at specific times using cron jobs.
- Trigger based on custom workflow logic.
This gives your team the flexibility to align security testing with your development lifecycle.
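The following config is an added example, not part of the ZeroThreat docs or the orb itself. It extends the basic config above with CircleCI's standard branch filters and a scheduled trigger: a scan on every push to main, a gating scan on feature branches, and a nightly scan. The orb reference, job name, and parameter names come from the page; the token value is a placeholder, and the assumption that `wait_for_analysis: true` makes the job block until results are available is mine, so check the orb's required inputs on the Marketplace page before relying on it.

```yaml
# Added example (not from the ZeroThreat docs or orb). Orb reference, job name
# and parameter names are taken from the page; everything else is standard
# CircleCI 2.1 workflow syntax. Replace @0.0.2 with the latest orb version.
version: '2.1'

orbs:
  vuln-scan: zerothreat-ai/dast-scanner@0.0.2

workflows:
  # 1) Scan on every push to the main branch.
  scan-on-push-to-main:
    jobs:
      - vuln-scan/scan-job:
          ZT_TOKEN: ZT_TOKEN_PLACEHOLDER   # placeholder; see the note on environment variables
          wait_for_analysis: false          # fire-and-forget; results land in the ZeroThreat dashboard
          filters:
            branches:
              only: main

  # 2) Gate feature branches (the branches pull requests are opened from):
  #    run on every branch except main and wait for the analysis so the
  #    pipeline status reflects the scan outcome before a merge.
  scan-feature-branches:
    jobs:
      - vuln-scan/scan-job:
          ZT_TOKEN: ZT_TOKEN_PLACEHOLDER
          wait_for_analysis: true           # assumption: true blocks until the scan finishes
          filters:
            branches:
              ignore: main

  # 3) Nightly scan of main at 02:00 UTC using a cron schedule.
  nightly-scan:
    triggers:
      - schedule:
          cron: "0 2 * * *"                 # minute hour day-of-month month day-of-week (UTC)
          filters:
            branches:
              only: main
    jobs:
      - vuln-scan/scan-job:
          ZT_TOKEN: ZT_TOKEN_PLACEHOLDER
          wait_for_analysis: false
```

Workflows with a `triggers` block run only on the schedule, not on pushes, which is why the push-driven and nightly scans are kept as separate workflows.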
Finished setting up your CI/CD integration?
Head over to our guide on Reviewing Scan Reports to learn how to read and analyze the different sections of the scan report.