CircleCI

This page explains how you can integrate HoundDog.ai's code scanner with CircleCI.

Defining the Required Pipeline Variables

First, follow the steps in API Keys to generate a HoundDog.ai API key. Then, follow the steps in the CircleCI documentation to create a environment variable named HOUNDDOG_API_KEY using the value of your new key.

CircleCI provides you multiple ways to inject environment variables into your pipeline (e.g., contexts, project settings). Here is an example screenshot showing the HOUNDDOG_API_KEY environment variable defined in project settings:

Defining the Scan Step in .circleci/config.yml

Next, add a new step in the .circleci/config.yml file at the root of your repository. Here is an example which scans your repository and uploads the results to HoundDog.ai Cloud Platform:

.circleci/config.yml
    
 
version: 2.1jobs:  build:    docker:      - image: hounddogai/hounddog    steps:      - checkout      - run:          name: Run HoundDog.ai Scan          command: hounddog scan
Copy

Note that we did not explicitly reference the HOUNDDOG_API_KEY variable in the YAML configuration above. CircleCI automatically injects them into the build environment for us.

Blocking the Pipeline Upon Detecting Vulnerabilities

HoundDog.ai's code scanner exits with return code 0 (success) by default. To halt the pipeline upon detecting vulnerabilities, provide the --fail-severity-threshold option to the hounddog scan command:

.circleci/config.yml
    
 
version: 2.1jobs:  build:    docker:      - image: hounddogai/hounddog    steps:      - checkout      - run:          name: Run HoundDog.ai scan          # Fail if a vulnerability with severity "medium" or higher is detected.          command: hounddog scan --fail-severity-threshold=medium
Copy

To view all available command-line options for the hounddog scan command, see Scanner Configuration.

Last updated on