# CI/CD Integration
sandtrace integrates into CI/CD pipelines through SARIF output (for GitHub Code Scanning) and JSON output (for custom pipelines).
## GitHub Actions with SARIF
Upload findings directly to GitHub Code Scanning:
```yaml
name: Security Audit
on:
  push:
    branches: [main]
  pull_request:
jobs:
  sandtrace:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install sandtrace
        run: |
          cargo install --path .
          sandtrace init
      - name: Run sandtrace audit
        run: sandtrace audit . --format sarif > sandtrace.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        # The audit step exits non-zero when it finds something, so upload
        # unconditionally; otherwise the findings would never reach Code Scanning.
        if: always()
        with:
          sarif_file: sandtrace.sarif
```
SARIF findings appear in the Security tab of your GitHub repository under Code scanning alerts.
## JSON output for custom pipelines
Use JSON output with exit codes for custom CI logic:
```yaml
- name: Security audit
  run: |
    # The default Actions shell runs with `-e`, so a non-zero exit would abort
    # the step before a `$?` test is reached; capture the code explicitly.
    rc=0
    sandtrace audit . --format json --severity high > findings.json || rc=$?
    if [ "$rc" -eq 2 ]; then echo "Critical findings detected"; exit 1; fi
    if [ "$rc" -eq 1 ]; then echo "::warning::High findings detected"; fi
```
## Exit codes

| Code | Meaning | CI action |
|---|---|---|
| 0 | Clean | Pass |
| 1 | High findings | Fail (or warn, depending on your policy) |
| 2 | Critical findings | Always fail |
## Severity gating

Control which severity levels fail your build:

```sh
# Fail on critical only
sandtrace audit . --severity critical

# Fail on high and critical
sandtrace audit . --severity high

# Report everything (never fails on medium/low/info alone)
sandtrace audit . --severity low
```
## Pre-commit hook

Run sandtrace as a git pre-commit hook:

```sh
#!/bin/sh
# .git/hooks/pre-commit
# The hook's exit status is the audit's exit status, so a non-zero code
# (high or critical findings) blocks the commit.
sandtrace audit . --severity high --format terminal
```
## JSON output schema

`sandtrace audit --format json` emits a JSON array of finding objects. Summary counts are written to stderr, and CI gating should use the command exit code.

```json
[
  {
    "file_path": "src/config.rs",
    "line_number": 42,
    "rule_id": "cred-aws-key",
    "severity": "critical",
    "description": "AWS Access Key ID found",
    "matched_pattern": "AKIA[0-9A-Z]{16}",
    "context_lines": [
      "const AWS_KEY = \"<redacted>\";"
    ]
  }
]
```
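When a pipeline needs more than the built-in gating (a baseline of accepted findings, or a threshold for high findings), it can consume the array above directly. The following gate script is an added example, not part of sandtrace: it suppresses baselined findings and maps the rest onto the documented exit codes; the sample findings, the baseline format of `(rule_id, file_path)` pairs, and the rule ids other than `cred-aws-key` are constructed placeholders.

```python
"""Policy gate over `sandtrace audit --format json` output (added example, not
part of sandtrace): suppress baselined findings, then map the rest onto the
documented exit codes (0 clean, 1 high, 2 critical) with a pipeline-chosen
threshold for high findings instead of failing on the tool's exit code alone."""
import json
import sys
from collections import Counter

EXIT_CLEAN, EXIT_HIGH, EXIT_CRITICAL = 0, 1, 2
# Constructed sample in the documented schema; rule ids other than
# cred-aws-key are placeholders, not real sandtrace rules.
SAMPLE_JSON = """[
  {"file_path": "src/config.rs", "line_number": 42, "rule_id": "cred-aws-key",
   "severity": "critical", "description": "AWS Access Key ID found",
   "matched_pattern": "AKIA[0-9A-Z]{16}",
   "context_lines": ["const AWS_KEY = \\"<redacted>\\";"]},
  {"file_path": "src/db.rs", "line_number": 7, "rule_id": "example-high-rule",
   "severity": "high", "description": "placeholder", "matched_pattern": "",
   "context_lines": []},
  {"file_path": "README.md", "line_number": 3, "rule_id": "example-low-rule",
   "severity": "low", "description": "placeholder", "matched_pattern": "",
   "context_lines": []}
]"""

def load_findings(text):
    """Parse the findings array; summary counts go to stderr, so stdout is pure JSON."""
    findings = json.loads(text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON array of finding objects")
    return findings

def suppress(findings, baseline):
    """Drop findings whose (rule_id, file_path) pair is in the baseline (assumed format)."""
    return [f for f in findings if (f["rule_id"], f["file_path"]) not in baseline]

def gate(findings, max_high=0):
    """Return (exit_code, counts): critical always fails, high fails above max_high."""
    counts = Counter(f["severity"] for f in findings)
    if counts["critical"]:
        return EXIT_CRITICAL, counts
    if counts["high"] > max_high:
        return EXIT_HIGH, counts
    return EXIT_CLEAN, counts

if __name__ == "__main__":
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_JSON
    code, counts = gate(suppress(load_findings(text), baseline=set()))
    print(f"critical={counts['critical']} high={counts['high']} exit={code}", file=sys.stderr)
    sys.exit(code)
```

Run it as `python3 gate.py - < findings.json`; because the Actions shell stops on the first non-zero status, write the audit output with `sandtrace audit . --format json --severity low > findings.json || true` so the gate, not the tool's own exit code, decides the step result.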