CI Recipes
Drop-in configuration for every major CI platform. Copy, paste, add your API key — done.
GitHub Actions
Basic scan on every PR and push
.github/workflows/nixer.yml
name: Nixer AI Security on: [pull_request, push] permissions: contents: read security-events: write pull-requests: write jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: Polsia-Inc/nixer-action@v1 with: api-key: ${{ secrets.NIXER_API_KEY }}
Fail only on critical findings
.github/workflows/nixer-critical.yml
- uses: Polsia-Inc/nixer-action@v1 with: api-key: ${{ secrets.NIXER_API_KEY }} severity-threshold: critical fail-on-findings: true
Scheduled nightly + report-only mode
.github/workflows/nixer-nightly.yml
on: schedule: - cron: '0 2 * * *' workflow_dispatch: jobs: nightly: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: Polsia-Inc/nixer-action@v1 with: api-key: ${{ secrets.NIXER_API_KEY }} fail-on-findings: false # report only
Monorepo matrix build
.github/workflows/nixer-monorepo.yml
jobs: scan: strategy: matrix: service: [api, worker, agent] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: Polsia-Inc/nixer-action@v1 with: api-key: ${{ secrets.NIXER_API_KEY }} scan-targets: services/${{ matrix.service }} sarif-output: nixer-${{ matrix.service }}.sarif
GitLab CI
.gitlab-ci.yml
nixer-scan: image: node:20-slim stage: security script: - npx nixer scan . --format sarif --output nixer.sarif variables: NIXER_API_KEY: $NIXER_API_KEY # set in CI/CD Variables artifacts: when: always paths: - nixer.sarif expire_in: 30 days only: - merge_requests - main
CircleCI
.circleci/config.yml
version: 2.1 jobs: nixer-scan: docker: - image: cimg/node:20.0 steps: - checkout - run: name: Nixer AI Security Scan command: | npx nixer scan . --format sarif --output nixer.sarif environment: NIXER_API_KEY: ${NIXER_API_KEY} - store_artifacts: path: nixer.sarif workflows: security: jobs: - nixer-scan
Jenkins
Jenkinsfile
pipeline { agent { docker { image 'node:20-slim' } } environment { NIXER_API_KEY = credentials('nixer-api-key') } stages { stage('Nixer AI Security') { steps { sh ''' npx nixer scan . \ --format sarif \ --output nixer.sarif \ --severity-threshold high ''' } post { always { archiveArtifacts artifacts: 'nixer.sarif' } } } } }
The CLI (
npx nixer) works in any CI environment with Node.js 18+. Set NIXER_API_KEY as a CI secret/variable. See the API reference for programmatic scan triggering.