CI/CD Integration

The Vulnlog CLI runs on developer machines and in CI pipelines.

A common pattern is dynamic suppression: generate suppression files in the CI pipeline just before the scanner runs, so they are always in sync with the Vulnlog file and never need to be committed. See Static and Dynamic Suppression for more details on both approaches.

Gradle

For Gradle-based builds, the Vulnlog Gradle plugin wires validate, suppress, and init into your build. See Gradle Plugin for details.

GitHub Actions

Example workflow using dynamic suppression — the suppression file is generated, used by the scanner, and discarded after the pipeline completes:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Generate suppression files
        continue-on-error: true
        run: |
          docker run --rm \
            -u "$(id -u):$(id -g)" \
            -v "${{ github.workspace }}:/work" \
            -w /work \
            ghcr.io/vulnlog/vulnlog:0.12.0 \
            suppress --reporter trivy vulnlog.yaml -o /work

      - name: Ensure suppression file exists
        run: |
          [ -f .trivyignore.yaml ] || touch .trivyignore.yaml

      - name: Run Trivy scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-results.sarif
          trivyignores: .trivyignore.yaml

      - name: Upload Trivy SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-results.sarif
          category: trivy

      - name: Generate Vulnlog HTML report
        if: always()
        run: |
          docker run --rm \
            -u "$(id -u):$(id -g)" \
            -v "${{ github.workspace }}:/work" \
            -w /work \
            ghcr.io/vulnlog/vulnlog:0.12.0 \
            report vulnlog.yaml -o /work

      - name: Upload Vulnlog HTML report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: vulnerability-report
          path: vulnlog-report.html

Using the Docker Image

In most CI environments (GitHub Actions, Jenkins, GitLab CI) the runner’s workspace is owned by UID 1000, so the container works without extra flags:

docker run --rm -v "$PWD:/work" ghcr.io/vulnlog/vulnlog:0.12.0 suppress vulnlog.yaml --reporter trivy

When the CI runner requires root access, override the user at runtime:

docker run --rm --user root -v "$PWD:/work" ghcr.io/vulnlog/vulnlog:0.12.0 suppress vulnlog.yaml

Validating in CI

Running validation as part of the CI pipeline catches Vulnlog file errors early:

vulnlog validate my-app.vl.yaml --strict

--strict treats warnings as errors.
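The steps above (validate first, generate suppressions just before the scan, guarantee the suppression file exists, always emit the HTML report, run the container as the workspace owner) can be collected into one portable CI script for runners that are not GitHub Actions, such as GitLab CI or Jenkins. The following is an added example, not code from the Vulnlog project or its documentation. The image tag and CLI arguments are taken from this page; the function names, the VULNLOG_RUN and SCANNER_RUN overrides (so the script can be exercised without Docker or Trivy) and the heuristic that chooses the container user from workspace ownership are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not part of the Vulnlog project: one portable CI step that
# implements the page's pattern (validate, generate suppressions right before
# the scan, always emit the HTML report) for runners such as GitLab CI or
# Jenkins. Image tag and CLI arguments come from the page; function names,
# the VULNLOG_RUN/SCANNER_RUN overrides and the user-selection heuristic are
# assumptions made for this script.
set -eu

VULNLOG_IMAGE="${VULNLOG_IMAGE:-ghcr.io/vulnlog/vulnlog:0.12.0}"
WORKSPACE="${WORKSPACE:-$PWD}"
VULNLOG_OUT="${VULNLOG_OUT:-/work}"     # output directory as seen by the CLI
VULNLOG_RUN="${VULNLOG_RUN:-}"          # optional non-Docker CLI command (assumed, for tests)
SCANNER_RUN="${SCANNER_RUN:-trivy}"     # scanner command (assumed override)

# Choose the container user (heuristic, an assumption of this script): if the
# runner owns the workspace, run as that UID/GID so generated files stay
# writable by the runner; otherwise fall back to root as the page describes.
docker_user_flag() {
  ws_owner=$(stat -c %u "$1" 2>/dev/null || stat -f %u "$1" 2>/dev/null || echo -1)
  if [ "$ws_owner" = "$(id -u)" ]; then
    printf '%s' "-u $(id -u):$(id -g)"
  else
    printf '%s' "--user root"
  fi
}

# Invoke the Vulnlog CLI through Docker unless VULNLOG_RUN is set.
vulnlog_run() {
  if [ -n "$VULNLOG_RUN" ]; then
    $VULNLOG_RUN "$@"
  else
    # shellcheck disable=SC2046  (word-splitting of the user flag is intended)
    docker run --rm $(docker_user_flag "$WORKSPACE") \
      -v "$WORKSPACE:/work" -w /work "$VULNLOG_IMAGE" "$@"
  fi
}

# Generate the scanner's suppression file. A failure must not block the scan
# (the page's continue-on-error), but the scanner still needs the file to
# exist, so an empty fallback is written. Prints "generated" or "fallback".
generate_suppression() {
  sup_reporter=$1; sup_file=$2
  rm -f "$sup_file"
  if ! vulnlog_run suppress --reporter "$sup_reporter" vulnlog.yaml -o "$VULNLOG_OUT"; then
    echo "warning: suppression generation failed; scanning without suppressions" >&2
  fi
  if [ -s "$sup_file" ]; then
    echo generated
  else
    : > "$sup_file"
    echo fallback
  fi
}

# The complete step. A validation error stops the pipeline before any scan;
# the HTML report is produced even when the scan fails (the page's
# `if: always()`), and the scan's exit status is preserved as the result.
run_pipeline() {
  reporter=${1:-trivy}; ignore_file=${2:-.trivyignore.yaml}
  # explicit "|| return" because set -e is suspended inside a function that a
  # caller invokes in an "||" context
  vulnlog_run validate vulnlog.yaml --strict || return $?
  generate_suppression "$reporter" "$ignore_file"
  scan_status=0
  $SCANNER_RUN fs --ignorefile "$ignore_file" --format sarif \
    --output trivy-results.sarif . || scan_status=$?
  report_status=0
  vulnlog_run report vulnlog.yaml -o "$VULNLOG_OUT" || report_status=$?
  if [ "$scan_status" -ne 0 ]; then
    return "$scan_status"
  fi
  return "$report_status"
}

# Run the step when invoked as a script (VULNLOG_CI_MAIN=1 sh vulnlog-ci.sh);
# sourcing the file only defines the functions.
if [ "${VULNLOG_CI_MAIN:-0}" = 1 ]; then
  run_pipeline "$@"
fi
```

In a real pipeline the script is run with `VULNLOG_CI_MAIN=1` from the job's workspace; the job then uploads trivy-results.sarif and vulnlog-report.html as artifacts exactly as the GitHub Actions workflow does. Keeping the report step after the scan and returning the scan's status means a failing scan still fails the job while the report remains available for triage.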