# Integration with CircleCI Using the Sec1 Orb

Enhance the security of your applications with the seamless integration of Sec1 and [CircleCI](https://circleci.com) using the **Sec1 Orb**. This integration allows for thorough scanning of your application dependencies, identifying and addressing open source security vulnerabilities as an integral part of your continuous integration/continuous delivery (CI/CD) workflow.

CircleCI simplifies CI/CD workflows through the use of ready-to-use commands, known as [Orbs](https://circleci.com/orbs/), which can be effortlessly added to your configuration file.

By leveraging the Sec1 Orb, you can effortlessly incorporate Sec1 Security into your CI/CD process, scanning for open source vulnerabilities based on your specified configurations.

## Prerequisites for CircleCI Integration

Ensure a smooth implementation of CircleCI integration with Sec1 by following these prerequisites:

1. **Sec1 Account:** Create a Sec1 account and retrieve the **Sec1 API token** from your **Account settings**.
2. **Repo Import:** Import the relevant repository into CircleCI.
3. **Security Settings:** In CircleCI, navigate to `Organization Settings -> Security -> Orb security settings` and enable `opt-in to third party (partner and community) Orbs`.
4. **Environment Variables:** Add the API token to CircleCI as an environment variable: navigate to `Project Settings -> Environment Variables -> Add Environment Variable`, set the key to `SEC1_API_KEY` and the value to your Sec1 API token.

## Implementing the Sec1 Orb

Follow the comprehensive information provided in the [Sec1 Circle CI README](https://circleci.com/developer/orbs/orb/sec1/sec1-orb) to seamlessly set up your CI/CD with Sec1. The README includes a detailed list of parameters and sample configurations to ensure a successful integration.

## Example

### Sec1 Security Scan

Add the following configuration to your `.circleci/config.yml` file.

> Be sure to use the latest version of the [Sec1 Orb](https://circleci.com/developer/orbs/orb/sec1/sec1-orb)

```yaml
version: 2.1

orbs:
  sec1-orb: sec1/sec1-orb@1.0.14
  
jobs:
  build:
    docker:
      - image: cimg/node:lts
    steps:
      - sec1-orb/scan:
          api_key: ${SEC1_API_KEY}

workflows:
  my-workflow:
    jobs:
      - build
```

### Customizing Scan Thresholds

Sec1 scan supports setting up threshold values. If the scan reports vulnerabilities exceeding the specified thresholds, Sec1 Security will mark the build as failed. You can set threshold values for different severities such as critical, high, medium, and low.

Add the following configuration to your `.circleci/config.yml` file.

> Be sure to use the latest version of the [Sec1 Orb](https://circleci.com/developer/orbs/orb/sec1/sec1-orb)

```yaml
version: 2.1

orbs:
  sec1-orb: sec1/sec1-orb@1.0.14
  
jobs:
  build:
    docker:
      - image: cimg/node:lts
    steps:
      - sec1-orb/scan:
          api_key: ${SEC1_API_KEY}
          scan_threshold: critical=0 high=0 medium=0

workflows:
  my-workflow:
    jobs:
      - build
```

## Understanding CircleCI Integration

Once your project is imported into CircleCI and the Sec1 Orb is part of your configuration file, every build runs the Sec1 Orb, which performs two tasks:

1. **Dependency Scan:** Examines your application dependencies, identifies known open source vulnerabilities, and reports the list of issues found.
2. **Build Outcome:** Compares the scan results with the thresholds you configured. If the number of vulnerabilities at any severity exceeds its threshold, the build is marked as failed, so that code which does not meet your security standards is not promoted by the pipeline.
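The threshold gate behind `scan_threshold` and the build outcome described above can be illustrated with a small script. This is an added example, not the Sec1 Orb's own implementation: the findings list is constructed for the example, the severity names follow the ones the page lists, and it assumes that "exceeding" a threshold means the count is strictly greater than the configured limit (so `critical=0` fails the build on the first critical finding) and that a severity not mentioned in the threshold string is unlimited.

```python
"""Evaluate dependency-scan findings against a scan_threshold string.

Added example code illustrating the gate semantics described on this page;
it is not the Sec1 Orb's own code.  Assumptions: a severity whose count is
strictly greater than its limit fails the build, and severities absent from
the threshold string are not limited.
"""
import re
import sys

SEVERITIES = ("critical", "high", "medium", "low")
_TOKEN = re.compile(r"(critical|high|medium|low)=(\d+)", re.IGNORECASE)

# Constructed sample findings, standing in for a real scan report.
SAMPLE_FINDINGS = [
    {"package": "example-lib-a", "severity": "high"},
    {"package": "example-lib-b", "severity": "high"},
    {"package": "example-lib-c", "severity": "medium"},
    {"package": "example-lib-d", "severity": "low"},
]


def parse_threshold(spec: str) -> dict:
    """Turn 'critical=0 high=0 medium=0' into {severity: max_allowed_count}.

    Unknown severity names or non-numeric limits are rejected so that a typo
    in the pipeline configuration cannot silently disable the gate.
    """
    limits = {}
    for token in spec.split():
        match = _TOKEN.fullmatch(token)
        if match is None:
            raise ValueError(f"malformed threshold token: {token!r}")
        limits[match.group(1).lower()] = int(match.group(2))
    return limits


def count_by_severity(findings) -> dict:
    """Count findings per severity; reject severities outside the known set."""
    counts = {sev: 0 for sev in SEVERITIES}
    for finding in findings:
        sev = str(finding["severity"]).lower()
        if sev not in counts:
            raise ValueError(f"unknown severity in finding: {sev!r}")
        counts[sev] += 1
    return counts


def evaluate(findings, spec: str):
    """Return (passed, violations).

    violations maps each severity whose count exceeds its limit to the pair
    (observed_count, limit); an empty mapping means the build passes.
    """
    limits = parse_threshold(spec)
    counts = count_by_severity(findings)
    violations = {
        sev: (counts[sev], limit)
        for sev, limit in limits.items()
        if counts[sev] > limit
    }
    return (not violations), violations


def main() -> int:
    # Mirror the build outcome: exit 1 so a CI job running this would fail.
    spec = sys.argv[1] if len(sys.argv) > 1 else "critical=0 high=0 medium=0"
    passed, violations = evaluate(SAMPLE_FINDINGS, spec)
    for sev, (count, limit) in violations.items():
        print(f"{sev}: {count} finding(s) exceed the limit of {limit}")
    print("build passed" if passed else "build failed")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the threshold string as its only argument; with the constructed findings, `critical=0 high=0 medium=0` fails on the two high and one medium findings, while `critical=0 high=2 medium=1` passes because no severity exceeds its limit and `low` is unconstrained.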

Your CircleCI environment is now configured to run a Sec1 scan on every build, giving you continuous security assessment of your dependencies throughout the CI/CD pipeline and an early signal whenever a new vulnerability appears in your software development lifecycle.
