
CI/CD Integration

Run Tachyonic security scans in GitHub Actions, GitLab CI, and other CI/CD pipelines

Overview

Tachyonic integrates with CI/CD pipelines via SARIF output. Run scans on every PR or deployment and surface findings directly in your code review workflow.

GitHub Actions

Basic Scan

name: AI Security Scan

on:
  pull_request:
  push:
    branches: [main]

# upload-sarif creates code scanning alerts, which needs security-events: write
permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Tachyonic
        run: curl -fsSL https://tachyonic.sh/install | bash

      - name: Run security scan
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          # pass the target through the environment rather than expanding
          # ${{ }} inside the script, so the value is never shell-interpreted
          TARGET_URL: ${{ vars.TARGET_URL }}
        run: |
          tachyonic scan \
            --target "$TARGET_URL" \
            --provider anthropic \
            --categories prompt-injection,system-prompt-extraction,tool-abuse \
            --max-attacks 20 \
            --format sarif \
            --output results.sarif \
            --no-progress

      - name: Upload SARIF to GitHub
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Findings appear in the Security tab under Code scanning alerts. The upload step requires the workflow to grant security-events: write explicitly rather than relying on the repository's default token permissions. The install step fetches the installer unpinned on every run; pin or vendor it if your pipeline policy requires a reproducible toolchain.
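Once the SARIF file exists you can also read it yourself, for example to fail the job on error-level results without waiting for the code scanning UI. The script below is an added example and is not part of Tachyonic. It relies only on the standard SARIF 2.1.0 layout (runs[].results[].level, falling back to the rule's defaultConfiguration.level, the same levels GitHub surfaces as alert severities); the embedded sample document, its EX001/EX002 rule ids and the tool name are constructed for illustration and say nothing about Tachyonic's real output.

```python
"""Summarize a SARIF 2.1.0 file and decide whether a pipeline should fail.

Added example, not part of the Tachyonic CLI. Only the standard SARIF shape
is assumed; SAMPLE_SARIF below is constructed and does not reflect
Tachyonic's actual rule identifiers or messages.
"""
import json
import sys
from collections import Counter

# SARIF result levels from least to most severe. GitHub surfaces
# note/warning/error as alert severities.
LEVELS = ("none", "note", "warning", "error")


def rule_default_levels(run):
    """Map ruleId -> defaultConfiguration.level declared by the tool driver."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {
        r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
        for r in rules
        if "id" in r
    }


def result_level(result, defaults):
    """Effective level: explicit on the result, else the rule's default, else 'warning'."""
    return result.get("level") or defaults.get(result.get("ruleId"), "warning")


def summarize(sarif):
    """Count results per effective level across all runs in the document."""
    counts = Counter()
    for run in sarif.get("runs", []):
        defaults = rule_default_levels(run)
        for res in run.get("results", []):
            counts[result_level(res, defaults)] += 1
    return dict(counts)


def should_fail(sarif, threshold="error"):
    """True if any result is at or above the given severity level."""
    cutoff = LEVELS.index(threshold)
    return any(
        LEVELS.index(level) >= cutoff and n > 0
        for level, n in summarize(sarif).items()
    )


# Constructed sample document; rule ids and messages are illustrative only.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX001", "defaultConfiguration": {"level": "error"}},
            {"id": "EX002"},  # no default level -> treated as warning
        ]}},
        "results": [
            {"ruleId": "EX001", "message": {"text": "..."}},                 # inherits error
            {"ruleId": "EX002", "level": "note", "message": {"text": "..."}},  # explicit note
            {"ruleId": "EX002", "message": {"text": "..."}},                 # falls back to warning
        ],
    }],
}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    with open(path, encoding="utf-8") if path else None as fh:
        doc = json.load(fh) if fh else SAMPLE_SARIF
    print(summarize(doc))
    sys.exit(1 if should_fail(doc) else 0)
```

Run it as a step after the scan (python3 sarif_gate.py results.sarif); a non-zero exit fails the job while the SARIF upload, guarded by if: always(), still happens. Resolving the level through the rule's defaultConfiguration matters because a result with no explicit level is not "no severity"; it inherits whatever the tool declared for that rule.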

Cloud Scan (Platform)

Submit to the Tachyonic platform for team visibility:

      - name: Run cloud scan
        env:
          TACHYONIC_PLATFORM_API_KEY: ${{ secrets.TACHYONIC_API_KEY }}
          TARGET_URL: ${{ vars.TARGET_URL }}
        run: |
          tachyonic login --platform-api-key "$TACHYONIC_PLATFORM_API_KEY"
          tachyonic scan \
            --target "$TARGET_URL" \
            --provider anthropic \
            --cloud

Fail on Findings

Block the pipeline if vulnerabilities are found:

      - name: Run scan
        id: scan
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          TARGET_URL: ${{ vars.TARGET_URL }}
        run: |
          tachyonic scan \
            --target "$TARGET_URL" \
            --provider anthropic \
            --format json \
            --output results.json \
            --no-progress

          # GitHub runs this with bash -e, so a failed scan aborts the step
          # before any output is written and the job fails closed.
          FINDINGS=$(python3 -c "import json; r=json.load(open('results.json')); print(r['scan']['vulnerabilities_found'])")
          echo "findings=$FINDINGS" >> "$GITHUB_OUTPUT"
          
      - name: Check findings
        if: steps.scan.outputs.findings != '0'
        run: |
          echo "Security scan found ${{ steps.scan.outputs.findings }} vulnerabilities"
          exit 1

GitLab CI

ai-security-scan:
  stage: test
  image: ubuntu:latest
  before_script:
    # the bare ubuntu image ships without curl, which the installer needs
    - apt-get update -qq && apt-get install -y -qq curl ca-certificates
    - curl -fsSL https://tachyonic.sh/install | bash
  script:
    - |
      tachyonic scan \
        --target "$TARGET_URL" \
        --provider anthropic \
        --categories prompt-injection,tool-abuse \
        --max-attacks 20 \
        --format sarif \
        --output gl-sast-report.sarif \
        --no-progress
  artifacts:
    when: always
    reports:
      sast: gl-sast-report.sarif

ANTHROPIC_API_KEY and TARGET_URL are read from the job environment, so define them as masked CI/CD variables in the project or group settings; the job does not need to re-declare them under variables:. Note that GitLab parses reports:sast against its own security report JSON schema rather than SARIF: the file is retained as a job artifact either way, but it only populates the Security dashboard and merge request widget if converted to that schema.

Generic Pipeline

Any CI system that can run shell commands (the result check below also needs python3):

# Abort on the first failing command so a failed scan never reaches the check
set -euo pipefail

# Install
curl -fsSL https://tachyonic.sh/install | bash

# Scan
tachyonic scan \
  --target "$TARGET_URL" \
  --provider anthropic \
  --format json \
  --output results.json \
  --no-progress

# Check results. Truncate the score to an integer: a fractional score makes
# "[ -lt ]" error out, and a failing test inside "if" does not trip set -e,
# so the gate would otherwise pass silently.
SCORE=$(python3 -c "import json; print(int(float(json.load(open('results.json'))['score']['total'])))")
echo "Resistance score: $SCORE"

if [ "$SCORE" -lt 80 ]; then
  echo "FAIL: Score below threshold"
  exit 1
fi
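The GitHub "Fail on Findings" step and the generic pipeline above both gate on a one-line parse and a shell test. Two failure modes are easy to miss: a fractional score makes the [ -lt ] comparison exit with status 2, and because a failing condition inside if does not abort a set -e script, that gate passes silently; and a missing or renamed key only surfaces as a Python traceback. The script below is an added example, not part of the Tachyonic CLI, that implements a fail-closed gate over the same two fields the page reads, scan.vulnerabilities_found and score.total. The thresholds, the MIN_SCORE environment variable, the exit codes and the sample documents are the example's own choices; nothing else about the result schema is assumed.

```python
"""Fail-closed gate over a Tachyonic JSON result file.

Added example, not part of the Tachyonic CLI. It assumes only the two
fields the page itself reads (scan.vulnerabilities_found, score.total);
thresholds, exit codes and the sample documents are this example's own.
"""
import json
import os
import sys


class GateError(Exception):
    """Raised when the result file cannot be trusted (missing or malformed)."""


def load_results(path):
    """Load the result document; any read or parse error is a gate error."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError) as exc:
        raise GateError(f"cannot read {path}: {exc}") from exc


def evaluate(results, min_score=80, max_findings=0):
    """Return (passed, findings, score). Missing or malformed fields fail the gate."""
    try:
        findings = int(results["scan"]["vulnerabilities_found"])
        score = float(results["score"]["total"])  # scores may be non-integer
    except (KeyError, TypeError, ValueError) as exc:
        raise GateError(f"malformed result document: {exc!r}") from exc
    passed = findings <= max_findings and score >= min_score
    return passed, findings, score


def write_github_outputs(findings, score):
    """Expose values as step outputs when running under GitHub Actions."""
    out = os.environ.get("GITHUB_OUTPUT")
    if out:
        with open(out, "a", encoding="utf-8") as fh:
            fh.write(f"findings={findings}\nscore={score}\n")


def main(argv):
    path = argv[1] if len(argv) > 1 else "results.json"
    min_score = float(os.environ.get("MIN_SCORE", "80"))  # MIN_SCORE is this example's knob
    try:
        passed, findings, score = evaluate(load_results(path), min_score=min_score)
    except GateError as exc:
        print(f"GATE ERROR: {exc}", file=sys.stderr)
        return 2  # fail closed: an unreadable report is never a pass
    write_github_outputs(findings, score)
    print(f"findings={findings} score={score} threshold={min_score}")
    if not passed:
        print("FAIL: findings present or score below threshold")
        return 1
    return 0


# Constructed sample documents in the shape the page reads; not real output.
SAMPLE_CLEAN = {"scan": {"vulnerabilities_found": 0}, "score": {"total": 92.5}}
SAMPLE_VULN = {"scan": {"vulnerabilities_found": 3}, "score": {"total": 61}}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the scan as python3 gate.py results.json. Exit code 1 means the gate failed on content, 2 means the report could not be read or parsed, and under GitHub Actions the findings and score are appended to GITHUB_OUTPUT so a later step can reference them. Keeping the "unreadable report" path distinct from "findings present" makes it obvious in the job log whether the scanner or the target is the problem.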

Environment Variables

Set the API keys as masked CI secrets; TARGET_URL can be an ordinary CI variable:

Variable                     Required                   Description
ANTHROPIC_API_KEY            Yes (if using Anthropic)   Provider API key
OPENAI_API_KEY               Yes (if using OpenAI)      Provider API key
TARGET_URL                   Yes                        Endpoint to scan
TACHYONIC_PLATFORM_API_KEY   Optional                   For --cloud scans

Cost Control

Limit scan cost in CI to avoid surprise bills:

tachyonic scan \
  --target "$TARGET_URL" \
  --provider anthropic \
  --max-attacks 20 \
  --max-cost 5.00 \
  --no-progress
