CI/CD Integrations
Cerebion Rivet includes a rivet CLI for running code analysis in automated pipelines. This page covers setup and usage for common CI/CD platforms.
Requirements
The rivet CLI is available in two ways:
- Standalone CLI: download the rivet binary for your platform from cerebion.com/download. No desktop app is required, which makes it the right choice for headless servers and CI/CD runners.
- Desktop install: the rivet CLI is included and added to your PATH automatically when you install the Cerebion Rivet desktop application.
Set your license key as an environment variable on the CI/CD machine. Use the syntax appropriate for your runner's shell:
# Linux / macOS
export RIVET_LICENSE_KEY=your-license-key-here
# Windows (Command Prompt)
set RIVET_LICENSE_KEY=your-license-key-here
# Windows (PowerShell)
$env:RIVET_LICENSE_KEY = "your-license-key-here"
Each of these sets the variable for the current shell session only. In a pipeline, inject the key per job from your CI/CD platform's secret store rather than hardcoding it in pipeline files or runner images (see the examples below).
CLI Reference
rivet scan TARGET [OPTIONS]
Arguments:
TARGET Path to directory or file to scan (required)
Options:
--format Output format: text (default), json, sarif
json and sarif require an Enterprise license
-o, --output Write output to file instead of stdout
--mode Analysis mode: all (default) or pqc (quantum/crypto rules only)
--exclude Directory to exclude (repeatable, e.g. --exclude tests)
--ext File extension to include (repeatable, e.g. --ext py --ext js)
--no-fail Exit 0 even when findings exist
--timeout Analysis timeout in seconds (default: 600)
-v, --verbose Verbose output
Exit codes:
0 Analysis complete, no findings
1 Analysis complete, findings found
2 Error (license failure, config error, scanner not found)
GitHub Actions
Install the standalone rivet CLI on a self-hosted runner, or download it as part of your pipeline setup step. Register your runner at Settings > Actions > Runners in your GitHub repository. GitHub recommends self-hosted runners only for private repositories: on a public repository, a pull request from a fork can run arbitrary code on the runner, and with the pull_request trigger below that includes the scan job.
name: Quantum Security Analysis
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # required by upload-sarif
jobs:
  rivet-analysis:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - name: Run Cerebion Rivet analysis
        run: rivet scan . --format sarif -o rivet-report.sarif
        env:
          RIVET_LICENSE_KEY: ${{ secrets.RIVET_LICENSE_KEY }}
      - name: Upload SARIF to GitHub Security tab
        # rivet exits 1 when findings exist, which fails the job; upload the
        # report anyway so the findings reach the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: rivet-report.sarif
GitLab CI
Install the standalone rivet CLI on your GitLab Runner. Set RIVET_LICENSE_KEY as a CI/CD variable in your project's Settings > CI/CD > Variables and mark it Masked so it is redacted from job logs (and Protected if the job only runs on protected branches).
rivet-analysis:
  stage: test
  tags:
    - rivet   # tag your self-hosted runner with this label
  # RIVET_LICENSE_KEY needs no entry under variables: project CI/CD
  # variables are injected into every job automatically
  script:
    - rivet scan . --format json -o rivet-report.json
  artifacts:
    when: always   # rivet exits 1 on findings, which fails the job; keep the report anyway
    paths:
      - rivet-report.json
    reports:
      sast: rivet-report.json
Jenkins
Install the standalone rivet CLI on your Jenkins agent node. Store the license key as a Jenkins credential of type Secret text; credentials() injects it as an environment variable and masks it in the console log.
pipeline {
    // run only on agents that have the rivet CLI installed; 'rivet' is an
    // assumed label, adjust it to match your agents
    agent { label 'rivet' }
    environment {
        RIVET_LICENSE_KEY = credentials('rivet-license-key')
    }
    stages {
        stage('Quantum Security Analysis') {
            steps {
                sh 'rivet scan . --format json -o rivet-report.json'
            }
        }
    }
    post {
        // rivet exits 1 when findings exist, which fails the stage;
        // archive the report regardless so it can be reviewed
        always {
            archiveArtifacts artifacts: 'rivet-report.json', allowEmptyArchive: true
        }
    }
}
Common Usage Patterns
Analyze quantum/crypto rules only (faster)
rivet scan ./src --mode pqc --format json -o report.json

Exclude test directories
rivet scan . --exclude tests --exclude vendor --exclude node_modules

Analyze specific file types only
rivet scan ./src --ext py --ext js --ext ts

Don't fail the build on findings (report only)
rivet scan . --no-fail --format json -o report.json
With --no-fail the scan exits 0 whether or not it found anything, so the pipeline no longer gates on findings; consume the report file instead.

Notes
- Download the standalone rivet CLI from cerebion.com/download; no desktop app is required on your runner
- JSON and SARIF output formats require an Enterprise license
- Text output (default) is available on all license types
- Store RIVET_LICENSE_KEY in your CI/CD platform's secret store; never hardcode it in pipeline files
- For questions about CI/CD setup, contact support@cerebion.com
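Putting the exit codes from the CLI reference and the flags from the usage patterns together: the following wrapper is an added example written for this page, not part of the rivet CLI or the Cerebion documentation. It uses only the rivet options listed above; RIVET_BIN, REPORT_ONLY, REPORT_FORMAT and REPORT_FILE are the script's own environment knobs (assumptions), and your-license-key-here is the placeholder from the setup section. The script refuses to run when the key was not injected, runs the scan outside set -e so the report survives a findings exit, and turns exit codes 0/1/2 into a build decision. A pipeline step calls it in place of the bare rivet scan line.

```sh
#!/bin/sh
# ci-rivet-gate.sh: wrap `rivet scan` for CI. Keeps the report no matter how
# the scan ends and maps rivet's documented exit codes (0 clean, 1 findings,
# 2 error) to a build decision. Added example, not part of the rivet CLI.
# RIVET_BIN, REPORT_ONLY, REPORT_FORMAT and REPORT_FILE are this script's
# own knobs (assumptions), not rivet options.
set -u

RIVET_BIN="${RIVET_BIN:-rivet}"               # override to use a fixed path or a test stub
REPORT_ONLY="${REPORT_ONLY:-0}"               # 1: record findings but never fail the build
REPORT_FORMAT="${REPORT_FORMAT:-sarif}"       # json/sarif need an Enterprise license; text works on all
REPORT_FILE="${REPORT_FILE:-rivet-report.$REPORT_FORMAT}"

# Fail before spending scan time if the key was not injected from the secret
# store. Never print the key itself; CI logs are often widely readable.
check_license_env() {
  if [ -z "${RIVET_LICENSE_KEY:-}" ]; then
    echo "RIVET_LICENSE_KEY is not set; inject it from the CI secret store" >&2
    return 2
  fi
  case "$RIVET_LICENSE_KEY" in
    your-license-key-here)   # the docs placeholder, pasted into a pipeline file
      echo "RIVET_LICENSE_KEY still holds the documentation placeholder" >&2
      return 2 ;;
  esac
  return 0
}

# Map a rivet exit code to a decision word. Only code 1 is negotiable:
# REPORT_ONLY=1 turns findings into a pass, like --no-fail, but the report is
# still written and the real exit code is still logged. Anything else non-zero
# is an error (2 per the CLI reference, 127 if the binary is missing, ...).
classify_exit() {
  case "$1" in
    0) echo clean ;;
    1) if [ "$REPORT_ONLY" = 1 ]; then echo findings-ignored; else echo findings; fi ;;
    *) echo error ;;
  esac
}

# run_gated_scan TARGET [extra rivet options...]
# Deliberately not under `set -e`: a non-zero scan exit must not skip the
# classification, the same reason the pipeline examples need an always-run
# upload or archive step.
run_gated_scan() {
  target="${1:-.}"
  if [ "$#" -gt 0 ]; then shift; fi
  check_license_env || return 2
  "$RIVET_BIN" scan "$target" --format "$REPORT_FORMAT" -o "$REPORT_FILE" "$@"
  scan_rc=$?
  decision=$(classify_exit "$scan_rc")
  echo "rivet exit=$scan_rc decision=$decision report=$REPORT_FILE"
  case "$decision" in
    clean|findings-ignored) return 0 ;;
    findings)               return 1 ;;
    *)                      return 2 ;;
  esac
}

# Run the gate only when executed as this script, so the file can also be
# sourced by a test harness. Example:
#   ./ci-rivet-gate.sh ./src --exclude tests --exclude vendor
case "${0##*/}" in
  ci-rivet-gate.sh) run_gated_scan "$@"; exit $? ;;
esac
```

The decision is made from the exit code alone, so the same script works for text output on a non-Enterprise license; the report format only changes what gets archived. Setting REPORT_ONLY=1 is the scripted equivalent of the --no-fail pattern above, with the difference that the original exit code still appears in the job log.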