DevSecOps

CI/CD Integration

Severity-based exit codes, CI-optimized commands, and SARIF output for GitHub Advanced Security. Works with any CI system.

Severity-Based Exit Codes

Pipeline gating with configurable exit codes based on the highest severity threat found.

CI-Optimized Commands

The check-drift command is designed for CI pipelines with JSON output and severity thresholds.

SARIF for GitHub Security

Upload results directly to GitHub Advanced Security for native integration.

Works Everywhere

GitHub Actions, GitLab CI, Jenkins, CircleCI, and any CI system with command-line support.

Severity-Based Exit Codes

ThreatMitigator returns an exit code based on the highest-severity threat found, so a CI job can pass or fail on the result directly:

Exit code   Meaning
0           No threats found, or all findings are below the severity threshold
1           Error: invalid config or parse failure (the scan did not complete)
2           Highest threat is Low or Info severity
3           Highest threat is Medium severity
4           Highest threat is High or Critical severity

Exit code 1 is not a gating result: it means the scan could not run. Treat it as a failure in any pipeline and never map it to "no threats found".

Control the threshold with --severity-threshold:

# Only fail the build on High or Critical threats
threatmitigator scan terraform ./infra --severity-threshold high
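
Pipeline gating with these codes in practice, as an added example (this wrapper is not part of ThreatMitigator and does not come from this page; it assumes only the exit-code table above and the scan command shown, and the policy names block-high and block-medium are invented for illustration): a POSIX sh wrapper that keeps a scanner error distinct from a clean run and lets Medium findings warn while High/Critical findings block. It applies equally to check-drift, which uses the same exit codes; substitute that command in run_scan.

```shell
#!/bin/sh
# Added example, not ThreatMitigator's own code. Interprets the documented
# exit codes (0-4) so that a scanner error never reads as a clean run and so a
# CI system without its own "warn vs. block" logic can express that policy.

# classify_exit CODE: print the meaning of a ThreatMitigator exit code.
classify_exit() {
  case "$1" in
    0) echo clean ;;    # no threats, or all below --severity-threshold
    1) echo error ;;    # invalid config or parse failure: scan did not complete
    2) echo low ;;      # highest finding is Low/Info
    3) echo medium ;;   # highest finding is Medium
    4) echo high ;;     # highest finding is High/Critical
    *) echo unknown ;;  # anything else (crash, signal, tool missing): treat as error
  esac
}

# gate CODE POLICY: return 0 to let the pipeline continue, 1 to block it.
# POLICY (invented for this example) is "block-high" (Medium only warns)
# or "block-medium" (Medium also blocks).
gate() {
  code="$1"
  policy="$2"
  case "$(classify_exit "$code")" in
    clean|low)
      return 0 ;;
    medium)
      if [ "$policy" = "block-medium" ]; then return 1; else return 0; fi ;;
    high)
      return 1 ;;
    *)
      # error/unknown: a scan that did not run must not pass the gate
      return 1 ;;
  esac
}

# run_scan DIR POLICY: run the scanner with the command documented above, keep
# the JSON report, then apply the policy. The exit code is captured with
# "|| rc=$?" so this also works when the CI shell runs with "set -e".
run_scan() {
  dir="$1"
  policy="$2"
  rc=0
  threatmitigator scan terraform "$dir" --format json --output threats.json || rc=$?
  status=$(classify_exit "$rc")
  echo "threatmitigator exit=$rc ($status), policy=$policy"
  if gate "$rc" "$policy"; then
    echo "gate: pass"
    return 0
  fi
  echo "gate: FAIL"
  return 1
}

# Typical pipeline call (needs threatmitigator on PATH):
# run_scan ./infra block-high
```

Call run_scan ./infra block-high from the CI step. Capturing the exit code with || rc=$? matters because most CI runners execute scripts under set -e, which would abort the step on the scanner's non-zero exit before the report is archived or the policy applied.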

CI-Optimized Command

The check-drift command is designed for CI pipelines:

threatmitigator check-drift ./infra --format json --severity-threshold medium
  • Never modifies .threatmodel.yaml
  • JSON output by default
  • Severity-based exit codes for pass/fail gating

SARIF for GitHub Security

Upload results directly to GitHub Advanced Security. The job needs the security-events: write permission for the upload step, and because the scan step exits non-zero when it finds threats (exit codes 2 to 4), the upload step must run with if: always() or it is skipped exactly when there is something to report:

# GitHub Actions
- name: Scan infrastructure
  run: threatmitigator scan terraform ./infra --format sarif --output results.sarif
- name: Upload to GitHub Security
  if: always()   # upload even when the scan step failed the job on findings
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Pipeline Examples

Works with any CI system: GitHub Actions, GitLab CI, Jenkins, CircleCI, and more. Severity-based exit codes and machine-readable output formats make integration straightforward.

GitHub Actions

name: Security Scan
on: [push, pull_request]

# upload-sarif needs write access to code scanning alerts.
permissions:
  contents: read
  security-events: write

jobs:
  threat-model:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ThreatMitigator must already be on PATH at this point.
      - name: Scan Infrastructure
        run: threatmitigator scan terraform ./infra --format sarif --output results.sarif
      - name: Upload to GitHub Security
        if: always()   # upload even when the scan step fails the job (exit codes 2-4)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

GitLab CI

threat-scan:
  stage: test
  script:
    # check-drift prints JSON to stdout; redirect it so the artifact below exists.
    - threatmitigator check-drift ./infra --format json --severity-threshold medium > threats.json
  artifacts:
    when: always   # keep the report even when the severity gate fails the job
    reports:
      # GitLab only parses reports:sast if the file follows its SAST report
      # schema; if ThreatMitigator's JSON does not, use artifacts:paths instead.
      sast: threats.json

Jenkins

pipeline {
    agent any
    stages {
        stage('Security Scan') {
            steps {
                // Any non-zero exit (2-4 = threats found, 1 = scanner error) fails the stage;
                // add --severity-threshold to fail only on the severities you want to block.
                sh 'threatmitigator scan terraform ./infra --format json --output threats.json'
            }
            post {
                always {
                    // Keep the report even when the gate fails the build; allowEmptyArchive
                    // avoids a second failure if the scan errored before writing it.
                    archiveArtifacts artifacts: 'threats.json', allowEmptyArchive: true
                }
            }
        }
    }
}


Ready to Secure Your Infrastructure?

Join teams already using ThreatMitigator to identify security threats in their Terraform, CloudFormation, Docker, and Helm configurations.