# CI/CD Integration
Integrate FirePan security scanning directly into your development workflow. Catch vulnerabilities before they reach production.
## GitHub Integration
### GitHub App (Recommended)
The fastest way to integrate is via our GitHub App:
- Install FirePan GitHub App
- Select the repositories you want to monitor
- Automatic PR checks are enabled immediately
### GitHub Actions
For more control, use our GitHub Action:
```yaml
name: Security Check
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: FirePan Security Scan
        uses: firepan-labs/security-action@v1
        with:
          # Fail the build if critical issues found
          fail-on: critical
          # Optional: specify contracts directory
          path: contracts/
        env:
          FIREPAN_API_KEY: ${{ secrets.FIREPAN_API_KEY }}
```
### Configuration Options
| Option | Description | Default |
|---|---|---|
| `fail-on` | Minimum severity to fail build: `critical`, `high`, `medium`, `low` | `critical` |
| `path` | Directory containing contracts | Repository root |
| `format` | Output format: `github`, `json`, `sarif` | `github` |
| `ignore-paths` | Comma-separated paths to ignore | `node_modules,test` |
### PR Check Behavior
When a pull request is opened or updated:
- Scan triggered - FirePan analyzes the changed contracts
- Status check - Results appear as a PR check
- Annotations - Issues are annotated directly on the code
- Comments - Summary posted as a PR comment
### Example PR Check Output
```text
FirePan Security Check
Risk Score: 45 (Medium)
Findings:
- [HIGH] Potential reentrancy in withdraw() - contracts/Vault.sol:142
- [MEDIUM] Missing zero-address validation - contracts/Token.sol:28
- [LOW] Consider using custom errors - contracts/Utils.sol:55
View full report: https://app.firepan.com/reports/abc123
```
## Configuration File
Create `.firepan.yml` in your repository root for advanced configuration:
```yaml
# .firepan.yml
# Scanning behavior
scan:
  # Only scan these directories
  include:
    - contracts/
    - src/
  # Skip these directories
  exclude:
    - contracts/mocks/
    - contracts/test/
  # Skip specific patterns
  ignore_patterns:
    - "**/Test*.sol"
    - "**/Mock*.sol"
# PR check behavior
checks:
  # Minimum severity to report
  report_threshold: low
  # Minimum severity to fail
  fail_threshold: high
  # Block merge on failure
  required: true
# Notifications
notifications:
  # Slack webhook for critical findings
  slack:
    webhook_url: ${SLACK_WEBHOOK_URL}
    on: critical
  # Email for daily summaries
  email:
    recipients:
      - security@yourcompany.com
    frequency: daily
```
## SARIF Integration
FirePan supports SARIF output for integration with GitHub's code scanning:
```yaml
- name: FirePan Security Scan
  uses: firepan-labs/security-action@v1
  with:
    format: sarif
    output: results.sarif
- name: Upload SARIF results
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: results.sarif
```
This enables:
- Security alerts in the GitHub Security tab
- Code scanning alerts on PRs
- Historical tracking of vulnerabilities
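If your pipeline consumes FirePan's JSON output instead of the action's built-in `sarif` format, you need to produce the SARIF document yourself before uploading. The converter below is an added example, not FirePan's own SARIF writer: the finding dict shape (`pattern_id`, `severity`, `title`, `file`, `line`) is an assumption, the SARIF field names are from the SARIF 2.1.0 specification, and the `security-severity` rule property is the scale GitHub documents for ranking code scanning alerts. Pattern ids other than `REENTRANCY-001` in the sample data are made up.

```python
"""Write scan findings as SARIF 2.1.0 so they can be uploaded with
github/codeql-action/upload-sarif. Added example, not FirePan's own SARIF
writer: the finding dict shape (pattern_id, severity, title, file, line) is
an assumption; the SARIF field names come from the SARIF 2.1.0 spec and the
security-severity property from GitHub's code scanning documentation.
"""
import json

# SARIF result levels; GitHub renders error/warning/note differently.
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}
# GitHub's documented scale: 9.0+ critical, 7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low.
SECURITY_SEVERITY = {"critical": "9.5", "high": "8.0", "medium": "5.5", "low": "2.0"}


def to_sarif(findings, tool_name="FirePan", tool_version="unknown"):
    """Build one SARIF run: one rule per distinct pattern_id, one result per finding."""
    rules, results = {}, []
    for f in findings:
        sev = str(f["severity"]).lower()
        level = SARIF_LEVEL.get(sev, "warning")  # unknown severities still surface
        rules.setdefault(f["pattern_id"], {
            "id": f["pattern_id"],
            "shortDescription": {"text": f["title"]},
            "defaultConfiguration": {"level": level},
            "properties": {"security-severity": SECURITY_SEVERITY.get(sev, "5.5")},
        })
        results.append({
            "ruleId": f["pattern_id"],
            "level": level,
            "message": {"text": f["title"]},
            "locations": [{
                "physicalLocation": {
                    # %SRCROOT% tells GitHub the path is relative to the repository root.
                    "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": int(f["line"])},
                }
            }],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def write_sarif(findings, path):
    """Serialize the SARIF log to `path` (e.g. results.sarif) and return it."""
    sarif = to_sarif(findings)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sarif, fh, indent=2)
    return sarif


# Constructed sample mirroring the page's PR check output; pattern ids other than
# REENTRANCY-001 are made up for this example.
SAMPLE_FINDINGS = [
    {"pattern_id": "REENTRANCY-001", "severity": "high",
     "title": "Potential reentrancy in withdraw()", "file": "contracts/Vault.sol", "line": 142},
    {"pattern_id": "ZERO-ADDRESS-001", "severity": "medium",
     "title": "Missing zero-address validation", "file": "contracts/Token.sol", "line": 28},
    {"pattern_id": "STYLE-001", "severity": "low",
     "title": "Consider using custom errors", "file": "contracts/Utils.sol", "line": 55},
]

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```

Deduplicating rules by `pattern_id` matters because GitHub keys alerts on `ruleId`; emitting a fresh rule per result would make every occurrence of the same pattern look like a different rule in the Security tab.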
## GitLab Integration
For GitLab CI/CD:
```yaml
# .gitlab-ci.yml
security-scan:
  image: ghcr.io/firepan-labs/scanner:latest
  stage: test
  script:
    - firepan scan . --format json --output gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - if: $CI_MERGE_REQUEST_ID
```
## Local Pre-commit Hook
Run security checks before committing:
```bash
# Install pre-commit
pip install pre-commit
```
Add to `.pre-commit-config.yaml`:
```yaml
repos:
  - repo: https://github.com/firepan-labs/pre-commit-hook
    rev: v1.0.0
    hooks:
      - id: firepan-scan
        args: [--fail-on, high]
```
```bash
# Install the hook
pre-commit install
```
## API Integration
For custom CI/CD pipelines, use the API directly:
```bash
# Trigger a scan
curl -X POST https://api.firepan.com/v1/scans \
  -H "Authorization: Bearer $FIREPAN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "repo_url": "https://github.com/your-org/your-repo",
    "ref": "main"
  }'

# Get scan results
curl https://api.firepan.com/v1/scans/{scan_id} \
  -H "Authorization: Bearer $FIREPAN_API_KEY"
```
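A custom pipeline has to do what the GitHub Action does for you: trigger the scan, wait for it, and turn the findings into an exit code using the `fail-on` severity ladder from the Configuration Options table. The script below is an added example, not FirePan's client library. It uses only the two endpoints shown above; the JSON shape of the responses (`id` on the POST response, `status` and a `findings` list with a `severity` field on the GET response) and the `CI_REPO_URL`, `CI_REF` and `FIREPAN_FAIL_ON` pipeline variables are assumptions.

```python
"""CI gate for a custom pipeline: trigger a FirePan scan, poll it, and fail
the job when findings meet the `fail-on` threshold.

Added example, not FirePan's own client. The endpoints and the severity
ladder (critical > high > medium > low) come from the page; the response
JSON shape (`id`, `status`, `findings[].severity`) and the CI_* variables
are assumptions.
"""
import json
import os
import sys
import time
import urllib.request

API_BASE = "https://api.firepan.com/v1"
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def api_request(path, method="GET", body=None, api_key=None):
    """Send one authenticated request and return the decoded JSON body."""
    api_key = api_key or os.environ["FIREPAN_API_KEY"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {api_key}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def trigger_scan(repo_url, ref, request=api_request):
    """POST /scans and return the new scan id (the `id` field is an assumption)."""
    return request("/scans", "POST", {"repo_url": repo_url, "ref": ref})["id"]


def wait_for_scan(scan_id, request=api_request, interval=10, max_wait=900):
    """Poll GET /scans/{scan_id} until the status is terminal or we time out."""
    deadline = time.monotonic() + max_wait
    while time.monotonic() < deadline:
        result = request(f"/scans/{scan_id}")
        if result.get("status") in ("completed", "failed"):
            return result
        time.sleep(interval)
    raise TimeoutError(f"scan {scan_id} did not finish within {max_wait}s")


def blocking_findings(findings, fail_on):
    """Findings whose severity is at or above the fail-on threshold. A severity
    string the gate does not recognise is treated as blocking, so a new level
    introduced upstream cannot silently pass."""
    threshold = SEVERITY_RANK[fail_on]
    return [f for f in findings
            if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), threshold) >= threshold]


def gate(result, fail_on):
    """Exit code: 0 = pass, 1 = blocking findings, 2 = scan did not complete."""
    if result.get("status") != "completed":
        return 2
    return 1 if blocking_findings(result.get("findings", []), fail_on) else 0


def main():
    repo = os.environ["CI_REPO_URL"]                      # assumed pipeline variable
    ref = os.environ.get("CI_REF", "main")                # assumed pipeline variable
    fail_on = os.environ.get("FIREPAN_FAIL_ON", "critical")
    result = wait_for_scan(trigger_scan(repo, ref))
    for f in blocking_findings(result.get("findings", []), fail_on):
        print(f"[{str(f.get('severity')).upper()}] {f.get('title')} - {f.get('file')}:{f.get('line')}")
    sys.exit(gate(result, fail_on))


if __name__ == "__main__":
    main()
```

The `request` parameter exists so the polling and gating logic can be exercised without network access; a scan that ends in `failed` returns exit code 2 rather than 0, so an outage in the scanner never reads as a clean bill of health.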
## Best Practices
### Start Permissive, Tighten Over Time
- Week 1: `fail-on: critical` - Only block on critical issues
- Month 1: `fail-on: high` - Block on high severity
- Quarter 1: `fail-on: medium` - Full security enforcement
### Handle False Positives
Add inline comments to suppress specific findings:
```solidity
// firepan-ignore: REENTRANCY-001 - Intentional pattern, see audit report
function withdraw() external {
    // ...
}
```
Or use `.firepan-ignore`:
```text
# .firepan-ignore
# Format: pattern_id:file_path:line_number
REENTRANCY-001:contracts/Vault.sol:142
ACCESS-001:contracts/Token.sol:* # Ignore entire file
```
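To see exactly which findings the two suppression mechanisms silence (and to keep a record of them in the CI log), it helps to apply them yourself to a findings list. The code below is an added example, not the scanner's own suppression logic. It assumes findings are dicts with `pattern_id`, `file` and `line` keys, that `#` starts a comment in `.firepan-ignore`, and that an inline `// firepan-ignore:` comment applies to the source line immediately below it; the sample source and the `ZERO-ADDRESS-001` id are constructed.

```python
"""Apply FirePan-style suppressions to scan findings.

Added example, not the scanner's own code. It implements the two mechanisms
described above: the .firepan-ignore file (pattern_id:file_path:line_number,
with * for a whole file) and an inline `// firepan-ignore: PATTERN-ID - reason`
comment. Assumptions: findings are dicts with pattern_id/file/line keys, and an
inline comment applies to the source line immediately below it.
"""
import re
from dataclasses import dataclass

# The token after "firepan-ignore:" is the pattern id; the rest is free-text reason.
INLINE_RE = re.compile(r"//\s*firepan-ignore:\s*(\S+)")


@dataclass(frozen=True)
class Suppression:
    pattern_id: str
    path: str
    line: str  # line number as text, or "*" for the whole file


def parse_ignore_file(text):
    """Parse .firepan-ignore. Blank lines and '#' comments are skipped; a
    trailing '# ...' after a rule is allowed, as in the page's example."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()
        if not rule:
            continue
        parts = rule.split(":")
        if len(parts) != 3 or not all(parts[:2]):
            raise ValueError(f".firepan-ignore:{lineno}: expected pattern_id:file_path:line_number, got {raw!r}")
        pattern_id, path, line = parts
        if line != "*" and not line.isdigit():
            raise ValueError(f".firepan-ignore:{lineno}: line must be a number or '*', got {line!r}")
        rules.append(Suppression(pattern_id, path, line))
    return rules


def inline_suppressed(finding, sources):
    """True if the line directly above the finding carries a matching inline comment."""
    src = sources.get(finding["file"])
    if src is None or finding["line"] < 2:
        return False
    lines = src.splitlines()
    if finding["line"] - 2 >= len(lines):
        return False
    m = INLINE_RE.search(lines[finding["line"] - 2])
    return bool(m) and m.group(1) == finding["pattern_id"]


def is_suppressed(finding, rules, sources):
    """A finding is silenced by a matching file-level or line-level rule, or an inline comment."""
    for r in rules:
        if (r.pattern_id == finding["pattern_id"] and r.path == finding["file"]
                and r.line in ("*", str(finding["line"]))):
            return True
    return inline_suppressed(finding, sources)


def filter_findings(findings, ignore_text, sources):
    """Return (kept, suppressed) so the CI log can still list what was silenced."""
    rules = parse_ignore_file(ignore_text)
    kept, suppressed = [], []
    for f in findings:
        (suppressed if is_suppressed(f, rules, sources) else kept).append(f)
    return kept, suppressed


# Constructed sample inputs mirroring the page's examples.
IGNORE_TEXT = """# .firepan-ignore
# Format: pattern_id:file_path:line_number
ACCESS-001:contracts/Token.sol:* # Ignore entire file
"""
VAULT_SOL = "\n".join(
    ["// filler line"] * 140
    + ["// firepan-ignore: REENTRANCY-001 - Intentional pattern, see audit report",
       "function withdraw() external {", "    // ...", "}"]
)  # the comment is line 141, withdraw() is line 142
SAMPLE_FINDINGS = [
    {"pattern_id": "REENTRANCY-001", "severity": "high", "file": "contracts/Vault.sol", "line": 142},
    {"pattern_id": "ACCESS-001", "severity": "medium", "file": "contracts/Token.sol", "line": 28},
    {"pattern_id": "ZERO-ADDRESS-001", "severity": "medium", "file": "contracts/Token.sol", "line": 28},
]

if __name__ == "__main__":
    kept, dropped = filter_findings(SAMPLE_FINDINGS, IGNORE_TEXT, {"contracts/Vault.sol": VAULT_SOL})
    for f in dropped:
        print(f"suppressed {f['pattern_id']} at {f['file']}:{f['line']}")
    for f in kept:
        print(f"[{f['severity'].upper()}] {f['pattern_id']} at {f['file']}:{f['line']}")
```

Printing the suppressed list alongside the kept one is deliberate: a whole-file `*` rule is easy to forget, and surfacing what it hides on every run keeps the suppression from outliving the audit finding that justified it.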
### Monitor Trends
Use the dashboard to track:
- Finding counts over time
- Average time to remediation
- Most common vulnerability types
- Developer security awareness
## Next Steps
- Dashboard Overview - Monitor your security posture
- CLI Reference - Full command documentation
- Pricing - See CI/CD quotas by tier