CI/CD Pipelines

Integrate ImageSentinel into your continuous integration and deployment workflows.

GitHub Actions

Use our official GitHub Action to scan and harden images:

.github/workflows/build.yml
name: Build and Harden

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Scan with ImageSentinel
        uses: imagesentinel/scan-action@v1
        with:
          image: myapp:${{ github.sha }}
          fail-on: critical,high

      - name: Harden and push
        uses: imagesentinel/harden-action@v1
        with:
          image: myapp:${{ github.sha }}
          push-to: ghcr.io/${{ github.repository }}:${{ github.sha }}
          sign: true
          sbom: true
        env:
          IMAGESENTINEL_API_KEY: ${{ secrets.IMAGESENTINEL_API_KEY }}

GitLab CI

Integrate with GitLab CI/CD pipelines:

.gitlab-ci.yml
stages:
  - build
  - scan
  - harden

build:
  stage: build
  script:
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

scan:
  stage: scan
  image: registry.imagesentinel.io/cli:latest
  script:
    - imagesentinel scan $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
        --fail-on critical,high
  variables:
    IMAGESENTINEL_API_KEY: $IMAGESENTINEL_API_KEY

harden:
  stage: harden
  image: registry.imagesentinel.io/cli:latest
  script:
    - imagesentinel harden $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
        --sign --sbom
        --push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA-hardened
  variables:
    IMAGESENTINEL_API_KEY: $IMAGESENTINEL_API_KEY

Jenkins

Add ImageSentinel to your Jenkins pipeline:

Jenkinsfile
pipeline {
    agent any

    environment {
        IMAGESENTINEL_API_KEY = credentials('imagesentinel-api-key')
    }

    stages {
        stage('Build') {
            steps {
                sh 'docker build -t myapp:${BUILD_NUMBER} .'
            }
        }

        stage('Scan') {
            steps {
                sh '''
                    docker run --rm \
                        -v /var/run/docker.sock:/var/run/docker.sock \
                        -e IMAGESENTINEL_API_KEY \
                        registry.imagesentinel.io/cli:latest \
                        scan myapp:${BUILD_NUMBER} --fail-on critical
                '''
            }
        }

        stage('Harden') {
            steps {
                sh '''
                    docker run --rm \
                        -v /var/run/docker.sock:/var/run/docker.sock \
                        -e IMAGESENTINEL_API_KEY \
                        registry.imagesentinel.io/cli:latest \
                        harden myapp:${BUILD_NUMBER} \
                        --sign --sbom \
                        --push registry.example.com/myapp:${BUILD_NUMBER}
                '''
            }
        }
    }
}

Environment Variables

Configure the CLI using environment variables:

Variable                  Description
IMAGESENTINEL_API_KEY     Your API key for authentication
IMAGESENTINEL_REGISTRY    Custom registry URL (default: registry.imagesentinel.io)
IMAGESENTINEL_LOG_LEVEL   Logging verbosity: debug, info, warn, error
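
A preflight check built from the variables listed above, as an added example that is not part of the ImageSentinel documentation: it stops the job early when the API key is missing or the log level is not one of the listed values, and applies the default registry. The function name `imagesentinel_preflight` and its messages are assumptions; the variable names, default registry and log levels are the ones given on this page.

```shell
#!/bin/sh
# Added example (not ImageSentinel's own code): validate the CLI environment
# before the scan/harden steps run. imagesentinel_preflight is a hypothetical
# helper name; variable names and allowed values come from the table above.

imagesentinel_preflight() {
    rc=0

    # The API key must be present. Report only its absence, never its value,
    # so the secret cannot end up in the build log.
    if [ -z "${IMAGESENTINEL_API_KEY:-}" ]; then
        echo "preflight: IMAGESENTINEL_API_KEY is not set" >&2
        rc=1
    fi

    # Fall back to the documented default when no custom registry is given.
    : "${IMAGESENTINEL_REGISTRY:=registry.imagesentinel.io}"
    case "$IMAGESENTINEL_REGISTRY" in
        *" "*)
            echo "preflight: IMAGESENTINEL_REGISTRY contains a space" >&2
            rc=1 ;;
    esac

    # An unset level leaves the CLI default in place; a set level must be
    # one of the four documented values.
    case "${IMAGESENTINEL_LOG_LEVEL:-}" in
        ""|debug|info|warn|error) ;;
        *)
            echo "preflight: unsupported IMAGESENTINEL_LOG_LEVEL '$IMAGESENTINEL_LOG_LEVEL'" >&2
            rc=1 ;;
    esac

    export IMAGESENTINEL_REGISTRY
    return "$rc"
}
```

Source the file and call `imagesentinel_preflight || exit 1` as the first command of the scan and harden jobs.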