# Scanner Image

`secureobs/scanner` is the Docker image customers run in CI.
It bundles:
| Scanner | Category |
|---|---|
| Semgrep | SAST |
| Gitleaks | Secrets |
| Trivy | SCA and container |
| Bandit | Python SAST |
| ESLint security | JavaScript SAST |
| OSV-Scanner | SCA |
| Checkov | IaC |
CodeQL, SonarQube, Snyk, and OWASP ZAP are not active scanner drivers in the current image.
## Basic Usage

Run a scan:

```bash
docker run --rm \
  -v "$(pwd):/workspace" \
  -e SECUREOBS_API_KEY="<key>" \
  secureobs/scanner:v1 \
  scan \
    --project-id "<project-id>" \
    --tenant-id "<tenant-id>" \
    --pipeline-run-id "<unique-run-id>"
```
## Commands

| Command | Purpose |
|---|---|
| `scan` | Fetch enabled scanners, run them locally, upload findings |
| `gate` | Query blocking findings for the run and return an exit code |
| `pr-comment` | Post or update one pull request comment |
## Environment Variables

| Variable | Required | Description |
|---|---|---|
| `SECUREOBS_API_KEY` | Yes | API key from the SecureObs dashboard |
| `SECUREOBS_API_URL` | No | Override for self-hosted APIs. Must include `/api`. |
| `SECUREOBS_DEBUG` | No | Set to `1` for verbose scanner logging. |
## Exit Codes

| Code | Meaning |
|---|---|
| `0` | Success or gate passed |
| `1` | User/configuration/authentication error |
| `2` | Transient or API error after retries |
| `3` | Build gate blocked |
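The commands and exit codes above are what a pipeline step has to act on. The script below is an added example, not part of the `secureobs/scanner` documentation or image: a CI wrapper that runs `scan` and then `gate`, retries only the transient class of failure (exit `2`), treats `1` and `3` as final, and fails closed on anything it does not recognise. It assumes `PROJECT_ID`, `TENANT_ID` and `PIPELINE_RUN_ID` are provided by the CI system, that `gate` accepts the same identifying flags as `scan` (not stated on this page; check the image's `--help`), and that `SCANNER_RUNNER` can be pointed at a stub function so the control flow can be exercised without Docker.

```bash
#!/usr/bin/env bash
# Added example (not the secureobs/scanner project's own code): a CI wrapper
# around `scan` and `gate` that retries only transient failures (exit 2) and
# maps every documented exit code to a CI decision.
# Assumptions: PROJECT_ID, TENANT_ID and PIPELINE_RUN_ID come from the CI
# system; `gate` takes the same identifying flags as `scan` (not documented
# on this page); SCANNER_RUNNER may name a stub function for testing.
set -u

SCANNER_IMAGE="${SCANNER_IMAGE:-secureobs/scanner:v1}"   # or pin, e.g. v1.2.8
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"

# describe_exit CODE: the documented meaning of a scanner exit code.
describe_exit() {
  case "$1" in
    0) echo "success or gate passed" ;;
    1) echo "user/configuration/authentication error" ;;
    2) echo "transient or API error after retries" ;;
    3) echo "build gate blocked" ;;
    *) echo "undocumented exit code $1" ;;
  esac
}

# docker_runner SUBCOMMAND [ARGS...]: the real invocation from the docs.
# The API key is passed through from the environment (`-e NAME` with no value)
# rather than placed on argv, so it does not appear in `ps` or in CI command
# echo. SECUREOBS_API_URL is forwarded only when set (self-hosted APIs).
docker_runner() {
  # shellcheck disable=SC2086  # the ${...:+...} expansion must split into two words
  docker run --rm \
    -v "$(pwd):/workspace" \
    -e SECUREOBS_API_KEY \
    ${SECUREOBS_API_URL:+-e SECUREOBS_API_URL} \
    "$SCANNER_IMAGE" "$@" \
    --project-id "$PROJECT_ID" \
    --tenant-id "$TENANT_ID" \
    --pipeline-run-id "$PIPELINE_RUN_ID"
}
SCANNER_RUNNER="${SCANNER_RUNNER:-docker_runner}"

# run_scanner SUBCOMMAND [ARGS...]: run the command, retrying only on exit 2.
# Exit 1 (bad key or config) and exit 3 (gate blocked) are final; retrying
# them would only burn pipeline minutes and hide the real problem.
run_scanner() {
  local attempt=1 rc
  while :; do
    if "$SCANNER_RUNNER" "$@"; then rc=0; else rc=$?; fi
    if [ "$rc" -ne 2 ] || [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
      return "$rc"
    fi
    echo "secureobs $1: exit $rc ($(describe_exit "$rc")); attempt $attempt of $MAX_ATTEMPTS" >&2
    attempt=$((attempt + 1))
  done
}

# ci_gate: the pipeline step. Returns 0 only when the scan completed and the
# gate passed; any other code is propagated so the CI job fails closed with a
# meaningful reason in the log.
ci_gate() {
  local rc=0
  run_scanner scan || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "scan failed: $(describe_exit "$rc")" >&2
    return "$rc"
  fi
  run_scanner gate || rc=$?
  case "$rc" in
    0) echo "gate passed" ;;
    3) echo "gate blocked: triage the blocking findings in the dashboard" >&2 ;;
    *) echo "gate did not complete: $(describe_exit "$rc")" >&2 ;;
  esac
  return "$rc"
}

# Run the pipeline only when asked, so the file can also be sourced or tested.
if [ "${SECUREOBS_CI_RUN:-0}" = "1" ]; then
  ci_gate
  exit $?
fi
```

Usage in a job: export `SECUREOBS_API_KEY`, `PROJECT_ID`, `TENANT_ID` and `PIPELINE_RUN_ID`, then run `SECUREOBS_CI_RUN=1 ./secureobs_ci.sh`. The one design choice worth keeping whatever CI system you use is that only exit `2` is retried: an authentication error repeated three times is still an authentication error, and a blocked gate must stay a failed job rather than being masked by a retry loop or a catch-all `|| true`.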
## Versioning

Use `secureobs/scanner:v1` to receive non-breaking minor and patch updates in
the v1 line. Pin a full version such as `v1.2.8` when strict reproducibility is
more important than automatic scanner updates.