Integrations / CI/CD
CI/CD Cryptography Scanning
Korthex turns cryptographic compliance into a pipeline gate: scan on every commit, fail the build above a configurable risk threshold, and keep the Cryptographic Bill of Materials current automatically. GitHub Actions, GitLab CI and Jenkins ship ready-made; every other pipeline works through the CLI exit code. 100% on-premise.
One gate, every pipeline
- GitHub Actions: a step with SARIF output into GitHub Code Scanning and inline pull-request findings
- GitLab CI: a template with SARIF into the GitLab Security Dashboard
- Jenkins: a pipeline snippet gating on the CLI exit code
- Azure DevOps, CircleCI, Bitbucket Pipelines, Drone, Buildkite: the generic CLI exit code works in any job
- IntelliJ and VS Code plugins surface the same findings inline before code ever reaches the pipeline
Why gate cryptography in CI
Cryptographic regressions are silent. A dependency bump reintroduces 3DES, a copy-pasted helper brings MD5 back, a config change weakens TLS, and no unit test notices. A per-commit scan makes the regression visible in the pull request that causes it, when it costs minutes to fix instead of an audit finding later.
There is a second, newer reason: AI coding assistants rewrite cryptography non-deterministically. Korthex is the deterministic gate behind them: let an assistant refactor, then verify that the result is genuinely compliant, that no weak primitive slipped back in, and that the CBOM changed exactly as expected.
Performance and rollout
A typical scan finishes in under two minutes for 50,000 to 500,000 lines of code, fast enough for every push. Roll out in two steps: run report-only first to see the baseline, then enable the threshold (Critical, High, Medium or Low) once the existing findings are triaged, so the gate never blocks a team on day one.
Compliance as a byproduct
Every pipeline run regenerates the CBOM with per-finding compliance status against NIST FIPS 140-3, FIPS 203 / 204 / 205, BSI IT-Grundschutz, TR-02102, PCI-DSS and ISO 27001. The recurring inventory that PCI DSS 12.3.3 and every migration framework demand stops being a manual exercise.
Frequently asked questions
Which CI systems does Korthex support?
GitHub Actions, GitLab CI and Jenkins with ready-made integrations; Azure DevOps, CircleCI, Bitbucket Pipelines, Drone, Buildkite and anything else through the generic CLI exit code.
How does the gating work?
The CLI returns a non-zero exit code when findings exceed the configured risk threshold (Critical, High, Medium or Low). The pipeline treats it like a failing test.
Which tools consume the SARIF output?
GitHub Code Scanning (inline pull-request annotations) and the GitLab Security Dashboard; SARIF 2.1 is a standard format, so other SARIF consumers work too.
How do I roll this out without breaking builds?
Start report-only to establish the baseline, triage the existing findings with the migration plan, then enable the threshold. New regressions fail from that point on; legacy findings are burned down on the plan's order.
Does the pipeline need internet access?
No. Scans run fully on-premise, including air-gapped runners. Only the optional dashboard report transmits anonymized metadata.