KORTHEXkorthex.flowence.cc

Integrations / CI/CD

CI/CD Cryptography Scanning

Korthex turns cryptographic compliance into a pipeline gate: scan on every commit, fail the build above a configurable risk threshold, and keep the Cryptographic Bill of Materials current automatically. GitHub Actions, GitLab CI and Jenkins ship ready-made; every other pipeline works through the CLI exit code. 100% on-premise.

One gate, every pipeline

  • GitHub Actions: a step with SARIF output into GitHub Code Scanning and inline pull-request findings
  • GitLab CI: a template with SARIF into the GitLab Security Dashboard
  • Jenkins: a pipeline snippet gating on the CLI exit code
  • Azure DevOps, CircleCI, Bitbucket Pipelines, Drone, Buildkite: the generic CLI exit code works in any job
  • IntelliJ and VS Code plugins surface the same findings inline before code ever reaches the pipeline

Why gate cryptography in CI

Cryptographic regressions are silent. A dependency bump reintroduces 3DES, a copy-pasted helper brings MD5 back, a config change weakens TLS, and no unit test notices. A per-commit scan makes the regression visible in the pull request that causes it, when it costs minutes to fix instead of an audit finding later.

There is a second, newer reason: AI coding assistants rewrite cryptography non-deterministically. Korthex is the deterministic gate behind them: let an assistant refactor, then verify that the result is genuinely compliant, that no weak primitive slipped back in, and that the CBOM changed exactly as expected.

Performance and rollout

A typical scan finishes in under two minutes for 50,000 to 500,000 lines of code, fast enough for every push. Roll out in two steps: run report-only first to see the baseline, then enable the threshold (Critical, High, Medium or Low) once the existing findings are triaged, so the gate never blocks a team on day one.

Compliance as a byproduct

Every pipeline run regenerates the CBOM with per-finding compliance status against NIST FIPS 140-3, FIPS 203 / 204 / 205, BSI IT-Grundschutz, TR-02102, PCI-DSS and ISO 27001. The recurring inventory that PCI DSS 12.3.3 and every migration framework demand stops being a manual exercise.

Frequently asked questions

Which CI systems does Korthex support?

GitHub Actions, GitLab CI and Jenkins with ready-made integrations; Azure DevOps, CircleCI, Bitbucket Pipelines, Drone, Buildkite and anything else through the generic CLI exit code.

How does the gating work?

The CLI returns a non-zero exit code when findings exceed the configured risk threshold (Critical, High, Medium or Low). The pipeline treats it like a failing test.

Which tools consume the SARIF output?

GitHub Code Scanning (inline pull-request annotations) and the GitLab Security Dashboard; SARIF 2.1 is a standard format, so other SARIF consumers work too.

How do I roll this out without breaking builds?

Start report-only to establish the baseline, triage the existing findings with the migration plan, then enable the threshold. New regressions fail from that point on; legacy findings are burned down on the plan's order.

Does the pipeline need internet access?

No. Scans run fully on-premise, including air-gapped runners. Only the optional dashboard report transmits anonymized metadata.