
CircleCI

Basic example

Here's how you can integrate Escape into your CircleCI pipeline using a .circleci/config.yml configuration:

version: 2.1

jobs:
  deploy:
    docker:
      - image: node:alpine
    steps:
      - checkout
      # Your deployment steps here

  escape_scan:
    docker:
      - image: node:alpine
    steps:
      - checkout
      - run:
          name: Install Escape CLI
          command: |
            npm install -g @escape.tech/action
            npm show @escape.tech/action version
      - run:
          name: Run Escape Scan
          command: escape-action
          environment:
            ESCAPE_APPLICATION_ID: $ESCAPE_APPLICATION_ID
            ESCAPE_API_KEY: $ESCAPE_API_KEY

workflows:
  version: 2
  deploy_and_scan:
    jobs:
      - deploy
      - escape_scan:
          requires:
            - deploy
          filters:
            branches:
              only: staging

Failure behavior

By default, the Escape CLI fails if any HIGH issues are flagged, and exits with error code 1.

Available variables

ESCAPE_APPLICATION_ID string required

The id of the application on Escape that will be scanned continuously.
You can find it in your Escape application settings.

ESCAPE_API_KEY string required

Your API key on the Escape platform.
You can find it in your Escape settings.

SCHEMA_URL string

The URL of the API schema you want to upload to the application identified by ESCAPE_APPLICATION_ID.

SCHEMA_FILE string

The file path of the API schema you want to upload to the application identified by ESCAPE_APPLICATION_ID.

FAIL_ON_SEVERITIES string

A comma-separated list containing one or more of the following severities. If any issue of a listed severity is flagged, the CLI fails (exit code 1):

  • HIGH
  • MEDIUM
  • LOW
  • INFO

For example, export FAIL_ON_SEVERITIES=HIGH,MEDIUM makes the CLI fail if any HIGH or MEDIUM issues are flagged.

TIMEOUT number

The timeout of the job. If set to 0, the scan is started but the job does not wait for it to finish before terminating.

The triggered scan then runs asynchronously on Escape, and your team is notified when it completes, using your configured notification settings.

CONFIGURATION_OVERRIDE string

See the configuration override section.

CONFIGURATION_OVERRIDE_PATH string

See the configuration override section.

REF_NAME string

See the commit identification section.

COMMIT_HASH string

See the commit identification section.

USER_EMAIL string

See the commit identification section.

INTROSPECTION_FILE path

See the introspection update section.

Command-line options

--output <path> string

The path to the output file that will contain the scan results.

--r boolean

Include remediations in the report. Remediations are recommended actions that can be taken to address any security vulnerabilities that are found during the scan.

--pdf boolean

Download a PDF report of the scan results.

--zip boolean

Download an exchange archive (zip file) of the scan results.
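The following configuration is an added example, not code from this page or from Escape's own documentation. It combines the variables described above (FAIL_ON_SEVERITIES, SCHEMA_FILE, TIMEOUT) with the command-line options (--output, --r) in two jobs: a blocking gate job for the staging branch that keeps the JSON report as a build artifact even when the scan fails the build, and a non-blocking job for the main branch that only starts the scan. It assumes that ESCAPE_APPLICATION_ID and ESCAPE_API_KEY are supplied through a CircleCI context named escape, and that the repository keeps its OpenAPI document at ./openapi.yaml; both the context name and the schema path are assumptions.

```yaml
version: 2.1

# Both jobs expect ESCAPE_APPLICATION_ID and ESCAPE_API_KEY to come from a
# CircleCI context named "escape" (the context name is an assumption), so no
# secret is written into this file.
jobs:
  escape_gate:
    docker:
      - image: node:alpine
    steps:
      - checkout
      - run:
          name: Install Escape CLI
          command: npm install -g @escape.tech/action
      - run:
          name: Blocking scan (HIGH or MEDIUM findings fail the build)
          # FAIL_ON_SEVERITIES widens the default, which fails on HIGH only.
          # SCHEMA_FILE uploads the OpenAPI document kept in this repository
          # (the path ./openapi.yaml is an assumption).
          # --output writes the machine-readable results, --r adds remediations.
          # The exit code is saved instead of failing here, so the report can be
          # stored as an artifact before the gate is enforced.
          command: |
            set +e
            escape-action --output escape-report.json --r
            echo $? > escape-exit-code
          environment:
            FAIL_ON_SEVERITIES: HIGH,MEDIUM
            SCHEMA_FILE: ./openapi.yaml
      - store_artifacts:
          path: escape-report.json
          destination: escape-report.json
      - run:
          name: Enforce the gate
          # Re-raise the CLI's exit code (1 when a listed severity was flagged).
          command: exit "$(cat escape-exit-code)"

  escape_async:
    docker:
      - image: node:alpine
    steps:
      - checkout
      - run:
          name: Install Escape CLI
          command: npm install -g @escape.tech/action
      - run:
          name: Non-blocking scan (starts the scan, does not wait for it)
          # TIMEOUT=0 returns as soon as the scan is started; results reach the
          # team through the notification settings configured on Escape, so
          # there is no report to store in this job.
          command: escape-action
          environment:
            TIMEOUT: "0"

workflows:
  version: 2
  scan:
    jobs:
      - escape_gate:
          context: escape
          filters:
            branches:
              only: staging
      - escape_async:
          context: escape
          filters:
            branches:
              only: main
```

The set +e in the gate job matters because CircleCI runs step commands with errexit enabled by default: without it, a failing scan would abort the step before the exit code is recorded and the report would never be stored. Keeping the secrets in a context rather than in the environment block also avoids relying on shell expansion inside YAML values.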