You can integrate Strix into your CI/CD pipelines to automatically run security tests on every pull request, commit, or deployment. This helps you catch vulnerabilities early in the development cycle and prevent them from reaching production.

Benefits of CI/CD Integration

Integrating Strix into your CI/CD pipeline provides:
  • Early Detection - Find security issues before they reach production
  • Automated Testing - Run security scans automatically on every code change
  • Fast Feedback - Get security results within your existing workflow
  • Quality Gates - Block deployments when critical vulnerabilities are found
  • Developer Visibility - Security findings appear directly in pull requests

Headless Mode

Strix has a headless mode designed for CI/CD environments. Use the -n or --non-interactive flag to run Strix without the interactive UI:
strix -n --target https://your-app.com
In headless mode, Strix:
  • Prints real-time vulnerability findings to stdout
  • Outputs a final report before exiting
  • Exits with a non-zero code when vulnerabilities are found
  • Runs without a terminal, so it suits servers and automated jobs

Quick Scan Mode

For faster CI/CD runs, use quick scan mode, which reduces testing depth in exchange for shorter run times:
strix -n --target ./ --scan-mode quick
You can also lower the reasoning effort to speed up scans:
export STRIX_REASONING_EFFORT="medium"
The default reasoning effort is "high". For quick scans in CI/CD, "medium" trades some depth for speed; keep "high" for scheduled or pre-release scans where coverage matters more than wall-clock time.

Environment Variables

You need to configure these environment variables in your CI/CD pipeline:

1. Set your LLM provider

Configure the AI model you want to use:
export STRIX_LLM="openai/gpt-5"
You can use any supported provider, or Strix Router with a single API key.

2. Add your API key

Set your LLM API key as a secret:
export LLM_API_KEY="your-api-key"

3. Optional: Configure base URL

If you're using a local model or custom endpoint:
export LLM_API_BASE="your-api-base-url"

4. Optional: Enable search capabilities

Add a Perplexity API key for enhanced reconnaissance:
export PERPLEXITY_API_KEY="your-api-key"

Security Considerations

Always store API keys and sensitive credentials as encrypted secrets in your CI/CD platform. Never commit them to your repository.

Best Practices

  • Use secrets management - Store all API keys in your CI/CD platform's secrets manager and inject them as environment variables at job time
  • Limit scope - Run Strix only against targets you own or have written permission to test
  • Set timeouts - Configure job timeouts so a stalled or long-running scan cannot block the pipeline indefinitely
  • Review findings - Set up notifications so findings are triaged promptly rather than left in job logs
  • Fail on critical - Configure your pipeline to fail when critical vulnerabilities are detected

Target Options

You can point Strix at different kinds of targets from your pipeline, for example the URL of a deployed application (as in the headless example above) or the repository the job has just checked out:
# Scan the checked-out repository
strix -n --target ./

Exit Codes

Strix uses exit codes to integrate with CI/CD pipeline logic:
  • 0 - No vulnerabilities found (success)
  • Non-zero - Vulnerabilities detected or execution error (failure)
You can use these exit codes to create quality gates in your pipeline. Because a scan that could not run and a scan that found something both return non-zero, check the findings printed to stdout or the final report before treating a failed job as a confirmed vulnerability.
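The headless flag, the environment variables, the timeout and fail-on-findings practices, and the exit-code contract described above can be combined into a single CI job step. The script below is an added example, not code from the Strix project or its docs: the STRIX_BIN, SCAN_TARGET, SCAN_MODE and TIMEOUT_SECONDS variables and the strix_gate.sh file name are this example's own assumptions, and the special handling of status 124 comes from coreutils `timeout`, not from Strix.

```shell
#!/bin/sh
# Added example, not code from the Strix project: a portable CI job script
# (save as strix_gate.sh) that runs Strix headless against the checked-out
# repository and turns its exit status into a quality gate.
#
# Assumptions that are not from the docs: STRIX_BIN lets a job point at a
# wrapper or a stub for dry runs; TIMEOUT_SECONDS is enforced with coreutils
# `timeout` when it is installed; SCAN_TARGET and SCAN_MODE are this script's
# own names for the values passed to --target and --scan-mode.
set -u

STRIX_BIN="${STRIX_BIN:-strix}"
SCAN_TARGET="${SCAN_TARGET:-./}"
SCAN_MODE="${SCAN_MODE:-quick}"
TIMEOUT_SECONDS="${TIMEOUT_SECONDS:-1800}"
# "medium" trades some depth for speed, as the docs suggest for CI runs.
STRIX_REASONING_EFFORT="${STRIX_REASONING_EFFORT:-medium}"
export STRIX_REASONING_EFFORT

# Refuse to run when the required secrets are absent, naming the variable but
# never echoing its value into the job log.
check_env() {
  missing=""
  for var in STRIX_LLM LLM_API_KEY; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || missing="$missing $var"
  done
  if [ -n "$missing" ]; then
    echo "missing required CI secrets:$missing" >&2
    return 1
  fi
  return 0
}

# Map an exit status to a gate decision. The docs define 0 as "no findings"
# and any non-zero status as "findings or execution error"; 124 is what
# coreutils `timeout` returns when it kills the scan, so it is reported
# separately instead of being logged as a confirmed vulnerability.
gate_decision() {
  case "$1" in
    0)   echo "pass" ;;
    124) echo "timeout" ;;
    *)   echo "fail" ;;
  esac
}

# Headless scan of the target, bounded by the job time budget when possible.
run_scan() {
  if command -v timeout >/dev/null 2>&1; then
    timeout "$TIMEOUT_SECONDS" "$STRIX_BIN" -n --target "$SCAN_TARGET" --scan-mode "$SCAN_MODE"
  else
    "$STRIX_BIN" -n --target "$SCAN_TARGET" --scan-mode "$SCAN_MODE"
  fi
}

# Returns 0 when the gate passes, 1 on findings or scan error, and 2 on
# misconfiguration or timeout, so the pipeline can tell these apart.
main() {
  check_env || return 2
  status=0
  run_scan || status=$?
  decision=$(gate_decision "$status")
  echo "strix exit status $status -> gate: $decision"
  case "$decision" in
    pass)    return 0 ;;
    timeout) return 2 ;;
    *)       return 1 ;;
  esac
}

# Run the gate only when this file is executed as strix_gate.sh, not when it
# is sourced (for example to exercise the functions with a stub STRIX_BIN).
case "$0" in
  *strix_gate.sh) main ;;
esac
```

Supply STRIX_LLM and LLM_API_KEY from the platform's secrets store, run `sh strix_gate.sh` as a job step, and let the step's exit status be the gate. Since the docs give one non-zero status for both findings and execution errors, read the findings Strix printed to stdout before treating a failed gate as a confirmed vulnerability.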

Platform-Specific Guides

See the platform-specific integration guides:

GitHub Actions

Complete GitHub Actions workflow examples

GitLab CI

GitLab CI/CD pipeline configuration

Next Steps

After setting up CI/CD integration:
