Overview
Integrate KafkaCode into your CI/CD pipeline to automatically scan for privacy issues on every commit, pull request, or deployment.GitHub Actions
Basic Integration
Create.github/workflows/privacy-scan.yml:
Copy
name: Privacy Scan
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
jobs:
privacy-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install KafkaCode
run: npm install -g kafkacode
- name: Run Privacy Scan
run: kafkacode scan ./src --verbose
- name: Check scan results
if: failure()
run: echo "Privacy issues detected. Please review the scan output above."
Advanced Configuration
With grade checking and artifact upload:Copy
name: Advanced Privacy Scan
on:
push:
pull_request:
jobs:
privacy-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install KafkaCode
run: npm install -g kafkacode
- name: Run scan and save output
run: |
kafkacode scan ./src --verbose | tee scan-results.txt
continue-on-error: true
- name: Upload scan results
uses: actions/upload-artifact@v3
with:
name: privacy-scan-results
path: scan-results.txt
- name: Check for critical issues
run: |
if grep -q "CRITICAL" scan-results.txt; then
echo "::error::Critical privacy issues detected!"
exit 1
fi
- name: Comment PR with results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const results = fs.readFileSync('scan-results.txt', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## Privacy Scan Results\n\n\`\`\`\n${results}\n\`\`\``
});
Only on Changed Files
Scan only files changed in PR:Copy
name: Scan Changed Files
on:
pull_request:
jobs:
scan-changes:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
- name: Install KafkaCode
run: npm install -g kafkacode
- name: Get changed files
id: changed-files
run: |
git diff --name-only origin/${{ github.base_ref }}...HEAD > changed-files.txt
cat changed-files.txt
- name: Scan changed directories
run: |
# Extract unique directories from changed files
DIRS=$(cat changed-files.txt | xargs -n1 dirname | sort -u)
for dir in $DIRS; do
if [ -d "$dir" ]; then
echo "Scanning $dir..."
kafkacode scan "$dir"
fi
done
GitLab CI
Basic Pipeline
Create.gitlab-ci.yml:
Copy
stages:
- security
privacy-scan:
stage: security
image: node:18
before_script:
- npm install -g kafkacode
script:
- kafkacode scan ./src --verbose
allow_failure: false
only:
- main
- merge_requests
With Artifacts
Copy
privacy-scan:
stage: security
image: node:18
before_script:
- npm install -g kafkacode
script:
- kafkacode scan ./src --verbose | tee scan-results.txt
artifacts:
paths:
- scan-results.txt
expire_in: 1 week
when: always
allow_failure: false
Merge Request Integration
Copy
privacy-scan-mr:
stage: security
image: node:18
before_script:
- npm install -g kafkacode
script:
- kafkacode scan ./src --verbose
- |
if [ $? -ne 0 ]; then
echo "Privacy issues detected. Blocking merge."
exit 1
fi
only:
- merge_requests
allow_failure: false
CircleCI
Create.circleci/config.yml:
Copy
version: 2.1
jobs:
privacy-scan:
docker:
- image: cimg/node:18.0
steps:
- checkout
- run:
name: Install KafkaCode
command: npm install -g kafkacode
- run:
name: Run Privacy Scan
command: kafkacode scan ./src --verbose
- store_artifacts:
path: scan-results.txt
workflows:
version: 2
build-and-scan:
jobs:
- privacy-scan:
filters:
branches:
only:
- main
- develop
Jenkins
Declarative Pipeline
CreateJenkinsfile:
Copy
pipeline {
agent any
tools {
nodejs "Node18"
}
stages {
stage('Install KafkaCode') {
steps {
sh 'npm install -g kafkacode'
}
}
stage('Privacy Scan') {
steps {
script {
def scanResult = sh(
script: 'kafkacode scan ./src --verbose',
returnStatus: true
)
if (scanResult != 0) {
error("Privacy issues detected!")
}
}
}
}
}
post {
always {
archiveArtifacts artifacts: '**/scan-results.txt', allowEmptyArchive: true
}
failure {
mail to: '[email protected]',
subject: "Privacy Scan Failed: ${env.JOB_NAME} - ${env.BUILD_NUMBER}",
body: "Privacy issues detected. Check ${env.BUILD_URL}"
}
}
}
Scripted Pipeline
Copy
node {
stage('Checkout') {
checkout scm
}
stage('Install KafkaCode') {
sh 'npm install -g kafkacode'
}
stage('Privacy Scan') {
try {
sh 'kafkacode scan ./src --verbose | tee scan-results.txt'
} catch (Exception e) {
currentBuild.result = 'FAILURE'
throw e
} finally {
archiveArtifacts 'scan-results.txt'
}
}
}
Travis CI
Create.travis.yml:
Copy
language: node_js
node_js:
- "18"
install:
- npm install -g kafkacode
script:
- kafkacode scan ./src --verbose
after_script:
- |
if [ $TRAVIS_TEST_RESULT -ne 0 ]; then
echo "Privacy scan failed"
fi
notifications:
email:
recipients:
- [email protected]
on_failure: always
Azure Pipelines
Createazure-pipelines.yml:
Copy
trigger:
- main
- develop
pool:
vmImage: 'ubuntu-latest'
steps:
- task: NodeTool@0
inputs:
versionSpec: '18.x'
displayName: 'Install Node.js'
- script: |
npm install -g kafkacode
displayName: 'Install KafkaCode'
- script: |
kafkacode scan ./src --verbose
displayName: 'Run Privacy Scan'
continueOnError: false
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: 'scan-results.txt'
artifactName: 'privacy-scan-results'
condition: always()
Bitbucket Pipelines
Createbitbucket-pipelines.yml:
Copy
pipelines:
default:
- step:
name: Privacy Scan
image: node:18
script:
- npm install -g kafkacode
- kafkacode scan ./src --verbose
artifacts:
- scan-results.txt
pull-requests:
'**':
- step:
name: Privacy Scan (PR)
image: node:18
script:
- npm install -g kafkacode
- kafkacode scan ./src --verbose
- |
if [ $? -ne 0 ]; then
echo "Privacy issues detected. Fix before merging."
exit 1
fi
Pre-commit Hooks
Using Husky
Install Husky:Copy
npm install --save-dev husky
npx husky install
.husky/pre-commit:
Copy
#!/bin/sh
. "$(dirname "$0")/_/husky.sh"
echo "🔍 Running KafkaCode privacy scan..."
kafkacode scan ./src
if [ $? -ne 0 ]; then
echo "❌ Privacy issues detected. Commit aborted."
echo "Run 'kafkacode scan ./src --verbose' for details"
exit 1
fi
echo "✅ Privacy scan passed"
Using lint-staged
Install:Copy
npm install --save-dev husky lint-staged
package.json:
Copy
{
"husky": {
"hooks": {
"pre-commit": "lint-staged"
}
},
"lint-staged": {
"*.{js,ts,py,java,go,rb,php}": [
"kafkacode scan"
]
}
}
Using pre-commit framework
Create.pre-commit-config.yaml:
Copy
repos:
- repo: local
hooks:
- id: kafkacode-scan
name: KafkaCode Privacy Scan
entry: kafkacode scan
language: system
pass_filenames: false
always_run: true
Docker Integration
Dockerfile
Copy
FROM node:18-alpine
# Install KafkaCode
RUN npm install -g kafkacode
# Copy source code
COPY ./src /app/src
# Run scan
WORKDIR /app
RUN kafkacode scan ./src --verbose
# Continue with app build...
Docker Compose
Copy
version: '3.8'
services:
privacy-scan:
image: node:18-alpine
volumes:
- ./src:/app/src
working_dir: /app
command: sh -c "npm install -g kafkacode && kafkacode scan ./src --verbose"
Deployment Gating
Block on Critical Issues
Copy
#!/bin/bash
echo "Running privacy scan..."
kafkacode scan ./src --verbose | tee scan-results.txt
# Check for critical issues
if grep -q "CRITICAL" scan-results.txt; then
echo "❌ CRITICAL privacy issues detected. Deployment blocked!"
exit 1
fi
# Check for high severity issues
if grep -q "HIGH" scan-results.txt; then
echo "⚠️ HIGH severity issues detected. Review required."
read -p "Continue deployment? (yes/no): " response
if [ "$response" != "yes" ]; then
exit 1
fi
fi
echo "✅ Privacy scan passed. Proceeding with deployment..."
Grade-Based Gating
Copy
#!/bin/bash
# Run scan and extract grade
SCAN_OUTPUT=$(kafkacode scan ./src)
GRADE=$(echo "$SCAN_OUTPUT" | grep "Privacy Grade" | awk '{print $NF}')
echo "Privacy Grade: $GRADE"
# Define acceptable grades per environment
case "$DEPLOY_ENV" in
production)
if [[ "$GRADE" != "A+" && "$GRADE" != "A" && "$GRADE" != "A-" ]]; then
echo "❌ Grade $GRADE not acceptable for production. Requires A- or better."
exit 1
fi
;;
staging)
if [[ "$GRADE" == "D" || "$GRADE" == "F" ]]; then
echo "❌ Grade $GRADE not acceptable for staging."
exit 1
fi
;;
esac
echo "✅ Grade $GRADE acceptable for $DEPLOY_ENV"
Scheduled Scans
Cron Job
Copy
# Daily scan at 2 AM
0 2 * * * cd /path/to/project && kafkacode scan ./src > /var/log/privacy-scan.log 2>&1
# Weekly scan on Monday at 9 AM
0 9 * * 1 cd /path/to/project && kafkacode scan . --verbose | mail -s "Weekly Privacy Scan" [email protected]
GitHub Actions (Scheduled)
Copy
name: Scheduled Privacy Scan
on:
schedule:
- cron: '0 2 * * *' # Daily at 2 AM UTC
workflow_dispatch: # Manual trigger
jobs:
scheduled-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '18'
- run: npm install -g kafkacode
- run: kafkacode scan . --verbose
- name: Create issue if failures
if: failure()
uses: actions/github-script@v6
with:
script: |
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: 'Privacy Scan Failed - ' + new Date().toISOString(),
body: 'The scheduled privacy scan detected issues. Please review.',
labels: ['security', 'privacy']
});
Best Practices
Run on Every PR
Run on Every PR
Always scan pull requests before merging:
Copy
on:
pull_request:
types: [opened, synchronize, reopened]
Block Critical Issues
Block Critical Issues
Never allow deployment with critical issues:
Copy
if grep -q "CRITICAL" scan-results.txt; then
exit 1
fi
Notify Teams
Notify Teams
Alert relevant teams when issues are found:
Copy
- name: Notify Slack
if: failure()
uses: slackapi/slack-github-action@v1
Track Trends
Track Trends
Monitor privacy grades over time:
Copy
# Store grade in metrics system
GRADE=$(kafkacode scan . | grep "Privacy Grade" | awk '{print $NF}')
echo "privacy_grade{env=prod} $GRADE" | curl --data-binary @- http://pushgateway:9091/metrics
Fail Fast
Fail Fast
Run privacy scans early in pipeline:
Copy
stages:
- security # First
- test
- build
- deploy