Buildkite Integration

Integrate Code Pathfinder into your Buildkite pipelines using the Docker plugin to run security scans on every build.

Quick Start

Add this step to your pipeline.yml. The Docker plugin runs the container with your checked-out code mounted automatically:
```yaml
steps:
  - label: ":shield: Code Pathfinder SAST"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "python/all"
            - "--ruleset"
            - "docker/all"
            - "--ruleset"
            - "docker-compose/all"
            - "--output"
            - "sarif"
            - "--output-file"
            - "pathfinder-results.sarif"
            - "--fail-on"
            - "critical,high"
          mount-checkout: true
    artifact_paths:
      - "pathfinder-results.sarif"
```

Version Pinning
Pin to a specific image tag like shivasurya/code-pathfinder:v2.0.2 instead of stable-latest for reproducible builds. stable-latest always tracks the latest stable release.
Docker plugin command format
Buildkite's Docker plugin passes command as an array of strings — each flag and value is a separate item. Do not use shell string format here.
No native SARIF viewer in Buildkite
Buildkite does not display SARIF files natively. The artifact is downloadable from the build's Artifacts tab. Use Buildkite annotations (via the buildkite-agent annotate command) to surface a summary in the build UI.
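The annotation summary suggested above, as an added example that is not part of Code Pathfinder or the Buildkite Docker plugin: a small Python script that reads the SARIF file, counts findings by severity, renders a Markdown summary for `buildkite-agent annotate`, and applies the same severity gate that `--fail-on` expresses. It assumes (not confirmed by this page) that each SARIF result carries its severity in `properties.severity`, falling back to the SARIF `level`; the embedded sample SARIF, its rule ids and file paths are constructed for the demonstration.

```python
"""Summarise a Code Pathfinder SARIF file for a Buildkite annotation.

Assumption (not from the docs): finding severity is in ``properties.severity``;
when absent, the SARIF ``level`` is mapped error->high, warning->medium, note->low.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["critical", "high", "medium", "low"]
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}

# Constructed sample in SARIF 2.1.0 shape; rule ids, messages and paths are made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "code-pathfinder"}},
        "results": [
            {"ruleId": "python/example-sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "properties": {"severity": "critical"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "docker/example-root-user", "level": "warning",
             "message": {"text": "Container runs as root"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "Dockerfile"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
}


def result_severity(result):
    """Severity of one result, lower-cased; falls back to the SARIF level."""
    sev = (result.get("properties") or {}).get("severity")
    if sev:
        return sev.lower()
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def iter_results(sarif):
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            yield result


def severity_counts(sarif):
    return Counter(result_severity(r) for r in iter_results(sarif))


def should_fail(sarif, fail_on):
    """Mirror of the --fail-on gate: true if any finding matches a listed severity."""
    wanted = {s.strip().lower() for s in fail_on.split(",") if s.strip()}
    counts = severity_counts(sarif)
    return any(counts[s] > 0 for s in wanted)


def location(result):
    try:
        loc = result["locations"][0]["physicalLocation"]
        return f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
    except (KeyError, IndexError):
        return "unknown"


def build_annotation(sarif, fail_on="critical,high"):
    """Markdown body for `buildkite-agent annotate`: table, finding list, gate verdict."""
    counts = severity_counts(sarif)
    total = sum(counts.values())
    lines = [f"### Code Pathfinder: {total} finding(s)", "", "| Severity | Count |", "|---|---|"]
    for sev in SEVERITY_ORDER:
        lines.append(f"| {sev} | {counts.get(sev, 0)} |")
    lines.append("")
    for r in iter_results(sarif):
        lines.append(f"- **{result_severity(r)}** `{r.get('ruleId', '?')}` at "
                     f"`{location(r)}`: {r['message']['text']}")
    lines.append("")
    lines.append(f"Gate `--fail-on {fail_on}`: " + ("FAIL" if should_fail(sarif, fail_on) else "pass"))
    return "\n".join(lines)


def annotation_style(sarif, fail_on="critical,high"):
    """Pick the --style value for buildkite-agent annotate (success, warning or error)."""
    if should_fail(sarif, fail_on):
        return "error"
    return "warning" if sum(severity_counts(sarif).values()) else "success"


def load_sarif(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    doc = load_sarif(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SARIF
    print(build_annotation(doc))
```

Run it in a step after the scan step, once the artifact has been fetched with `buildkite-agent artifact download pathfinder-results.sarif .`, and pipe the output into `buildkite-agent annotate --style error --context pathfinder`; the `annotation_style` helper gives the matching `--style` value if you want the annotation colour to follow the same gate as `--fail-on`.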
Configuration Options

All pathfinder ci flags are passed as separate array items under command.

| Flag | Description | Default |
|---|---|---|
| `--rules` | Path to local Python SDK rules file or directory | — |
| `--ruleset` | Remote ruleset(s) from codepathfinder.dev/registry. Use multiple `--ruleset` flags for multiple rulesets. | — |
| `--project` | Path to source code to scan | `.` |
| `--skip-tests` | Skip test files (`test_*.py`, `*_test.py`, `conftest.py`) | `true` |
| `--output` | Output format: `sarif`, `json`, or `csv` | `sarif` |
| `--output-file` | Write output to file. Omit to stream to stdout. | — |
| `--fail-on` | Exit code 1 if findings match severities: `critical`, `high`, `medium`, `low` (comma-separated) | — |
| `--no-diff` | Disable diff-aware scanning and scan all files | `false` |
| `--verbose` | Show statistics and timing information | `false` |
| `--debug` | Show detailed debug diagnostics with timestamps | `false` |
| `--refresh-rules` | Force refresh of cached rulesets | `false` |
Common Use Cases

Python

Scan Python projects for vulnerabilities:

```yaml
steps:
  - label: ":snake: Python Security Scan"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "python/all"
            - "--fail-on"
            - "critical,high"
            - "--output"
            - "sarif"
            - "--output-file"
            - "results.sarif"
          mount-checkout: true
    artifact_paths:
      - "results.sarif"
```

Docker

Scan Dockerfiles and docker-compose files:
```yaml
steps:
  - label: ":whale: Docker Security Scan"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "docker/all"
            - "--ruleset"
            - "docker-compose/all"
            - "--output"
            - "sarif"
            - "--output-file"
            - "results.sarif"
          mount-checkout: true
    artifact_paths:
      - "results.sarif"
```

Monorepo — Parallel Steps

Buildkite runs steps in parallel across agents by default. Use wait to enforce ordering:
```yaml
steps:
  - label: ":snake: Scan Backend"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "./backend"
            - "--ruleset"
            - "python/all"
            - "--output"
            - "sarif"
            - "--output-file"
            - "backend-results.sarif"
          mount-checkout: true
    artifact_paths:
      - "backend-results.sarif"

  - label: ":whale: Scan Infrastructure"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "./infrastructure"
            - "--ruleset"
            - "docker/all"
            - "--ruleset"
            - "docker-compose/all"
            - "--output"
            - "sarif"
            - "--output-file"
            - "infra-results.sarif"
          mount-checkout: true
    artifact_paths:
      - "infra-results.sarif"
```

Viewing Results

Buildkite has no native SARIF viewer. Two options:
Stream to build log

Omit --output-file — SARIF streams to stdout and appears in the build log:

```yaml
steps:
  - label: ":shield: Code Pathfinder SAST"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "python/all"
            - "--output"
            - "sarif"
          mount-checkout: true
```

Save as downloadable artifact

Use artifact_paths to upload the SARIF file to Buildkite Artifacts:
```yaml
steps:
  - label: ":shield: Code Pathfinder SAST"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "python/all"
            - "--output"
            - "sarif"
            - "--output-file"
            - "pathfinder-results.sarif"
          mount-checkout: true
    artifact_paths:
      - "pathfinder-results.sarif"
```

Scheduled Scans

Buildkite schedules are configured in the pipeline settings UI or via the GraphQL API — not in pipeline.yml. Go to Pipeline Settings → Schedules and add a cron expression (e.g. 0 0 * * 0 for weekly). Your pipeline.yml just needs the step defined.
Troubleshooting

No vulnerabilities detected

Enable debug and verbose mode:

```yaml
steps:
  - label: ":shield: Code Pathfinder SAST"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "python/all"
            - "--debug"
            - "--verbose"
            - "--output"
            - "sarif"
            - "--output-file"
            - "results.sarif"
          mount-checkout: true
    artifact_paths:
      - "results.sarif"
```

Force full scan

Disable diff-aware scanning to scan all files regardless of what changed:
```yaml
steps:
  - label: ":shield: Code Pathfinder SAST"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "python/all"
            - "--no-diff"
            - "--output"
            - "sarif"
            - "--output-file"
            - "results.sarif"
          mount-checkout: true
    artifact_paths:
      - "results.sarif"
```

Cache issues with remote rulesets

Force a refresh of cached rulesets:
```yaml
steps:
  - label: ":shield: Code Pathfinder SAST"
    plugins:
      - docker#v5.12.0:
          image: "shivasurya/code-pathfinder:stable-latest"
          command:
            - "ci"
            - "--project"
            - "."
            - "--ruleset"
            - "python/all"
            - "--refresh-rules"
            - "--output"
            - "sarif"
            - "--output-file"
            - "results.sarif"
          mount-checkout: true
    artifact_paths:
      - "results.sarif"
```