
CircleCI

How to integrate Meterian with CircleCI pipeline

Adding Meterian to your CI pipeline is very simple and does not require much effort. Here is a simple config.yml configuration file that does so:

version: 2.1

orbs:
  docker: circleci/docker@0.5.20
jobs:
  meterian:
    machine: true
    steps:
      - checkout
      - run: |
            docker run --rm \
            --volume ${PWD}:/workspace --env METERIAN_API_TOKEN=$METERIAN_API_TOKEN \
            meterian/cli [Meterian CLI Options]
workflows:
  version: 2
  commit-workflow:
    jobs:
      - meterian

Then, on the CircleCI dashboard, open your project and go to its settings. There you will be able to set METERIAN_API_TOKEN as an environment variable.

Once the configuration has been committed and pushed on the repository, CircleCI will launch the 'meterian' job.
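
A hardened variant of the machine-executor configuration above, as an added example that is not part of the original Meterian documentation. It keeps the token off the docker command line, quotes the workspace path, and pins the image by digest. Assumptions: the context name meterian-scanning is hypothetical, and the digest is a placeholder you replace with a value you have verified yourself.

```yaml
version: 2.1

jobs:
  meterian:
    machine: true
    steps:
      - checkout
      - run:
          name: Meterian scan
          command: |
            # Fail fast, without echoing the value, if the token was not injected.
            : "${METERIAN_API_TOKEN:?METERIAN_API_TOKEN is not set for this job}"
            # "--env NAME" with no "=value" makes docker copy the variable from
            # the step's environment, so the token never appears in the command
            # line (process listings, shell traces).
            # Append the Meterian CLI options you need after the image reference.
            docker run --rm \
              --volume "${PWD}:/workspace" \
              --env METERIAN_API_TOKEN \
              "meterian/cli@sha256:<DIGEST_PLACEHOLDER>"

workflows:
  commit-workflow:
    jobs:
      - meterian:
          # Hypothetical context name: a CircleCI context holding
          # METERIAN_API_TOKEN, so only jobs that name it receive the token.
          context: meterian-scanning
```

Pinning by digest means the job stops picking up new image builds automatically, so update the digest deliberately when you want a newer image.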

How does it work

Docker executor

Should you wish to use the Docker executor, here is an adaptation of the above example that does just that:

version: 2.1

jobs:
  meterian-scan:
    docker:
    - image: meterian/cli:latest
    working_directory: /workspace
    steps:
      - checkout
      - run: /root/circleci_entrypoint.sh
  
workflows:
  version: 2
  commit-workflow:
    jobs:
      - meterian-scan

Jobs that use the Docker executor run within a container created from the specified image (in this case, the Meterian Dockerized Client image), which is why you need to invoke the entry point script yourself as one of your steps to have your project scanned (after the source code checkout on line 7 of the snippet).

Here is an adapted example suited to scanning a Golang project which requires private modules to be resolved:

version: 2.1

jobs:
  meterian-scan:
    docker:
    - image: meterian/cli:latest
    working_directory: /workspace
    steps:
      - checkout
      - add_ssh_keys:
          fingerprints:
            - "SO:ME:FIN:G:ER:PR:IN:T"
      - run: |
            git config --global url.ssh://git@github.com/.insteadOf https://github.com/
            export GOPRIVATE=PRIVATE_REPOS_GLOB_PATTERNS
            /root/circleci_entrypoint.sh

workflows:
  version: 2
  commit-workflow:
    jobs:
      - meterian-scan

Last updated 3 years ago


To retrieve a Meterian API token, visit the Meterian Dashboard; in your account select the "Tokens" tab and create a new one, or use an existing one.

API tokens are available only on paid accounts. To upgrade your subscription, please contact us.

Learn more about the Meterian Client here.

The first example above uses the CircleCI machine executor, which checks out your project's source code and runs the latest tag of the Meterian Docker image against it through Docker. This image contains the latest version of the Meterian client and the build tools for all the languages we support. Running it ensures that a scan of your project is performed, yielding results that will cause the CircleCI task either to pass or to fail, breaking the workflow.

The circleci_entrypoint.sh script at line 8 is a tailored script designed for this type of job, covering aspects such as needing SSH access for the scan. An example of a scan that might need this is one involving a Golang project. Assuming that the project defines modules that live on private repositories only accessible through a pair of SSH keys, teaming this script with CircleCI's special step add_ssh_keys will allow you to easily tackle that.

After adding SSH keys in the job, GIT and GO are configured to download non-public code. The configurations are then appropriately propagated to the Meterian client for the scan that will follow, thanks to our tailored script.

Learn more about configuring GO for downloading non-public code here.