Use Docker to run CybeDefend local scans in your TeamCity pipeline, keeping your code in-house while uploading only the needed data for security analysis.

Prerequisites

  • API Key: Create one in your CybeDefend profile.
  • Agent Permissions: Ensure your self-hosted agent can install or run the CybeDefend CLI.
  • TeamCity Access: Sufficient rights to modify your pipeline definition.

Best Practices

  • Scan the main branch only
    By default, all scan results unify under a single “main” or “master” branch in CybeDefend. Limiting scans to your default branch prevents mixing partial results from feature branches.
  • Use Docker
    This container-based approach simplifies environment setup, avoiding any installation overhead.

Example TeamCity Configuration (YAML)

If you’re using a YAML-based approach or the TeamCity DSL, a script build step might look like:

jobs:
  local_security_scan:
    steps:
      - type: script
        name: CybeDefend Local Scan
        docker-image: cybedefend/local-scanner:latest
        script-content: >-
          cybedefend scan ./ --ci 
            --api-key %CYBEDEFEND_API_KEY% 
            --project-id %CYBEDEFEND_PROJECT_ID%

Explanation

  • docker-image: Points to a Docker image (e.g., cybedefend/local-scanner) that already has the CybeDefend CLI installed.
  • script-content: Runs cybedefend scan, zipping your current directory (./) and securely uploading it to CybeDefend.
  • —ci: Outputs minimal logs for a cleaner CI experience.
  • Environment Variables: %CYBEDEFEND_API_KEY% and %CYBEDEFEND_PROJECT_ID% are typically stored in TeamCityProject SettingsParameters, masking sensitive data.

If this is your first time scanning the repo, CybeDefend will automatically create a new project (assuming the Project ID is valid or left empty to be generated). Subsequent scans append results to the same project.

Verifying Results

  1. Console Output
    After the step finishes, TeamCity logs display a summary of any critical or high-severity issues.
  2. Further Exploration
    Add a subsequent step to fetch results in JSON, HTML, or SARIF formats: 
    cybedefend results --project-id %CYBEDEFEND_PROJECT_ID% --output sarif --all
  3. CybeDefend Dashboard
    Visit your CybeDefend account to see the complete vulnerability list, including severity breakdowns and recommended fixes.

For large codebases, scanning can take a few minutes. Make sure your TeamCity job does not have overly strict timeouts.

You can restrict scanning to main by adjusting your TeamCity triggers. This avoids mixing partial or experimental features in your final security reports.