Wiring CI/CD Pipelines for Pipeline-Triggered Scans

About this guide

From a signed inbound webhook to a gated pull request, this guide covers the branch filter, auto-scan fan-out, commit-status gate, and a verifiable event audit.

This guide wires a CI/CD pipeline into PMAP so code changes trigger scans automatically. You will stand up a connector for one of the six supported vendors, obtain its signed inbound webhook URL, and verify that PMAP rejects every unsigned or wrongly signed event so only authentic, replay-resistant deliveries reach the orchestrator. A branch filter then keeps feature-branch noise out of the pipeline.

The Integrations workspace: a vendor marketplace, a CI/CD detail tab set, and an inbound webhook receiver.

It is written for platform and AppSec engineers who want security checks built into the delivery pipeline. By the end you can fan auto-scans out to SAST and SCA integrations with each scan tagged by VCS context, gate pull requests with a threshold-driven commit-status check and security-summary comment, reconstruct the chain from the CI event audit log, and operate the pipeline over time with secret rotation and a vendor-by-vendor rollout.

Inside this guide

  • Understand the orchestrator and the HMAC boundary before you create a connector.
  • Create the CI/CD connector, copy its signed webhook URL, and register it on the platform.
  • Confirm signed delivery and rejection of bad signatures, then read CIEvent normalization across vendors.
  • Set the branch filter to protected branches and configure auto-scan fan-out to SAST and SCA.
  • Confirm VCS source tagging on triggered scans.
  • Set block and warn thresholds, then post the PR comment and commit-status check.
  • Audit the last 200 CI events, rotate the secret, and roll out to more vendors.

Before you start

  • A PMAP account with integration create and edit permissions, since integration writes are auth-protected.
  • Administrative access to one CI/CD platform among GitHub, GitLab, Azure DevOps, Jenkins, Bamboo, or Bitbucket.
  • At least one configured SAST or SCA integration, for example Checkmarx, SonarQube, Snyk, Black Duck, Sonatype, Fortify, or Prisma Cloud, to receive the fan-out.
  • A clear branch policy, since the branch filter separates protected-branch scanning from feature-branch noise.
  • Agreement on your block and warn severity lists, because those lists decide whether the gate returns failure, pending, or success.
  • A secret store and a rotation owner for the webhook secret, since rotation takes effect with no grace window.
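The receiver side of what this guide describes, as an added example rather than PMAP's own code: a webhook handler that rejects unsigned, wrongly signed, stale and replayed deliveries at the HMAC boundary, normalizes the surviving event into a vendor-neutral record, applies the protected-branch filter, and maps the block and warn severity lists onto the three commit-status outcomes. The header names, the `<timestamp>.<body>` signing scheme, the 300-second replay window, the simplified GitHub and GitLab payload shapes, and the reading that block means failure, warn means pending and neither means success are all assumptions made for this example, not PMAP's documented format.

```python
import fnmatch
import hashlib
import hmac
import json

# Constructed values for the example; the real secret lives in your secret store.
WEBHOOK_SECRET = b"constructed-demo-secret-rotate-me"
REPLAY_WINDOW_SECONDS = 300                  # assumed tolerance for the signed timestamp
PROTECTED_BRANCHES = ("main", "release/*")   # assumed branch filter patterns

# Header names and the "<timestamp>.<body>" signing scheme are assumptions,
# not PMAP's documented wire format.
SIG_HEADER = "X-Signature"
TS_HEADER = "X-Timestamp"
ID_HEADER = "X-Delivery-Id"


def sign(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>", so the timestamp is covered by the MAC."""
    msg = f"{timestamp}.".encode() + body
    return "sha256=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_delivery(headers: dict, body: bytes, now: int, seen_ids: set,
                    secret: bytes = WEBHOOK_SECRET) -> tuple[bool, str]:
    """Accept a delivery only if it is signed, fresh, and not seen before.

    The replay set is updated only after the signature verifies, so
    unauthenticated traffic cannot fill it with delivery ids.
    """
    sig = headers.get(SIG_HEADER)
    ts = headers.get(TS_HEADER)
    delivery_id = headers.get(ID_HEADER)
    if not (sig and ts and delivery_id):
        return False, "missing signature headers"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts_int) > REPLAY_WINDOW_SECONDS:
        return False, "stale timestamp"
    expected = sign(body, ts_int, secret)
    # Constant-time comparison; a plain == leaks where the digests diverge.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if delivery_id in seen_ids:
        return False, "replayed delivery"
    seen_ids.add(delivery_id)
    return True, "ok"


def normalize_event(vendor: str, payload: dict) -> dict:
    """Reduce a vendor push payload to one CIEvent-style record (payload shapes simplified)."""
    if vendor == "github":
        ref, commit = payload["ref"], payload["after"]
        repo = payload["repository"]["full_name"]
    elif vendor == "gitlab":
        ref, commit = payload["ref"], payload["checkout_sha"]
        repo = payload["project"]["path_with_namespace"]
    else:
        raise ValueError(f"unsupported vendor: {vendor}")
    return {"vendor": vendor, "repo": repo,
            "branch": ref.removeprefix("refs/heads/"), "commit": commit}


def branch_is_protected(branch: str, patterns=PROTECTED_BRANCHES) -> bool:
    """Branch filter: only protected branches trigger scans."""
    return any(fnmatch.fnmatchcase(branch, p) for p in patterns)


def gate_status(findings: list, block: set, warn: set) -> str:
    """Map the block/warn severity lists to the commit-status outcome.

    Assumed reading of the rule: any finding in the block list fails the check,
    otherwise any finding in the warn list leaves it pending, otherwise success.
    """
    severities = {f["severity"].lower() for f in findings}
    if severities & block:
        return "failure"
    if severities & warn:
        return "pending"
    return "success"


def handle_delivery(vendor: str, headers: dict, body: bytes, now: int, seen_ids: set) -> dict:
    """Receiver path: verify, normalize, apply the branch filter, return the fan-out plan."""
    ok, reason = verify_delivery(headers, body, now, seen_ids)
    if not ok:
        return {"accepted": False, "reason": reason}
    event = normalize_event(vendor, json.loads(body))
    if not branch_is_protected(event["branch"]):
        return {"accepted": True, "scan": False, "reason": "branch filtered", "event": event}
    # Fan-out targets: the configured SAST and SCA integrations, each tagged with the VCS context.
    return {"accepted": True, "scan": True, "targets": ["sast", "sca"], "event": event}


if __name__ == "__main__":
    now = 1_700_000_000
    body = json.dumps({"ref": "refs/heads/main", "after": "0" * 40,
                       "repository": {"full_name": "acme/shop"}}).encode()  # constructed payload
    headers = {SIG_HEADER: sign(body, now), TS_HEADER: str(now), ID_HEADER: "delivery-1"}
    seen = set()
    print(handle_delivery("github", headers, body, now, seen))
    print(handle_delivery("github", headers, body, now, seen))   # same id again: replayed
    print(gate_status([{"severity": "High"}], {"critical", "high"}, {"medium"}))
```

Running the module shows the first delivery accepted with both fan-out targets, the identical second delivery refused as a replay, and a single high-severity finding turning the gate to failure. The check order matters for the audit trail too: a rejection reason of "bad signature" versus "replayed delivery" tells you whether the secret or the transport is the problem.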