From a signed inbound webhook to a gated pull request, this guide covers the branch filter, auto-scan fan-out, commit-status gate, and a verifiable event audit.
This guide wires a CI/CD pipeline into PMAP so code changes trigger scans automatically. You will stand up a connector for one of the six supported vendors, obtain its signed inbound webhook URL, and verify that PMAP rejects every unsigned or wrongly signed event so only authentic, replay-resistant deliveries reach the orchestrator. A branch filter then keeps feature-branch noise out of the pipeline.

It is written for platform and AppSec engineers who want security checks built into the delivery pipeline. By the end you can fan auto-scans out to SAST and SCA integrations with each scan tagged by VCS context, gate pull requests with a threshold-driven commit-status check and security-summary comment, reconstruct the chain from the CI event audit log, and operate the pipeline over time with secret rotation and a vendor-by-vendor rollout.
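The HMAC boundary described above is the part of the pipeline most worth checking by hand before any scan is wired up: a receiver that accepts an unsigned or wrongly signed delivery, or that accepts the same signed delivery twice, turns the CI webhook into an unauthenticated scan trigger. The verifier below is an added example, not PMAP's receiver or any vendor's code; the header names, the `sha256=<hex>` signature format, the `<timestamp>.<body>` signed string and the 300-second skew are assumptions, since this page does not state how PMAP formats its signature.

```python
import hashlib
import hmac
import json
import time

# Header names, signature format and signed-string layout are assumptions for
# this example; the page does not state how PMAP formats its signature.
SIG_HEADER = "X-PMAP-Signature"   # assumed: "sha256=<hex hmac>"
TS_HEADER = "X-PMAP-Timestamp"    # assumed: unix seconds, covered by the MAC
ID_HEADER = "X-PMAP-Delivery"     # assumed: unique id per delivery attempt
MAX_SKEW_SECONDS = 300


def sign(secret, timestamp, body):
    """HMAC-SHA256 over '<timestamp>.<raw body>' so the timestamp cannot be
    changed without invalidating the signature."""
    mac = hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


class WebhookVerifier:
    """Accepts a delivery only if it is signed with the current secret,
    fresh, and not a replay of an already accepted delivery id."""

    def __init__(self, secret, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_ids = set()   # bound this (TTL store) in a real receiver

    def verify(self, headers, body, now=None):
        now = time.time() if now is None else now
        sig = headers.get(SIG_HEADER, "")
        ts = headers.get(TS_HEADER, "")
        delivery_id = headers.get(ID_HEADER, "")
        if not (sig and ts and delivery_id):
            return False, "missing signature, timestamp or delivery id"
        if not sig.startswith("sha256="):
            return False, "unsupported signature scheme"
        # Compare MACs in constant time; '==' leaks where the mismatch is.
        if not hmac.compare_digest(sig, sign(self.secret, ts, body)):
            return False, "bad signature"
        if not ts.isdigit() or abs(now - int(ts)) > self.max_skew:
            return False, "stale or malformed timestamp"
        if delivery_id in self.seen_ids:
            return False, "replayed delivery"
        self.seen_ids.add(delivery_id)
        return True, "ok"


# Constructed sample event (not a real PMAP or vendor payload).
SECRET = b"rotate-me-from-the-secret-store"
EVENT = json.dumps({"vendor": "github", "ref": "refs/heads/main",
                    "sha": "0123abcd", "event": "push"}).encode()


def make_headers(secret, body, ts, delivery_id):
    return {SIG_HEADER: sign(secret, ts, body), TS_HEADER: ts,
            ID_HEADER: delivery_id}


def run_scenarios(now=1_700_000_000):
    """Drive the verifier through the deliveries the guide says must be rejected."""
    v = WebhookVerifier(SECRET)
    ts = str(now)
    good = make_headers(SECRET, EVENT, ts, "d-1")
    return {
        "signed": v.verify(good, EVENT, now)[1],
        "replayed": v.verify(good, EVENT, now)[1],
        "unsigned": v.verify({TS_HEADER: ts, ID_HEADER: "d-2"}, EVENT, now)[1],
        "wrong_secret": v.verify(make_headers(b"old-secret", EVENT, ts, "d-3"),
                                 EVENT, now)[1],
        "tampered_body": v.verify(make_headers(SECRET, EVENT, ts, "d-4"),
                                  EVENT + b" ", now)[1],
        "stale": v.verify(make_headers(SECRET, EVENT, str(now - 3600), "d-5"),
                          EVENT, now)[1],
    }


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:14s} -> {outcome}")
```

The order of checks matters: the signature is verified over the raw bytes before the body is parsed, so a malformed or oversized payload never reaches a JSON parser unauthenticated, and the delivery id is recorded only after every other check passes, so an attacker cannot poison the replay store with unsigned requests. The `wrong_secret` case is also what a delivery signed with the previous secret looks like after a rotation, which is why the rotation note under "Before you start" matters.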
Inside this guide
- Understand the orchestrator and the HMAC boundary before you create a connector.
- Create the CI/CD connector, copy its signed webhook URL, and register it on the platform.
- Confirm signed delivery and rejection of bad signatures, then read CIEvent normalization across vendors.
- Set the branch filter to protected branches and configure auto-scan fan-out to SAST and SCA.
- Confirm VCS source tagging on triggered scans.
- Set block and warn thresholds, then post the PR comment and commit-status check.
- Audit the last 200 CI events, rotate the secret, and roll out to more vendors.
Before you start
- A PMAP account with integration create and edit permissions, since integration writes are auth-protected.
- Administrative access to one CI/CD platform among GitHub, GitLab, Azure DevOps, Jenkins, Bamboo, or Bitbucket.
- At least one configured SAST or SCA integration, for example Checkmarx, SonarQube, Snyk, Black Duck, Sonatype, Fortify, or Prisma Cloud, to receive the fan-out.
- A clear branch policy, since the branch filter separates protected-branch scanning from feature-branch noise.
- Agreement on your block and warn severity lists, because those lists decide whether the gate returns failure, pending, or success.
- A secret store and a rotation owner for the webhook secret, since rotation takes effect with no grace window: the old secret stops validating the moment the new one is saved, so update the CI platform in the same change and expect any delivery still in flight under the old secret to be rejected.
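The block and warn lists in the last two prerequisites are the whole policy of the gate, so it helps to see the mapping from findings to a commit status written out. The function below is an added example, not PMAP's gate logic: the severity names, the `sast`/`sca` scan shape and the decision that warn-only findings report `pending` (and that an unfinished or missing scan also reports `pending` rather than `success`) are assumptions; substitute the lists your team agreed on.

```python
from collections import Counter

# Severity names and the three-state mapping are assumptions for this example;
# substitute the block and warn lists your team agreed on.
DEFAULT_BLOCK = ("critical", "high")
DEFAULT_WARN = ("medium",)


def gate_status(scans, block=DEFAULT_BLOCK, warn=DEFAULT_WARN):
    """Return (state, summary) for the commit-status check and PR comment.

    scans: list of {"source": "sast"|"sca", "status": "done"|"running",
                    "findings": [{"severity": str, "title": str}, ...]}
    state: "failure" if any finding is in the block list, "pending" if only
           warn-list findings (or a scan is still running), else "success".
    """
    block = {s.lower() for s in block}
    warn = {s.lower() for s in warn} - block   # a severity in both lists blocks
    if not scans:
        # Assumed: nothing was checked, so the gate must not report success.
        return "pending", "No scans registered for this commit."
    running = [s["source"] for s in scans if s["status"] != "done"]
    if running:
        # Fan-out is incomplete; do not let a fast SAST result outrun SCA.
        return "pending", "Waiting for: " + ", ".join(sorted(running))
    counts = Counter((s["source"], f["severity"].lower())
                     for s in scans for f in s["findings"])
    blocked = sum(n for (_, sev), n in counts.items() if sev in block)
    warned = sum(n for (_, sev), n in counts.items() if sev in warn)
    state = "failure" if blocked else "pending" if warned else "success"
    return state, render_summary(counts, block, warn, state)


def render_summary(counts, block, warn, state):
    """Markdown table for the security-summary PR comment."""
    lines = ["| Source | Severity | Count | Action |", "|---|---|---|---|"]
    for (src, sev), n in sorted(counts.items()):
        action = "block" if sev in block else "warn" if sev in warn else "info"
        lines.append(f"| {src} | {sev} | {n} | {action} |")
    if len(lines) == 2:
        lines.append("| - | - | 0 | - |")
    lines.append("")
    lines.append(f"Gate result: **{state}**")
    return "\n".join(lines)


# Constructed sample scan results (not output of any real tool).
SAMPLE_SCANS = [
    {"source": "sast", "status": "done", "findings": [
        {"severity": "High", "title": "SQL injection in /api/search"},
        {"severity": "Medium", "title": "Missing CSRF token"},
    ]},
    {"source": "sca", "status": "done", "findings": [
        {"severity": "Low", "title": "outdated dev dependency"},
    ]},
]


if __name__ == "__main__":
    state, summary = gate_status(SAMPLE_SCANS)
    print(state)
    print(summary)
```

Two edge cases are handled deliberately: a severity that appears in both lists is treated as blocking, so a loosely written warn list can never downgrade a block, and a commit with no completed scan reports `pending`, so a fan-out that never fired cannot pass the gate by silence.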