Overview
Corsair runs in any CI/CD pipeline that supports Bun. Use it for continuous compliance signing and verification — sign tool output into CPOEs and verify existing attestations on every release cycle.
GitHub Actions
```yaml
name: Corsair Compliance Signing
on:
  schedule:
    - cron: '0 6 * * 1' # Weekly Monday 6am UTC
  workflow_dispatch:
jobs:
  corsair:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
      - name: Install Corsair
        run: |
          git clone https://github.com/Arudjreis/corsair.git /tmp/corsair
          cd /tmp/corsair && bun install
      - name: Run scanner
        run: |
          ./scripts/run-scanner.sh --output ./scan-results/tool-output.json
      - name: Sign scan results into CPOE
        run: |
          cd /tmp/corsair
          corsair sign \
            --file ${{ github.workspace }}/scan-results/tool-output.json \
            --mapping ${{ github.workspace }}/mappings/toolx.json \
            --output /tmp/cpoe.jwt
      - name: Verify CPOE
        run: |
          cd /tmp/corsair
          corsair verify --file /tmp/cpoe.jwt
          # Optional strict evidence check
          # corsair verify --file /tmp/cpoe.jwt --evidence ./evidence/corsair-evidence.jsonl
          # Optional strict policy checks (receipts + SCITT + input binding)
          # corsair verify --file /tmp/cpoe.jwt --receipts ./receipts.json --require-receipts --require-scitt
          # corsair verify --file /tmp/cpoe.jwt --source-document ./scan-results/tool-output.json --require-input-binding
      - uses: actions/upload-artifact@v4
        with:
          name: corsair-cpoe
          path: /tmp/cpoe.jwt
```
GitLab CI
```yaml
corsair:
  image: oven/bun:latest
  stage: test
  only:
    - schedules
  script:
    - git clone https://github.com/Arudjreis/corsair.git /tmp/corsair
    - cd /tmp/corsair && bun install
    # The cd above persists for the rest of the script, so anchor the project
    # paths on $CI_PROJECT_DIR; otherwise the input is looked up and the CPOE
    # written inside /tmp/corsair, where the artifacts step will not find it.
    - corsair sign --file $CI_PROJECT_DIR/scan-results/tool-output.json --mapping $CI_PROJECT_DIR/mappings/toolx.json --output $CI_PROJECT_DIR/cpoe.jwt
    - corsair verify --file $CI_PROJECT_DIR/cpoe.jwt
  artifacts:
    paths:
      - cpoe.jwt
    expire_in: 90 days
```
Jenkins
```groovy
pipeline {
  agent any
  triggers { cron('H 6 * * 1') }
  stages {
    stage('Corsair Compliance Signing') {
      steps {
        sh '''
          # Make sure the output directory exists before corsair writes into it
          mkdir -p evidence
          corsair sign \
            --file compliance/tool-output.json \
            --mapping ./mappings/toolx.json \
            --output evidence/cpoe-${BUILD_ID}.jwt
        '''
      }
    }
    stage('Verify CPOE') {
      steps {
        sh 'corsair verify --file evidence/cpoe-${BUILD_ID}.jwt'
      }
    }
  }
  post {
    always {
      archiveArtifacts artifacts: 'evidence/*.jwt'
    }
  }
}
```
Best Practices
- Schedule weekly — Run tool scans and CPOE signing on a recurring schedule, not just on deploys
- Archive CPOEs — Store signed JWT-VC artifacts for audit trail
- Diff between runs — Use `corsair diff` to compare CPOEs across release cycles
- Verify CPOEs — Use `corsair verify` to validate existing CPOEs in your pipeline
- Track provenance — Record which tools produced the evidence at each cycle
- Chain with tool scans — Run your scanners first, then sign the results with `corsair sign`
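The three pipeline snippets above and the best-practice list describe the same sequence: scan, sign, verify, archive. The following script is an added example, not part of Corsair or its repository, that packages that sequence as one CI-agnostic step so the scan -> sign -> verify order and the fail-the-build-on-verify-failure behaviour live in one place rather than being re-typed per CI system. It assumes `corsair` is on PATH, that `./scripts/run-scanner.sh` and `mappings/toolx.json` are yours (both names are taken from the page), and that the strict `corsair verify` flags are switched on through environment variables (`EVIDENCE`, `REQUIRE_RECEIPTS`, `RECEIPTS`, `REQUIRE_INPUT_BINDING` are names chosen here, not Corsair settings). It also refuses to archive an output file that is not shaped like a compact JWT, so an empty file or an error message written to the output path is never uploaded as evidence.

```shell
#!/bin/sh
# Added example (not Corsair's own code): CI-agnostic scan -> sign -> verify wrapper.
# Invoke as:  bash corsair-ci.sh run
set -eu

WORKSPACE="${WORKSPACE:-$PWD}"
SCAN_OUT="${SCAN_OUT:-$WORKSPACE/scan-results/tool-output.json}"
MAPPING="${MAPPING:-$WORKSPACE/mappings/toolx.json}"
CPOE="${CPOE:-$WORKSPACE/evidence/cpoe.jwt}"

# Assemble the `corsair verify` argument list. Only flags shown on this page are used;
# the environment-variable names that enable them are this example's own convention:
#   EVIDENCE=./evidence/corsair-evidence.jsonl     -> --evidence <file>
#   REQUIRE_RECEIPTS=1 [RECEIPTS=./receipts.json]  -> --receipts <file> --require-receipts --require-scitt
#   REQUIRE_INPUT_BINDING=1                        -> --source-document <scan output> --require-input-binding
build_verify_args() {
  cpoe="$1"
  source_doc="$2"
  args="--file $cpoe"
  if [ -n "${EVIDENCE:-}" ]; then
    args="$args --evidence $EVIDENCE"
  fi
  if [ "${REQUIRE_RECEIPTS:-0}" = "1" ]; then
    args="$args --receipts ${RECEIPTS:-./receipts.json} --require-receipts --require-scitt"
  fi
  if [ "${REQUIRE_INPUT_BINDING:-0}" = "1" ]; then
    args="$args --source-document $source_doc --require-input-binding"
  fi
  printf '%s\n' "$args"
}

# A CPOE is a compact JWT: three non-empty base64url segments separated by dots.
# Returns 0 when the string has that shape, non-zero otherwise.
looks_like_jwt() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

run_pipeline() {
  mkdir -p "$(dirname "$SCAN_OUT")" "$(dirname "$CPOE")"

  # 1. Scanners first: the signed evidence must come from this run's tool output.
  ./scripts/run-scanner.sh --output "$SCAN_OUT"

  # 2. Sign the tool output into a CPOE using the tool's mapping.
  corsair sign --file "$SCAN_OUT" --mapping "$MAPPING" --output "$CPOE"

  # 3. Verify what was just signed; a non-zero exit fails the build under set -e.
  #    The argument string is deliberately unquoted so the shell splits it into flags.
  corsair verify $(build_verify_args "$CPOE" "$SCAN_OUT")

  # 4. Sanity-check the artifact's shape before the CI system archives it.
  if ! looks_like_jwt "$(tr -d '\n' < "$CPOE")"; then
    echo "CPOE at $CPOE is not a compact JWT; refusing to archive it" >&2
    exit 1
  fi
  echo "CPOE signed and verified: $CPOE"
}

# Run only when asked, so the functions can also be sourced by other scripts.
case "${1:-}" in
  run) run_pipeline ;;
esac
```

In GitHub Actions, GitLab CI or Jenkins the step then reduces to `bash corsair-ci.sh run` followed by the platform's usual artifact upload of `evidence/cpoe.jwt`; turning on the strict checks is a matter of exporting `REQUIRE_RECEIPTS=1` or `REQUIRE_INPUT_BINDING=1` in the job environment rather than editing the command line.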