Guide Docs API keys Start 14-day Pro trial

CVERiskPilotAPI Docs

Developer Guide API Reference Resources Release Notes

Docs

Pipeline

Pipeline compliance scanner

Setup guide

Add compliance scanning to CI workflows and map findings to NIST 800-53, SOC 2, CMMC, FedRAMP, ASVS, and SSDF automatically.

Prerequisites

Node.js 20+
npm, yarn, or pnpm
GitHub or GitLab repository

Quick Start

Three steps. Under five minutes.

Install

npm install -g @cveriskpilot/scan

Scan

npx crp-scan --preset startup

Review

Findings are normalized into review-ready cases for analyst triage. Compliance results are mapped automatically to NIST 800-53, CMMC, SOC 2, FedRAMP, ASVS, and SSDF.

CLI Options

Flag	Description
`--preset startup`	SBOM + secrets + IaC scan
`--preset enterprise`	Full scan with all rules
`--framework nist`	Filter to specific framework
`--severity HIGH`	Minimum severity threshold
`--format json`	Output format (json, table, sarif, markdown)
`--exclude <glob>`	Exclude paths from scanning (repeatable)
`--ci`	CI mode (non-interactive, exit code on failures)

GitHub Actions Integration

Add this workflow to your repository at .github/workflows/compliance.yml

Option 1: GitHub Action (recommended)

Scans your code, posts a compliance summary as a PR comment, and fails the check on severity threshold.

.github/workflows/compliance.yml

# CVERiskPilot Compliance Scan with PR Comment
name: Compliance Scan
on: [pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devbrewster/cveriskpilot-scan/action@main
        with:
          preset: 'startup'
          fail-on: 'critical'
          api-key: ${{ secrets.CRP_API_KEY }}

Option 2: npx (manual setup)

Run the CLI directly if you want full control over the workflow steps.

.github/workflows/compliance.yml

name: Compliance Scan
on: [pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npx @cveriskpilot/scan@latest --ci --preset startup
        env:
          CRP_API_KEY: ${{ secrets.CRP_API_KEY }}

What Gets Scanned

Dependencies (SBOM)

npm, yarn, pnpm lockfiles

Secrets

API keys, tokens, credentials in source

Infrastructure as Code

Terraform, CloudFormation, Docker

Auto-Triage

Every finding is automatically classified to cut through noise.

TRUE_POSITIVEActionable finding that requires attention

FALSE_POSITIVEAuto-dismissed: test fixtures, .env.example, regex definitions, charset constants, sample data

NEEDS_REVIEWRequires human review: gitignored secrets, unknown package versions, test files with non-obvious values

Compliance Mapping

Each finding maps through CWE to NIST 800-53 to framework controls. One vulnerability, multiple compliance impacts surfaced automatically.

Finding	CWE	NIST 800-53	SOC 2	CMMC
SQL Injection	CWE-89	SI-10	CC6.1	SI.L2-3.14.2
XSS	CWE-79	SI-10	CC6.1	SI.L2-3.14.1
Hardcoded Secret	CWE-798	IA-5	CC6.1	IA.L2-3.5.10

Next Steps

GitHub Action

Use the hosted action path for pull-request and CI workflow coverage.

Open page

Start Pro trial

Create a workspace and move from local scans into hosted API workflows with a 14-day Pro trial.

Start Pro trial

Manage keys

Review the org-owned key model, usage visibility, and hosted access flow.

Manage keys

Back to Documentation

Developer guide Docs API keys Support

CVERiskPilot developer surface

CLI Options

Flag	Description
`--preset startup`	SBOM + secrets + IaC scan
`--preset enterprise`	Full scan with all rules
`--framework nist`	Filter to specific framework
`--severity HIGH`	Minimum severity threshold
`--format json`	Output format (json, table, sarif, markdown)
`--exclude <glob>`	Exclude paths from scanning (repeatable)
`--ci`	CI mode (non-interactive, exit code on failures)

GitHub Actions Integration

Add this workflow to your repository at .github/workflows/compliance.yml

Option 1: GitHub Action (recommended)

Scans your code, posts a compliance summary as a PR comment, and fails the check on severity threshold.

.github/workflows/compliance.yml

# CVERiskPilot Compliance Scan with PR Comment
name: Compliance Scan
on: [pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devbrewster/cveriskpilot-scan/action@main
        with:
          preset: 'startup'
          fail-on: 'critical'
          api-key: ${{ secrets.CRP_API_KEY }}

Option 2: npx (manual setup)

Run the CLI directly if you want full control over the workflow steps.

.github/workflows/compliance.yml

name: Compliance Scan
on: [pull_request]
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npx @cveriskpilot/scan@latest --ci --preset startup
        env:
          CRP_API_KEY: ${{ secrets.CRP_API_KEY }}

Auto-Triage

Every finding is automatically classified to cut through noise.

TRUE_POSITIVEActionable finding that requires attention

FALSE_POSITIVEAuto-dismissed: test fixtures, .env.example, regex definitions, charset constants, sample data

NEEDS_REVIEWRequires human review: gitignored secrets, unknown package versions, test files with non-obvious values

Finding

CWE

NIST 800-53

SOC 2

CMMC

SQL Injection

CWE-89

SI-10

CC6.1

SI.L2-3.14.2

XSS

CWE-79

SI-10

CC6.1

SI.L2-3.14.1

Hardcoded Secret

CWE-798

IA-5

CC6.1

IA.L2-3.5.10