🧪 CI/CD examples
OpenDoor can be used in CI/CD pipelines as an exposure check or regression gate.
Basic CI command
```bash
opendoor \
  --host https://example.com \
  --reports json,sqlite,sarif
```
Fail on selected buckets
```bash
opendoor \
  --host https://example.com \
  --fail-on-bucket success,auth,forbidden,blocked,bypass
```
OpenDoor completes the scan and exits with code 1 if any finding falls into one of the selected result buckets.
Include the `bypass` bucket when Header Injection Bypass candidates should fail the pipeline.
Low-noise CI gate
```bash
opendoor \
  --host https://example.com \
  --method GET \
  --auto-calibrate \
  --include-status 200-299,301,302,403 \
  --exclude-status 404,429,500-599 \
  --reports json,sqlite,csv,sarif \
  --fail-on-bucket success,auth,forbidden,bypass
```
CI gate with Header Injection Bypass
```bash
opendoor \
  --host https://example.com \
  --method GET \
  --waf-detect \
  --header-bypass \
  --header-bypass-limit 32 \
  --reports json,sqlite,csv,sarif \
  --fail-on-bucket success,auth,forbidden,bypass
```
Use this only for authorized exposure regression checks.
Batch CI gate
```bash
opendoor \
  --hostlist targets.txt \
  --auto-calibrate \
  --reports json,sqlite,csv,sarif \
  --fail-on-bucket success,auth,forbidden,bypass
```
Differential report comparison
Use differential comparison when a pipeline already has a previous OpenDoor report artifact and a current report artifact. This command compares the two local files and does not send traffic to the target.
```bash
opendoor \
  --diff reports/baseline/example.com.sqlite:reports/current/example.com.sqlite \
  --reports std,json \
  --reports-dir ./diff
```
The same workflow works with JSON-to-JSON reports:
```bash
opendoor \
  --diff reports/baseline/example.com.json:reports/current/example.com.json \
  --reports std,json \
  --reports-dir ./diff
```
The diff output highlights new, removed and changed findings. Unsupported or mixed input formats are rejected with an explicit error, which keeps CI failures easy to diagnose.
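The same "fail only on what is new" idea can be applied to the SARIF artifact as well. The following is an added example, not OpenDoor's own code: it diffs two SARIF 2.1.0 reports using only standard SARIF fields (`ruleId`, `level`, location URI, message text) and returns a CI exit status that is non-zero only for findings absent from the baseline. The `gate` function, the file names, and the rule ids, URIs and messages in the embedded sample reports are assumptions and constructed placeholders, not real OpenDoor output.

```python
"""Gate a pipeline on SARIF findings that are new relative to a baseline report.
Added example, not part of OpenDoor: it diffs two SARIF 2.1.0 logs (the format
--reports sarif writes) by standard fields only; the sample data is constructed.
"""
import json


def result_key(result: dict) -> tuple:
    """Stable identity of one SARIF result, built from standard fields only."""
    loc = (result.get("locations") or [{}])[0]
    uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
    return (result.get("ruleId", ""), result.get("level", ""), uri,
            result.get("message", {}).get("text", ""))


def collect_results(sarif: dict) -> dict:
    """Map result key -> result across every run in the SARIF log."""
    return {result_key(r): r for run in sarif.get("runs", [])
            for r in run.get("results", [])}


def new_findings(baseline: dict, current: dict) -> list:
    """Results in `current` whose key is absent from `baseline`, in report order."""
    known = collect_results(baseline)
    return [r for k, r in collect_results(current).items() if k not in known]


def _result(rule: str, uri: str, text: str, level: str = "warning") -> dict:
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}


def _sarif(*results: dict) -> dict:
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "opendoor"}},
                                         "results": list(results)}]}


# Constructed sample reports (placeholder rule ids): /.git/ is known, /admin/ is new.
BASELINE = _sarif(_result("opendoor/success", "https://example.com/.git/", "HTTP 200"))
CURRENT = _sarif(_result("opendoor/success", "https://example.com/.git/", "HTTP 200"),
                 _result("opendoor/auth", "https://example.com/admin/", "HTTP 401"))


def gate(baseline_path: str, current_path: str) -> int:
    """CI exit status: 1 when the current report has findings absent from the baseline."""
    with open(baseline_path) as b, open(current_path) as c:
        added = new_findings(json.load(b), json.load(c))
    for r in added:  # print only what is new, so the CI log stays low-noise
        print(f"NEW {r['ruleId']} {result_key(r)[2]}: {r['message']['text']}")
    return 1 if added else 0
```

In a CI step, call `gate("reports/baseline/example.com.sarif", "reports/current/example.com.sarif")` and pass its return value to `sys.exit` so that only newly introduced findings fail the job.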
GitHub Actions example
```yaml
name: OpenDoor exposure check
on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * *"
jobs:
  opendoor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install OpenDoor
        run: |
          python3 -m pip install --user pipx
          python3 -m pipx ensurepath
          pipx install opendoor
      - name: Run OpenDoor
        run: |
          opendoor \
            --host https://example.com \
            --method GET \
            --auto-calibrate \
            --header-bypass \
            --header-bypass-limit 32 \
            --reports json,sqlite,csv,sarif \
            --reports-dir ./reports \
            --fail-on-bucket success,auth,forbidden,bypass
      - name: Upload reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: opendoor-reports
          path: reports/
```
GitHub Code Scanning with SARIF
```yaml
name: OpenDoor SARIF scan
on:
  workflow_dispatch:
permissions:
  contents: read
  security-events: write
jobs:
  opendoor-sarif:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Install OpenDoor
        run: |
          python3 -m pip install --user pipx
          python3 -m pipx ensurepath
          pipx install opendoor
      - name: Run OpenDoor
        run: |
          opendoor \
            --host https://example.com \
            --method GET \
            --auto-calibrate \
            --reports sarif,json \
            --reports-dir ./reports \
            --fail-on-bucket success,auth,forbidden,bypass
      - name: Upload OpenDoor SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: reports/example.com/example.com.sarif
          category: opendoor
```
Use `security-events: write` so GitHub Actions can upload the SARIF file into Code Scanning.
GitLab CI example
```yaml
opendoor:
  image: python:3.13
  script:
    - python -m pip install --upgrade pip pipx
    - python -m pipx ensurepath
    # ensurepath only updates shell startup files; export the pipx bin dir for this job's shell
    - export PATH="$HOME/.local/bin:$PATH"
    - pipx install opendoor
    - |
      opendoor \
        --host https://example.com \
        --method GET \
        --auto-calibrate \
        --header-bypass \
        --header-bypass-limit 32 \
        --reports json,sqlite,csv,sarif \
        --reports-dir ./reports \
        --fail-on-bucket success,auth,forbidden,bypass
  artifacts:
    when: always
    paths:
      - reports/
```
CI safety notes
Do not put secrets directly in repository workflows.
Use CI secret stores for:
- tokens;
- cookies;
- authenticated raw requests;
- proxy credentials;
- VPN credentials.
Do not upload artifacts that contain sensitive findings to publicly accessible locations.