CI/CD Pipelines
Integrate reel into any CI/CD system. Download the binary, run scans, and collect results.
Generic Pipeline
The pattern is the same for any CI system:

```bash
# 1. Download reel
curl -sL https://github.com/getreeldev/releases/releases/latest/download/reel_linux_amd64.tar.gz | tar xz

# 2. Run scans
./reel export sbom --image myapp:latest -o sbom.json
./reel export cbom --image myapp:latest -o cbom.json
./reel export malware --image myapp:latest -o malware.json
./reel export sarif --image myapp:latest -o results.sarif

# 3. Collect results
# Upload sbom.json, cbom.json, malware.json, results.sarif as artifacts
```
GitLab CI
```yaml
# .gitlab-ci.yml
security-scan:
  stage: test
  image: docker:latest
  services:
    - docker:dind
  script:
    - curl -sL https://github.com/getreeldev/releases/releases/latest/download/reel_linux_amd64.tar.gz | tar xz
    - docker build -t myapp:$CI_COMMIT_SHA .
    - ./reel export sbom --image myapp:$CI_COMMIT_SHA -o sbom.json
    - ./reel export cbom --image myapp:$CI_COMMIT_SHA -o cbom.json
    - ./reel export sarif --image myapp:$CI_COMMIT_SHA -o results.sarif
  artifacts:
    paths:
      - sbom.json
      - cbom.json
      - results.sarif
```
Jenkins
```groovy
// Jenkinsfile
pipeline {
    agent any
    stages {
        stage('Security Scan') {
            steps {
                sh 'curl -sL https://github.com/getreeldev/releases/releases/latest/download/reel_linux_amd64.tar.gz | tar xz'
                // Build the image that will be scanned (mirrors the GitLab example)
                sh "docker build -t myapp:${env.BUILD_TAG} ."
                // Double quotes: Groovy must interpolate env.BUILD_TAG before the shell
                // sees the command; in single quotes the literal ${env.BUILD_TAG} reaches
                // the shell and fails with a bad substitution
                sh "./reel export sbom --image myapp:${env.BUILD_TAG} -o sbom.json"
                sh "./reel export sarif --image myapp:${env.BUILD_TAG} -o results.sarif"
                archiveArtifacts artifacts: 'sbom.json,results.sarif'
            }
        }
    }
}
```
Tips
- Cache `~/.cache/reel/` between builds to skip tool downloads
- Use `--offline` in air-gapped environments with a pre-populated cache
- Pin a specific reel version for reproducible builds
- Use `reel export sarif` for SARIF output; it works with any CI system, not just GitHub
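The generic pipeline above and the tip about pinning a reel version can be tied together in one helper that a CI job calls instead of the raw `curl | tar xz` line: download a pinned release, refuse to unpack it unless its SHA-256 matches a value the team recorded, run the four exports, then fail the job when the SARIF output contains error-level findings. The script below is an added example, not part of reel's own code or documentation. It assumes that a pinned tag is served from GitHub's standard `/releases/download/<tag>/` path (only the `latest` URL is on this page), that `results.sarif` follows the SARIF 2.1.0 layout (`runs[].results[].level`), and that the expected digest is supplied by the operator; the embedded SARIF document is constructed for the offline demo.

```python
"""CI helper for reel: pinned, digest-verified download plus a SARIF gate.

Added example, not reel's own code. Assumptions: GitHub's standard pinned
release path, SARIF 2.1.0 result layout, operator-supplied SHA-256.
"""
import hashlib
import hmac
import json
import subprocess
import sys
import tarfile
import urllib.request
from pathlib import Path

# Release location from the page; the /download/<tag>/ form is GitHub's
# standard layout for pinned tags (assumption, not shown on the page).
RELEASE_BASE = "https://github.com/getreeldev/releases/releases"
ASSET = "reel_linux_amd64.tar.gz"

# Constructed SARIF 2.1.0 document standing in for results.sarif so the gate
# can be exercised without a reel binary or a container image.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "reel"}},
        "results": [
            {"ruleId": "EXAMPLE-001", "level": "error", "message": {"text": "constructed finding"}},
            {"ruleId": "EXAMPLE-002", "level": "warning", "message": {"text": "constructed finding"}},
            {"ruleId": "EXAMPLE-003", "message": {"text": "constructed finding, no level given"}},
        ],
    }],
}


def release_url(version: str) -> str:
    """Tarball URL for a pinned tag, or the 'latest' URL shown on the page."""
    if version == "latest":
        return f"{RELEASE_BASE}/latest/download/{ASSET}"
    return f"{RELEASE_BASE}/download/{version}/{ASSET}"


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare the tarball digest with the pinned value (timing-safe compare)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.strip().lower())


def count_sarif_findings(sarif: dict, min_level: str = "error") -> int:
    """Count results at or above min_level across all runs.

    A result that omits 'level' is treated as 'warning', the SARIF default.
    """
    severity = {"note": 0, "warning": 1, "error": 2}
    threshold = severity[min_level]
    return sum(
        1
        for run in sarif.get("runs", [])
        for result in run.get("results", [])
        if severity.get(result.get("level", "warning"), 1) >= threshold
    )


def download_and_verify(version: str, expected_sha256: str, dest: Path = Path(".")) -> Path:
    """Fetch the pinned tarball and unpack it only if the digest matches."""
    with urllib.request.urlopen(release_url(version)) as resp:
        data = resp.read()
    if not verify_sha256(data, expected_sha256):
        raise SystemExit("reel tarball digest mismatch; not running an unverified scanner")
    tar_path = dest / ASSET
    tar_path.write_bytes(data)
    with tarfile.open(tar_path) as tf:
        # The 'data' filter (Python 3.12+, backported to maintenance releases)
        # rejects entries that would escape dest during extraction.
        if hasattr(tarfile, "data_filter"):
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)
    return dest / "reel"


def run_scans(reel: Path, image: str) -> Path:
    """Run the four exports from the page and return the SARIF path."""
    for fmt, out in (("sbom", "sbom.json"), ("cbom", "cbom.json"),
                     ("malware", "malware.json"), ("sarif", "results.sarif")):
        subprocess.run([str(reel), "export", fmt, "--image", image, "-o", out], check=True)
    return Path("results.sarif")


def gate(sarif: dict) -> int:
    """CI exit status: 1 if any error-level finding is present, else 0."""
    return 1 if count_sarif_findings(sarif, "error") else 0


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: reel_ci.py <release tag> <sha256 of the tarball> <image:tag>
        version, digest, image = sys.argv[1:4]
        reel = download_and_verify(version, digest)
        results = json.loads(run_scans(reel, image).read_text())
    else:
        results = SAMPLE_SARIF  # offline demo on the constructed document
    print(f"{count_sarif_findings(results, 'error')} error-level finding(s)")
    sys.exit(gate(results))
```

Run it with no arguments to see the gate act on the constructed document, or with `<tag> <sha256> <image>` inside a job; the digest is the value your team recorded for that tag, so a replaced tarball fails before anything is extracted or executed, and the job's exit status carries the scan verdict to any CI system.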