
Connect APVISO with CircleCI

CI/CD

Run APVISO penetration tests as part of your CircleCI pipeline. Catch vulnerabilities before they reach production with automated security gates.

Why connect APVISO with CircleCI?

Pipeline-Integrated Security Testing

Trigger APVISO scans automatically from CircleCI workflows so every deployment candidate is tested for vulnerabilities before reaching production.

Quality Gates for Security

Define pass/fail criteria based on vulnerability severity. Block deployments that introduce Critical or High findings to enforce security standards in your CI/CD pipeline.

Parallel Security Scanning

Run APVISO scans in parallel with your existing test suites so security testing does not add extra wait time to your deployment pipeline.

Setup Guide

1. Add the APVISO Orb

Add the APVISO orb to your CircleCI configuration. The orb provides pre-built commands for triggering scans and checking results.

2. Configure API Credentials

Store your APVISO API key as a CircleCI environment variable. The orb uses this to authenticate with the APVISO API when triggering scans.

3. Add the Scan Step to Your Workflow

Insert the APVISO scan step into your CircleCI workflow, typically after deployment to a staging environment. Configure the target URL and severity threshold for the quality gate.

Features

  • CircleCI orb for easy pipeline integration
  • Trigger scans on every commit, PR, or scheduled pipeline
  • Configurable severity thresholds for pass/fail gates
  • Scan results posted as CircleCI artifacts
  • Pipeline status checks based on vulnerability findings
  • Support for parallel execution alongside existing tests

How APVISO Integrates with CircleCI

APVISO's CircleCI integration embeds penetration testing directly into your CI/CD pipeline, ensuring that every deployment candidate is assessed for vulnerabilities before reaching production. By treating security testing as a first-class pipeline step, your team catches vulnerabilities at the point where they are cheapest and easiest to fix.

Pipeline-Native Security Testing

The integration works through a custom CircleCI orb that wraps APVISO's API. After your application deploys to a staging environment within the pipeline, the APVISO orb triggers a targeted scan against that environment. The four AI agents — recon, scanner, lead, and reporter — execute the penetration test while CircleCI monitors progress.

The orb provides several commands: apviso/scan triggers a new scan, apviso/wait polls until the scan completes, and apviso/gate evaluates findings against your configured severity threshold. A typical workflow adds these steps after the staging deployment job.

Quality Gates and Deployment Control

The most valuable aspect of the CircleCI integration is the security quality gate. You define a maximum acceptable severity level — for example, no Critical or High findings — and the pipeline fails if APVISO discovers vulnerabilities exceeding that threshold. This prevents vulnerable code from progressing to production.

When the gate fails, CircleCI marks the job as failed and the scan summary appears in the job output. Developers can click through to the APVISO dashboard to see full finding details, reproduction steps, and remediation guidance. This tight feedback loop means developers fix vulnerabilities while the code changes are still fresh in their minds.
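The gate logic described above, as an added illustration rather than the orb's own code: the findings summary format is constructed here (the real APVISO JSON artifact's field names are not documented on this page, so "findings", "severity" and the sample entries are assumptions), and the function returns a verdict a pipeline step can turn into a pass/fail exit status.

```python
import json
from collections import Counter

# Severity ranking used for threshold comparison (higher number = more severe).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample of a findings summary. The real artifact's field names are
# not documented on this page; "findings" and "severity" are assumptions.
SAMPLE_SUMMARY = json.dumps({
    "target": "https://staging.example.test",
    "findings": [
        {"id": "F-1", "title": "Reflected XSS in search", "severity": "High"},
        {"id": "F-2", "title": "Missing HSTS header", "severity": "Low"},
        {"id": "F-3", "title": "Verbose server banner", "severity": "Info"},
    ],
})

def evaluate_gate(summary_json: str, threshold: str) -> dict:
    """Fail the gate if any finding is at or above `threshold` severity.

    Returns the pass/fail verdict, per-severity counts and the findings that
    tripped the gate, so the CI step can log exactly why it blocked the deploy.
    """
    threshold = threshold.lower()
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold!r}")
    summary = json.loads(summary_json)
    counts = Counter()
    blocking = []
    for finding in summary.get("findings", []):
        sev = str(finding.get("severity", "info")).lower()
        # Unknown severities are treated as blocking rather than silently ignored,
        # so a schema change cannot let a vulnerable build pass the gate.
        rank = SEVERITY_RANK.get(sev, max(SEVERITY_RANK.values()))
        counts[sev] += 1
        if rank >= SEVERITY_RANK[threshold]:
            blocking.append(finding)
    return {"passed": not blocking, "counts": dict(counts), "blocking": blocking}

def gate_exit_code(summary_json: str, threshold: str) -> int:
    """Exit status for a CI step: 0 lets the workflow continue, 1 fails the job."""
    return 0 if evaluate_gate(summary_json, threshold)["passed"] else 1

if __name__ == "__main__":
    import sys
    result = evaluate_gate(SAMPLE_SUMMARY, "high")
    print(json.dumps(result, indent=2))
    sys.exit(gate_exit_code(SAMPLE_SUMMARY, "high"))
```

With the sample data and a "high" threshold the single High finding fails the job, while a "critical" threshold lets the same scan pass.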

Workflow Configuration

A typical CircleCI configuration uses the APVISO orb in a workflow that first builds and deploys to staging, then runs the APVISO scan. The scan job depends on the deploy job, ensuring the staging environment is ready before testing begins. You can run the scan in parallel with integration tests or other verification steps to minimize total pipeline duration.

The orb supports configuration options including target URL, scan profile (quick scan vs. comprehensive), severity threshold, timeout duration, and notification preferences. These can be set as pipeline parameters so different branches or environments use different scan configurations.

Scan Results as Artifacts

When a scan completes, the orb saves the results as CircleCI artifacts. This includes a JSON summary of all findings and a markdown report. Team members can download these artifacts directly from the CircleCI dashboard without needing APVISO access. For compliance purposes, these artifacts provide an auditable record that security testing was performed as part of the deployment process.

Scheduled Security Scans

Beyond event-driven scans, you can use CircleCI's scheduled pipeline feature to run APVISO scans on a regular cadence. This catches vulnerabilities introduced by dependency updates, infrastructure drift, or newly disclosed CVEs that affect your application. Scheduled scans complement the per-deployment scans by providing continuous coverage even during periods of low deployment activity.

Frequently Asked Questions

Does APVISO scanning slow down my CircleCI pipeline?

APVISO scans run in parallel with your other pipeline jobs by default. You can also configure the scan step to run asynchronously and check results later in the workflow, minimizing any impact on deployment speed.

Can I run APVISO scans only on specific branches?

Yes. Use CircleCI's built-in workflow filters to run the APVISO scan step only on specific branches such as main or release branches, or on pull request events.

Connect APVISO with CircleCI today

Set up the CircleCI integration in minutes and start routing security findings to your team.
