Workflow Tools
Workflow Tools are security scanners and custom scripts that run between the core pipeline stages. Click the + button between stage nodes in the workflow builder to add tools.
Available Tools
| Tool | Stage | Description |
|---|---|---|
| Detect-Secrets | Pre-Build | Scans source code for hardcoded secrets such as API keys, credentials, and passwords. |
| Trivy | Post-Build | Scans the built container image for known security vulnerabilities (CVEs). |
| SonarQube | Post-Build | Runs code quality analysis including bugs, vulnerabilities, code smells, and quality gate checks. |
| Custom Script | Pre-Build, Post-Build, Post-Push, Post-Deploy | Executes custom shell scripts for specialized tasks at any stage. |
Pre-Build Tools
Pre-build tools run after the source code is cloned and before the Docker build begins. Click the + button next to the Source stage to add pre-build tools.
Detect-Secrets
Scans all files in the repository for hardcoded secrets.
| Field | Description |
|---|---|
| Enable/Disable | Toggle to enable or disable the scan. |
| Failure Strategy | Abort — stop the pipeline if secrets are detected. Skip — log the results and continue the pipeline. |
When secrets are detected, a report is generated and available in the Reports tab. Skip still lets the build proceed, so a secret the scan found can be copied into the image and pushed to the registry; use Skip for triage of a noisy repository and Abort once the baseline is clean.
Pre-Build Custom Script
Run a custom shell script before the build stage.
| Field | Description |
|---|---|
| Script | The shell script content to execute. |
| CPU | CPU allocation for the script container (default: 100m). |
| Memory | Memory allocation for the script container (default: 500Mi). |
| Volume | Storage volume for the script container (default: 10Gi). |
Post-Build Tools
Post-build tools run after the Docker image is built and before it is pushed to the registry. Click the + button next to the Build stage to add post-build tools.
Trivy
Scans the built container image for known vulnerabilities.
| Field | Description |
|---|---|
| Enable/Disable | Toggle to enable or disable the scan. |
| Max Critical Vulnerabilities | Maximum number of critical-severity CVEs allowed before triggering the failure strategy. |
| Max High Vulnerabilities | Maximum number of high-severity CVEs allowed before triggering the failure strategy. |
| Failure Strategy | Abort — stop the pipeline if thresholds are exceeded. Skip — log the results and continue. |
A CSV report is generated with columns: severity, CVE ID, package name, installed version, and fixed version.
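The threshold logic above, as an added example rather than the platform's own implementation: a POSIX shell script that counts CRITICAL and HIGH rows in a report with the documented columns, compares them with the Max Critical / Max High limits, and applies Abort or Skip. The header names, the exact column order and the fixable-only filter (counting only rows that carry a fixed version) are assumptions added here; the built-in tool counts every finding. The sample report is constructed and its CVE IDs are placeholders, not real vulnerabilities.

```shell
#!/bin/sh
# Added example, not the platform's own code: apply Max Critical / Max High
# thresholds and a failure strategy to a CSV report with the columns
# severity, CVE ID, package name, installed version, fixed version.
# Header names and column order are assumptions.

# count_severity REPORT SEVERITY [FIXABLE_ONLY]
# Count rows with the given severity. With FIXABLE_ONLY=1 only rows that
# carry a fixed version are counted, i.e. findings that can be patched now.
# (This filter is an addition here; the built-in tool counts every finding.)
count_severity() {
    report="$1"; severity="$2"; fixable="${3:-0}"
    awk -F',' -v sev="$severity" -v fixable="$fixable" '
        NR > 1 && toupper($1) == sev && (fixable == 0 || $5 != "") { n++ }
        END { print n + 0 }
    ' "$report"
}

# check_thresholds REPORT MAX_CRITICAL MAX_HIGH
# Return 0 when both counts are within their limits, 1 otherwise.
check_thresholds() {
    report="$1"; max_critical="$2"; max_high="$3"
    critical=$(count_severity "$report" CRITICAL)
    high=$(count_severity "$report" HIGH)
    echo "critical=$critical (max $max_critical) high=$high (max $max_high)"
    [ "$critical" -le "$max_critical" ] && [ "$high" -le "$max_high" ]
}

# apply_strategy REPORT MAX_CRITICAL MAX_HIGH STRATEGY
# Abort returns 1 (fails the stage) when thresholds are exceeded;
# Skip logs the breach and returns 0 so the pipeline continues.
apply_strategy() {
    report="$1"; max_critical="$2"; max_high="$3"; strategy="$4"
    if check_thresholds "$report" "$max_critical" "$max_high"; then
        return 0
    fi
    case "$strategy" in
        Abort) echo "thresholds exceeded: aborting"; return 1 ;;
        Skip)  echo "thresholds exceeded: logged, continuing"; return 0 ;;
        *)     echo "unknown failure strategy: $strategy"; return 2 ;;
    esac
}

# Constructed sample report for the demo; the CVE IDs are placeholders,
# not real vulnerabilities.
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
severity,cve_id,package,installed_version,fixed_version
CRITICAL,CVE-0000-0001,libexample,1.0.0,1.0.1
CRITICAL,CVE-0000-0002,libother,2.3.0,
HIGH,CVE-0000-0003,libexample,1.0.0,1.0.2
HIGH,CVE-0000-0004,libthird,0.9.0,
MEDIUM,CVE-0000-0005,libthird,0.9.0,0.9.1
EOF

# Demo: a limit of zero critical findings is exceeded by the sample; under
# Skip the breach is logged and the script still exits 0.
apply_strategy "$SAMPLE_REPORT" 0 5 Skip
```

Run with a real report path in place of the constructed file; a Post-Build Custom Script that calls `apply_strategy` with Abort turns a threshold breach into a failed stage through its exit status.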
SonarQube
Runs static code analysis for code quality and security.
| Field | Description |
|---|---|
| Enable/Disable | Toggle to enable or disable the analysis. |
| Failure Strategy | Abort — stop the pipeline if the quality gate fails. Skip — log the results and continue. |
SonarQube checks the code against a configured quality gate and reports bugs, vulnerabilities, code smells, and overall quality status.
Post-Build Custom Script
Run a custom shell script after the build stage.
| Field | Description |
|---|---|
| Script | The shell script content to execute. |
| CPU | CPU allocation for the script container. |
| Memory | Memory allocation for the script container. |
| Volume | Storage volume for the script container. |
Post-Push Tools
Post-push tools run after the image is pushed to the container registry and before the deploy stage. You can add a custom script at this stage.
Post-Push Custom Script
| Field | Description |
|---|---|
| Script | The shell script content to execute after the image is pushed. |
| CPU | CPU allocation for the script container. |
| Memory | Memory allocation for the script container. |
| Volume | Storage volume for the script container. |
Post-Deploy Tools
Post-deploy tools run after the application is deployed to the target environment. Click the + button next to the Deploy stage to add post-deploy tools.
Post-Deploy Custom Script
Run a custom script after deployment — commonly used for database migrations, cache warming, or smoke tests.
| Field | Description |
|---|---|
| Environment | The active environment where the post-deploy script will execute. |
| Container Type | The container image used to run the script (see table below). |
| Script | The shell script content to execute. |
Container Types
Select the runtime environment for the post-deploy script:
| Type | Image | Use Case |
|---|---|---|
| Application | Uses the deployed application's own image | Run scripts that require the application runtime. |
| Ubuntu | ubuntu:22.04 | General-purpose scripts. |
| Alpine | alpine:latest | Lightweight scripts. |
| Python | python:3.9-slim | Python-based scripts and migrations. |
| Node | node:18-alpine | Node.js scripts. |
| Golang | golang:1.19-alpine | Go-based scripts. |
| Java | openjdk:17-alpine | Java-based scripts. |
| PHP | php:8.1-cli-alpine | PHP scripts. |
| PostgreSQL | postgres:14 | Database operations. |
| Redis | redis:7-alpine | Redis operations. |
| Nginx | nginx:alpine | Web server configuration scripts. |
| Custom | User-specified image | Provide a custom container image URL. |
Post-deploy scripts run as Kubernetes Jobs in the target environment's namespace. Jobs are automatically cleaned up 1 hour after completion. Kubernetes judges the Job by the container's exit status, which is the script's exit status, so a smoke test or migration must exit non-zero on failure rather than only printing an error. The image tags in the table above are mutable, so the runtime behind a container type can change between runs; when a job needs a reproducible or auditable runtime, use the Custom type with an image pinned by digest (image@sha256:...).
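A smoke test of the kind the post-deploy stage is meant for, as an added example that is not the platform's own code: a POSIX shell script that retries an HTTP probe against the freshly deployed service and fails the Job through its exit status. The `SMOKE_URL` variable, the retry settings and the presence of `curl` in the chosen container type are assumptions.

```shell
#!/bin/sh
# Added example, not the platform's own code: a post-deploy smoke test
# written to run as the Kubernetes Job described above. The Job's outcome
# follows this script's exit status, so every failure path ends in a
# non-zero exit. SMOKE_URL and the retry settings are assumptions.

# wait_until_ok ATTEMPTS DELAY_SECONDS CMD [ARGS...]
# Run CMD until it succeeds, retrying up to ATTEMPTS times with DELAY
# seconds between tries. Returns 0 on the first success, 1 if all fail.
# Retrying matters right after a rollout: new pods may not be Ready yet.
wait_until_ok() {
    attempts="$1"; delay="$2"; shift 2
    i=1
    while [ "$i" -le "$attempts" ]; do
        if "$@"; then
            echo "check passed on attempt $i"
            return 0
        fi
        echo "attempt $i/$attempts failed; retrying in ${delay}s"
        sleep "$delay"
        i=$((i + 1))
    done
    echo "giving up after $attempts attempts"
    return 1
}

# http_ok URL
# Succeed only on a 2xx response. Assumes curl is available in the chosen
# container type; the minimal base images in the table do not all ship it,
# so install it first or use the Custom type with an image that has it.
http_ok() {
    status=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 5 "$1") || return 1
    case "$status" in
        2??) return 0 ;;
        *)   echo "unexpected HTTP status $status from $1"; return 1 ;;
    esac
}

# Run the probe only when a URL is configured. In the Job, SMOKE_URL would
# point at the in-cluster service of the deployed application (hypothetical
# name); the script exits 1 when the service never answers 2xx.
if [ -n "${SMOKE_URL:-}" ]; then
    wait_until_ok 10 3 http_ok "$SMOKE_URL" || exit 1
fi
```

Any check can be substituted for `http_ok` (a `psql -c 'select 1'` in the PostgreSQL type, a `redis-cli ping` in the Redis type) as long as it reports by exit status, which is what makes the retry wrapper and the Job's success or failure line up.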
Failure Strategies
Detect-Secrets, Trivy and SonarQube each expose a failure strategy that determines what happens when the tool reports an issue (custom scripts have no such field; their fields are listed in the tables above):
| Strategy | Behavior |
|---|---|
| Abort | The pipeline stops immediately. Subsequent stages are not executed. The execution status is set to Failed. |
| Skip | The tool's results are logged but the pipeline continues to the next stage. |