# CI/CD Integration
Gixy integrates seamlessly with CI/CD pipelines to catch NGINX security misconfigurations before they reach production.
## Checkstyle XML Output

For CI/CD integration, use the `--format checkstyle` option to generate machine-readable XML output:

```bash
gixy --format checkstyle /etc/nginx/nginx.conf > gixy-report.xml
```

The Checkstyle XML format is a widely supported standard for static analysis tools, natively consumed by:
- Jenkins (Warnings Next Generation plugin)
- GitLab CI (Code Quality reports)
- GitHub Actions (via reviewdog, super-linter)
- Bitbucket Pipelines (Code Insights)
- SonarQube (External issues import)
- Many IDEs (IntelliJ, Eclipse, VS Code)
### Example Output

```xml
<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="8.0">
  <file name="/etc/nginx/nginx.conf">
    <error line="10" column="1" severity="error"
           message="[ssrf] SSRF vulnerability: reason"
           source="gixy.ssrf"/>
  </file>
</checkstyle>
```
## GitHub Actions

```yaml
name: NGINX Security Scan
on: [push, pull_request]

jobs:
  gixy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Gixy
        run: pip install gixy-ng
      - name: Run Gixy
        run: gixy --format checkstyle nginx/*.conf > gixy-report.xml
        continue-on-error: true
      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: gixy-report
          path: gixy-report.xml
```
### With reviewdog

For inline PR comments, use reviewdog:

```yaml
      - name: Run Gixy with reviewdog
        uses: reviewdog/action-setup@v1
      - name: Gixy
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # The pipe discards Gixy's own exit code; the step result comes from reviewdog.
          gixy --format checkstyle nginx/*.conf | \
            reviewdog -f=checkstyle -reporter=github-pr-review
```
## GitLab CI

```yaml
gixy:
  stage: test
  image: python:3.11-slim
  before_script:
    - pip install gixy-ng
  script:
    - gixy --format checkstyle nginx/*.conf > gl-code-quality-report.xml
  artifacts:
    reports:
      codequality: gl-code-quality-report.xml
    when: always
```
## Jenkins

Using the Warnings Next Generation Plugin:

```groovy
pipeline {
    agent any
    stages {
        stage('NGINX Security Scan') {
            steps {
                sh 'pip install gixy-ng'
                sh 'gixy --format checkstyle /etc/nginx/*.conf > gixy-report.xml || true'
            }
            post {
                always {
                    recordIssues(
                        tools: [checkStyle(pattern: 'gixy-report.xml')]
                    )
                }
            }
        }
    }
}
```
## Docker

For containerized pipelines:

```bash
docker run --rm -v /path/to/nginx:/etc/nginx:ro \
  getpagespeed/gixy --format checkstyle /etc/nginx/nginx.conf
```
## Exit Codes

Gixy uses exit codes to indicate scan results:

| Exit Code | Meaning |
|---|---|
| 0 | No issues found |
| 1 | Issues found |
| 2 | Configuration error |

Use these in your CI/CD pipeline to fail builds on security issues:

```bash
gixy /etc/nginx/nginx.conf || exit 1
```
## Pre-commit Hook

Add Gixy to your pre-commit configuration:

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/dvershinin/gixy
    rev: v0.2.24
    hooks:
      - id: gixy
        files: \.conf$
```
## Severity Mapping
Gixy severities map to Checkstyle severities as follows:
| Gixy Severity | Checkstyle Severity |
|---|---|
| HIGH | error |
| MEDIUM | warning |
| LOW | info |
| UNSPECIFIED | info |
Configure your CI/CD tool to fail on specific severity levels as needed.
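Gixy's own exit code is 1 whenever any issue is found, so a pipeline that should only block on HIGH findings needs to inspect the Checkstyle report itself. The following script is an added example, not part of Gixy: it parses the report, counts findings per Checkstyle severity, and exits non-zero only when something at or above a chosen threshold is present. The script name `gixy_gate.py` and the sample report embedded in it are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Rank follows the mapping above: HIGH->error, MEDIUM->warning, LOW/UNSPECIFIED->info.
SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2}

# Constructed sample report in Gixy's Checkstyle format (not real scan output).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<checkstyle version="8.0">
  <file name="/etc/nginx/nginx.conf">
    <error line="10" column="1" severity="error"
           message="[ssrf] SSRF vulnerability: reason" source="gixy.ssrf"/>
    <error line="25" column="1" severity="warning"
           message="[example_plugin] constructed finding" source="gixy.example_plugin"/>
  </file>
</checkstyle>
"""


def count_by_severity(xml_text):
    """Return {severity: count} over every <error> element in the report."""
    counts = {}
    for err in ET.fromstring(xml_text).iter("error"):
        sev = err.get("severity", "info")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def findings_at_or_above(xml_text, threshold):
    """Count findings whose severity is at or above threshold (info|warning|error)."""
    floor = SEVERITY_RANK[threshold]
    return sum(n for sev, n in count_by_severity(xml_text).items()
               if SEVERITY_RANK.get(sev, 0) >= floor)


def exit_code_for(xml_text, threshold="error"):
    """1 when anything at/above threshold is present, else 0 (Gixy's 0/1 convention)."""
    return 1 if findings_at_or_above(xml_text, threshold) else 0


if __name__ == "__main__":
    # usage: python gixy_gate.py gixy-report.xml [error|warning|info]
    threshold = sys.argv[2] if len(sys.argv) > 2 else "error"
    with open(sys.argv[1], encoding="utf-8") as fh:
        report = fh.read()
    print("gixy findings by severity:", count_by_severity(report))
    sys.exit(exit_code_for(report, threshold))
```

Run it as a step after `gixy --format checkstyle ... > gixy-report.xml`, keeping `|| true` (or `continue-on-error`) on the scan step so that this gate, not Gixy's blanket exit code, decides whether the job fails.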