The infraudit CLI is designed to work as a security gate in automated pipelines. Use --output json (the examples below use the short form -o json) with jq to parse results programmatically and fail the build when critical findings are present.

Authentication in CI

Never store credentials in the repository or hardcode them in pipeline files. Pass them via CI secrets:
infraudit auth login --email "$CI_EMAIL" --password "$CI_PASSWORD"
Or authenticate with an API token:
infraudit auth login --token "$INFRAUDIT_TOKEN"
Set INFRAUDIT_SERVER_URL as a CI secret rather than hardcoding your server address:
export INFRAUDIT_SERVER_URL="$INFRAUDIT_SERVER_URL"

GitHub Actions

The following workflow runs a drift scan and a vulnerability scan on every push to main and on a daily schedule. It fails the job if any critical findings are present:
name: InfraAudit security check

on:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * *"

jobs:
  security:
    runs-on: ubuntu-latest
    # Job-level env so every step, not only the login step, talks to the same server
    env:
      INFRAUDIT_SERVER_URL: ${{ secrets.INFRAUDIT_SERVER_URL }}
    steps:
      - name: Install infraudit CLI
        run: go install github.com/pratik-mahalle/infraudit/cmd/cli@latest

      - name: Authenticate
        run: infraudit auth login --email "${{ secrets.INFRAUDIT_EMAIL }}" --password "${{ secrets.INFRAUDIT_PASSWORD }}"

      - name: Run drift scan
        run: infraudit drift detect

      - name: Run vulnerability scan
        run: infraudit vulnerability scan

      - name: Fail on critical findings
        run: |
          CRITICAL=$(infraudit drift list --severity critical -o json | jq 'length')
          CRITICAL_VULNS=$(infraudit vulnerability list --severity critical -o json | jq 'length')
          if [ "$CRITICAL" -gt 0 ] || [ "$CRITICAL_VULNS" -gt 0 ]; then
            echo "FAIL: $CRITICAL critical drifts, $CRITICAL_VULNS critical vulnerabilities"
            infraudit drift list --severity critical
            infraudit vulnerability list --severity critical
            exit 1
          fi
          echo "PASS: No critical findings"

GitLab CI

infraudit-security:
  stage: test
  image: golang:1.24
  before_script:
    # jq is not part of the golang image; the gate in the script section needs it
    - apt-get update && apt-get install -y --no-install-recommends jq
    - go install github.com/pratik-mahalle/infraudit/cmd/cli@latest
    - infraudit auth login --email "$INFRAUDIT_EMAIL" --password "$INFRAUDIT_PASSWORD"
  script:
    - infraudit drift detect
    - infraudit vulnerability scan
    - |
      CRITICAL=$(infraudit drift list --severity critical -o json | jq 'length')
      CRITICAL_VULNS=$(infraudit vulnerability list --severity critical -o json | jq 'length')
      if [ "$CRITICAL" -gt 0 ] || [ "$CRITICAL_VULNS" -gt 0 ]; then
        echo "FAIL: $CRITICAL critical drifts, $CRITICAL_VULNS critical vulnerabilities"
        exit 1
      fi
      echo "PASS: No critical findings"
  variables:
    INFRAUDIT_SERVER_URL: $INFRAUDIT_SERVER_URL

Shell script pattern

For custom pipeline environments or cron jobs:
#!/bin/bash
# -o pipefail: a failing infraudit command inside a pipeline must fail the gate
# instead of being counted as zero findings by jq
set -eo pipefail

# Honor the server URL provided by the CI environment; fall back to the default address
export INFRAUDIT_SERVER_URL="${INFRAUDIT_SERVER_URL:-https://api.infraudit.dev}"

infraudit auth login --email "$CI_EMAIL" --password "$CI_PASSWORD"

infraudit drift detect
infraudit vulnerability scan

CRITICAL=$(infraudit drift list --severity critical -o json | jq 'length')
CRITICAL_VULNS=$(infraudit vulnerability list --severity critical -o json | jq 'length')

if [ "$CRITICAL" -gt 0 ] || [ "$CRITICAL_VULNS" -gt 0 ]; then
  echo "FAIL: $CRITICAL critical drifts, $CRITICAL_VULNS critical vulnerabilities"
  exit 1
fi

echo "PASS: No critical findings"
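The same gate as a small Python script, added here as an example (not code from the infraudit project), for pipelines where a jq one-liner is not enough: it runs the page's two list commands, accepts empty, null, array or object-wrapped JSON, and exits 2 on a CLI or parse failure so that a broken scan is never reported as a pass. The finding field names id and drift_type follow the CSV tip on this page; the accepted JSON shapes and the sample finding are constructed assumptions.

```python
"""CI gate over `infraudit ... -o json` output (example code, not part of infraudit)."""
import json
import subprocess
import sys
# The page's own list commands; only the output handling is added here.
CHECKS = {
    "drift": ["infraudit", "drift", "list", "--severity", "critical", "-o", "json"],
    "vulnerability": ["infraudit", "vulnerability", "list", "--severity", "critical", "-o", "json"],
}
# Constructed sample of one critical drift; field names follow the CSV tip on this page.
SAMPLE_DRIFT = '[{"id": "drift-1", "drift_type": "security_group", "severity": "critical", "status": "open"}]'

def parse_findings(text):
    """Findings as a list. Accepts an array, an object wrapping an array, or empty/null
    output (a quiet CLI must not crash the gate); any other shape is an error, not a pass."""
    data = json.loads(text) if text.strip() else None
    if data is None:
        return []
    if isinstance(data, list):
        return data
    if isinstance(data, dict):
        return next((v for v in data.values() if isinstance(v, list)), [])
    raise ValueError("unexpected JSON shape: %s" % type(data).__name__)

def run_check(name, cmd, runner=subprocess.run):
    """Run one list command; a non-zero CLI exit is an error, never 'zero findings'."""
    proc = runner(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"{name} list failed (exit {proc.returncode}): {proc.stderr.strip()}")
    return parse_findings(proc.stdout)

def gate(results):
    """results: {check name: findings}. Returns (exit code, summary lines)."""
    lines, total = [], 0
    for name, findings in results.items():
        total += len(findings)
        for f in findings:
            lines.append(f"  {name}: {f.get('id', '?')} {f.get('drift_type', '')}".rstrip())
    lines.insert(0, f"{'FAIL' if total else 'PASS'}: {total} critical finding(s)")
    return (1 if total else 0), lines

if __name__ == "__main__":
    try:
        results = {name: run_check(name, cmd) for name, cmd in CHECKS.items()}
    except (RuntimeError, ValueError, OSError) as exc:
        print(f"ERROR: {exc}", file=sys.stderr)
        sys.exit(2)  # CLI or parse failure: distinct from "critical findings present"
    code, summary = gate(results)
    print("\n".join(summary))
    sys.exit(code)
```

Exit code 1 means critical findings were present, 2 means the gate itself could not run; both fail the build, but only the second should page whoever owns the pipeline.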

Tips

All list commands support -o json. Pipe the output to jq to extract fields or count results:
# Count critical drift findings
infraudit drift list --severity critical -o json | jq 'length'

# Extract resource names from a list
infraudit resource list -o json | jq '.[].name'

# Convert drift list to CSV
infraudit drift list -o json | jq -r '.[] | [.id, .drift_type, .severity, .status] | @csv'
The CLI exits with code 1 on errors and unexpected conditions. Failures propagate naturally to the CI build status without extra logic.
To avoid reinstalling the CLI on every run, cache the $HOME/go/bin directory using your CI platform’s caching mechanism. In GitHub Actions, use actions/cache keyed on the CLI version.