CI/CD Integration

qtz-discovery-cli is designed for headless CI/CD execution. Use --fail-on to gate deployments, --format sarif to surface findings in code review, and --baseline to detect only new issues on each commit.

GitHub Actions

Basic — fail on critical findings

name: Cryptographic Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:

jobs:
  crypto-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install qtz-discovery-cli
        run: |
          curl -Lo qtz-discovery-cli https://quantizant.io/downloads/releases/qtz-discovery-cli-linux-amd64
          chmod +x qtz-discovery-cli
          sudo mv qtz-discovery-cli /usr/local/bin/

      - name: Scan cryptographic assets
        run: |
          qtz-discovery-cli scan source . \
            --fail-on critical \
            --format sarif \
            --output results.sarif

      - name: Upload SARIF to GitHub Security
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: quantizant-crypto-scan

Advanced — CBOM artifact + baseline diff

name: Cryptographic Inventory

on:
  push:
    branches: [main]

jobs:
  crypto-inventory:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install qtz-discovery-cli
        run: |
          curl -Lo qtz-discovery-cli https://quantizant.io/downloads/releases/qtz-discovery-cli-linux-amd64
          chmod +x qtz-discovery-cli
          sudo mv qtz-discovery-cli /usr/local/bin/

      - name: Restore baseline
        uses: actions/cache@v4
        with:
          path: .qtz-baseline.json
          # Cache entries are immutable: a key that never changes is saved once
          # and then always hits, so --update-baseline would never be persisted.
          # Save under a per-commit key and restore the newest one for the branch.
          key: qtz-baseline-${{ github.ref_name }}-${{ github.sha }}
          restore-keys: |
            qtz-baseline-${{ github.ref_name }}-

      - name: Scan with baseline diff
        run: |
          qtz-discovery-cli scan source . \
            --format cbom \
            --output cbom.json \
            --baseline .qtz-baseline.json \
            --update-baseline \
            --show-score
        env:
          QTZ_SERVER_API_KEY: ${{ secrets.QTZ_SERVER_API_KEY }}
          QTZ_SERVER_ORG_ID: ${{ secrets.QTZ_SERVER_ORG_ID }}

      - name: Upload CBOM artifact
        uses: actions/upload-artifact@v4
        with:
          name: cbom-${{ github.sha }}
          path: cbom.json
          retention-days: 90

Source + network matrix

jobs:
  crypto-scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - scan: source
            args: "scan source ."
          - scan: network
            args: "scan network api.example.com:443"
    steps:
      - uses: actions/checkout@v4

      - name: Install qtz-discovery-cli
        run: |
          curl -Lo qtz-discovery-cli https://quantizant.io/downloads/releases/qtz-discovery-cli-linux-amd64
          chmod +x qtz-discovery-cli
          sudo mv qtz-discovery-cli /usr/local/bin/

      - name: Run ${{ matrix.scan }} scan
        run: |
          qtz-discovery-cli ${{ matrix.args }} \
            --format sarif \
            --output ${{ matrix.scan }}-results.sarif \
            --fail-on high

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ matrix.scan }}-results.sarif
          category: qtz-${{ matrix.scan }}

GitLab CI

crypto-scan:
  image: ubuntu:22.04
  stage: test
  before_script:
    - apt-get update -qq && apt-get install -y curl
    - curl -Lo qtz-discovery-cli https://quantizant.io/downloads/releases/qtz-discovery-cli-linux-amd64
    - chmod +x qtz-discovery-cli && mv qtz-discovery-cli /usr/local/bin/
  script:
    - qtz-discovery-cli scan source .
        --fail-on critical
        --format sarif
        --output gl-sast-report.json
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - gl-sast-report.json
    when: always
    expire_in: 30 days
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

Exit Codes

Code  Meaning
0     Success
1     General error (bad config, auth failure, unreachable target, etc.)
2     Scan completed but --fail-on threshold was exceeded — pipeline should fail

Environment Variables

Provide these as CI secrets rather than hardcoding credentials in the pipeline:

Variable            Description
QTZ_SERVER_API_KEY  Portal API key (for upload and AI analysis features)
QTZ_SERVER_ORG_ID   Organization ID (required with API key)
QTZ_SERVER_URL      Portal server URL (default: https://discovery.quantizant.io/)

Tips for CI

  • Use --baseline so that each PR fails only on new findings, not on existing technical debt.
  • The binary at https://quantizant.io/downloads/releases/qtz-discovery-cli-linux-amd64 always points to the latest release. Check the download page for the current version number.
  • Upload the CBOM artifact for every main-branch build to track your inventory over time.
  • Set --fail-on critical as a hard gate and --fail-on high as a soft warning in separate steps.
  • Use the SARIF upload action with if: always() so results appear in the Security tab even on failed runs.
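As an added example (not qtz-discovery-cli's own code), a POSIX shell gate that applies the exit codes above and the hard/soft gate tip around any scanner invocation, and checks that the report the `if: always()` upload step needs was actually written; the `run_gate` name, the report-file argument and the sample scanner commands are assumptions:

```shell
#!/bin/sh
# Added example, not part of qtz-discovery-cli: a small gate around the scanner
# that acts on the documented exit codes (0 clean, 1 tool/config error,
# 2 --fail-on threshold exceeded) and checks that the SARIF report the
# later upload step depends on was actually written.
#
#   run_gate <hard|soft> <report-file> <scanner command...>
#
# "hard": exit code 2 fails the job.  "soft": exit code 2 is downgraded to a
# warning and the job continues.  Exit code 1 always fails the job, so a broken
# install or bad API key is never mistaken for a clean scan.  The ::error::/
# ::warning:: prefixes are GitHub Actions workflow commands; on GitLab they are
# plain log lines.
run_gate() {
  gate_mode="$1"; report="$2"; shift 2
  "$@"
  scan_rc=$?
  case "$scan_rc" in
    0|2)
      # A clean or over-threshold run must still leave a report behind,
      # otherwise the `if: always()` upload step fails for an unrelated reason.
      if [ ! -s "$report" ]; then
        echo "::error::scanner exited $scan_rc but wrote no report at $report"
        return 1
      fi
      if [ "$scan_rc" -eq 0 ]; then
        echo "scan clean, report at $report"
        return 0
      fi
      if [ "$gate_mode" = "hard" ]; then
        echo "::error::--fail-on threshold exceeded (hard gate)"
        return 2
      fi
      echo "::warning::--fail-on threshold exceeded (soft gate, not failing job)"
      return 0 ;;
    1)
      echo "::error::scanner reported a general error (config, auth, target)"
      return 1 ;;
    *)
      echo "::error::unexpected scanner exit code $scan_rc"
      return "$scan_rc" ;;
  esac
}

# In a pipeline, the two tip steps become (uncomment with the real scanner):
# run_gate hard critical.sarif qtz-discovery-cli scan source . --fail-on critical --format sarif --output critical.sarif
# run_gate soft high.sarif     qtz-discovery-cli scan source . --fail-on high     --format sarif --output high.sarif
```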