CI
Using lstn CLI in CI environments
As lstn comes in the form of a CLI binary supporting a variety of operating systems and host architectures, it can be installed in any CI runner (hosted or on-prem). Please follow the CI installation guide for instructions on integrating lstn with your CI system.
If you are using GitHub Actions for your CI workflows, we recommend using the lstn action which offers first-class integration with 1-click installation through the GitHub marketplace.
The example below demonstrates a GitHub Actions workflow that uses the lstn CLI to scan a project and enforce a policy. In this example the CLI functions as a standalone component and is agnostic of the CI system being used; all integration logic is handled by the user in the workflow file.
Example workflow
Below is an example of a workflow file demonstrating how to use the lstn CLI in a GitHub workflow (placed in .github/workflows/). It assumes that:
- You have a package.json file in the repository root
- A rules.yml file in the repository root, containing rule expressions that define policies
```yaml
name: Example workflow using lstn CLI
on:
  push:
  pull_request:
    branches: ["main"]
env:
  LSTN_ENDPOINT: https://npm.listen.dev
  WORKDIR: .
  RULES_FILE: rules.yml
  RULE_NAME: "ignore_priority_medium"
jobs:
  lstn-cli-e2e:
    runs-on: ubuntu-latest
    steps:
      # Build lstn from source for this end-to-end example; in a real pipeline
      # you would normally install a released binary (see the CI installation guide).
      - name: Clone repo
        uses: actions/checkout@v3
        with:
          repository: listendev/lstn
      - name: Build lstn CLI from source
        uses: actions/setup-go@v3
        with:
          go-version: '1.19.4'
          cache: true
      - run: |
          go build -o make/make make/main.go
          make/make lstn
          mv lstn /usr/local/bin/ && chmod +x /usr/local/bin/lstn
          lstn version
      # Now check out the repository that is actually being tested.
      - name: Checkout the test repo
        uses: actions/checkout@v3
      - name: lstn scan
        run: |
          lstn scan "$WORKDIR"
      - name: Enforce lstn policy with exceptions
        run: |
          # RULE_NAME, RULES_FILE and WORKDIR come from the workflow-level env block and
          # are already exported into the shell. Reading them as $VARS instead of
          # interpolating ${{ env.X }} into the script keeps the step free of script
          # injection should the values ever be sourced from an untrusted context.
          QUERY=$(yq e ".rules[] | select(.name == \"$RULE_NAME\") | .query" "$RULES_FILE")
          # behavior defaults to "fail" when the rule does not set one
          BEHAVIOR=$(yq e ".rules[] | select(.name == \"$RULE_NAME\") | .behavior // \"fail\"" "$RULES_FILE")
          # empty output means the query selected no package, i.e. no violation
          lstn_output=$(lstn scan "$WORKDIR" --json -q "$QUERY")
          if [ -z "$lstn_output" ]; then
            echo "No policy violation was detected for rule: $RULE_NAME. Proceeding to build."
          else
            case "$BEHAVIOR" in
              silent)
                echo "Policy violation detected, but behavior is set to silent for rule: $RULE_NAME"
                ;;
              ignore)
                echo "Policy violation detected, but behavior is set to ignore for rule: $RULE_NAME"
                ;;
              *)
                echo "A policy violation was detected for rule: $RULE_NAME. Stopping the build."
                echo "$lstn_output"
                exit 1
                ;;
            esac
          fi
```
The example workflow above uses the following rule from rules.yml. The query is a jq-style expression that lstn applies to its JSON scan output (passed via -q); the workflow treats empty output as "no violation". behavior is optional and, as the yq expression in the enforcement step shows, defaults to fail when omitted, so only silent and ignore prevent a match from stopping the build:
```yaml
rules:
  # based on priority levels
  - name: ignore_priority_medium
    query: .[] | select(.verdicts[]?.priority == "medium")
    behavior: ignore
```
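The enforcement step above checks a single rule named in RULE_NAME. The script below is an added example (not code from lstn or from the original page) that generalises the same decision logic to every rule in rules.yml and could be called from that step instead of the inline shell: for each rule it runs `lstn scan <dir> --json -q <query>` exactly as the workflow does, treats empty output as "no violation", lets silent and ignore matches through, blocks on any other behavior (including a missing one, mirroring the `// "fail"` default and the `*)` branch), and fails closed when lstn itself exits non-zero. The `Runner` callable, `ScannerError`, the exit code 2 for tool failure and the use of PyYAML to load rules.yml are assumptions of this example, not lstn behaviour.

```python
"""Policy gate around `lstn scan --json -q <query>` covering every rule in rules.yml.

Added example: generalises the single-rule enforcement step of the workflow to
all rules and fails closed on scanner errors. Assumes rules.yml has the shape
shown on this page (name / query / optional behavior).
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List

FAIL, SILENT, IGNORE = "fail", "silent", "ignore"
NON_BLOCKING = {SILENT, IGNORE}   # every other value falls through to "fail"
Runner = Callable[[str, str], str]  # (project_dir, query) -> lstn stdout (assumed interface)


@dataclass
class Rule:
    name: str
    query: str            # jq-style expression, passed verbatim to `lstn scan -q`
    behavior: str = FAIL  # same default as the workflow's `.behavior // "fail"`


@dataclass
class Verdict:
    rule: str
    violated: bool   # the query selected at least one package (non-empty output)
    blocking: bool   # violated and behavior is neither silent nor ignore
    matches: str = ""


class ScannerError(RuntimeError):
    """lstn exited non-zero: a tool failure, never to be read as a pass."""


def rules_from_mapping(doc: Dict) -> List[Rule]:
    """Build Rule objects from the parsed rules.yml mapping ({"rules": [...]})."""
    return [Rule(name=r["name"], query=r["query"], behavior=r.get("behavior", FAIL))
            for r in doc.get("rules", [])]


def run_lstn_query(project_dir: str, query: str) -> str:
    """Real runner: the same invocation the workflow's enforcement step uses."""
    proc = subprocess.run(["lstn", "scan", project_dir, "--json", "-q", query],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise ScannerError(proc.stderr.strip() or f"lstn exited {proc.returncode}")
    return proc.stdout.strip()


def enforce(rules: List[Rule], project_dir: str, runner: Runner = run_lstn_query) -> List[Verdict]:
    """Evaluate every rule; a ScannerError propagates so the caller can fail closed."""
    verdicts = []
    for rule in rules:
        output = runner(project_dir, rule.query)
        violated = bool(output)
        blocking = violated and rule.behavior not in NON_BLOCKING
        verdicts.append(Verdict(rule.name, violated, blocking, output))
    return verdicts


def exit_code(verdicts: List[Verdict]) -> int:
    """1 if any blocking rule fired, else 0 (same contract as the workflow's `exit 1`)."""
    return 1 if any(v.blocking for v in verdicts) else 0


def report(verdicts: List[Verdict]) -> None:
    for v in verdicts:
        if not v.violated:
            print(f"ok    {v.rule}: no policy violation")
        elif v.blocking:
            print(f"FAIL  {v.rule}: policy violation, stopping the build\n{v.matches}")
        else:
            print(f"warn  {v.rule}: policy violation, non-blocking by configuration")


if __name__ == "__main__":
    # Usage: python policy_gate.py <project_dir> <rules.yml>
    import yaml  # assumption: PyYAML is installed on the runner
    project, rules_path = sys.argv[1], sys.argv[2]
    with open(rules_path) as fh:
        loaded = rules_from_mapping(yaml.safe_load(fh))
    try:
        results = enforce(loaded, project)
    except ScannerError as exc:
        print(f"lstn failed: {exc}", file=sys.stderr)
        sys.exit(2)  # fail closed: a broken scanner must not pass the gate
    report(results)
    sys.exit(exit_code(results))
```

Failing closed is the one place this deliberately differs from the inline shell: with GitHub's default `bash -e`, a non-zero lstn exit also fails the step there, but only implicitly; here a tool error gets its own exit status so a CI dashboard can tell "scanner broke" apart from "policy violated".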