Integrations for Bawbel Scanner — scan agentic AI components for AVE vulnerabilities across every stage of your development workflow.
| Integration | Status | Directory |
|---|---|---|
| GitHub Actions | ✅ v1 | action.yml |
| VS Code Extension | ✅ v1.1.1 | vscode/ |
| Pre-commit | ✅ v1.1 | .pre-commit-hooks.yaml |
| GitLab CI | ✅ v1.1 | examples/gitlab-ci.yml |
| Jenkins | ✅ v1.1 | examples/Jenkinsfile |
| CircleCI | ✅ v1.1 | examples/circleci.yml |
| Azure DevOps | ✅ v1.1 | examples/azure-devops.yml |
| Bitbucket Pipelines | ✅ v1.1 | examples/bitbucket-pipelines.yml |
Scan on every push and pull request. Findings appear as inline PR annotations in the GitHub Security tab via SARIF upload. Blocks merges on CRITICAL or HIGH findings.
```yaml
# .github/workflows/bawbel.yml
name: Bawbel Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: bawbel/bawbel-integrations@v1
        with:
          path: .
          fail-on-severity: high
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: bawbel-results.sarif
```

Inputs:

| Input | Default | Description |
|---|---|---|
| path | . | Path to scan |
| fail-on-severity | high | critical \| high \| medium \| low |
| format | sarif | sarif \| json \| text |
| recursive | true | Scan subdirectories |
| version | latest | bawbel-scanner version to install |
| extras | all | pip extras: yara semgrep llm magika all |
See action.yml for full input/output reference.
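GitHub ingests the uploaded SARIF file natively, but the Jenkins, CircleCI, Azure DevOps and Bitbucket pipelines on this page only archive `bawbel-results.sarif`. The script below is an added example (not part of bawbel-integrations) that reads a SARIF report, counts findings by severity and returns the same pass/fail decision as `--fail-on-severity`, so a downstream job or a local review can gate on the archived file. Because the page does not document the report layout, it assumes each result may carry the scanner severity in `properties.severity` (critical/high/medium/low) and falls back to the standard SARIF `level` field otherwise; the embedded report is constructed, reusing only the rule id and AVE finding location shown on this page.

```python
"""Gate on a Bawbel SARIF report (added example, not bawbel-integrations code).

Assumptions, because the page does not document the SARIF layout:
  * a result may carry the scanner severity in properties.severity
    (critical / high / medium / low);
  * when that is missing, the standard SARIF `level` is used
    (error -> high, warning -> medium, note -> low).
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low"}


def result_severity(result):
    """Severity of one SARIF result, normalised to a key of SEVERITY_RANK."""
    sev = (result.get("properties") or {}).get("severity")
    if isinstance(sev, str) and sev.lower() in SEVERITY_RANK:
        return sev.lower()
    # SARIF's own `level` defaults to "warning" when absent.
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")


def result_location(result):
    """'uri:line' of the first physical location, or '?' when none is given."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri", "?")
        line = phys.get("region", {}).get("startLine", "?")
        return f"{uri}:{line}"
    return "?"


def collect_findings(sarif):
    """Flatten every run's results into plain dicts."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "severity": result_severity(result),
                "location": result_location(result),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def gate(sarif, fail_on="high"):
    """Return (exit_code, counts, blocking); exit code 1 if any finding is at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    findings = collect_findings(sarif)
    counts = Counter(f["severity"] for f in findings)
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return (1 if blocking else 0), counts, blocking


# Constructed report for a stand-alone run: the first result reuses the rule id
# and location shown on this page, the second is entirely made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "bawbel-scanner"}},
        "results": [
            {
                "ruleId": "bawbel-external-fetch",
                "level": "error",
                "properties": {"severity": "high"},
                "message": {"text": "Skill fetches content from an external host"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "skill.md"},
                    "region": {"startLine": 2}}}],
            },
            {
                "ruleId": "example-medium-rule",   # constructed rule id
                "level": "warning",                # no properties.severity -> fallback
                "message": {"text": "Constructed medium finding"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "README.md"},
                    "region": {"startLine": 10}}}],
            },
        ],
    }],
}


def main(argv):
    """Usage: gate_sarif.py [bawbel-results.sarif] [critical|high|medium|low]"""
    fail_on = argv[2] if len(argv) > 2 else "high"
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    code, counts, blocking = gate(sarif, fail_on)
    for sev in sorted(counts, key=SEVERITY_RANK.get, reverse=True):
        print(f"{sev:>8}: {counts[sev]}")
    for f in blocking:
        print(f"[{f['severity'].upper()}] {f['rule']} {f['location']} - {f['message']}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate_sarif.py bawbel-results.sarif high` as a final pipeline step; with no arguments it evaluates the constructed report and exits 1 because of the HIGH finding.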
Real-time inline diagnostics as you write. Hover any squiggle to see severity,
matched text, and exactly how to fix it. Right-click to suppress false positives.
Full scan report with Cmd+Alt+R.
```text
# Install from Marketplace
ext install bawbel.bawbel-scanner
# Or install CLI first if needed
pip install bawbel-scanner
```

What you get:

- Inline squiggles on every finding — red (error) or yellow (warning)
- Hover tooltip: severity, match, AVE ID, CVSS-AI score, "How to fix"
- Auto-scan on save (~25ms, pattern+yara — never slows the machine)
- Full scan on demand — all engines, workspace or folder scope (`Cmd+Alt+B`)
- Watch mode — real-time background scanning, scoped to file/folder/workspace
- Scan report — `bawbel report` output in a webview panel (`Cmd+Alt+R`)
- False-positive suppression — right-click → suppress → saved to `.bawbel-suppress.json`; `suppressed_by` resolved from `git config user.name` — full audit trail
- Team suppressions — commit `.bawbel-suppress.json` to share with your team
- Status bar: `Bawbel: ✓ clean` · `Bawbel: 3 finding(s)` · `👁 Bawbel: watching`

Build from source:

```shell
cd vscode/
npm install
npx vsce package --no-dependencies
code --install-extension bawbel-scanner-1.1.1.vsix
```

See vscode/README.md for full documentation.
Block malicious skills at the commit boundary — before they reach CI.
pre-commit automatically installs bawbel-scanner in an isolated virtualenv.
No manual pip install needed.
```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/bawbel/bawbel-integrations
    rev: v1
    hooks:
      - id: bawbel-scan  # pattern engine only (~15ms per file)
```

All engines (YARA + Semgrep + Magika — slower, more thorough):

```yaml
repos:
  - repo: https://github.com/bawbel/bawbel-integrations
    rev: v1
    hooks:
      - id: bawbel-scan-all
```

Custom severity threshold:

```yaml
repos:
  - repo: https://github.com/bawbel/bawbel-integrations
    rev: v1
    hooks:
      - id: bawbel-scan
        args: ["--fail-on-severity", "critical"]
```

Use this when your environment cannot reach GitHub, or you want to manage the scanner version yourself.
```shell
pip install "bawbel-scanner>=1.0.1"
```

```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: bawbel-scan
        name: Bawbel Scanner
        entry: bawbel scan
        language: system
        types_or: [markdown, yaml, json]
        pass_filenames: true
        args: ["--fail-on-severity", "high"]
```

All engines:

```yaml
repos:
  - repo: local
    hooks:
      - id: bawbel-scan-all
        name: Bawbel Scanner (all engines)
        entry: bawbel scan
        language: system
        types_or: [markdown, yaml, json]
        pass_filenames: true
        args: ["--fail-on-severity", "high"]
```

```shell
pip install pre-commit
pre-commit install
# Test without committing
pre-commit run bawbel-scan --all-files
```

```text
Bawbel Scanner...........................................................Failed
- hook id: bawbel-scan
- exit code: 1
Bawbel Scanner
──────────────────────────────────────────────────
AVE vulnerabilities found (HIGH+):
  [HIGH] AVE-2026-00004 skill.md line 2
Run 'bawbel report skill.md' for remediation steps.
Add '<!-- bawbel-ignore: rule_id -->' to suppress false positives.
See: https://bawbel.io/docs/suppression
```
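The hook output points to the inline `<!-- bawbel-ignore: rule_id -->` directive. Since every such comment silently removes a finding, it helps to list them during review. The script below is an added example (not part of bawbel-integrations) that walks the file types the pre-commit hook scans and reports each directive with its file, line, rule id and the text it covers, plus a per-rule count. The directive syntax comes from this page; the suffix list, the in-memory sample skill file and the rule id `some-other-rule` are constructed.

```python
"""Audit inline bawbel-ignore directives (added example, not bawbel-integrations code).

The directive syntax `<!-- bawbel-ignore: rule_id -->` is taken from the hook
output on this page; the file-type list and the sample content are constructed.
"""
import re
import sys
from collections import Counter
from pathlib import Path

IGNORE_RE = re.compile(r"<!--\s*bawbel-ignore:\s*([\w.\-]+)\s*-->")
# Assumed mapping of the hook's types_or: [markdown, yaml, json] to file suffixes.
SCANNED_SUFFIXES = {".md", ".markdown", ".yml", ".yaml", ".json"}


def find_directives(text, path="<memory>"):
    """Return one record per directive: file, line, rule id and the covered text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in IGNORE_RE.finditer(line):
            # Empty when the directive stands alone on its line.
            covered = IGNORE_RE.sub("", line).strip()
            hits.append({"file": path, "line": lineno,
                         "rule": match.group(1), "content": covered})
    return hits


def audit_tree(root):
    """Walk a directory and collect directives from every scanned file type."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend(find_directives(text, str(path)))
    return hits


def summarize(hits):
    """Count suppressions per rule id, most-suppressed first."""
    return dict(Counter(h["rule"] for h in hits).most_common())


# Constructed sample: two suppressions of the rule id shown on this page plus a
# bare directive for a made-up rule id.
SAMPLE_SKILL = """# Fetch helper
fetch https://internal.company.com <!-- bawbel-ignore: bawbel-external-fetch -->
echo done
fetch https://internal.company.com/api <!-- bawbel-ignore: bawbel-external-fetch -->
<!-- bawbel-ignore: some-other-rule -->
"""


def main(argv):
    """Usage: audit_ignores.py [directory]; without an argument the sample is used."""
    if len(argv) > 1:
        hits = audit_tree(argv[1])
    else:
        hits = find_directives(SAMPLE_SKILL, "skill.md")
    for h in hits:
        covered = h["content"] or "(directive alone on line)"
        print(f"{h['file']}:{h['line']}  {h['rule']:<28} {covered}")
    print("per rule:", summarize(hits))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at a checkout (`python audit_ignores.py .`) to get a list reviewers can compare against the entries in `.bawbel-suppress.json`.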
Suppressing a false positive inline:

```markdown
fetch https://internal.company.com <!-- bawbel-ignore: bawbel-external-fetch -->
```

Skip hooks for one commit:

```shell
git commit --no-verify
```

Findings uploaded as SAST report — visible in the GitLab Security Dashboard.
```yaml
# .gitlab-ci.yml
bawbel-scan:
  stage: test
  image: python:3.12-slim
  script:
    - pip install "bawbel-scanner[all]"
    - bawbel scan . --recursive --fail-on-severity high --format sarif
      --output bawbel-results.sarif
  artifacts:
    reports:
      sast: bawbel-results.sarif
    paths:
      - bawbel-results.sarif
    when: always
```

Block merge requests on findings:

```yaml
bawbel-scan:
  stage: test
  image: python:3.12-slim
  script:
    - pip install "bawbel-scanner[all]"
    - bawbel scan . --recursive --fail-on-severity high
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

```groovy
// Jenkinsfile
pipeline {
    agent any
    stages {
        stage('Bawbel Security Scan') {
            steps {
                sh 'pip install "bawbel-scanner[all]"'
                sh 'bawbel scan . --recursive --format sarif'
            }
            post {
                always {
                    // Archive SARIF for downstream processing
                    archiveArtifacts artifacts: 'bawbel-results.sarif',
                                     allowEmptyArchive: true
                }
            }
        }
    }
}
```

Fail the build on HIGH+ findings:

```groovy
stage('Bawbel Security Scan') {
    steps {
        sh '''
            pip install "bawbel-scanner[all]"
            bawbel scan . --recursive --fail-on-severity high
        '''
    }
}
```

With Docker agent:

```groovy
pipeline {
    agent {
        docker { image 'python:3.12-slim' }
    }
    stages {
        stage('Scan') {
            steps {
                sh 'pip install "bawbel-scanner[all]"'
                sh 'bawbel scan . --recursive --fail-on-severity high'
            }
        }
    }
}
```

```yaml
# .circleci/config.yml
version: 2.1
jobs:
  bawbel-scan:
    docker:
      - image: cimg/python:3.12
    steps:
      - checkout
      - run:
          name: Install Bawbel Scanner
          command: pip install "bawbel-scanner[all]"
      - run:
          name: Scan for AVE vulnerabilities
          command: |
            bawbel scan . --recursive --format sarif
      - store_artifacts:
          path: bawbel-results.sarif
          destination: security/bawbel-results.sarif
workflows:
  security:
    jobs:
      - bawbel-scan
```

Fail on HIGH+ findings:

```yaml
- run:
    name: Scan for AVE vulnerabilities
    command: |
      bawbel scan . --recursive --fail-on-severity high
```

```yaml
# azure-pipelines.yml
trigger:
  - main
  - develop
pool:
  vmImage: ubuntu-latest
steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: '3.12'
  - script: pip install "bawbel-scanner[all]"
    displayName: Install Bawbel Scanner
  - script: |
      bawbel scan . --recursive --format sarif
    displayName: Scan for AVE vulnerabilities
  - task: PublishBuildArtifacts@1
    condition: always()
    inputs:
      pathToPublish: bawbel-results.sarif
      artifactName: bawbel-security-report
```

Fail the pipeline on HIGH+ findings:

```yaml
- script: |
    bawbel scan . --recursive --fail-on-severity high
  displayName: Scan for AVE vulnerabilities
  failOnStderr: false
```

```yaml
# bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Bawbel Security Scan
        image: python:3.12-slim
        script:
          - pip install "bawbel-scanner[all]"
          - bawbel scan . --recursive --fail-on-severity high
        artifacts:
          - bawbel-results.sarif
  pull-requests:
    '**':
      - step:
          name: Bawbel Security Scan
          image: python:3.12-slim
          script:
            - pip install "bawbel-scanner[all]"
            - bawbel scan . --recursive --fail-on-severity high
```

```shell
pip install bawbel-scanner                  # pattern engine only
pip install "bawbel-scanner[all]"           # all engines (recommended)
pip install "bawbel-scanner[yara,semgrep]"  # pattern + YARA + Semgrep
pip install "bawbel-scanner[magika]"        # + content-type verification
pip install "bawbel-scanner[llm]"           # + LLM semantic analysis
```

First scan:

```shell
bawbel scan ./skills/ --recursive
```

- bawbel.io — web scanner, docs, enterprise
- bawbel-scanner — CLI scanner
- bawbel-ave — AVE standard (40 records)
- PiranhaDB — AVE threat intelligence API
- Docs
Apache License 2.0 — see LICENSE