CI/CD Integration

Integrate NAT into your CI/CD pipeline to automatically scan your API on every pull request, deployment, or scheduled run.

GitHub Actions (recommended)

Use the official nat-action for zero-config GitHub Actions integration:

# .github/workflows/nat-scan.yml
name: API Security Scan
 
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
 
jobs:
  nat-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
 
      - name: Run NAT API Security Scan
        uses: bg-playground/nat-action@v1
        with:
          api-url: ${{ vars.STAGING_API_URL }}
          api-key: ${{ secrets.NAT_API_KEY }}
          spec: ./openapi.yaml
          fail-on: high
          output-format: sarif
 
      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: nat-results.sarif

`nat-action` inputs

Input	Required	Description	Default
`api-url`	✅	Target API base URL	—
`api-key`	✅	NAT API key (use a secret)	—
`spec`		Path to OpenAPI/Swagger spec	Auto-discover
`auth-type`		`bearer`, `header`, `oauth2`, `none`	`none`
`token`		Auth token	—
`fail-on`		Severity level that fails the build	`high`
`output-format`		`html`, `json`, `sarif`	`sarif`
`output-file`		Report output path	`nat-results.sarif`
`exclude`		Comma-separated path patterns to exclude	—
`concurrency`		Parallel request count	`5`

`nat-action` outputs

Output	Description
`scan-id`	Unique scan identifier
`finding-count`	Total findings count
`critical-count`	Critical severity count
`high-count`	High severity count
`report-url`	URL to full report in NAT dashboard

Other CI/CD platforms

# .gitlab-ci.yml
nat-security-scan:
  stage: test
  image: python:3.11
  script:
    - pip install nat-engine
    - nat scan
        --url "$STAGING_API_URL"
        --spec ./openapi.yaml
        --auth-type bearer
        --token "$API_TOKEN"
        --format sarif
        --output nat-results.sarif
        --fail-on high
  artifacts:
    reports:
      sast: nat-results.sarif
    paths:
      - nat-results.sarif
    when: always
  variables:
    NAT_API_KEY: $NAT_API_KEY

Scan on staging, not production

⚠️

Run CI/CD scans against a staging or test environment, not production. Active security scanning generates anomalous traffic and will trigger alerts, rate limits, or outages on production systems.

A typical pipeline pattern:

Deploy PR to a per-PR staging environment
Run NAT scan against the staging environment
Gate merge if high/critical findings are discovered
Merge to main → deploy to production (no scan needed)

Caching NAT in CI

Speed up pipelines by caching the NAT pip package:

# GitHub Actions
- uses: actions/cache@v4
  with:
    path: ~/.cache/pip
    key: nat-${{ runner.os }}-${{ hashFiles('**/requirements.txt') }}
 
- run: pip install nat-engine

Troubleshooting CI failures

See CI/CD Issues troubleshooting for common problems:

Authentication failures in CI
Target API not reachable from CI runner
Scan timing out
False positives causing build failures

Next steps

GitHub Action reference — full nat-action input/output reference
Integrate with GitHub Actions (how-to) — step-by-step setup
CI/CD Issues — troubleshoot CI scan failures

Security Scanning Docker Deployment