CI/CD Integration

Security testing on every deployment

Add one step to your GitHub Actions or GitLab CI pipeline. Penetrify scans your staging environment and fails the build when it finds something exploitable — before it reaches production.

< 18 min per full scan
1 step to add to any pipeline
0 agents to install

The problem

Security and CI/CD are still running in separate worlds

Your pipelines run tests, lint checks, type checks, and end-to-end suites on every commit. Then once a year, you book a penetration test — and wait three weeks for results that cover the code you shipped last quarter.

Penetrify closes that gap. A single pipeline step runs a full penetration test against your staging environment after every deployment. Critical findings fail the build. Low findings surface in the report. Security becomes part of your definition of done.

Before Penetrify

Annual pentest · 3-week wait · findings land after code ships · 51 weeks of unreviewed changes

After Penetrify

Scan on every deploy · findings in <18 min · critical = build fails · zero unreviewed deploys

Setup in 3 steps

From zero to continuous security testing in 30 minutes

01 Get your API key

Sign up at app.penetrify.cloud. Your API key is on the dashboard — copy it into your CI secrets store as PENETRIFY_API_KEY.

< 2 minutes · Settings → API Keys → Generate

02 Add the pipeline step

Paste the Penetrify scan step into your pipeline YAML, after your staging deployment job. Set the target URL and tell it which severities should fail the build.

< 10 minutes · --fail-on critical,high

03 Push and watch it run

Open a pull request. Penetrify scans staging automatically. Findings appear in the pipeline log and a full report is saved as a build artifact.

< 18 min per scan · ✓ No findings → merge. ✗ Critical → build fails.

Pipeline flow

Where Penetrify fits in your pipeline

Build: compile, lint, unit tests
Deploy staging: push to staging env
Penetrify scan: full pentest — ~18 min
Gate: Critical/High → fail build
Deploy prod: only clean code ships

CRITICAL/HIGH: build fails · deployment blocked · team notified
MEDIUM/LOW: reported in artifact · build continues · tracked

Integration code

Copy, paste, ship

name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    outputs:
      staging_url: ${{ steps.deploy.outputs.url }}
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to staging
        id: deploy
        run: echo "url=https://staging-${{ github.sha }}.myapp.io" >> $GITHUB_OUTPUT

  penetrify-scan:
    needs: deploy-staging
    runs-on: ubuntu-latest
    steps:
      - name: Run Penetrify security scan
        uses: penetrify/scan-action@v1
        with:
          url: ${{ needs.deploy-staging.outputs.staging_url }}
          api-key: ${{ secrets.PENETRIFY_API_KEY }}
          fail-on: critical,high
          report-format: html
          output: penetrify-report.html

      - name: Upload scan report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: penetrify-report.html
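The pipeline flow above ends with a production deploy that runs only when the scan passes, but the workflow stops at the report upload. The job below is an added example written for this page, not part of Penetrify's own documentation, showing how that gate is wired in GitHub Actions; the job name, the `production` environment name and the deploy command are assumptions.

```yaml
  deploy-prod:
    # Runs only if the Penetrify scan job succeeded. A critical/high
    # finding fails that job, so this job is skipped and nothing ships.
    needs: penetrify-scan
    # Promote only pushes to main, never pull-request builds.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Least-privilege token: this job only needs to read the repository.
    permissions:
      contents: read
    # Assumed environment name. GitHub environment protection rules
    # (required reviewers, deployment branches) apply on top of the scan gate.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to production
        # Placeholder for your real deploy command.
        run: ./scripts/deploy.sh production
```

Because `deploy-prod` depends on `penetrify-scan` and the scan step exits non-zero on the severities listed in `fail-on`, a failed gate leaves the production job skipped while the report is still uploaded by the `if: always()` step.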

Why it matters

What changes when security lives in the pipeline

Vulnerabilities caught before production

A finding in CI costs a developer 20 minutes to fix. The same vulnerability discovered by a customer — or an attacker — costs weeks of incident response, breach notification, and reputational damage. Penetrify finds it first.

Regressions caught automatically

Fixed a vulnerability last sprint? Penetrify re-tests it on every subsequent scan. If the fix is accidentally reverted — in a dependency update, a merge conflict, or a refactor — the build fails before the regression reaches staging.

Compliance evidence, automatically

SOC 2, PCI DSS, and ISO 27001 require evidence of regular security testing. Every Penetrify scan produces a timestamped, structured report. Your audit evidence grows automatically with every deployment.

No security team required

Penetrify is designed for development teams. Findings come with reproduction steps and fix guidance written for engineers — not security analysts. Developers fix vulnerabilities in the same workflow they use to fix test failures.

Ship faster with confidence

The fastest teams are the ones who catch problems early. Penetrify removes the security-shaped bottleneck at the end of the release cycle — there's nothing to gate on at release if every PR has already been tested.

Replaces the annual pentest cost

One manual penetration test engagement costs $10,000–$50,000 and tests your code on one day. Penetrify's Professional plan is $600/month — for continuous coverage that manual testing can't match.

Works with any pipeline

GitHub Actions · GitLab CI · CircleCI · Jenkins · Bitbucket Pipelines · Azure DevOps · AWS CodePipeline · Any CLI

Get started

Add security to your pipeline today

One API key. One pipeline step. Security testing on every deployment. Starts at $50/month.