CI/CD Automation

SCC supports non-interactive operation for CI/CD pipelines, automated testing, and scripted workflows.

Non-Interactive Mode

For automation, use flags that prevent interactive prompts:

scc start --non-interactive --team backend ~/project

Key flags:

Flag	Description
--non-interactive	Fail fast instead of prompting
--team TEAM	Specify team (required in non-interactive)
--dry-run	Preview configuration without launching
--json	Machine-readable output

CI Pipeline Examples

Tip

Examples use uv for installs. If you prefer pip, replace uv tool install scc-cli with pip install scc-cli.

GitHub Actions

.github/workflows/scc.yml

name: SCC Validation
on: [push, pull_request]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install uv
        run: |
          curl -LsSf https://astral.sh/uv/install.sh | sh
          echo "$HOME/.local/bin" >> $GITHUB_PATH
          echo "$HOME/.cargo/bin" >> $GITHUB_PATH

      - name: Install SCC
        run: uv tool install scc-cli

      - name: Configure SCC
        run: scc setup --org "$SCC_ORG_SOURCE" --auth env:SCC_ORG_TOKEN --team ci --non-interactive
        env:
          SCC_ORG_SOURCE: ${{ secrets.SCC_ORG_SOURCE }}
          SCC_ORG_TOKEN: ${{ secrets.SCC_ORG_TOKEN }}

      - name: Validate configuration
        run: scc start --dry-run --json --non-interactive --team ci .

GitLab CI

.gitlab-ci.yml

scc-validate:
  image: python:3.12
  script:
    - curl -LsSf https://astral.sh/uv/install.sh | sh
    - export PATH="$HOME/.local/bin:$HOME/.cargo/bin:$PATH"
    - uv tool install scc-cli
    - scc setup --org "$SCC_ORG_SOURCE" --auth env:SCC_ORG_TOKEN --team ci --non-interactive
    - scc start --dry-run --json --non-interactive --team ci .
  variables:
    SCC_ORG_SOURCE: $SCC_ORG_SOURCE
    SCC_ORG_TOKEN: $SCC_ORG_TOKEN

Jenkins

Jenkinsfile

pipeline {
  agent any
  environment {
    SCC_ORG_SOURCE = credentials('scc-org-source')
    SCC_ORG_TOKEN = credentials('scc-org-token')
  }
  stages {
    stage('Validate') {
      steps {
        sh 'curl -LsSf https://astral.sh/uv/install.sh | sh'
        sh 'export PATH="$HOME/.local/bin:$HOME/.cargo/bin:$PATH" && uv tool install scc-cli'
        sh 'export PATH="$HOME/.local/bin:$HOME/.cargo/bin:$PATH" && scc setup --org "$SCC_ORG_SOURCE" --auth env:SCC_ORG_TOKEN --team ci --non-interactive'
        sh 'export PATH="$HOME/.local/bin:$HOME/.cargo/bin:$PATH" && scc start --dry-run --json --non-interactive --team ci .'
      }
    }
  }
}

Dry Run Mode

Preview configuration without actually launching:

scc start --dry-run ~/project

With JSON output for parsing:

scc start --dry-run --json --non-interactive --team backend ~/project

Output:

{
  "apiVersion": "scc.cli/v1",
  "kind": "StartDryRun",
  "metadata": {
    "generatedAt": "2024-01-15T10:30:00Z",
    "cliVersion": "1.6.3"
  },
  "status": {
    "ok": true,
    "errors": [],
    "warnings": []
  },
  "data": {
    "workspace_root": "/home/runner/project",
    "entry_dir": "/home/runner/project",
    "mount_root": "/home/runner/project",
    "container_workdir": "/home/runner/project",
    "team": "backend",
    "plugins": [
      { "name": "scc-safety-net@sandboxed-code-official", "source": "resolved" },
      { "name": "java-analyzer@internal", "source": "resolved" }
    ],
    "blocked_items": [],
    "network_policy": "corp-proxy-only",
    "ready_to_start": true,
    "resolution_reason": "Git repository detected at: /home/runner/project"
  }
}

Exit Codes

Use exit codes for pipeline logic:

Code	Meaning
0	Success
2	Usage error (bad arguments)
3	Configuration error
4	Tool error (Docker, git)
5	Prerequisites not met
6	Governance block
130	Cancelled (SIGINT)

scc start --dry-run --non-interactive --team ci .
exit_code=$?

if [ $exit_code -eq 6 ]; then
  echo "Configuration blocked by governance policy"
  exit 1
fi

CI Secrets (Recommended)

Define secrets in your CI system and pass them into scc setup:

Variable	Description
SCC_ORG_SOURCE	Org config source (URL or shorthand)
SCC_ORG_TOKEN	Auth token for private configs

export SCC_ORG_SOURCE="https://example.com/org-config.json"
export SCC_ORG_TOKEN="your-token"

scc setup --org "$SCC_ORG_SOURCE" --auth env:SCC_ORG_TOKEN --team ci --non-interactive
scc start --dry-run --json --non-interactive --team ci .

CI-Specific Team Profile

Create a minimal CI profile:

{
  "profiles": {
    "ci": {
      "description": "CI/CD pipeline profile",
      "additional_plugins": [],
      "session": {
        "timeout_hours": 1,
        "auto_resume": false
      },
      "network_policy": "isolated"
    }
  }
}

Tip

CI profiles typically need minimal plugins and short timeouts since they’re ephemeral.

Note

session.auto_resume is advisory only in v1. It is accepted but not enforced at runtime.

Validating Team Config

In CI, validate your team config changes:

# Validate team config file
scc team validate --file team-config.json

# Validate the resolved team (requires org config)
scc team validate ci

Plugin Auditing in CI

Audit plugins as part of your pipeline:

scc audit plugins --json

Check for unexpected plugins or changes.

Caching Considerations

CI runners start fresh each time. Consider:

• Pre-warming: Cache ~/.cache/scc/ between runs
• Offline mode: Use --offline if config is embedded
• Config caching: Cache org config to avoid network calls

GitHub Actions

- uses: actions/cache@v4
  with:
    path: ~/.cache/scc
    key: scc-cache-${{ hashFiles('**/org-config.json') }}

Security Considerations

Danger

Never expose SCC_ORG_SOURCE or auth tokens in logs. Use secrets management.

• Store org source and tokens in CI secrets
• Use token auth for private config repos
• Review what gets logged (use --json to control output)
• Consider network isolation for CI containers
• Note: network_policy is partial enforcement in v1 (see Security Model)