
Example Integrations

The following code snippets are meant as simple example implementations, and illustrate how you might integrate fidesctl using various popular CI pipeline tools. Always inspect, understand, and test your production CI configuration files.


GitHub Actions

.github/workflows/fidesctl_ci.yml
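name: Fidesctl CI

# Only check on Pull Requests that target main
on:
  pull_request:
    branches:
      - main
    paths: # Only run checks when the resource files change or the workflow file changes
      - .fides/**
      - .github/workflows/fidesctl_ci.yml

jobs:
  fidesctl_ci:
    runs-on: ubuntu-latest
    container:
      # A mutable tag is used for brevity; pin to a released version or an image
      # digest so the check is reproducible and cannot change underneath the pipeline.
      image: ethyca/fidesctl:latest
    steps:
      # A step may use either `uses` or `run`, never both: check the repository
      # out in one step and run the evaluation in the next.
      - name: Checkout
        uses: actions/checkout@v2
      - name: Dry Evaluation
        run: fidesctl evaluate --dry .fides/
        env:
          FIDESCTL__CLI__SERVER_HOST: "fidesctl.privacyco.com"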
.github/workflows/fidesctl_cd.yml
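name: Fidesctl CD

# Run the check every time a new commit hits the default branch
on:
  push:
    branches:
      - main
    tags:
      - "*"

jobs:
  fidesctl_cd:
    runs-on: ubuntu-latest
    container:
      # A mutable tag is used for brevity; pin to a released version or an image
      # digest so the evaluation is reproducible and cannot change underneath the pipeline.
      image: ethyca/fidesctl:latest
    steps:
      # A step may use either `uses` or `run`, never both: check the repository
      # out in one step and run the evaluation in the next.
      - name: Checkout
        uses: actions/checkout@v2
      - name: Evaluation
        run: fidesctl evaluate .fides/
        env:
          FIDESCTL__CLI__SERVER_HOST: "fidesctl.privacyco.com"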

GitLab CI

.gitlab-ci.yml
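stages:
  - test
  - deploy

# Global variables already apply to every job; the anchor lets a job merge them
# explicitly next to any job-specific variables it adds.
variables: &global-variables
  FIDESCTL__CLI__SERVER_HOST: "fidesctl.privacyco.com"

fidesctl-ci:
  stage: test
  # A mutable tag is used for brevity; pin to a released version or digest for reproducible runs.
  image: ethyca/fidesctl:latest
  script: fidesctl evaluate --dry .fides/
  # `only:` has no `if:` form, and the comparison needs `==` with a quoted value.
  # `rules:` carries both the pipeline-source check and the changed-path filter;
  # both must hold for the job to run.
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      changes:
        - .fides/**
        - .gitlab-ci.yml
  variables:
    <<: *global-variables

fidesctl-cd:
  stage: deploy
  image: ethyca/fidesctl:latest
  script: fidesctl evaluate .fides/
  # `if:` is not a job keyword on its own; it belongs under `rules:`.
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
  variables:
    <<: *global-variables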

Jenkins

Jenkinsfile (Declarative Syntax)
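pipeline {
  agent {
    docker {
      // A mutable tag is used for brevity; pin to a released version or digest for reproducible runs.
      image 'ethyca/fidesctl:latest'
    }
  }
  // Declarative `environment` entries are assignments (`=`), not `key: value`
  // pairs; declared once at pipeline level so both stages see the same host.
  environment {
    FIDESCTL__CLI__SERVER_HOST = 'fidesctl.privacyco.com'
  }
  stages {
    stage('test') {
      steps {
        sh 'fidesctl evaluate --dry .fides/'
      }
      // Every condition inside `when` must hold: a change request that touches
      // the resource files or this Jenkinsfile.
      when {
        anyOf {
          changeset '.fides/**'
          changeset 'Jenkinsfile'
        }
        changeRequest()
      }
    }
    stage('deploy') {
      steps {
        sh 'fidesctl evaluate .fides/'
      }
      when {
        branch 'main'
      }
    }
  }
}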

CircleCI

.circleci/config.yml
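version: 2.1

executors:
  fidesctl:
    docker:
      # A mutable tag is used for brevity; pin to a released version or digest for reproducible runs.
      - image: ethyca/fidesctl:latest
        environment:
          FIDESCTL__CLI__SERVER_HOST: 'fidesctl.privacyco.com'

jobs:
  fidesctl-evaluate-dry:
    executor: fidesctl
    steps:
      # CircleCI does not clone the repository implicitly; without this step the
      # .fides/ directory is absent from the working directory.
      - checkout
      - run: fidesctl evaluate --dry .fides/

  fidesctl-evaluate:
    executor: fidesctl
    steps:
      - checkout
      - run: fidesctl evaluate .fides/

workflows:
  version: 2
  test:
    jobs:
      - fidesctl-evaluate-dry:
          filters:
            branches:
              ignore: main

  deploy:
    jobs:
      - fidesctl-evaluate:
          filters:
            branches:
              only: main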

Azure Pipelines

.azure-pipelines.yml
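# Dry-run the evaluation on pull requests that target main, and run the real
# evaluation on commits to the default branch. Both triggers share one document:
# a second top-level `jobs:` key would silently replace the first in most YAML
# parsers, so both jobs sit in a single list and are selected by `condition`.
pr:
  - main

trigger:
  - main

jobs:
  - job: "fidesctl_evaluate_dry"
    condition: eq(variables['Build.Reason'], 'PullRequest')
    pool:
      vmImage: ubuntu-latest
    container:
      # A mutable tag is used for brevity; pin to a released version or digest for reproducible runs.
      image: ethyca/fidesctl:latest
    steps:
      - checkout: self
      - script: fidesctl evaluate --dry .fides/
        displayName: "Fidesctl Dry Evaluation"

  - job: "fidesctl_evaluate"
    condition: eq(variables['Build.SourceBranch'], 'refs/heads/main')
    pool:
      vmImage: ubuntu-latest
    container:
      image: ethyca/fidesctl:latest
    steps:
      - checkout: self
      - script: fidesctl evaluate .fides/
        displayName: "Fidesctl Evaluation"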