Getting Started with CAST
This guide walks you through adding a production-grade DevSecOps pipeline to your repository in under five minutes.
Prerequisites
- A GitHub repository with GitHub Actions enabled
- Python 3.9+ (only required for the cast CLI)
No external accounts, tokens, or SaaS subscriptions are required.
Step 1: Install the CLI
pip install castops
Verify the installation:
cast --help
Step 2: Initialize Your Pipeline
Navigate to your project root and run:
cast init
CAST will auto-detect your project type and write the workflow file:
CAST - CI/CD Automation & Security Toolkit
Detected project type: python
Downloading template... done
✓ Created .github/workflows/devsecops.yml
Commit and push to activate your DevSecOps pipeline:
git add .github/workflows/devsecops.yml
git commit -m 'ci: add CAST DevSecOps pipeline'
git push
If auto-detection fails (no pyproject.toml, requirements.txt, etc.), specify the type explicitly:
cast init --type python
The template is fetched over the network at init time, so open the generated devsecops.yml and review which actions it references, and how they are pinned, before you commit it.
Step 3: Commit and Push
git add .github/workflows/devsecops.yml
git commit -m "ci: add CAST DevSecOps pipeline"
git push
GitHub Actions will pick up the workflow and run your first pipeline immediately.
Step 4: Review Your First Run
- Go to your repository on GitHub
- Click the Actions tab
- You should see "CAST DevSecOps" running
The pipeline runs six jobs:
| Job | Tool | What to Expect |
|---|---|---|
| Secrets Detection | Gitleaks | Pass if no secrets in git history |
| SAST | Semgrep | Pass with open-source rules; add a Semgrep cloud token for more rules |
| SCA | pip-audit | Pass if no known vulnerabilities in your dependencies |
| Container Security | Trivy | Skipped if no Dockerfile |
| Code Quality | Ruff | Pass if code meets style rules |
| Security Gate | Built-in | Passes if all critical checks pass |
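The Security Gate row is the one job whose behaviour is not obvious from its tool name. The following shell function, added here as an illustration and not CAST's own gate implementation, shows the decision a gate job can make over the results of the jobs it depends on. In GitHub Actions a job that declares `needs:` sees each dependency's outcome as `needs.<job>.result`, one of success, failure, cancelled or skipped. The job names (secrets, sast, sca, container, quality) and the choice of which jobs may legitimately be skipped are assumptions for the example.

```shell
#!/bin/sh
# Added example, not CAST's own gate implementation: the decision logic a
# "Security Gate" job can apply to the results of the jobs it depends on.
# Each result is one of: success, failure, cancelled, skipped.
# Job names below are assumed for illustration.

# Jobs that may legitimately be skipped (the Container Security job is skipped
# when there is no Dockerfile). Every other job must succeed.
OPTIONAL_JOBS="container"

is_optional() {
  for j in $OPTIONAL_JOBS; do
    [ "$j" = "$1" ] && return 0
  done
  return 1
}

# security_gate job=result [job=result ...]
# Prints one line per job; returns 0 only if the gate passes.
security_gate() {
  failed=0
  for pair in "$@"; do
    job=${pair%%=*}
    result=${pair#*=}
    case "$result" in
      success)
        echo "PASS $job" ;;
      skipped)
        if is_optional "$job"; then
          echo "PASS $job (skipped, optional)"
        else
          echo "FAIL $job (skipped but required)"; failed=1
        fi ;;
      failure|cancelled)
        echo "FAIL $job ($result)"; failed=1 ;;
      *)
        # Anything unexpected is a failure: a gate must fail closed.
        echo "FAIL $job (unknown result '$result')"; failed=1 ;;
    esac
  done
  return $failed
}

# Stand-alone demo with constructed results. In a workflow, pass
# "${{ needs.<job>.result }}" for each value instead.
if [ "${1:-}" = "--demo" ]; then
  security_gate secrets=success sast=success sca=success \
                container=skipped quality=success
fi
```

Inside a workflow the gate job declares `needs:` on the scanning jobs and passes each `${{ needs.<job>.result }}` to the function. Give the gate job `if: always()`: without it the gate itself is skipped whenever a dependency fails, and GitHub reports a skipped job as successful to branch protection, so a failed scan would not block the merge.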
Step 5: View Security Findings
All findings from Semgrep and Trivy are uploaded to GitHub code scanning, which you reach from the Security tab:
- Go to your repository → Security tab
- Click "Code scanning alerts"
- Review any findings
Code scanning is free for public repositories; private repositories need GitHub Advanced Security before the upload is accepted. New findings also appear as annotations on the changed lines in the Files changed tab of future pull requests.
Step 6: Enforce the Gate (Optional but Recommended)
To prevent merging pull requests that fail the Security Gate:
- Go to Settings → Branches
- Click "Add branch protection rule"
- Set Branch name pattern to main
- Enable "Require status checks to pass before merging"
- Search for and select "Security Gate"
- Save the rule
The check only appears in that search once it has run at least once on the repository, so complete Step 4 first. From now on, any pull request with security failures will be blocked from merging.
Optional: Enable Semgrep Cloud
For additional security rules and a centralized findings dashboard:
- Sign up at semgrep.dev (free tier available)
- Go to Settings → Tokens and create a CI token
- In your GitHub repository, go to Settings → Secrets and variables → Actions
- Add a secret named SEMGREP_APP_TOKEN with your token value
The pipeline will automatically use your cloud token on the next run.
Manual Installation (No CLI)
If you prefer not to install the CLI, copy the template directly:
# Create the workflows directory
mkdir -p .github/workflows
# Download the Python template
curl -o .github/workflows/devsecops.yml \
https://raw.githubusercontent.com/castops/cast/main/src/cast_cli/templates/python/devsecops.yml
# Commit and push
git add .github/workflows/devsecops.yml
git commit -m "ci: add CAST DevSecOps pipeline"
git push
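Whether you use cast init or curl, the workflow arrives from a raw GitHub URL and, once committed, runs with access to your repository. The script below, added here and not part of CAST, lists the actions a workflow file references and flags any that are pinned to a mutable tag or branch rather than a full commit SHA; that is the review worth doing before the commit step above. The sample workflow it writes is constructed for the demo and is not the CAST template.

```shell
#!/bin/sh
# Added example, not part of CAST: before committing a workflow fetched from a
# raw GitHub URL, list the actions it pulls in and flag any that are not
# pinned to a full 40-hex commit SHA.
# Usage: list_actions FILE ; unpinned_actions FILE

# Constructed sample workflow for the stand-alone demo (not the CAST template).
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: sample
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Secrets detection
        uses: gitleaks/gitleaks-action@e1f9d8b6c0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5 # v2.3.6
      - uses: ./.github/actions/local-helper
      - run: echo "no action here"
EOF
}

# Print every `uses:` target in FILE once, with trailing comments stripped.
# Handles both "- uses: x" and a "uses:" key that follows a "name:" key.
list_actions() {
  sed -n 's/^[[:space:]]*\(-[[:space:]]*\)\{0,1\}uses:[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*#.*$//' \
    | sort -u
}

# Print targets that are neither local (./...) nor pinned to a 40-hex SHA.
# Tags such as @v4 can be moved to point at different code after you review it.
unpinned_actions() {
  list_actions "$1" | grep -v '^\./' | grep -Ev '@[0-9a-f]{40}$' || true
}

# Stand-alone demo.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample_workflow "$f"
  echo "actions used:"; list_actions "$f"
  echo "not pinned to a commit SHA:"; unpinned_actions "$f"
  rm -f "$f"
fi
```

Run it as `sh check_actions.sh --demo` for the built-in sample, or call `unpinned_actions .github/workflows/devsecops.yml` on the file you just downloaded. A local action path (./...) is excluded because it is part of your own repository and is reviewed like any other code.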
Next Steps
- Read the Pipeline Reference for a full technical breakdown of each job, how to customize thresholds, and how to suppress false positives
- Read the CLI Reference for all available options
- See CONTRIBUTING.md to add support for a new language stack