Shield — CI/CD Security Scanner

BleedWatch Shield is an AI-powered CI/CD security autopilot. It scans your GitHub repositories for misconfigurations in GitHub Actions workflows, Dockerfiles, Docker Compose files, and other CI/CD assets.

How Shield Works

Shield uses the BleedWatch GitHub App to:

  1. Receive webhook events when you push code
  2. Analyze changed files against 61+ security rules
  3. Post findings as pull request comments with fix suggestions
  4. Track security scores per repository over time

Installation

Step 1: Connect GitHub

Navigate to Shield in the dashboard sidebar and click Install GitHub App.

A GitHub popup will open. Select your organization or personal account and grant repository access.

State Parameter

BleedWatch embeds a signed state token in the install URL. If the popup is blocked or the redirect fails, BleedWatch will automatically search for your recent installation after the connection wizard times out.
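The page does not show BleedWatch's token format, so the following is an added illustration of what a signed state token in an install URL does: it binds the GitHub callback to the user who started the flow, expires, and cannot be forged or altered without the server-side key. This is example code, not BleedWatch's implementation; the key, payload layout, app slug and URL shape are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed key for this example only; a real deployment loads it from a
# secret store and rotates it. The payload layout below is an assumption.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_payload(payload: dict) -> str:
    """Compact JSON, base64url-encoded, with no padding (URL-safe)."""
    return _b64url(json.dumps(payload, separators=(",", ":")).encode())


def issue_state(user_id: str, ttl_seconds: int = 600, now: Optional[float] = None) -> str:
    """Mint a state token bound to the user who clicked Install GitHub App.

    The token carries the user id, a random nonce and an expiry, and is
    authenticated with HMAC-SHA256 so the callback handler can distinguish a
    token it issued from one a third party crafted or modified.
    """
    now = time.time() if now is None else now
    payload = {"uid": user_id, "nonce": secrets.token_hex(8), "exp": int(now) + ttl_seconds}
    body = encode_payload(payload)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_state(token: str, expected_user: str, now: Optional[float] = None) -> bool:
    """Accept the callback only if the token is authentic, unexpired and
    belongs to the user whose session is handling the redirect."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected_sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(expected_sig, _b64url_decode(sig_text)):
            return False
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token, bad base64 or bad JSON
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return False
    return payload.get("uid") == expected_user


def install_url(state: str) -> str:
    # Hypothetical URL shape; the real app slug is not given on this page.
    return f"https://github.com/apps/EXAMPLE-APP-SLUG/installations/new?state={state}"


if __name__ == "__main__":
    token = issue_state("user-42")
    print(install_url(token))
    print("callback accepted:", verify_state(token, "user-42"))
```

Because the token is signed rather than stored, the callback handler can validate it statelessly; the nonce and expiry limit how long a captured install URL stays usable, which matters when a popup is blocked and the user retries the flow later.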

Step 2: Sync Repositories

After the GitHub App is installed, click Sync Repositories to import your repos.

Step 3: Run a Scan

Click Scan on any repository to trigger an immediate analysis.

Security Rules

Shield checks for:

Category         Examples
GitHub Actions   Unpinned actions, secrets in env vars, GITHUB_TOKEN misuse
Dockerfiles      Running as root, latest image tags, exposed ports, secrets via ARG
Docker Compose   Privileged containers, host network mode, writable bind mounts
General          .env files tracked in git, hardcoded credentials

Security Scores

Each repository receives a score from 0–100 based on open findings:

  • 80–100 — Good security posture
  • 50–79 — Some issues to address
  • 0–49 — Critical issues present
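To make the rule categories above and the score bands concrete, here is an added example of a small scanner in the same spirit: line-based checks for a handful of the listed rules (unpinned actions and a write-all GITHUB_TOKEN grant, floating base-image tags, secrets via ARG and a missing non-root USER, privileged containers, host networking and writable bind mounts, a tracked .env file), run over a constructed repository snapshot, and a score mapped onto the documented bands. This is not Shield's code: Shield's 61+ rules, their severities and its scoring formula are not on this page, so the rule names, severities and the deduction weights are assumptions, and the sample repository contents (including the 40-character hex ref) are made up.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high", "medium" or "low"
    location: str
    message: str

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SECRET_NAME = re.compile(r"password|passwd|secret|token|api[_-]?key", re.IGNORECASE)

def check_workflow(path, text):
    """GitHub Actions: unpinned actions and a blanket write-all GITHUB_TOKEN grant."""
    found = []
    for no, raw in enumerate(text.splitlines(), 1):
        line, where = raw.strip().lstrip("- ").strip(), f"{path}:{no}"
        m = re.match(r"uses:\s*([^\s#]+)", line)
        # A tag or branch ref can be moved later; only a full commit SHA is immutable.
        if m and not m.group(1).startswith(("./", "docker://")) and not FULL_SHA.match(m.group(1).partition("@")[2]):
            found.append(Finding("actions/unpinned-action", "medium", where, f"{m.group(1)} not pinned to a commit SHA"))
        if re.match(r"permissions:\s*write-all", line):
            found.append(Finding("actions/token-write-all", "high", where, "GITHUB_TOKEN has write-all; scope it per job"))
    return found

def check_dockerfile(path, text):
    """Dockerfiles: floating base-image tag, secret passed via ARG, no non-root USER."""
    found, last_user = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line, where = raw.strip(), f"{path}:{no}"
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = arg.split()[0]  # drop any "AS stage" suffix
            tag = "digest" if "@sha256:" in image else image.split("/")[-1].partition(":")[2]
            if image.lower() != "scratch" and tag in ("", "latest"):
                found.append(Finding("docker/unpinned-base-image", "medium", where, f"{image} uses a floating tag"))
        elif instr == "USER":
            last_user = arg.strip()
        elif instr == "ARG" and SECRET_NAME.search(arg):  # build args persist in image history
            found.append(Finding("docker/secret-in-arg", "high", where, f"ARG {arg.split('=')[0]} looks like a secret"))
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        found.append(Finding("docker/runs-as-root", "high", path, "no non-root USER; processes run as root"))
    return found

def check_compose(path, text):
    """Compose: privileged containers, host networking, writable bind mounts (line heuristics)."""
    found = []
    for no, raw in enumerate(text.splitlines(), 1):
        line, where = raw.strip(), f"{path}:{no}"
        if re.match(r"privileged:\s*true", line):
            found.append(Finding("compose/privileged", "high", where, "privileged: true disables container isolation"))
        elif re.match(r"network_mode:\s*['\"]?host", line):
            found.append(Finding("compose/host-network", "high", where, "shares the host network namespace"))
        elif re.match(r"-\s*['\"]?(/|\./|~/|\$)", line) and not line.rstrip("'\"").endswith(":ro"):
            found.append(Finding("compose/writable-bind-mount", "medium", where, f"{line.lstrip('- ')} is writable; add :ro"))
    return found

def scan_repo(files, tracked_paths):
    """files maps repo path -> content; tracked_paths lists every path git tracks."""
    found = []
    for path, text in files.items():
        base = path.split("/")[-1]
        if path.startswith(".github/workflows/") and base.endswith((".yml", ".yaml")):
            found += check_workflow(path, text)
        elif base == "Dockerfile":
            found += check_dockerfile(path, text)
        elif base in ("docker-compose.yml", "docker-compose.yaml", "compose.yml", "compose.yaml"):
            found += check_compose(path, text)
    # General rule: a committed .env file almost always carries credentials.
    found += [Finding("general/env-file-tracked", "high", p, ".env is tracked in git") for p in tracked_paths if p.split("/")[-1] == ".env"]
    return found

WEIGHTS = {"high": 10, "medium": 5, "low": 2}  # assumed deductions; the page gives no formula

def security_score(findings):
    return max(0, 100 - sum(WEIGHTS[f.severity] for f in findings))

def score_band(score):
    """Bands as documented: 80-100 good, 50-79 some issues, 0-49 critical."""
    return "Good security posture" if score >= 80 else "Some issues to address" if score >= 50 else "Critical issues present"

# Constructed repository snapshot; the 40-hex ref below is made up, not a real commit.
SAMPLE_REPO = {
    ".github/workflows/ci.yml": ("permissions: write-all\njobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n"
                                 "      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567\n"),
    "Dockerfile": 'FROM python:latest\nARG API_KEY\nCOPY . /app\nCMD ["python", "/app/main.py"]\n',
    "docker-compose.yml": ("services:\n  app:\n    image: app:1.0\n    privileged: true\n    network_mode: host\n"
                           "    volumes:\n      - ./data:/data\n      - ./config:/config:ro\n"),
}
SAMPLE_TRACKED = [".env", "Dockerfile", "src/app.py"]

if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO, SAMPLE_TRACKED)
    print(*(f"[{f.severity}] {f.rule} {f.location}: {f.message}" for f in results), sep="\n")
    print(security_score(results), score_band(security_score(results)))
```

The checks are deliberately line-oriented so the example runs without a YAML parser; a production scanner would parse the workflow and compose documents properly (for example to tell a workflow-level env block from a step-level one) and would report each finding with the fix it expects, which is what Shield's pull request comments are described as doing.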

Troubleshooting

Connection Not Detected

If BleedWatch doesn't detect your GitHub App installation after 60 seconds:

  1. The wizard will automatically search for recent installations
  2. If not found, click Re-check connection in the troubleshooting toolbar
  3. If still failing, click Reset & start over and reinstall the GitHub App

Some browsers block popups by default. Allow popups for app.bleedwatch.com in your browser settings, then click Install GitHub App again.

No Permission to Install

Ask your GitHub organization owner to install the BleedWatch GitHub App on your behalf.