Integrations
Flyingduck provides flexible integration options to fit different development environments, whether your source code is hosted in the cloud or on on-premise servers. These integrations ensure that your repositories are continuously monitored for changes, scanned efficiently, and reported with actionable insights. Integrate Flyingduck with your repositories and CI/CD pipelines to enable continuous security analysis, dependency inventory (SBOM), SCA, and secrets detection. Flyingduck supports multiple integration modes so teams can pick the right balance of control, speed, and operational overhead.
Integration options
App Integration
Overview
In the Cloud Native Integration, you install the Flyingduck App in your cloud VCS organization. Once installed, the App monitors repository events and performs lightweight, focused scans, including PR checks, directly in the cloud. This approach does not require setting up a VM, configuring a runner, or using a Flyingduck API key for cloud-hosted repositories.
How it works
- App receives repo events (push, PR) and triggers scans.
- Pull requests are scanned for changed files; new issues are surfaced as PR checks.
- SCA results include Flyingduck recommended versions for vulnerable packages.
- The App requires code access to the selected repositories, because the security scans run directly within Flyingduck.
When to choose
- Cloud-hosted repositories where fast onboarding and PR feedback are priorities.
- Teams that want minimal operational setup and immediate PR-level insights.
Runner-based integration
Overview
In the Runner App Integration, you install the Flyingduck App in your cloud VCS organization to monitor repository events. The scans themselves, however, execute locally on a Flyingduck Runner deployed inside your environment (a VM). This model suits environments that require scanning within private networks, or where scan execution needs to remain under your control. Because the scan runs within your infrastructure, the runner must be installed and configured by you.
How it works
- App receives repo events (push, PR) and triggers scans.
- Runner pulls code, executes containerized scans, and pushes results to the portal.
When to choose
- Private networks, restricted environments, or where local execution policy is required.
Workflows / Pipelines (CI integration)
Overview
Run Flyingduck scans from your CI/CD pipeline to evaluate commits, branches, or scheduled windows. This mode is flexible and integrates with existing pipeline flows (build, test, deploy).
How it works
- Add a scan step to your pipeline using the Flyingduck scanner (Docker/CLI).
- Store the Flyingduck API key as a pipeline secret to authenticate scanner runs.
- Pipeline scans can run on push, PR, or scheduled triggers.
When to choose
- Teams that want scans as part of CI (pre-merge full-scan, nightly vulnerability sweeps).
- Use for deeper or long-running scans that complement PR checks.
CLI / On-Demand
Overview
Run the Flyingduck scanner locally against a checked-out repo for ad-hoc validation (developer workstations, pre-commit checks, or manual investigations).
How it works
- Clone the repository locally and run the Flyingduck CLI/Docker scanner.
- Results are available locally and can be uploaded to the portal using the API key.
When to choose
- Ad-hoc investigations, developer validation, pre-commit checks, or offline scanning.
Express App Integration (GitHub Cloud Only)
We understand that not every team wants to deal with lengthy configurations, branch rules, or setting up a dedicated runner.
To simplify onboarding, Flyingduck now offers a lightweight app integration that works with minimal setup steps.
Key Benefits
- Minimal Setup – No need to configure runners, environment variables, or branch policies.
- Developer-Friendly – Quick install and start scanning without complex CI/CD integration.
- PR-Level Insights – Automatically scans pull requests for changed files and reports findings directly under GitHub checks.
Quick Setup Checklist
CLI Mode
- Read access to the repository
- Repository cloned locally
- Docker installed and running
- Flyingduck API key generated
Workflows / Pipelines Mode
- Admin access to the repository
- Flyingduck API key generated
- API key stored as an environment variable
- Docker installed and running in the workflow environment
On-Premise VM (Runner with App Integration)
- VM setup with Ubuntu 22.04 or 24.04
- Minimum system requirements met (2 CPU cores, 8 GB RAM, 30 GB disk)
- Docker installed and running on the VM
- Admin access to the organization
- Flyingduck API key generated
For detailed VM setup instructions, refer to the prerequisites section.
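As an added example (not Flyingduck's own tooling), the following POSIX shell preflight script verifies the on-premise VM checklist above before a runner is installed: OS version, CPU cores, RAM, free disk, a running Docker daemon, and the presence of the API key. The environment variable name FLYINGDUCK_API_KEY is an assumption; the thresholds are the ones listed in the checklist.

```shell
#!/bin/sh
# Preflight check for a Flyingduck runner VM (added example, not Flyingduck's own tooling).
# Thresholds come from the checklist above; the FLYINGDUCK_API_KEY variable name is assumed.
set -u

MIN_CPU=2
MIN_RAM_GB=8
MIN_DISK_GB=30

# check_requirements OS_ID OS_VERSION CPU_CORES RAM_GB FREE_DISK_GB DOCKER_STATE API_KEY
# Pure function over its arguments: prints every failed requirement, returns 0 only if all pass.
check_requirements() {
  os_id=$1; os_ver=$2; cpus=$3; ram=$4; disk=$5; docker_state=$6; key=$7
  fails=0
  case "$os_id:$os_ver" in
    ubuntu:22.04|ubuntu:24.04) ;;
    *) echo "FAIL: OS must be Ubuntu 22.04 or 24.04 (got $os_id $os_ver)"; fails=$((fails+1)) ;;
  esac
  [ "$cpus" -ge "$MIN_CPU" ]      || { echo "FAIL: need >= $MIN_CPU CPU cores (got $cpus)"; fails=$((fails+1)); }
  [ "$ram" -ge "$MIN_RAM_GB" ]    || { echo "FAIL: need >= $MIN_RAM_GB GB RAM (got $ram)"; fails=$((fails+1)); }
  [ "$disk" -ge "$MIN_DISK_GB" ]  || { echo "FAIL: need >= $MIN_DISK_GB GB free disk (got $disk)"; fails=$((fails+1)); }
  [ "$docker_state" = "running" ] || { echo "FAIL: Docker daemon is not running"; fails=$((fails+1)); }
  [ -n "$key" ]                   || { echo "FAIL: FLYINGDUCK_API_KEY is not set"; fails=$((fails+1)); }
  [ "$fails" -eq 0 ]
}

# Collect live values from this host and run the check. RAM is rounded to the nearest GiB
# because an 8 GB VM typically reports slightly less than 8 GiB in /proc/meminfo.
preflight() {
  ID=unknown; VERSION_ID=unknown
  [ -r /etc/os-release ] && . /etc/os-release
  cpus=$(nproc 2>/dev/null || echo 0)
  mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null || echo 0)
  ram=$(( (mem_kb + 524288) / 1048576 ))
  disk=$(df -BG --output=avail / 2>/dev/null | tail -n 1 | tr -dc '0-9')
  docker_state=$(docker info >/dev/null 2>&1 && echo running || echo stopped)
  check_requirements "$ID" "$VERSION_ID" "$cpus" "$ram" "${disk:-0}" "$docker_state" "${FLYINGDUCK_API_KEY:-}"
}
```

Run `preflight` on the VM; a non-zero exit lists every unmet requirement so they can be fixed before the runner is installed.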
Supported Version Control Systems (VCS)
Flyingduck provides App and runner-based integrations for major VCS providers.
Notes & best practices
- Least privilege: When installing the App, select only the repositories required to start scanning; expand scope as needed.
- Avoid duplicate scans: If you use both App and pipelines, scope triggers to prevent overlapping scans on the same events.
- Secrets management: Store Flyingduck API keys as pipeline secrets or in your secrets manager.
- Runner maintenance: Keep runner OS and Docker updated and monitor resource usage for scheduled scans.
- PR scan design: Use App-driven PR checks for fast feedback and pipeline scans for deeper validation.