Prerequisites
STAR drives your own toolchain to build and run the target application, so a few tools need to be available on your CI runner.
Required tools
| Tool | Why STAR needs it |
|---|---|
| Docker | Builds and runs the target application (and its companion services) in a container |
| Docker Compose | Orchestrates multi-service apps (database, cache, etc.) alongside your application |
| Git | Checks out the target repository and commits/pushes the fix branch |
These are not bundled in the STAR binary — install them on the runner before running STAR. On hosted CI runners (GitHub-hosted ubuntu-latest, Azure Pipelines' ubuntu-latest image, CircleCI's ubuntu-2404 machine image, Bitbucket's atlassian/default-image:4) all three are already preinstalled. Self-hosted runners and Jenkins nodes must provide them.
CircleCI and GitLab note
On CircleCI, use the `machine` executor (a full VM) — the `docker` executor with remote Docker can't reach the scanned app on `localhost`.
On GitLab, use a runner that runs Docker on its host (a shell executor on a Docker host, or a `docker` executor with docker-in-docker configured) — a plain `docker` executor without dind/networking can't reach the app on `localhost` either.
Credentials you'll need
| Credential | Where to get it |
|---|---|
| Bright API token (BRIGHT_TOKEN) | app.brightsec.com → your account → API keys |
| Inference (AI) token (INFERENCE_TOKEN / OPENAI_API_KEY) | Your chosen AI provider — see AI / Inference Providers |
| Repository access token (REPO_ACCESS_TOKEN) | Required on GitLab, Bitbucket, CircleCI, and Jenkins. Not needed as a separate secret on GitHub Actions (GITHUB_TOKEN) or Azure Pipelines (System.AccessToken) — see Secrets |
Network access
STAR needs outbound network access to:
- Your Bright hostname (app.brightsec.com by default) — to drive the dynamic scan engine through a Bright Repeater
- Your inference endpoint — OpenAI, GitHub Models, Ollama, or your own gateway
- Your source-control provider — to push the fix branch and open the pull request
No inbound access is required. This is why STAR works in private networks and air-gapped environments — see Intro → Where it runs.
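A runner preflight script, added here as an example (it is not part of STAR or its documentation), that checks the three requirement groups on this page before STAR is invoked: the required tools and a reachable Docker daemon, the secrets, and outbound HTTPS reachability. The tool list, the secret names and the app.brightsec.com hostname come from the page; the function names, the `BRIGHT_HOSTNAME` and `INFERENCE_HOST` variables and the script name `preflight.sh` are assumptions. A failed Docker daemon check is the symptom you get on a CircleCI `docker` executor with remote Docker, which is why the note above recommends the `machine` executor.

```shell
#!/bin/sh
# Added example, not STAR's own code: verify the runner prerequisites
# before running STAR. Tool names and secret names are from the page;
# BRIGHT_HOSTNAME / INFERENCE_HOST and the function names are assumptions.

# Return 0 if a command is on PATH, 1 otherwise.
have_tool() {
    command -v "$1" >/dev/null 2>&1
}

# Return 0 if "docker compose" (v2 plugin) or docker-compose (v1) is usable.
have_compose() {
    if have_tool docker && docker compose version >/dev/null 2>&1; then
        return 0
    fi
    have_tool docker-compose
}

# Return 0 if the Docker daemon answers. This is the check that fails on a
# remote-Docker executor or when the socket is not mounted into the job.
docker_daemon_ok() {
    docker info >/dev/null 2>&1
}

# Report each missing tool on stderr and return how many were missing,
# so the return value doubles as a pass/fail status (0 = all present).
count_missing_tools() {
    missing=0
    for tool in "$@"; do
        have_tool "$tool" || { echo "missing: $tool" >&2; missing=$((missing + 1)); }
    done
    return "$missing"
}

# Outbound HTTPS reachability using curl only. Any HTTP status counts as
# reachable; only a connection/TLS failure or timeout returns non-zero.
can_reach() {
    curl -sS -o /dev/null --max-time 10 "https://$1/" >/dev/null 2>&1
}

# Run every check, print what is wrong, and return 1 if anything failed.
preflight() {
    rc=0
    count_missing_tools docker git || rc=1
    have_compose || { echo "missing: docker compose / docker-compose" >&2; rc=1; }
    docker_daemon_ok || { echo "docker daemon not reachable (remote-Docker executor?)" >&2; rc=1; }

    # Hosts STAR must reach outbound; INFERENCE_HOST is only checked if set.
    for host in "${BRIGHT_HOSTNAME:-app.brightsec.com}" "${INFERENCE_HOST:-}"; do
        [ -n "$host" ] || continue
        can_reach "$host" || { echo "cannot reach https://$host" >&2; rc=1; }
    done

    # Secrets the page lists; REPO_ACCESS_TOKEN is provider-specific, so it
    # is only reported as a warning rather than a failure.
    for secret in BRIGHT_TOKEN INFERENCE_TOKEN; do
        eval "val=\${$secret:-}"
        [ -n "$val" ] || { echo "secret not set: $secret" >&2; rc=1; }
    done
    [ -n "${REPO_ACCESS_TOKEN:-}" ] || echo "note: REPO_ACCESS_TOKEN not set (required on GitLab, Bitbucket, CircleCI, Jenkins)" >&2

    return "$rc"
}

# Only run the checks when executed as preflight.sh, not when sourced.
case "$0" in
    */preflight.sh|preflight.sh) preflight ;;
esac
```

Run it as a step before the STAR step (`sh preflight.sh`) so a missing tool, an unreachable daemon or a blocked egress path fails the job with a readable message instead of surfacing as a failed scan later.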
Once these are in place, continue to Configuration & CI Integration.