Prerequisites

STAR drives your own toolchain to build and run the target application, so a few tools need to be available on your CI runner.

Required tools

| Tool | Why STAR needs it |
|---|---|
| Docker | Builds and runs the target application (and its companion services) in a container |
| Docker Compose | Orchestrates multi-service apps (database, cache, etc.) alongside your application |
| Git | Checks out the target repository and commits/pushes the fix branch |

These are not bundled in the STAR binary — install them on the runner before running STAR. On hosted CI runners (GitHub-hosted ubuntu-latest, Azure Pipelines' ubuntu-latest image, CircleCI's ubuntu-2404 machine image, Bitbucket's atlassian/default-image:4) all three are already preinstalled. Self-hosted runners and Jenkins nodes must provide them.

Note: CircleCI and GitLab

On CircleCI, use the machine executor (a full VM). With the docker executor, "remote Docker" runs the containers on a separate host, so the scanner cannot reach the scanned app on localhost.
On GitLab, use a runner that runs Docker on its host (a shell executor on a Docker host, or a docker executor with docker-in-docker configured). A plain docker executor without dind or host networking cannot reach the app on localhost either.

Credentials you'll need

| Credential | Where to get it |
|---|---|
| Bright API token (BRIGHT_TOKEN) | app.brightsec.com → your account → API keys |
| Inference (AI) token (INFERENCE_TOKEN / OPENAI_API_KEY) | Your chosen AI provider — see AI / Inference Providers |
| Repository access token (REPO_ACCESS_TOKEN) | Required on GitLab, Bitbucket, CircleCI, and Jenkins. Not needed as a separate secret on GitHub Actions (GITHUB_TOKEN) or Azure Pipelines (System.AccessToken) — see Secrets |

Network access

STAR needs outbound network access to:

  • Your Bright hostname (app.brightsec.com by default) — to drive the dynamic scan engine through a Bright Repeater
  • Your inference endpoint — OpenAI, GitHub Models, Ollama, or your own gateway
  • Your source-control provider — to push the fix branch and open the pull request

No inbound access is required: the runner only opens connections, it never listens for them. This is why STAR works in private and isolated networks, as long as the three outbound endpoints above (Bright, the inference endpoint, and the source-control provider) are reachable from inside them, for example through a self-hosted Bright hostname and a local Ollama or gateway — see Intro → Where it runs.
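The following preflight script is an added example, not part of STAR or its documentation. It checks the three required tools, the two credentials every CI needs, and the three outbound endpoints listed above, so a misconfigured runner fails fast with a clear message instead of partway through a scan. The variable names BRIGHT_HOSTNAME, INFERENCE_URL and REPO_HOST_URL are assumptions made for this script; their fallback values are the defaults the page names (app.brightsec.com, OpenAI, GitHub).

```bash
#!/usr/bin/env sh
# star-preflight.sh (added example, not STAR's own tooling).
# Usage: sh star-preflight.sh run
# Verifies the tools, credentials and outbound reachability STAR needs
# before the STAR step in a pipeline executes.

# Return 0 if the named command is on PATH, 1 otherwise.
require_cmd() {
  if command -v "$1" >/dev/null 2>&1; then
    return 0
  fi
  echo "missing tool: $1" >&2
  return 1
}

# Return 0 if the named environment variable is set and non-empty.
require_env() {
  eval "val=\${$1:-}"
  if [ -n "$val" ]; then
    return 0
  fi
  echo "missing credential: $1" >&2
  return 1
}

# Return 0 if at least one of the named variables is set and non-empty.
# Used for the inference token, which may arrive under either name.
require_any_env() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -n "$val" ]; then
      return 0
    fi
  done
  echo "missing credential: set one of $*" >&2
  return 1
}

# Docker Compose may be the v2 plugin ("docker compose") or the v1 binary.
require_compose() {
  if docker compose version >/dev/null 2>&1; then return 0; fi
  if command -v docker-compose >/dev/null 2>&1; then return 0; fi
  echo "missing tool: docker compose" >&2
  return 1
}

# Return 0 if an outbound connection to the URL succeeds within 10 seconds.
# Any HTTP status counts as reachable; only connect/TLS/timeout errors fail.
can_reach() {
  curl --silent --output /dev/null --connect-timeout 5 --max-time 10 "$1" >/dev/null 2>&1
}

# Run every check, report all failures, and return 1 if any check failed.
preflight() {
  failures=0
  for tool in docker git; do
    require_cmd "$tool" || failures=$((failures + 1))
  done
  require_compose || failures=$((failures + 1))
  require_env BRIGHT_TOKEN || failures=$((failures + 1))
  require_any_env INFERENCE_TOKEN OPENAI_API_KEY || failures=$((failures + 1))
  # Assumed variable names; defaults are the ones the prerequisites page gives.
  for url in "https://${BRIGHT_HOSTNAME:-app.brightsec.com}" \
             "${INFERENCE_URL:-https://api.openai.com}" \
             "${REPO_HOST_URL:-https://github.com}"; do
    if ! can_reach "$url"; then
      echo "cannot reach $url (outbound access required)" >&2
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
}

# Only run the checks when invoked as "sh star-preflight.sh run", so the
# functions can also be sourced into another script.
case "${1:-}" in
  run) preflight || exit 1; echo "preflight OK" ;;
esac
```

REPO_ACCESS_TOKEN is deliberately not checked here, because on GitHub Actions and Azure Pipelines the platform supplies the token under a different name; add a `require_env REPO_ACCESS_TOKEN` line for GitLab, Bitbucket, CircleCI and Jenkins pipelines.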

Once these are in place, continue to Configuration & CI Integration.