To install soluble in your CI environment, use the following command, which can be specified as a build step.

curl -sL | sh

The CLI will be installed in the current directory with the execute bit set. You are welcome to move it somewhere else, but leaving it in the current directory works well with all of the modern CI platforms.

The following is an example for Circle CI:

version: 2.1

      - build:
          context: my-env-context

      image: ubuntu-1604:202010-01
      - checkout
      - run: "curl -sL | sh"
      - run: "soluble tf-scan tfsec --upload"
      - run: "soluble tf-scan checkov  --upload"
      - run: "soluble secrets-scan --upload"

In order to communicate with the Soluble Fusion platform, the CLI needs an API token, which it expects to find in ~/.soluble/cli-config.json. The file will typically look something like this:

  "Profiles": {
    "default": {
      "APIServer": "",
      "APIToken": "<SOLUBLE_API_TOKEN>",
      "TLSNoVerify": false,
      "Organization": "<SOLUBLE_ORG_ID>",
      "Email": "",
      "DefaultClusterID": ""
  "CurrentProfile": "default",
  "ModelLocations": null

You have two choices to configure this:

1) Set SOLUBLE_API_TOKEN and SOLUBLE_ORG_ID as secrets in your CI platform. When you run the installation curl command above, ~/.soluble/cli-config.json will be configured automatically. In the example above, with Circle CI, these values were stored in a Context named my-env-context.

If you are using GitHub Actions, you can use GitHub Secrets.

There is no magic here. When the CLI is installed, it just uses these values to write its configuration file.


2) If you want to handle this yourself, just make sure that cli-config.json is distributed and placed in ~/.soluble/cli-config.json using your preferred mechanism for this kind of thing.

GitHub Actions

We have some first-class support for GitHub Actions. Contact us for details.

Circle CI, Jenkins, GitLabl, Buildkite, Tekton etc.

The instructions above should be sufficient in most cases.

The Soluble CLI will extract the CI platform-specific environment variables for relevant contextual data (Git commit, Git branch, CI pipeline name, etc) and send that metadata to the Fusion platform.

If you are interested in a Circle CI Orb or other first-class support for CI integration, let us know.

Source Control


If you have the official GitHub CLI installed and configured on your machine, you can use its credentials to crawl all of the repos available to you.

It will clone each of the available repos, identifiy where there IaC in those repos and send that metadata back to Soluble.

soluble inventory github

If you aren't using GitHub or don't have that capability available to you, you can run the inventory on a repo-by-repo basis by running the following from a cloned git repo:

soluble inventory local

Soluble GitHub App

We provide a GitHub App that can be installed to your GitHub organization. This app allows the CLI to post status checks to GitHub PRs from CI.

To in install the app:

  1. Log in to Soluble
  2. Go to and follow the instructions

Once installed you can add soluble build update-pr to your CI job that performs the assessments. The CLI will obtain an ephemeral token, and post status checks to the GitHub pull request, if one exists.

Note: This GitHub app does not have access to the code in your repositories.


We have a Slack app that can be used to push notifications and interact with the Soluble platform.

This can be configured from the Integrations Page.


You can delegate IAM permissions with the Security Audit role in order to enable security configuration checks to be run against your AWS accounts.

This can be configured from the Integrations Page