GitHub
.github/workflows/coderocket.yml
Repository settings → Secrets and variables → Actions
Restricted and preview checks
Run the same audit engine from an environment that can reach the page. CodeRocket receives the result, never the private access headers.
Generate a token from the CodeRocket project, store it as a CI secret, and audit the HTTPS URL after your hosting platform finishes deploying it. Public websites need only the project token.
coderocket audit https://preview.example.com \
--page /pricing \
--page /account \
--token "$CODEROCKET_TOKEN" \
--environment preview \
--sha "$GITHUB_SHA" \
--branch "feature/checkout" \
--pr "184"The first URL and each --page stay on the same HTTPS website. Use --environment production for the first trusted check of a private live site; later preview checks compare against that baseline.
Store the required cookie, authorization header, or Cloudflare Access headers in the secret named CODEROCKET_SITE_HEADERS_JSON. The CI process uses them only for requests to the original website origin and never includes them in the submitted result.
{
"cookie": "session=dedicated-test-session",
"cf-access-client-id": "client-id",
"cf-access-client-secret": "client-secret"
}Use a dedicated, least-privileged test account. The current CI check reads returned HTML and response headers; it does not inspect repository source files, execute page JavaScript, or automate a multi-step sign-in journey.
Open a project and choose Set up a CI check. The guided setup creates the correct file and shows where to save the same revocableCODEROCKET_TOKEN for each platform.
.github/workflows/coderocket.yml
Repository settings → Secrets and variables → Actions
.gitlab-ci.yml
Settings → CI/CD → Variables
bitbucket-pipelines.yml
Repository settings → Repository variables
Any environment with Node.js 20+
Save CODEROCKET_TOKEN in the platform secret store
0
No new important problem, or the ruleset requires a fresh baseline.
1
At least one new critical or high-priority finding was introduced.
2
Authentication, network, validation, execution, or an incomplete page check prevented a reliable result.
Keep the package on @latest so the workflow follows the maintained CodeRocket client. Configure the workflow name as a required check in the repository branch protection. The project setup dialog generates the equivalent GitLab, Bitbucket, and generic CI configurations.
name: CodeRocket
on: pull_request
jobs:
frontend-quality:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Audit deployed preview
env:
CODEROCKET_SITE_HEADERS_JSON: "${{ secrets.CODEROCKET_SITE_HEADERS_JSON }}"
run: >-
npx @coderocket/cli@latest audit "${{ vars.PREVIEW_URL }}"
--token "${{ secrets.CODEROCKET_TOKEN }}"
--environment preview
--sha "${{ github.sha }}"
--branch "${{ github.head_ref }}"
--pr "${{ github.event.number }}"