You can configure Coana to run on your CircleCI workflows by adding a job to your CircleCI configuration file.

Generate an API key

Go to Settings → API Keys (opens in a new tab) to generate an API key.

Create a CircleCI environment variable with the generated API key

Single repository

If you only need to run Coana on a single repository, you can add the generated API key as an environment variable in CircleCI's project settings. Visit Project Settings → Environment Variables → "Add Environment Variable" and create an environment variable with the name COANA_API_KEY and the value of the generated API key.


If you need to run Coana across many repositories, you can create a context in the CircleCI organization settings, which can be used across all repositories in the organization. Visit Organization Settings → Contexts → "Create Context" and create a context with the name coana, then add the environment variable with the name COANA_API_KEY and the value of the generated API key.

Modify the CircleCI configuration file

You need to add the job below to your CircleCI configuration file (.circleci/config.yml). Remember to substitute <REPOSITORY_URL> with the URL of the repository you want to scan, e.g., (opens in a new tab).

      - image: coana/coana:latest
      - checkout
      - run:
          name: Run Coana
          command: |
              coana run . \
              --api-key $COANA_API_KEY \
              --repo-url <REPOSITORY_URL> \
              --memory-limit 8192

You don't need to install project dependencies, such as by running npm install, before using Coana, as Coana will handle the installation of the dependencies for you. However, if you have specific requirements for the installation command, we recommend adding a step to install the dependencies manually. For example, insert npm install before the "Run Coana" step in the CircleCI configuration file.

Now update the workflows section of your CircleCI configuration file to include the Coana job as a scheduled job as illustrated below.

You should omit the context key if you are adding the environment variable directly to the project settings. Additionally, adjust the cron schedule and branches to match your requirements. We recommend configuring Coana to run daily, for example, every day at 2 AM as shown in the template. This ensures you receive consistent updates regarding vulnerabilities in your dependencies.

      - schedule:
          cron: "0 2 * * *"
                - main
                - master
      - coana:
            - coana
A new project is automatically created in Coana when you submit your first report if a project matching its repository url or project name dosen't already exist. There is no reason to manually create the project in Coana first.