Other CI/CD platforms

Safe Chain works on all major CI/CD platforms. Select your platform below for a complete configuration example.

Azure Pipelines
CircleCI
Jenkins
Bitbucket Pipelines
GitLab Pipelines

Add the Safe Chain install script as a script step after your Node.js setup task.

- task: NodeTool@0
  inputs:
    versionSpec: "22.x"
  displayName: "Install Node.js"

- script: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
  displayName: "Install safe-chain"

- script: npm ci
  displayName: "Install dependencies"

Use run steps within your job definition. The --ci flag ensures shims are placed in PATH for the non-interactive shell.

version: 2.1
jobs:
  build:
    docker:
      - image: cimg/node:lts
    steps:
      - checkout
      - run: |
          curl -fsSL https://raw.githubusercontent.com/AikidoSec/safe-chain/main/install-scripts/install-safe-chain.sh | sh -s -- --ci
      - run: npm ci
workflows:
  build_and_test:
    jobs:
      - build

Jenkins does not automatically persist PATH updates from one stage to the next. You must declare the Safe Chain shims and binary directories explicitly in the pipeline-level environment block so they are available to all stages.

This example assumes Node.js and npm are already installed on the Jenkins agent.

pipeline {
  agent any

  environment {
    // Jenkins does not automatically persist PATH updates from setup-ci,
    // so add the shims + binary directory explicitly for all stages.
    PATH = "${env.HOME}/.safe-chain/shims:${env.HOME}/.safe-chain/bin:${env.PATH}"
  }

  stages {
    stage('Install safe-chain') {
      steps {
        sh '''
          set -euo pipefail

          # Install Safe Chain for CI
          curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
        '''
      }
    }

    stage('Install project dependencies etc...') {
      steps {
        sh '''
          set -euo pipefail
          npm ci
        '''
      }
    }
  }
}

After running the installer, explicitly export the shims directory into PATH before calling any package manager commands. Bitbucket Pipelines does not reload PATH between script lines automatically.

image: node:22

steps:
  - step:
      name: Install
      script:
        - curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
        - export PATH=~/.safe-chain/shims:$PATH
        - npm ci

GitLab CI jobs run in ephemeral Docker containers, so Safe Chain must be baked into the image used by the pipeline rather than installed at runtime in each job.Step 1 — Define a Dockerfile with Safe Chain pre-installed

FROM node:lts

# Install safe-chain
RUN curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci

# Add safe-chain to PATH
ENV PATH="/root/.safe-chain/shims:/root/.safe-chain/bin:${PATH}"

Step 2 — Build and push the image, then use it in your pipeline

stages:
  - build-image
  - install

build-image:
  stage: build-image
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker build -t $CI_REGISTRY_IMAGE:latest .
    - docker push $CI_REGISTRY_IMAGE:latest

npm-ci:
  stage: install
  image: $CI_REGISTRY_IMAGE:latest
  script:
    - npm ci

Get Started

Configuration

CI/CD

Reference

Build docs developers (and LLMs) love