Skip to main content
CodeRocket

Restricted and preview checks

Connect the CI you already use.

Run the same audit engine from an environment that can reach the page. CodeRocket receives the result, never the private access headers.

Command contract

Generate a token from the CodeRocket project, store it as a CI secret, and audit the HTTPS URL after your hosting platform finishes deploying it. Public websites need only the project token.

Shell
coderocket audit https://preview.example.com \
  --page /pricing \
  --page /account \
  --token "$CODEROCKET_TOKEN" \
  --environment preview \
  --sha "$GITHUB_SHA" \
  --branch "feature/checkout" \
          --pr "184"

The first URL and each --page stay on the same HTTPS website. Use --environment production for the first trusted check of a private live site; later preview checks compare against that baseline.

Access protected server-rendered pages

Store the required cookie, authorization header, or Cloudflare Access headers in the secret named CODEROCKET_SITE_HEADERS_JSON. The CI process uses them only for requests to the original website origin and never includes them in the submitted result.

JSON
{
  "cookie": "session=dedicated-test-session",
  "cf-access-client-id": "client-id",
  "cf-access-client-secret": "client-secret"
}

Use a dedicated, least-privileged test account. The current CI check reads returned HTML and response headers; it does not inspect repository source files, execute page JavaScript, or automate a multi-step sign-in journey.

Choose your CI platform

Open a project and choose Set up a CI check. The guided setup creates the correct file and shows where to save the same revocableCODEROCKET_TOKEN for each platform.

GitHub

.github/workflows/coderocket.yml

Repository settings → Secrets and variables → Actions

GitLab

.gitlab-ci.yml

Settings → CI/CD → Variables

Bitbucket

bitbucket-pipelines.yml

Repository settings → Repository variables

Another CI

Any environment with Node.js 20+

Save CODEROCKET_TOKEN in the platform secret store

0

Healthy

No new important problem, or the ruleset requires a fresh baseline.

1

Blocked

At least one new critical or high-priority finding was introduced.

2

Operational error

Authentication, network, validation, execution, or an incomplete page check prevented a reliable result.

GitHub Actions example

Keep the package on @latest so the workflow follows the maintained CodeRocket client. Configure the workflow name as a required check in the repository branch protection. The project setup dialog generates the equivalent GitLab, Bitbucket, and generic CI configurations.

YAML
name: CodeRocket
on: pull_request
 
jobs:
  frontend-quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Audit deployed preview
        env:
          CODEROCKET_SITE_HEADERS_JSON: "${{ secrets.CODEROCKET_SITE_HEADERS_JSON }}"
        run: >-
          npx @coderocket/cli@latest audit "${{ vars.PREVIEW_URL }}"
          --token "${{ secrets.CODEROCKET_TOKEN }}"
          --environment preview
          --sha "${{ github.sha }}"
          --branch "${{ github.head_ref }}"
          --pr "${{ github.event.number }}"

Token and replay safety

  • A token belongs to exactly one project and is shown only once.
  • Only its SHA-256 hash is stored by CodeRocket.
  • Commit-based idempotency prevents the same CI submission from creating duplicate runs.
  • Audit payloads are validated and limited to 5 MB before persistence.