Quickstart
Get your first scan running in under 10 minutes.
Prerequisites
- A Musha account with an active trial or subscription (sign up)
- A repository hosted on GitHub, GitLab, Azure DevOps, or Bitbucket
- Admin access to the repository (to configure the CI pipeline)
Step 1 — Create a project
- Open app.mushasec.com and go to Projects.
- Click New project.
- Enter a name and the repository URL (e.g. https://github.com/acme/backend-api).
- Select the platform (GitHub, GitLab, Azure DevOps, or Bitbucket).
- Connect your OAuth integration in Settings → Integrations if you haven't already — Musha needs read access to clone the repo.
Step 2 — Create an API key
- Go to Settings → API Keys.
- Click New API key, give it a name (e.g. ci-prod), and set an expiry date.
- Copy the key immediately — it is shown only once.
- Store it as a secret in your CI platform:
  - GitHub: Settings → Secrets and variables → Actions → New secret
  - GitLab: Settings → CI/CD → Variables
  - Azure DevOps: Pipelines → Library → + Variable group
  - Bitbucket: Repository settings → Repository variables
Step 3 — Add the CI workflow
Add the following to your repository, using the snippet for your platform (GitHub Actions, GitLab CI, Azure DevOps, or Bitbucket Pipelines).
Create .github/workflows/musha.yml:

```yaml
name: Musha Security Scan
on:
  push:
    branches: [main, master]
  pull_request:
jobs:
  musha-scan:
    name: Security scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - name: Package files
        run: tar -czf scan.tar.gz --exclude='.git' --exclude='node_modules' --exclude='vendor' .
      - name: Upload to Musha
        run: |
          curl -fsS -X POST "${{ vars.MUSHA_API_URL }}/v1/scans" \
            -H "Authorization: Bearer ${{ secrets.MUSHA_API_KEY }}" \
            -F "files=@scan.tar.gz" \
            -F "project_id=${{ vars.MUSHA_PROJECT_ID }}" \
            -F "branch=${{ github.head_ref || github.ref_name }}" \
            -F "pr_id=${{ github.event.pull_request.number }}" \
            -F "commit_hash=${{ github.sha }}" \
            -F "scan_type=full"
```
Add to .gitlab-ci.yml:

```yaml
musha-scan:
  stage: test
  image: alpine:latest
  before_script:
    - apk add --no-cache curl tar
  script:
    - tar -czf scan.tar.gz --exclude='.git' --exclude='node_modules' --exclude='vendor' .
    - |
      curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
        -H "Authorization: Bearer $MUSHA_API_KEY" \
        -F "files=@scan.tar.gz" \
        -F "project_id=$MUSHA_PROJECT_ID" \
        -F "branch=$CI_COMMIT_REF_NAME" \
        -F "pr_id=$CI_MERGE_REQUEST_IID" \
        -F "commit_hash=$CI_COMMIT_SHA" \
        -F "scan_type=full"
```
Add to azure-pipelines.yml (the job must reference the variable group created in Step 2 so that $(MUSHA_API_URL), $(MUSHA_API_KEY) and $(MUSHA_PROJECT_ID) resolve):

```yaml
- job: MushaScan
  displayName: 'Musha Security Scan'
  pool:
    vmImage: ubuntu-latest
  variables:
    - group: musha   # the variable group from Step 2; replace with your group's name
  steps:
    - bash: |
        tar -czf scan.tar.gz --exclude='.git' --exclude='node_modules' .
        curl -fsS -X POST "$(MUSHA_API_URL)/v1/scans" \
          -H "Authorization: Bearer $(MUSHA_API_KEY)" \
          -F "files=@scan.tar.gz" \
          -F "project_id=$(MUSHA_PROJECT_ID)" \
          -F "branch=$(Build.SourceBranchName)" \
          -F "pr_id=$(System.PullRequest.PullRequestId)" \
          -F "commit_hash=$(Build.SourceVersion)" \
          -F "scan_type=full"
      displayName: 'Upload scan to Musha'
```
Add to bitbucket-pipelines.yml:

```yaml
pipelines:
  default:
    - step:
        name: Musha Security Scan
        image: alpine:latest
        script:
          - apk add --no-cache curl tar
          - tar -czf scan.tar.gz --exclude='.git' --exclude='node_modules' .
          - |
            curl -fsS -X POST "$MUSHA_API_URL/v1/scans" \
              -H "Authorization: Bearer $MUSHA_API_KEY" \
              -F "files=@scan.tar.gz" \
              -F "project_id=$MUSHA_PROJECT_ID" \
              -F "branch=$BITBUCKET_BRANCH" \
              -F "commit_hash=$BITBUCKET_COMMIT" \
              -F "scan_type=full"
```
Required variables
| Variable | Where to set it | Example |
|---|---|---|
| MUSHA_API_URL | CI variable (not secret) | https://api.mushasec.com |
| MUSHA_API_KEY | CI secret | msk_live_... |
| MUSHA_PROJECT_ID | CI variable (not secret) | 01960000-... |

Your Project ID is the identifier in the URL of the project detail page: open app.mushasec.com/projects and click the project.
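The same package-and-upload sequence the CI snippets perform, run from a developer machine, as an added example that is not part of the Musha docs. It assumes MUSHA_API_URL, MUSHA_API_KEY and MUSHA_PROJECT_ID are exported under the same names as the CI variables above; the script name musha-local.sh, the response.json file and the archive-content check are this example's own additions, and pr_id is omitted because a local run has no PR.

```shell
#!/usr/bin/env sh
# Added example (not part of the Musha docs): the same package-and-upload
# the CI snippets perform, run from a developer machine. Assumes
# MUSHA_API_URL, MUSHA_API_KEY and MUSHA_PROJECT_ID are exported, named
# exactly as the CI variables above; response.json and the script name
# musha-local.sh are this example's own choices.
set -eu

# Package a source tree with the same exclusions the CI jobs use.
musha_package() {               # usage: musha_package <src_dir> <out.tar.gz>
  tar -czf "$2" -C "$1" --exclude='.git' --exclude='node_modules' \
      --exclude='vendor' .
}

# Verify that none of the excluded directories made it into the archive,
# so a mistyped --exclude is caught before the tree leaves the machine.
musha_check_archive() {         # usage: musha_check_archive <archive>
  if tar -tzf "$1" | grep -Eq '(^|/)(\.git|node_modules|vendor)(/|$)'; then
    echo "archive still contains an excluded directory" >&2
    return 1
  fi
}

# Upload with the same form fields as the CI jobs, but print the HTTP status
# and response body: curl -f alone hides the error body on a 4xx/5xx, which
# is the first thing to look at when a scan never shows up in Repo Scans.
musha_upload() {                # usage: musha_upload <archive> <branch> <commit>
  status=$(curl -sS -o response.json -w '%{http_code}' -X POST \
      "$MUSHA_API_URL/v1/scans" \
      -H "Authorization: Bearer $MUSHA_API_KEY" \
      -F "files=@$1" \
      -F "project_id=$MUSHA_PROJECT_ID" \
      -F "branch=$2" \
      -F "commit_hash=$3" \
      -F "scan_type=full")
  echo "HTTP $status"
  cat response.json; echo
  case "$status" in 2??) return 0 ;; *) return 1 ;; esac
}

if [ "$#" -gt 0 ]; then         # ./musha-local.sh <src_dir>
  musha_package "$1" scan.tar.gz
  musha_check_archive scan.tar.gz
  musha_upload scan.tar.gz "$(git -C "$1" rev-parse --abbrev-ref HEAD)" \
               "$(git -C "$1" rev-parse HEAD)"
fi
```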
Step 4 — Push and verify
Push a commit (or open a PR). Within 60–90 seconds:
- The scan appears in Repo Scans with status completed.
- If it's a PR, a comment is posted to the PR with a pass/fail summary.
- Any findings appear in the Security dashboard.
If the scan stays in pending for more than 2 minutes, see Troubleshooting.
Next steps
- Scan types — understand what SCA, IaC, and Secrets scanning detects.
- Vulnerability states — triage and track findings as a team.
- Technical debt — why pre-existing vulns don't block your PRs.