Building Compliance Checks Into Your CI/CD Pipeline
Shift compliance left: run sanctions screening, export control checks, and document validation as part of your deployment pipeline. Here's a practical guide with GitHub Actions examples.
Why Shift Compliance Left?
Most teams treat compliance checks as a post-deployment concern — screening happens at transaction time, and failures are handled reactively. But what if you could catch compliance issues before they reach production?
By integrating ComplianceGrid into your CI/CD pipeline, you can:
- Validate that new vendor records pass sanctions screening before they're added to your database
- Ensure product catalog entries have valid HS classifications before going live
- Run regression tests against your compliance logic with every deploy
- Catch configuration errors (wrong API keys, expired tokens) before they cause production incidents
GitHub Actions Example
Here's a workflow that screens new vendors added in a PR:
```yaml
name: Compliance Check
on:
  pull_request:
    paths:
      - 'data/vendors/**'
jobs:
  screen-vendors:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # default depth of 1 has no origin/main to diff against
      - name: Get changed vendor files
        id: vendors
        run: |
          # Added/modified files only: a deleted vendor has nothing to screen.
          # Join on spaces so the output stays a single line in GITHUB_OUTPUT.
          FILES=$(git diff --name-only --diff-filter=AM origin/main...HEAD -- data/vendors/ | tr '\n' ' ')
          echo "files=$FILES" >> "$GITHUB_OUTPUT"
      - name: Screen new vendors
        env:
          CG_CLIENT_ID: ${{ secrets.CG_CLIENT_ID }}
          CG_CLIENT_SECRET: ${{ secrets.CG_CLIENT_SECRET }}
          # Pass the file list through an env var rather than expanding ${{ }} inside
          # the script, so a crafted file name in a PR cannot inject shell commands.
          VENDOR_FILES: ${{ steps.vendors.outputs.files }}
        run: |
          set -euo pipefail
          # Get Bearer token; -f and pipefail make an auth failure fail the step
          TOKEN=$(curl -sf -X POST https://sandbox.api.compliancegrid.ai/oauth/token \
            -d "grant_type=client_credentials" \
            -d "client_id=$CG_CLIENT_ID" \
            -d "client_secret=$CG_CLIENT_SECRET" | jq -re '.access_token')
          mkdir -p screening-results
          # Screen each vendor
          for file in $VENDOR_FILES; do
            # Build the request body with jq so a name containing quotes stays valid JSON
            BODY=$(jq -c '{parties: [{name: .name, country: .country}]}' "$file")
            RESULT=$(curl -sf -X POST https://sandbox.api.compliancegrid.ai/v1/compliance/restricted-party-screening \
              -H "Authorization: Bearer $TOKEN" \
              -H "Content-Type: application/json" \
              -d "$BODY")
            # Keep the raw response (never the token) for the audit trail
            echo "$RESULT" > "screening-results/$(basename "$file").result.json"
            STATUS=$(echo "$RESULT" | jq -r '.overallResult')
            if [ "$STATUS" != "CLEAR" ]; then
              echo "::error::Vendor $(jq -r '.name' "$file") flagged: $STATUS"
              exit 1
            fi
          done
      - name: Upload screening results for audit
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: screening-results
          path: screening-results/
```
Because the script runs with `set -euo pipefail` and `curl -f`, any HTTP error from the token or screening call fails the job instead of being parsed as a result: the pipeline fails closed.
Using the Sandbox for CI/CD
Use sandbox credentials (cg_sk_) for CI/CD pipelines. Sandbox calls are free, rate-limited to 60 req/min, and return realistic mock data. This lets you validate your integration logic without incurring production costs or querying live government databases. Two caveats follow from that: a sandbox CLEAR says your integration works, not that the vendor is actually clear, so production screening still has to run at transaction time; and a PR that touches more than 60 vendor files will hit the rate limit, so either batch parties into one request or throttle the loop.
Testing Compliance Logic
Write integration tests that verify your application handles all screening outcomes correctly:
- CLEAR — Transaction proceeds normally
- MATCH — Transaction is blocked, alert is generated
- POTENTIAL_MATCH — Transaction is queued for human review
- API error (timeout, 5xx, expired token, unparseable response) — Transaction is held pending retry and is never treated as CLEAR (fail-closed)
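The outcome matrix above, as an added example that is not ComplianceGrid's code or SDK: a small Python wrapper that maps each `overallResult` value to an application decision and fails closed on any transport error or unexpected value, with a fake transport so every outcome can be exercised offline in an integration test. The endpoint and the `overallResult` field come from the workflow on this page; the decision names (PROCEED, BLOCK, REVIEW, HOLD), the injectable `post` callable and the sample party are this example's own assumptions.

```python
"""
Added example (not ComplianceGrid's SDK): map every screening outcome to an
application decision, fail closed on errors, and test the mapping offline.

Assumptions: the response carries `overallResult` with CLEAR / MATCH /
POTENTIAL_MATCH; decision names and the injectable `post` callable are
this example's own design.
"""
import json
from typing import Any, Callable, Dict
from urllib import error, request

SCREENING_URL = "https://sandbox.api.compliancegrid.ai/v1/compliance/restricted-party-screening"

# Decisions the application acts on (example's own names)
PROCEED, BLOCK, REVIEW, HOLD = "PROCEED", "BLOCK", "REVIEW", "HOLD"

# Explicit allow-list of outcomes; anything else falls through to HOLD
_OUTCOME_TO_DECISION = {
    "CLEAR": PROCEED,
    "MATCH": BLOCK,
    "POTENTIAL_MATCH": REVIEW,
}


def http_post(url: str, body: dict, token: str, timeout: float = 5.0) -> dict:
    """Real transport (standard library only). Raises on network or HTTP errors."""
    req = request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def screen_party(name: str, country: str, token: str,
                 post: Callable[[str, dict, str], dict] = http_post) -> Dict[str, Any]:
    """Screen one party; return {"decision": ..., "reason": ...}.

    The transport is injectable so tests can simulate each outcome.
    """
    body = {"parties": [{"name": name, "country": country}]}
    try:
        result = post(SCREENING_URL, body, token)
    except Exception as exc:  # timeout, connection error, HTTP 4xx/5xx, bad JSON
        # Fail closed: an unanswered screening is held, never treated as CLEAR.
        return {"decision": HOLD, "reason": f"screening unavailable: {type(exc).__name__}"}

    outcome = result.get("overallResult")
    decision = _OUTCOME_TO_DECISION.get(outcome, HOLD)
    if decision == HOLD:
        # Missing or unknown outcome is handled like an API error, not like CLEAR.
        return {"decision": HOLD, "reason": f"unexpected overallResult: {outcome!r}"}
    return {"decision": decision, "reason": f"overallResult={outcome}"}


# --- Constructed fake transport for integration tests (no network) ---

def fake_transport(outcome):
    """Return a `post` callable that yields a fixed outcome, or raises it if it is an exception."""
    def post(url, body, token):
        assert url == SCREENING_URL and body["parties"][0]["name"]
        if isinstance(outcome, Exception):
            raise outcome
        return {"overallResult": outcome}
    return post


def run_outcome_matrix() -> Dict[str, str]:
    """Drive screen_party through every outcome the application must handle."""
    cases = {
        "CLEAR": "CLEAR",
        "MATCH": "MATCH",
        "POTENTIAL_MATCH": "POTENTIAL_MATCH",
        "api_error": error.URLError("connection refused"),
        "http_503": error.HTTPError(SCREENING_URL, 503, "Service Unavailable", {}, None),
        "unknown_value": "SOMETHING_NEW",
    }
    # Sample party is constructed for the example
    return {label: screen_party("Acme Trading Ltd", "GB", "test-token",
                                post=fake_transport(o))["decision"]
            for label, o in cases.items()}


if __name__ == "__main__":
    for label, decision in run_outcome_matrix().items():
        print(f"{label:14} -> {decision}")
```

The important design choice is the allow-list: only the three documented outcomes map to a decision, so a new or misspelled value, a missing field, an HTTP error and a timeout all land in HOLD. Wire `http_post` in production and `fake_transport` in the integration test that runs in CI.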
Best Practices
- Fail closed: If the compliance API is unreachable, times out, or returns an unexpected result, block or hold the transaction rather than allowing it through
- Store CI secrets securely: Use GitHub Secrets, not environment files committed to the repository, and keep secrets out of step outputs and logs
- Use sandbox for tests: Never run CI/CD against production APIs
- Log everything: Capture each screening request and its raw response (never the bearer token) in CI artifacts for audit purposes