GitHub Actions

Automated Security Scanning

Integrate Bloodhound security scanning into GitHub Actions workflows with PR comments, status checks, and Security tab integration.

Setup

Configure your repository to use Bloodhound in GitHub Actions.

1. Add License Secret

Go to Repository Settings → Secrets → Actions → New repository secret. Add BLOODHOUND_LICENSE with your license key.

2. Create Workflow File

Create .github/workflows/security.yml in your repository.

Basic Workflow

.github/workflows/security.yml
```yaml
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by upload-sarif
      pull-requests: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Bloodhound CLI
        run: npm install -g @agnech/cli

      - name: Activate License
        # Pass the secret through the environment instead of interpolating it into the script
        env:
          BLOODHOUND_LICENSE: ${{ secrets.BLOODHOUND_LICENSE }}
        run: bloodhound license activate "$BLOODHOUND_LICENSE"

      - name: Run Security Scan
        run: |
          bloodhound scan \
            --mode advanced \
            --report sarif \
            --output security-results.sarif \
            ./src

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()   # upload even when the scan step exits non-zero on findings
        with:
          sarif_file: security-results.sarif
```

PR Integration

Add security findings as PR comments and status checks.

.github/workflows/pr-security.yml
```yaml
name: PR Security Check

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # needed to post the comment

    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install and Activate CLI
        env:
          BLOODHOUND_LICENSE: ${{ secrets.BLOODHOUND_LICENSE }}
        run: |
          npm install -g @agnech/cli
          bloodhound license activate "$BLOODHOUND_LICENSE"

      - name: Run Security Scan
        id: scan
        run: |
          bloodhound scan \
            --mode advanced \
            --report json \
            --output results.json \
            ./src
        continue-on-error: true   # keep going so the findings are still reported below

      - name: Comment on PR
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // If the scan left no results.json this throws and the job fails, which is the safe default
            const results = JSON.parse(fs.readFileSync('results.json', 'utf8'));

            const critical = results.findings.filter(f => f.severity === 'critical').length;
            const high = results.findings.filter(f => f.severity === 'high').length;

            let body = '## 🔒 Security Scan Results\n\n';
            body += '| Severity | Count |\n|----------|-------|\n';
            body += `| Critical | ${critical} |\n`;
            body += `| High | ${high} |\n`;
            body += `| Total | ${results.findings.length} |\n\n`;

            if (critical > 0 || high > 0) {
              body += '⚠️ **Action required:** Please fix critical/high severity issues before merging.';
            } else {
              body += '✅ **No critical or high severity issues found.**';
            }

            // await so the step does not finish before the API call completes
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });

      - name: Fail on Critical Issues
        run: |
          CRITICAL=$(jq '.findings | map(select(.severity == "critical")) | length' results.json)
          if [ "$CRITICAL" -gt 0 ]; then
            echo "Found $CRITICAL critical vulnerabilities"
            exit 1
          fi
```
SARIF Upload

Upload results to GitHub's Security tab for native integration.

GitHub Advanced Security

SARIF results appear in the Security tab and can trigger alerts. This feature may require GitHub Advanced Security for private repositories.

workflow snippet

```yaml
steps:
  # Generate SARIF format
  - name: Run Security Scan
    run: bloodhound scan --report sarif --output results.sarif ./src

  # Upload to GitHub Security
  - name: Upload SARIF
    uses: github/codeql-action/upload-sarif@v3
    with:
      sarif_file: results.sarif
      category: bloodhound-security   # keeps these results separate from other SARIF uploads
```

Advanced Configuration

.github/workflows/advanced-security.yml
```yaml
name: Advanced Security Pipeline

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * 0'   # Weekly full scan (Sunday 00:00 UTC)

jobs:
  quick-scan:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g @agnech/cli
      - run: bloodhound license activate "$BLOODHOUND_LICENSE"
        env:
          BLOODHOUND_LICENSE: ${{ secrets.BLOODHOUND_LICENSE }}
      - run: bloodhound scan --mode quick ./src

  full-scan:
    if: github.event_name == 'push' || github.event_name == 'schedule'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by upload-sarif
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g @agnech/cli
      - run: bloodhound license activate "$BLOODHOUND_LICENSE"
        env:
          BLOODHOUND_LICENSE: ${{ secrets.BLOODHOUND_LICENSE }}
      - run: |
          bloodhound scan \
            --mode ultimate \
            --report executive,technical,sarif \
            --output ./reports \
            ./src

      - name: Upload Reports
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: ./reports

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ./reports/results.sarif
```