GitHub Actions
Integrate Inkog into your GitHub Actions workflow to scan every push and pull request.
Basic Workflow
Create .github/workflows/security.yml:
name: Security Scan
on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
jobs:
  inkog-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Install Inkog
        run: go install github.com/inkog-io/inkog@latest
      - name: Run Security Scan
        run: inkog -output json -severity high . > inkog-report.json
      - name: Upload Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: inkog-report
          path: inkog-report.json

With HTML Report
Generate both JSON and HTML reports:
name: Security Scan
on: [push, pull_request]
jobs:
  inkog-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Install Inkog
        run: go install github.com/inkog-io/inkog@latest
      - name: Run Scan
        run: |
          inkog -output json . > inkog-report.json
          inkog -output html . > inkog-report.html
        continue-on-error: true
      - name: Upload Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-reports
          path: |
            inkog-report.json
            inkog-report.html

Pull Request Comments
Post scan results as a PR comment:
name: Security Scan
on:
  pull_request:
    branches: [main]
jobs:
  inkog-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # once a permissions block is set, unlisted scopes become none; checkout needs this
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Install Inkog
        run: go install github.com/inkog-io/inkog@latest
      - name: Run Scan
        id: scan
        run: |
          inkog -output json . > report.json
          # '// 0' keeps the outputs numeric when a summary key is absent
          echo "findings=$(jq '.summary.total // 0' report.json)" >> "$GITHUB_OUTPUT"
          echo "critical=$(jq '.summary.critical // 0' report.json)" >> "$GITHUB_OUTPUT"
          echo "high=$(jq '.summary.high // 0' report.json)" >> "$GITHUB_OUTPUT"
        continue-on-error: true
      - name: Comment on PR
        uses: actions/github-script@v7
        with:
          script: |
            // Quoted so that empty outputs (the scan step failed before writing them)
            // parse as NaN instead of leaving a syntax error in this script
            const findings = parseInt('${{ steps.scan.outputs.findings }}', 10);
            const critical = parseInt('${{ steps.scan.outputs.critical }}', 10);
            const high = parseInt('${{ steps.scan.outputs.high }}', 10);
            let status = '✅ **PASSED**';
            if (Number.isNaN(critical) || Number.isNaN(high)) {
              status = '⚠️ **SCAN FAILED** (no report produced)';
            } else if (critical > 0 || high > 0) {
              status = '❌ **BLOCKED**';
            }
            const body = `## Inkog Security Scan
            ${status}

            | Severity | Count |
            |----------|-------|
            | Critical | ${critical} |
            | High | ${high} |
            | Total | ${findings} |

            [View full report](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`;
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: body
            });

Scheduled Scans
Run scans on a schedule for continuous monitoring:
name: Scheduled Security Scan
on:
  schedule:
    - cron: '0 9 * * 1-5'  # Weekdays at 9 AM UTC
  workflow_dispatch:        # Manual trigger
jobs:
  inkog-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Install Inkog
        run: go install github.com/inkog-io/inkog@latest
      - name: Run Scan
        run: inkog -output json . > report.json
      - name: Check for Critical Issues
        run: |
          # '// 0' so a missing key yields 0 rather than "null", which would break the integer test below
          CRITICAL=$(jq -r '.summary.critical // 0' report.json)
          if [ "$CRITICAL" -gt 0 ]; then
            echo "::error::$CRITICAL critical vulnerabilities found!"
            exit 1
          fi

Caching
Speed up workflows by caching the Go installation:
- uses: actions/setup-go@v5
  with:
    go-version: '1.21'
    cache: true

Branch Protection
Configure branch protection to require Inkog scans:
- Go to Settings → Branches → Branch protection rules
- Enable "Require status checks to pass before merging"
- Add inkog-scan (the job name from the workflows above) as a required check
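The PR-comment and scheduled workflows above both reduce the report to `.summary.critical` and `.summary.high` with jq and turn that into a pass/fail, and the required status check only blocks a merge when the `inkog-scan` job actually fails. The gate script below is an added example, not part of Inkog or of this page, that does that in one step and fails closed when the report is empty or malformed (where a bare `jq` call yields null and the shell comparison errors out). It assumes only the three summary keys the workflows read; the thresholds, the sample report and the file name `inkog_gate.py` are constructed.

```python
"""Merge gate for an Inkog JSON report (added example, not Inkog's own code).
Assumes only the summary keys the workflows above read with jq:
summary.total, summary.critical, summary.high; everything else is constructed."""
import json
import sys

# Constructed sample in the shape the jq expressions above expect
SAMPLE_REPORT = '{"summary": {"total": 3, "critical": 1, "high": 2}}'


def evaluate_report(report_text, max_critical=0, max_high=0):
    """Return a verdict dict. An empty or malformed report fails closed rather
    than reading as zero findings (what a null/empty jq result would become)."""
    failed = {"ok": False, "reason": "report missing or malformed",
              "critical": None, "high": None, "total": None}
    try:
        summary = json.loads(report_text)["summary"]
        counts = {k: int(summary.get(k) or 0) for k in ("critical", "high", "total")}
    except (ValueError, TypeError, KeyError, AttributeError):
        return failed
    reasons = []
    if counts["critical"] > max_critical:
        reasons.append(f"{counts['critical']} critical (max {max_critical})")
    if counts["high"] > max_high:
        reasons.append(f"{counts['high']} high (max {max_high})")
    return {"ok": not reasons, "reason": "; ".join(reasons), **counts}


def main(argv):
    """Usage: inkog_gate.py [report.json] [max_critical] [max_high]"""
    path = argv[1] if len(argv) > 1 else "report.json"
    max_critical = int(argv[2]) if len(argv) > 2 else 0
    max_high = int(argv[3]) if len(argv) > 3 else 0
    try:
        with open(path, encoding="utf-8") as f:
            text = f.read()
    except OSError:
        text = ""  # a missing report is treated like a malformed one
    verdict = evaluate_report(text, max_critical, max_high)
    if not verdict["ok"]:
        print(f"::error::Inkog gate failed: {verdict['reason']}")  # GitHub annotation
        return 1
    print(f"Inkog gate passed: {verdict['total']} finding(s) within policy")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Call it from a `run:` step after the scan, for example `python3 inkog_gate.py report.json 0 0`; its non-zero exit fails the `inkog-scan` job, which is what makes the required check above meaningful.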