# GitHub Actions Integration

Automate Alprina security scanning in your GitHub CI/CD workflows. This guide shows you how to integrate Alprina with GitHub Actions for continuous security monitoring.

## Quick Start

Create `.github/workflows/alprina.yml` in your repository:

```yaml
name: Alprina Security Scan
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Alprina
        run: pip install alprina-cli
      - name: Run Security Scan
        run: alprina scan ./src --output results.json
      - name: Upload Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: alprina-results
          path: results.json
```

Note: Local scans don't require authentication! For remote scans, add your API key as a secret.

## Setup API Key (Optional)
Only needed for remote scanning (URLs, IPs). Skip this for local file scans.

### Add Secret to Repository

- Go to your repository on GitHub
- Click Settings → Secrets and variables → Actions
- Click New repository secret
- Name: `ALPRINA_API_KEY`
- Value: Your API key from alprina.com/dashboard
- Click Add secret

### Use Secret in Workflow

```yaml
- name: Run Remote Scan
  run: alprina scan https://staging-api.example.com
  env:
    ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
```

## Complete Workflow Examples
### Basic Workflow - Scan on Push

```yaml
name: Security Scan
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Alprina
        run: pip install alprina-cli
      - name: Scan Codebase
        run: alprina scan ./src
      - name: Generate Report
        if: always()
        run: alprina report --format html --output report.html
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: report.html
```

### Advanced Workflow - Fail on HIGH Severity
```yaml
name: Strict Security Check
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  security-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
          cache: 'pip'
      - name: Install Alprina
        run: pip install alprina-cli
      - name: Run Security Scan
        id: scan
        run: |
          # The default run shell is bash -e, so a non-zero exit would abort the
          # step before $? could be read. Capture it with || and keep going; the
          # decision to fail the job is made in the "Check for HIGH Severity" step.
          EXIT_CODE=0
          alprina scan ./src --output results.json || EXIT_CODE=$?
          echo "exit_code=$EXIT_CODE" >> "$GITHUB_OUTPUT"
      - name: Generate HTML Report
        if: always()
        run: alprina report --format html --output security-report.html
      - name: Upload Artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: alprina-results
          path: |
            results.json
            security-report.html
      - name: Check for HIGH Severity
        if: steps.scan.outputs.exit_code == '10'
        run: |
          echo "::error::HIGH severity vulnerabilities detected!"
          echo "::error::Review the security report for details"
          exit 1
      - name: Summary
        if: always()
        run: |
          echo "### Security Scan Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          if [ "${{ steps.scan.outputs.exit_code }}" == "0" ]; then
            echo "✅ No vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "⚠️ Vulnerabilities detected - check artifacts" >> "$GITHUB_STEP_SUMMARY"
          fi
```

### PR Comment Workflow
Post scan results as PR comments:

```yaml
name: Security Scan with PR Comment
on:
  pull_request:
    branches: [ main, develop ]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Alprina
        run: pip install alprina-cli
      - name: Run Scan
        id: scan
        run: |
          alprina scan ./src --output results.json || true
          # Heading for the PR comment
          cat > scan-summary.md << 'EOF'
          ## 🛡️ Alprina Security Scan Results
          EOF
          # Append the findings summary: the script's stdout is redirected into the file
          python3 >> scan-summary.md << 'PYTHON'
          import json, os
          if not os.path.exists('results.json'):
              # The scan exited before writing output; say so instead of crashing here
              print("❌ **Scan produced no results.json** - check the job log")
              raise SystemExit(0)
          with open('results.json') as f:
              data = json.load(f)
          summary = data.get('summary', {})
          total = summary.get('total_findings', 0)
          high = summary.get('high', 0)
          medium = summary.get('medium', 0)
          low = summary.get('low', 0)
          if total == 0:
              print("✅ **No vulnerabilities found!**")
          else:
              print(f"⚠️ **Found {total} findings:**")
              print(f"- 🔴 HIGH: {high}")
              print(f"- 🟡 MEDIUM: {medium}")
              print(f"- 🟢 LOW: {low}")
          PYTHON
      - name: Comment PR
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const summary = fs.readFileSync('scan-summary.md', 'utf8');
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: summary
            });
```
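The exit-code check in the strict workflow and the inline heredoc in the PR-comment workflow can be replaced by one script committed to the repository. The gate below is an added example, not code from the Alprina project or this page: it reads only the `summary` keys the heredoc above reads (`total_findings`, `high`, `medium`, `low`); the `ALPRINA_FAIL_ON` variable, the hypothetical path `.github/scripts/alprina_gate.py` and the fail-closed handling of a missing results file are its own assumptions.

```python
"""Severity gate for an Alprina results.json (added example, not Alprina code).
Uses the summary keys the PR-comment snippet reads (total_findings/high/medium/low);
the ALPRINA_FAIL_ON variable and the gate logic are this example's assumptions."""
import json
import os
import sys

SEVERITIES = ("high", "medium", "low")  # ordered from most to least severe


def load_summary(path):
    """Return the summary dict; a missing file is marked so the gate fails closed."""
    if not os.path.exists(path):
        return {"missing": True}
    with open(path, encoding="utf-8") as f:
        return json.load(f).get("summary", {})


def gate(summary, fail_on="high"):
    """Return (ok, reason). fail_on is the least severe level that still blocks:
    'high' blocks HIGH only, 'medium' blocks HIGH and MEDIUM, 'low' blocks all."""
    if summary.get("missing"):
        return False, "scan produced no results file"
    blocking = SEVERITIES[: SEVERITIES.index(fail_on) + 1]
    hits = {s: int(summary.get(s, 0)) for s in blocking if int(summary.get(s, 0)) > 0}
    if hits:
        return False, "blocking findings (" + ", ".join(f"{s.upper()}: {n}" for s, n in hits.items()) + ")"
    return True, f"{int(summary.get('total_findings', 0))} findings, none at {fail_on.upper()} or above"


def render_markdown(summary, ok, reason):
    """Markdown for $GITHUB_STEP_SUMMARY or a PR comment body."""
    lines = ["## Alprina Security Scan Results", "", ("✅ " if ok else "❌ ") + reason]
    lines += [f"- {s.upper()}: {int(summary.get(s, 0))}" for s in SEVERITIES]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "results.json"
    summary = load_summary(path)
    ok, reason = gate(summary, os.environ.get("ALPRINA_FAIL_ON", "high").lower())
    report = render_markdown(summary, ok, reason)
    step_summary = os.environ.get("GITHUB_STEP_SUMMARY")  # file path set by the runner
    if step_summary:
        with open(step_summary, "a", encoding="utf-8") as f:
            f.write(report)
    print(report, end="")
    if not ok:
        print(f"::error::{reason}")  # shows as an annotation on the workflow run
    sys.exit(0 if ok else 1)
```

Run it in a step after the scan as `python3 .github/scripts/alprina_gate.py results.json`, with `ALPRINA_FAIL_ON: medium` under the step's `env:` to block on MEDIUM findings as well; a non-zero exit fails the job and the same markdown lands in the step summary.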
### Scan Only Changed Files

Optimize CI time by scanning only modified files:

```yaml
name: Scan Changed Files
on:
  pull_request:
    branches: [ main ]
jobs:
  scan-changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Need full history for diff
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Alprina
        run: pip install alprina-cli
      - name: Get Changed Files
        id: changed-files
        uses: tj-actions/changed-files@v44
        with:
          files: |
            **/*.py
            **/*.js
            **/*.ts
            **/*.go
            **/*.java
      - name: Scan Changed Files
        if: steps.changed-files.outputs.any_changed == 'true'
        # Hand the file list to the script through an environment variable rather
        # than expanding ${{ }} inside it: the names come from the PR and must not
        # be interpreted by the shell.
        env:
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          echo "Scanning changed files:"
          echo "$ALL_CHANGED_FILES"
          for file in $ALL_CHANGED_FILES; do
            echo "Scanning: $file"
            alprina scan "$file"
          done
      - name: No Changes
        if: steps.changed-files.outputs.any_changed != 'true'
        run: echo "No source files changed"
```

### Scheduled Security Scans
Run periodic scans on a schedule:

```yaml
name: Weekly Security Audit
on:
  schedule:
    # Run every Sunday at 00:00 UTC
    - cron: '0 0 * * 0'
  workflow_dispatch: # Allow manual trigger
jobs:
  weekly-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Alprina
        run: pip install alprina-cli
      - name: Set Report Date
        id: date
        # Shell substitution is not evaluated inside `with:` inputs, so compute the
        # date once in a shell step and reference it as a step output below.
        run: echo "today=$(date +%Y%m%d)" >> "$GITHUB_OUTPUT"
      - name: Deep Security Audit
        run: alprina scan ./src --profile code-audit --output audit-results.json
      - name: Generate PDF Report
        if: always() # Still produce the report when the audit exits non-zero
        run: alprina report --format pdf --output weekly-audit-${{ steps.date.outputs.today }}.pdf
      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: weekly-audit-${{ steps.date.outputs.today }}
          path: |
            audit-results.json
            weekly-audit-*.pdf
          retention-days: 90
      - name: Notify on Slack (if issues found)
        if: failure()
        uses: slackapi/slack-github-action@v1
        with:
          payload: |
            {
              "text": "🚨 Weekly security audit found vulnerabilities in ${{ github.repository }}"
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK # Selects webhook mode in v1.x of the action
```

### Matrix Strategy - Multiple Environments
Test across multiple Python versions or directories:

```yaml
name: Multi-Environment Scan
on:
  push:
    branches: [ main ]
jobs:
  scan-matrix:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.9', '3.10', '3.11', '3.12']
        target: ['./frontend', './backend', './api']
      fail-fast: false
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - name: Install Alprina
        run: pip install alprina-cli
      - name: Derive Target Name
        id: target
        # `$(basename ...)` is not evaluated inside `with:` inputs, so build the
        # name in a shell step and reuse it as an output. Artifact names must be
        # unique per matrix job with upload-artifact v4.
        env:
          TARGET: ${{ matrix.target }}
        run: echo "name=$(basename "$TARGET")" >> "$GITHUB_OUTPUT"
      - name: Scan ${{ matrix.target }} with Python ${{ matrix.python-version }}
        run: |
          alprina scan ${{ matrix.target }} \
            --output results-${{ matrix.python-version }}-${{ steps.target.outputs.name }}.json
      - name: Upload Results
        uses: actions/upload-artifact@v4
        with:
          name: results-py${{ matrix.python-version }}-${{ steps.target.outputs.name }}
          path: results-*.json
```

## Performance Optimization
### Cache Dependencies

Speed up workflows by caching Alprina CLI:

```yaml
- name: Cache Alprina
  uses: actions/cache@v4
  with:
    path: ~/.cache/pip
    key: ${{ runner.os }}-alprina-${{ hashFiles('**/requirements.txt') }}
    restore-keys: |
      ${{ runner.os }}-alprina-
- name: Install Alprina
  run: pip install alprina-cli
```

### Conditional Scans
Only run on relevant changes:

```yaml
on:
  pull_request:
    paths:
      - 'src/**'
      - 'api/**'
      - 'config/**'
      - '**.py'
      - '**.js'
```

## Integration with Other CI Tools
### CodeQL Integration

Combine with GitHub CodeQL:

```yaml
name: Security Analysis
jobs:
  codeql:
    # ... CodeQL setup ...
  alprina:
    needs: codeql # Run after CodeQL
    runs-on: ubuntu-latest
    steps:
      # ... Alprina steps ...
```

### Dependabot Integration
Run Alprina after Dependabot PRs:

```yaml
on:
  pull_request:
    branches: [ main ]
jobs:
  scan-dependencies:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ... run Alprina scan ...
```

## Status Badge
Add a status badge to your README:

```markdown
[![Alprina Security Scan](https://github.com/your-org/your-repo/actions/workflows/alprina.yml/badge.svg)](https://github.com/your-org/your-repo/actions/workflows/alprina.yml)
```

## Troubleshooting
### "Permission denied" Error

Issue: Workflow fails with a permission error

Solution: Add execute permissions:

```yaml
- name: Fix Permissions
  run: chmod +x alprina
```