
GitHub Actions Integration

Automate Alprina security scans in your GitHub Actions workflows.

Quick Start

Create .github/workflows/security-scan.yml:

```yaml
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  alprina-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install Alprina
        run: pip install alprina-cli

      - name: Run security scan
        run: alprina scan ./src --output results.json --fail-on high
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}

      - name: Upload results
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: alprina-results
          path: results.json
```

Setup Steps

1. Add API Key to Secrets

  1. Go to your repository on GitHub
  2. Navigate to Settings > Secrets and variables > Actions
  3. Click New repository secret
  4. Name: ALPRINA_API_KEY
  5. Value: your API key from the Alprina dashboard
  6. Click Add secret

2. Create Workflow File

Create .github/workflows/security-scan.yml with the configuration above.

3. Commit and Push

```bash
git add .github/workflows/security-scan.yml
git commit -m "Add Alprina security scanning"
git push
```
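A hardened version of the Quick Start workflow, added here as an example (it is not the project's own snippet). It keeps the `alprina scan` flags used on this page and assumes the job id `security-scan` that the branch-protection section below refers to; everything else is standard GitHub Actions syntax. Compared with the Quick Start it restricts `GITHUB_TOKEN` to read-only, exposes the API key only to the one step that needs it, caps the job's runtime, cancels superseded runs on the same ref, and uses the current major versions of the official actions (GitHub has retired v3 of the artifact action):

```yaml
name: Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege: a scan only needs to read the checkout. This workflow-level
# default applies to every job that does not override it.
permissions:
  contents: read

# A newer push to the same branch/PR cancels the run it supersedes.
concurrency:
  group: security-scan-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  security-scan:           # job id doubles as the status-check name in branch protection
    runs-on: ubuntu-latest
    timeout-minutes: 30    # well below GitHub's 360-minute default
    steps:
      # In production replace each version tag with the action's full commit SHA
      # (keep the version in a trailing comment) so a re-pointed tag cannot change
      # what runs in your pipeline.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config for later steps

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install Alprina
        run: pip install alprina-cli

      - name: Run security scan
        # The secret is scoped to this step only, not to the whole job.
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
        run: alprina scan ./src --output results.json --fail-on high

      - name: Upload results
        if: always()       # keep the report even when the scan fails the job
        uses: actions/upload-artifact@v4
        with:
          name: alprina-results
          path: results.json
          retention-days: 30
```

One caveat that applies to every workflow on this page: for `pull_request` runs triggered from a fork, GitHub withholds repository secrets, so `ALPRINA_API_KEY` is empty and the scan step fails. Do not switch the trigger to `pull_request_target` to get the secret back; that event runs with the base repository's secrets against code the fork author controls, which is exactly the situation an attacker wants.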

Workflow Configurations

Basic Scan on Push

Scan code on every push to main:

```yaml
name: Security Scan

on:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: pip install alprina-cli
      - run: alprina scan ./src
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
```

Fail Build on High Severity

Make the scan step exit non-zero when findings of high severity or above are present, which fails the job. On its own this only turns the check red; it blocks a merge once the job is a required status check on the target branch (see Integration with Branch Protection below):

```yaml
      - name: Security scan with failure threshold
        run: alprina scan ./src --fail-on high
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
```

Scan Only Changed Files

Scan only the files changed in the push or pull request. Two caveats: `tj-actions/changed-files` is a third-party action, so pin it to a full commit SHA rather than a tag (in the March 2025 compromise of that action, CVE-2025-30066, its version tags were re-pointed at code that dumped runner secrets into the job log); and the file list is passed through an environment variable instead of being expanded directly into the script, so a crafted filename cannot inject shell commands. The loop also records a failed scan rather than discarding it with `|| true`, so a finding still fails the job:

```yaml
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@v39   # pin to a full commit SHA in production

      - name: Scan changed files
        if: steps.changed-files.outputs.all_changed_files != ''
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          status=0
          # The output is space-separated; filenames containing spaces are not handled here.
          for file in $CHANGED_FILES; do
            alprina scan "$file" || status=1   # keep scanning, but remember the failure
          done
          exit "$status"
```

Matrix Strategy for Multiple Languages

Scan different parts of a monorepo in parallel. A matrix is fail-fast by default: the first leg that fails cancels the others, so set `fail-fast: false` under `strategy` if you want results for every target:

```yaml
jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        target:
          - path: './frontend'
            language: 'javascript'
          - path: './backend'
            language: 'python'
          - path: './api'
            language: 'go'
    steps:
      - uses: actions/checkout@v3
      - run: pip install alprina-cli
      - name: Scan ${{ matrix.target.path }}
        run: alprina scan ${{ matrix.target.path }} --language ${{ matrix.target.language }}
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
```

Schedule Weekly Deep Scans

Run comprehensive scans weekly. Cron schedules are evaluated in UTC, and scheduled workflows always run against the latest commit on the default branch:

```yaml
on:
  schedule:
    - cron: '0 0 * * 0'   # Every Sunday at 00:00 UTC

jobs:
  comprehensive-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: pip install alprina-cli
      - run: alprina scan ./src --profile comprehensive --output weekly-scan.json
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
      - uses: actions/upload-artifact@v3
        with:
          name: weekly-scan
          path: weekly-scan.json
          retention-days: 90
```

Advanced Configurations

With Caching

Speed up the workflow by caching pip's download cache between runs. The key below is derived from requirements.txt; if the repository has none, `hashFiles` evaluates to an empty string and the key degrades to `<os>-pip-`, which still works but never invalidates. (`actions/setup-python` also offers `cache: pip`, but it requires a requirements file to exist.)

```yaml
      - name: Cache pip packages
        uses: actions/cache@v3
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
          restore-keys: |
            ${{ runner.os }}-pip-

      - name: Install Alprina
        run: pip install alprina-cli
```

Comment on PR with Results

Post a summary of the scan as a PR comment. Three things to know: `continue-on-error: true` keeps the job green even when the scan fails, so the comment is posted but nothing gates the merge unless a later step re-raises the failure; `createComment` needs `pull-requests: write` on the job's `GITHUB_TOKEN`, which the restricted default token permissions do not grant; and for `pull_request` runs from forks the token is read-only and repository secrets are withheld, so both the scan and the comment fail there. The `summary` fields read below are the results.json layout this page assumes:

```yaml
      - name: Run scan
        id: scan
        run: alprina scan ./src --output results.json
        continue-on-error: true
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}

      - name: Comment PR
        uses: actions/github-script@v6
        if: github.event_name == 'pull_request'
        with:
          script: |
            const fs = require('fs');
            const results = JSON.parse(fs.readFileSync('results.json', 'utf8'));
            const comment = `
            ## Alprina Security Scan Results

            **Findings:** ${results.summary.total_findings}
            - Critical: ${results.summary.critical || 0}
            - High: ${results.summary.high || 0}
            - Medium: ${results.summary.medium || 0}
            - Low: ${results.summary.low || 0}
            `;
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment
            });
```
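A complete comment-and-gate job, added here as an example rather than taken from the project: it grants the token only the permission the comment needs, skips the comment on fork PRs where the token is read-only, copes with a scan that produced no results.json, and re-raises the scan failure that `continue-on-error` hid so the check is red. The `alprina scan` flags and the `summary` JSON fields are the ones this page uses; the job id and the workflow name are my own choices.

```yaml
name: PR Security Scan

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: write   # needed by issues.createComment on a pull request

jobs:
  security-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - run: pip install alprina-cli

      - name: Run scan
        id: scan
        continue-on-error: true   # keep the job alive so the results can be posted
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
        run: alprina scan ./src --output results.json --fail-on high

      - name: Comment PR
        # A pull_request run from a fork gets a read-only GITHUB_TOKEN, so
        # createComment would fail there; only comment on same-repo PRs.
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            let body;
            if (fs.existsSync('results.json')) {
              // results.json layout as assumed on this page: a top-level "summary" object
              const s = JSON.parse(fs.readFileSync('results.json', 'utf8')).summary;
              body = `## Alprina Security Scan Results
            **Findings:** ${s.total_findings}
            - Critical: ${s.critical || 0}
            - High: ${s.high || 0}
            - Medium: ${s.medium || 0}
            - Low: ${s.low || 0}

            Scan step outcome: **${{ steps.scan.outcome }}**`;
            } else {
              body = '## Alprina Security Scan Results\nThe scan produced no results.json; check the workflow log.';
            }
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body,
            });

      - name: Enforce scan result
        # continue-on-error swallowed the failure above; surface it as the job result.
        if: steps.scan.outcome == 'failure'
        run: |
          echo "Security scan failed; see the PR comment or the workflow log."
          exit 1
```

`${{ steps.scan.outcome }}` is expanded by GitHub before the script reaches Node, so it is a plain string inside the template literal; the `${s.…}` placeholders use a single brace and are left for JavaScript to evaluate.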

Generate HTML Report

Create an HTML report and publish it with GitHub Pages. Write the report into its own directory and publish only that directory: with `publish_dir: ./` the entire checkout, source code included, is pushed to the gh-pages branch. The deploy action pushes to the repository, so the job needs `contents: write` on `GITHUB_TOKEN`, and a public Pages site makes the findings public, so keep this to private repositories or private Pages sites:

```yaml
      - name: Run scan
        run: |
          mkdir -p report
          alprina scan ./src --output report/index.html
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}

      - name: Deploy report to GitHub Pages
        uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./report
          keep_files: true
```

Conditional Scans

Run a stricter scan only when a push touches security-sensitive paths. The naive `git diff` version has three pitfalls: `actions/checkout` fetches a single commit by default, so diffing against `github.event.before` fails unless the checkout uses `fetch-depth: 0`; on the first push of a new branch `github.event.before` is the all-zero SHA and the diff fails too; and `github.event.before` does not exist on `pull_request` events. A failed diff used to leave the output unset and silently skip the scan. The step below fails closed (scans whenever the diff cannot be computed) and passes the SHAs through environment variables rather than interpolating them into the script. The pattern also matches unrelated names such as `author`; tighten it for your tree:

```yaml
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # the diff below needs the previous commit, not just HEAD

      - name: Check if security-sensitive files changed
        id: security-check
        env:
          BEFORE: ${{ github.event.before }}
          AFTER: ${{ github.sha }}
        run: |
          if ! changed=$(git diff --name-only "$BEFORE" "$AFTER" 2>/dev/null); then
            # Unknown base (first push, shallow clone, non-push event): fail closed.
            echo "security_changed=true" >> "$GITHUB_OUTPUT"
          elif echo "$changed" | grep -Eq '(auth|security|crypto)'; then
            echo "security_changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "security_changed=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Run security scan
        if: steps.security-check.outputs.security_changed == 'true'
        run: alprina scan ./src --fail-on medium
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
```
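GitHub can do the path test itself, which avoids the diff-base problems entirely. The workflow below is an added example (not from the project) that triggers only when files under a directory named `auth`, `security` or `crypto` change and then runs the stricter scan; the glob patterns are my narrowing of the page's `(auth|security|crypto)` regex, and the job id is an assumption.

```yaml
name: Security-Sensitive Paths Scan

on:
  push:
    branches: [main]
    paths:
      - '**/auth/**'
      - '**/security/**'
      - '**/crypto/**'
  pull_request:
    branches: [main]
    paths:
      - '**/auth/**'
      - '**/security/**'
      - '**/crypto/**'

permissions:
  contents: read

jobs:
  sensitive-scan:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - run: pip install alprina-cli
      - name: Strict scan of security-sensitive code
        env:
          ALPRINA_API_KEY: ${{ secrets.ALPRINA_API_KEY }}
        run: alprina scan ./src --fail-on medium   # lower threshold than the routine scan
```

Keep this job out of branch protection's required checks, or give it no `paths:` filter: a required check that never runs because the filter did not match stays pending and blocks the merge of every PR that does not touch those paths.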

Integration with Branch Protection

Require security scans to pass before merging:

1. Add Status Check

The entry that appears in the branch protection list is the job's `name:` if one is set, otherwise the job id (`security-scan` below). Each leg of a matrix job shows up as its own check.

```yaml
jobs:
  security-scan:   # This name appears in branch protection
    runs-on: ubuntu-latest
    steps:
      # ... scan steps
```

2. Configure Branch Protection

  1. Go to Settings > Branches
  2. Add rule for main branch
  3. Enable Require status checks to pass
  4. Select security-scan from the list
  5. Save changes

Now PRs cannot be merged until the security scan passes.

Troubleshooting

API Key Not Found

Error: ALPRINA_API_KEY not set

Solution:

  1. Verify the secret is added to the repository
  2. Check that the secret name matches the workflow file
  3. Ensure the secret is not empty
  4. Check how the run was triggered: GitHub does not pass repository secrets to `pull_request` runs from forks or to Dependabot-triggered runs, so the variable is empty there by design

Permission Denied

Error: 403 Forbidden

Solution:

  1. Regenerate API key in dashboard
  2. Update GitHub secret
  3. Retry workflow

Scan Timeout

Error: the job hits GitHub's default job limit of 6 hours (360 minutes)

Solution: a scan that runs that long is almost always stuck. Set a job timeout so the failure surfaces quickly, and narrow the scan target or use changed-files scanning if a full scan legitimately takes long:

```yaml
jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 30   # Add timeout
```

Cache Issues

Clear cache if builds become inconsistent:

  1. Go to Actions tab
  2. Click Caches in sidebar
  3. Delete old caches

Best Practices

  1. Use Secrets: Never hardcode API keys
  2. Cache Dependencies: Reduce build time
  3. Fail on High Severity: Block critical vulnerabilities
  4. Save Artifacts: Keep scan results for compliance
  5. Run on PRs: Catch issues before merging
  6. Schedule Deep Scans: Regular comprehensive audits
  7. Monitor Credits: Track usage in dashboard
  8. Pin Third-Party Actions: Reference a full commit SHA, not a mutable tag
  9. Least Privilege: Set `permissions:` on the workflow so `GITHUB_TOKEN` has only the access each job needs

Examples Repository

See complete examples at:
