# CVERiskPilot Compliance Scan GitHub Action

Runs `@cveriskpilot/scan` against your codebase, maps findings to compliance controls, and can post results as a PR comment.

## Quick Start
Add this step to any workflow file. The action installs the scanner via `npx --yes @cveriskpilot/scan@latest` and runs it with your chosen preset.

```yaml
# Minimal workflow
name: Compliance Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: devbrewster/cveriskpilot-scan@v1
```
## Full Workflow Example

A complete workflow using all available options, including SARIF upload to GitHub Code Scanning and platform dashboard upload.

```yaml
name: Compliance Scan
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
permissions:
  contents: read
  pull-requests: write
  security-events: write
jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run CVERiskPilot Compliance Scan
        id: scan
        uses: devbrewster/cveriskpilot-scan@v1
        with:
          preset: enterprise
          fail-on: high
          format: sarif
          comment: 'true'
          api-key: ${{ secrets.CRP_API_KEY }}
      # Upload SARIF to GitHub Code Scanning
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: crp-scan-results.sarif
```
## Inputs

All inputs are optional. Configure them under the `with:` key in your workflow step.

| Input | Description | Options | Default |
|---|---|---|---|
| `preset` | Framework preset to use for compliance mapping. | `federal`, `defense`, `enterprise`, `startup`, `devsecops`, `all` | `all` |
| `fail-on` | Severity threshold that causes the action to fail. Any finding at or above this level triggers a non-zero exit code. | `critical`, `high`, `medium`, `low` | `critical` |
| `format` | Additional output format written to disk alongside the default table output. | `json`, `sarif`, `markdown` | (none) |
| `scanners` | Limit which scanners run. Comma-separated list. | `deps`, `secrets`, `iac` | (all scanners) |
| `exclude` | Glob patterns to exclude from scanning. Comma-separated. | Any valid glob pattern | (none) |
| `api-key` | CVERiskPilot API key for uploading results to the platform dashboard. Use a GitHub secret. | API key string | (none) |
| `comment` | Whether to post scan results as a PR comment. | `true`, `false` | `true` |
| `github-token` | GitHub token used for posting PR comments. The default token works for most cases. | GitHub token string | `github.token` |
## Outputs

Access outputs from subsequent steps using `steps.<step-id>.outputs.<name>`.

| Output | Description |
|---|---|
| `exit-code` | `0` = pass, `1` = fail (findings met threshold), `2` = error (scan could not complete). |
| `total-findings` | Total number of findings discovered across all scanners. |
| `critical-count` | Number of findings with CRITICAL severity. |
| `high-count` | Number of findings with HIGH severity. |
| `controls-affected` | Number of unique compliance controls affected by the findings. |
| `comment-id` | GitHub comment ID if a PR comment was posted. Empty if no comment was posted. |
## PR Comments

When `comment: 'true'` (the default), the action posts a detailed summary comment on the pull request. The comment includes:

- Severity summary with color-coded counts (critical, high, medium, low)
- Findings table with file paths, CWE identifiers, and matched compliance controls
- Compliance impact breakdown showing which framework controls are affected
- AI-powered triage verdicts with remediation suggestions

The action uses a hidden HTML marker `<!-- crp-scan-comment -->` to identify its comments. On subsequent runs, it updates the existing comment instead of posting a new one, keeping your PR clean and free of duplicate reports.

Internally, the action uses `actions/github-script@v7` to interact with the GitHub API for comment management.
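The marker-based update described above, as an added example that is not the action's own implementation: the comment is looked up by the hidden marker rather than by author, then updated in place or created. The `listComments`, `updateComment` and `createComment` methods and their parameters are the real Octokit REST calls that `actions/github-script` exposes as `github.rest.issues`; the in-memory `fakeIssuesClient` and the report body layout are constructed for this example.

```javascript
// Added example, not the action's own implementation: create-or-update a PR
// comment keyed on the hidden marker, through the `github.rest.issues` client
// that actions/github-script exposes. The Octokit method names and parameters
// used here (listComments, createComment, updateComment) are the real ones.
const MARKER = '<!-- crp-scan-comment -->';

function findMarkedComment(comments, marker = MARKER) {
  // The marker, not the author login, is the identity: other workflows also
  // comment as github-actions[bot], so matching on author would collide.
  return comments.find((c) => typeof c.body === 'string' && c.body.includes(marker)) || null;
}

function planCommentUpdate(comments, marker = MARKER) {
  const existing = findMarkedComment(comments, marker);
  return existing ? { op: 'update', commentId: existing.id } : { op: 'create' };
}

function renderBody(summary, marker = MARKER) {
  // Keep the marker on the first line so the next run can find this comment.
  const { critical = 0, high = 0, medium = 0, low = 0, controlsAffected = 0 } = summary;
  return [
    marker,
    '### CVERiskPilot Compliance Scan',
    '',
    '| Severity | Count |',
    '|---|---|',
    `| Critical | ${critical} |`,
    `| High | ${high} |`,
    `| Medium | ${medium} |`,
    `| Low | ${low} |`,
    '',
    `Compliance controls affected: ${controlsAffected}`,
  ].join('\n');
}

async function upsertScanComment(issues, owner, repo, issueNumber, body) {
  if (!body.includes(MARKER)) {
    throw new Error('comment body must carry the marker, or the next run will post a duplicate');
  }
  // listComments is paged; read every page so a report buried under later
  // review comments on a long PR is still found.
  const comments = [];
  for (let page = 1; ; page += 1) {
    const { data } = await issues.listComments({ owner, repo, issue_number: issueNumber, per_page: 100, page });
    comments.push(...data);
    if (data.length < 100) break;
  }
  const plan = planCommentUpdate(comments);
  if (plan.op === 'update') {
    const { data } = await issues.updateComment({ owner, repo, comment_id: plan.commentId, body });
    return { op: 'update', commentId: data.id };
  }
  const { data } = await issues.createComment({ owner, repo, issue_number: issueNumber, body });
  return { op: 'create', commentId: data.id };
}

// Constructed in-memory stand-in for github.rest.issues so the flow runs offline.
function fakeIssuesClient(seedComments) {
  const store = seedComments.map((c) => ({ ...c }));
  let nextId = 1000;
  return {
    store,
    async listComments({ per_page, page }) {
      return { data: store.slice((page - 1) * per_page, page * per_page) };
    },
    async updateComment({ comment_id, body }) {
      const target = store.find((c) => c.id === comment_id);
      target.body = body;
      return { data: target };
    },
    async createComment({ body }) {
      const created = { id: nextId, body };
      nextId += 1;
      store.push(created);
      return { data: created };
    },
  };
}
```

Inside a `github-script` step the call is `await upsertScanComment(github.rest.issues, context.repo.owner, context.repo.repo, context.issue.number, renderBody(summary))`, and the returned `commentId` is what an output like `comment-id` would carry. Two points worth knowing when wiring this up: the workflow needs `pull-requests: write` (as in the full example above), and on `pull_request` events triggered from a fork the default `GITHUB_TOKEN` is read-only, so `createComment` fails with a 403 rather than silently posting nothing; the function lets that error propagate instead of swallowing it.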
## Common Workflow Examples

```yaml
# Startup preset, failing only on critical findings
- uses: devbrewster/cveriskpilot-scan@v1
  with:
    preset: startup
    fail-on: critical
```

```yaml
# Defense preset for CMMC compliance, failing on high or above
- name: CMMC Compliance Scan
  uses: devbrewster/cveriskpilot-scan@v1
  with:
    preset: defense
    fail-on: high
```

```yaml
# SARIF output uploaded to GitHub Code Scanning
- name: Compliance Scan
  id: scan
  uses: devbrewster/cveriskpilot-scan@v1
  with:
    format: sarif
- name: Upload SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: crp-scan-results.sarif
```

```yaml
# Dependency scanner only
- uses: devbrewster/cveriskpilot-scan@v1
  with:
    scanners: deps
    fail-on: high
```

```yaml
# Enterprise preset with test, fixture and docs paths excluded
- uses: devbrewster/cveriskpilot-scan@v1
  with:
    preset: enterprise
    exclude: '**/test/**,**/fixtures/**,docs/**'
```
## Using Outputs

Reference outputs from the scan step in subsequent steps to build conditional workflows, send notifications, or gate deployments.

```yaml
steps:
  - uses: actions/checkout@v4
  - name: Run Compliance Scan
    id: scan
    uses: devbrewster/cveriskpilot-scan@v1
    with:
      preset: enterprise
      fail-on: high
  - name: Check Results
    if: always()
    run: |
      echo "Exit code: ${{ steps.scan.outputs.exit-code }}"
      echo "Total findings: ${{ steps.scan.outputs.total-findings }}"
      echo "Critical: ${{ steps.scan.outputs.critical-count }}"
      echo "High: ${{ steps.scan.outputs.high-count }}"
      echo "Controls affected: ${{ steps.scan.outputs.controls-affected }}"
  - name: Block Deploy on Critical
    if: steps.scan.outputs.critical-count != '0'
    run: |
      echo "Blocking deployment: ${{ steps.scan.outputs.critical-count }} critical findings"
      exit 1
```
## How It Works

The GitHub Action is a composite action that orchestrates three steps internally:

1. Setup Node.js: uses `actions/setup-node@v4` to ensure Node.js 20 is available in the runner environment.
2. Run Scanner: executes `npx --yes @cveriskpilot/scan@latest` with the configured preset, scanners, and output options.
3. Post Comment: uses `actions/github-script@v7` to post or update the PR comment with scan results.

The action outputs SARIF 2.1.0 format when `format: sarif` is specified, making it compatible with GitHub Code Scanning and other SARIF-compatible tools. Branding uses a shield icon with blue color in the GitHub Marketplace listing.
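The `fail-on` threshold from the inputs table and the `exit-code` contract (0 pass, 1 fail, 2 error) from the outputs table, rebuilt over a SARIF 2.1.0 file, as an added example that is not the scanner's or the action's code. It reads severity from each rule's `security-severity` property using the thresholds GitHub Code Scanning documents (9.0 and above critical, 7.0 to 8.9 high, 4.0 to 6.9 medium, below 4.0 low); whether the real `crp-scan-results.sarif` populates that property is not shown on this page and is an assumption, so rules without it fall back to the SARIF `level` (this example's own choice). The sample SARIF document and its rule ids are constructed.

```javascript
// Added example, not the scanner's own code: rebuild the action's pass/fail gate
// from a SARIF 2.1.0 document. Severity comes from the rule's `security-severity`
// property, using the thresholds GitHub Code Scanning documents (9.0+ critical,
// 7.0-8.9 high, 4.0-6.9 medium, below 4.0 low); a rule without that property falls
// back to the result `level` (this example's own choice, not GitHub's rule).
const RANK = { critical: 4, high: 3, medium: 2, low: 1 };
const LEVEL_FALLBACK = { error: 'high', warning: 'medium', note: 'low', none: 'low' };

function severityFromScore(score) {
  if (score >= 9) return 'critical';
  if (score >= 7) return 'high';
  if (score >= 4) return 'medium';
  return 'low';
}

function resultSeverity(result, rulesById) {
  const rule = rulesById.get(result.ruleId);
  const raw = rule && rule.properties ? rule.properties['security-severity'] : undefined;
  const score = raw === undefined ? NaN : Number(raw);
  if (Number.isFinite(score)) return severityFromScore(score);
  // SARIF's default level when the field is absent is "warning".
  return LEVEL_FALLBACK[result.level || 'warning'] || 'low';
}

function summarize(sarif) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const run of sarif.runs) {
    const rules = (run.tool && run.tool.driver && run.tool.driver.rules) || [];
    const rulesById = new Map(rules.map((r) => [r.id, r]));
    for (const result of run.results || []) {
      counts[resultSeverity(result, rulesById)] += 1;
    }
  }
  return counts;
}

// Same contract as the action's exit-code output: 0 pass, 1 fail, 2 error.
function gate(counts, failOn) {
  const threshold = RANK[failOn];
  if (threshold === undefined) return 2;
  const tripped = Object.keys(counts).some((sev) => counts[sev] > 0 && RANK[sev] >= threshold);
  return tripped ? 1 : 0;
}

function gateSarifText(text, failOn) {
  let sarif;
  try {
    sarif = JSON.parse(text);
  } catch (err) {
    return { exitCode: 2, counts: null, error: 'not valid JSON' };
  }
  if (!sarif || !Array.isArray(sarif.runs)) {
    return { exitCode: 2, counts: null, error: 'no SARIF runs array' };
  }
  const counts = summarize(sarif);
  return { exitCode: gate(counts, failOn), counts, error: null };
}

// Constructed sample, not real scanner output; rule ids are made up.
const SAMPLE_SARIF = JSON.stringify({
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'example-scanner', rules: [
      { id: 'EX-DEPS-1', properties: { 'security-severity': '7.5' } },
      { id: 'EX-SECRET-1', properties: { 'security-severity': '5.0' } },
      { id: 'EX-IAC-1' },
    ] } },
    results: [
      { ruleId: 'EX-DEPS-1', level: 'error', message: { text: 'vulnerable dependency' } },
      { ruleId: 'EX-DEPS-1', level: 'error', message: { text: 'vulnerable dependency' } },
      { ruleId: 'EX-SECRET-1', level: 'error', message: { text: 'credential in source' } },
      { ruleId: 'EX-IAC-1', level: 'warning', message: { text: 'storage bucket publicly readable' } },
      { ruleId: 'EX-IAC-1', level: 'note', message: { text: 'resource missing owner tag' } },
    ],
  }],
});
```

To run it against a real file, read `crp-scan-results.sarif` with `fs.readFileSync` and pass the text to `gateSarifText(text, 'high')`; the returned `exitCode` is what a `run:` step would `exit` with. On the constructed sample the counts are two high, two medium and one low, so `fail-on: critical` passes (0) while `fail-on: high` fails (1), and an unparsable file or an unknown threshold yields 2, matching the "scan could not complete" meaning of that code.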
