Securie for GitHub Actions — CI-native security gate
Status: in-progress

The `securie/action@v1` GitHub Action runs Securie review as a CI step, posts annotations on the PR diff where fixes are needed, and fails the build on critical findings. Configuration is minimal: the action reads Securie's remote policy, so fail severity and reporting style can be controlled centrally rather than per workflow.
What it does
- Runs Securie review as a step in your workflow.
- Posts annotations on the PR diff (the same GitHub UI that shows ESLint warnings), so every finding appears at the line that caused it.
- Fails the workflow if the review finds critical issues, or issues at whatever threshold you configure.
- Uploads a SARIF report to GitHub's Code Scanning tab for team-wide visibility.
- Runs alongside the GitHub App integration rather than replacing it; useful if you prefer review wired into CI over PR-bot review.
When to use it
Best fit: teams where CI is the canonical integration point and other tools (Snyk, CodeQL, Semgrep) are already wired as actions. Good for teams that want the scan to happen in a known environment with cached dependencies, rather than in the GitHub App's sandbox.
Limitations
Availability is a managed rollout; the action only works once your repo has been enabled. Because it runs as part of the workflow, the review counts against your GitHub Actions minutes. It requires either a Securie API token (stored as a GitHub secret) or the Securie GitHub App for OAuth. It cannot open fix PRs on its own; that feature requires the GitHub App.
Install
- When your repo is enabled, add a workflow step to `.github/workflows/ci.yml`:

```yaml
- uses: securie/action@v1
  with:
    token: ${{ secrets.SECURIE_TOKEN }} # or OAuth via the GitHub App
    fail-on-severity: critical          # critical | high | medium | none
```

- Push a branch and open a PR; findings appear as annotations inline on the diff.
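A complete workflow around that step, as an added example that is not from the Securie project or this page: the job layout, trigger, `permissions` block and the fork-PR guard are assumptions, and the only inputs taken from the page are `token` and `fail-on-severity`. It scopes the job's `GITHUB_TOKEN` to least privilege (a SARIF upload to Code Scanning needs `security-events: write`; the annotation permissions are an assumption to check against the action's own docs) and skips the step on pull requests from forks, where GitHub does not expose repository secrets, so `SECURIE_TOKEN` would be empty and the step would fail.

```yaml
# .github/workflows/ci.yml (assumed layout; example only, not Securie's own)
name: ci

on:
  pull_request:
    branches: [main]

# Least-privilege token for the whole job. Grant only what the review step needs:
#  - security-events: write is required for any SARIF upload to Code Scanning
#  - checks: write / pull-requests: write are assumed to be what the action
#    needs to post inline annotations (assumption; verify in the action's docs)
permissions:
  contents: read
  checks: write
  pull-requests: write
  security-events: write

jobs:
  securie:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Repository secrets are not passed to pull_request runs from forks, so
      # SECURIE_TOKEN is empty there. Gate the step to same-repo PRs (or use the
      # GitHub App OAuth path) if you accept fork PRs.
      - uses: securie/action@v1
        if: github.event.pull_request.head.repo.full_name == github.repository
        with:
          token: ${{ secrets.SECURIE_TOKEN }}
          fail-on-severity: critical
```

If the default `GITHUB_TOKEN` permissions in your org are already read-only, the explicit `permissions` block is what lets the step write annotations and upload SARIF; without `security-events: write` the upload is rejected, and without the fork guard an outside contributor's PR fails on the review step rather than on the code.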