CI/CD action

The ANTHRION GitHub Action gates a pipeline on a security scan: it creates a scan, waits for it to finish, writes a job summary, and fails the step when findings breach your severity threshold. It is a thin wrapper over the REST API — no scanning logic in your CI.

Setup

  1. Create a machine API key in the dashboard.
  2. Add it to your repository as a secret named ANTHRION_API_KEY (Settings → Secrets and variables → Actions).
  3. Add a step that runs the action and reads the secret.
```yaml
name: Security scan
on: [pull_request]

jobs:
  anthrion:
    runs-on: ubuntu-latest
    steps:
      - uses: anthrion/scan-action@v1
        with:
          api-key: ${{ secrets.ANTHRION_API_KEY }}
          target: https://github.com/owner/repo
          scan-type: white-box
          fail-on: high
```

Availability

The inputs below are stable. The standalone Marketplace action is rolling out — until it lands, the same action runs in-repo. Set up your ANTHRION_API_KEY secret now and it will work unchanged. Iteration-1 scope: the scan target is a public github.com repository.

Inputs

| Input | Default | Description |
|---|---|---|
| api-key | — (required) | Machine API key, from a repo secret |
| target | current repo | Public github.com repository URL to scan |
| scan-type | white-box | white-box, github-trust or leaked-secrets |
| fail-on | high | Minimum severity that fails the build: critical, high, medium, low, never |
| timeout-minutes | 15 | How long to wait for the scan to finish |
| poll-interval-seconds | 10 | How often to poll the scan status |
| api-base-url | https://api.anthrion.xyz | API base URL |

Outputs

scan-id, status (DONE / FAILED / TIMEOUT), gate (pass / fail), and the finding counts: findings-total, findings-critical, findings-high, findings-medium, findings-low, findings-info. Use them in later steps (post a comment, update a dashboard).

Exit behavior

  • Pass — findings are below fail-on: the step exits 0.
  • Fail — findings at or above fail-on: the step exits 1 and the build fails.
  • A FAILED or timed-out scan always fails the step — a pipeline never goes green without the code actually being scanned.
  • A 402 (payment required) fails with a clear message: CI cannot pay interactively. During launch, scans are free, so this does not occur.