GitHub Actions

Binary Download + API Scan

Download the binary, run a scan, and upload SARIF results to the GitHub Security tab.

# .github/workflows/security-scan.yml
name: Agent Smith Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  security-events: write  # Required for SARIF upload
  contents: read

jobs:
  api-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Download Agent Smith
        run: |
          curl -fsSL -o agent-smith \
            https://github.com/holgerleichsenring/agent-smith/releases/latest/download/agent-smith-linux-x64
          chmod +x agent-smith

      - name: Run API Security Scan
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          ./agent-smith api-scan \
            --repo ${{ github.workspace }} \
            --output console,sarif,summary \
            --output-dir ./results

      - name: Upload SARIF to GitHub Security
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ./results/results.sarif
          category: agent-smith-api-scan

      - name: Upload Report Artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: ./results/

GitHub Security Tab

The github/codeql-action/upload-sarif@v3 action uploads findings to the Security tab of your repository. Findings appear alongside CodeQL results, with full code location links and severity levels.

Full Security Scan

For a broader security analysis beyond API scanning:

      - name: Run Security Scan
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          ./agent-smith security-scan \
            --repo ${{ github.workspace }} \
            --output console,sarif \
            --output-dir ./results

PR Comment with Findings

Post a Markdown summary as a PR comment:

      - name: Comment on PR
        if: github.event_name == 'pull_request' && always()
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          path: ./results/summary.md
          header: agent-smith-scan

Self-Hosted Runners (ARM64)

For ARM64 runners (e.g., Graviton):

      - name: Download Agent Smith (ARM64)
        run: |
          curl -fsSL -o agent-smith \
            https://github.com/holgerleichsenring/agent-smith/releases/latest/download/agent-smith-linux-arm64
          chmod +x agent-smith

macOS Runners

  api-scan-macos:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download Agent Smith
        run: |
          curl -fsSL -o agent-smith \
            https://github.com/holgerleichsenring/agent-smith/releases/latest/download/agent-smith-osx-arm64
          chmod +x agent-smith

Quality Gate

Fail the workflow when findings exceed a threshold:

      - name: Check Findings
        if: always()
        run: |
          if [ -f ./results/results.sarif ]; then
            ERRORS=$(jq '[.runs[].results[] | select(.level == "error")] | length' ./results/results.sarif)
            echo "Critical findings: $ERRORS"
            if [ "$ERRORS" -gt 0 ]; then
              echo "::error::Found $ERRORS critical security findings"
              exit 1
            fi
          fi
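
The step above counts only `error` results and passes when no SARIF file exists, so a scan that crashed before writing its report would not fail the build. The following is an added example, not part of Agent Smith or the original page, that goes a step further: it applies a limit per SARIF level and fails closed when the report is missing or unreadable. The names `gate`, `count_levels`, `DEFAULT_LIMITS` and the warning limit of 10 are assumptions chosen for illustration.

```python
"""Fail-closed SARIF quality gate (added example, not Agent Smith code)."""
import json
import sys
from collections import Counter

# Assumed policy: maximum number of findings tolerated per SARIF level.
DEFAULT_LIMITS = {"error": 0, "warning": 10}


def count_levels(sarif):
    """Count results per level across all runs of a parsed SARIF log."""
    counts = Counter()
    for run in sarif["runs"]:
        for result in run.get("results") or []:
            # Simplification: a result without an explicit level is counted
            # as "warning", which is SARIF's fallback default.
            counts[result.get("level", "warning")] += 1
    return counts


def gate(path, limits=DEFAULT_LIMITS):
    """Return (passed, messages); a missing or malformed report fails."""
    try:
        with open(path, encoding="utf-8") as fh:
            counts = count_levels(json.load(fh))
    except (OSError, ValueError, KeyError, TypeError, AttributeError) as exc:
        return False, [f"no usable SARIF report at {path}: {exc!r}"]
    messages = [
        f"{counts[level]} {level} findings exceed limit {limit}"
        for level, limit in limits.items()
        if counts[level] > limit
    ]
    return not messages, messages


if __name__ == "__main__":
    report = sys.argv[1] if len(sys.argv) > 1 else "./results/results.sarif"
    ok, problems = gate(report)
    for msg in problems:
        print(f"::error::{msg}")  # GitHub Actions error annotation
    sys.exit(0 if ok else 1)
```

Saved under a name of your choice in the repository, it can replace the shell body of the `Check Findings` step with a single `python3` call.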

Secrets Configuration

Add these in Settings > Secrets and variables > Actions:

| Secret | Required | Description |
| --- | --- | --- |
| ANTHROPIC_API_KEY | Yes | Claude API key |
| GITHUB_TOKEN | Auto | Provided by Actions runtime |