GitHub Action (Marketplace)
The official vulkro-security-scan action runs a diff-aware,
offline-first scan against your pull requests and posts a single
PR-scoped comment. It also exposes a fail-on gate so you can block
merges on new Critical/High findings without rewriting your workflow.
Looking for the raw curl install recipe instead? See GitHub Actions.
Install
```yaml
name: vulkro
on:
  pull_request:
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: arpitsharma/vulkro/.github/actions/vulkro@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
`fetch-depth: 0` is required so that `git diff <base>...HEAD` can resolve both sides of the merge; the default shallow clone (depth 1) contains only the PR head commit, so the base ref would not exist locally.
Inputs
| Input | Default | Description |
|---|---|---|
| `path` | `.` | Project root to scan. |
| `format` | `gh-pr` | Output formatter for the PR comment. |
| `gate-vs` | `${{ github.event.pull_request.base.sha }}` | Git ref to diff against. Findings outside the changed lines are surfaced but excluded from the gate. |
| `min-confidence` | `high` | Minimum confidence to surface: `high`, `medium` or `low`. |
| `fail-on` | `critical,high` | Comma-separated severities that fail the job. |
| `vulkro-version` | `latest` | Release tag to install. |
Outputs
| Output | Description |
|---|---|
| `findings-json` | Path to the JSON scan output produced by the action. |
| `new-finding-count` | Number of findings introduced by this PR vs the base ref. |
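The following workflow is an added example (not from the vulkro docs or the action's own source) showing how downstream steps consume the two outputs above. Reading an output requires an `id:` on the step; the step id `vulkro`, the artifact name `vulkro-findings` and the `if: always()` placement are assumptions, as is that the action populates its outputs before the gate fails the step.

```yaml
# Added example: consume findings-json and new-finding-count in later steps.
# Assumes the step id `vulkro` and the artifact name `vulkro-findings`.
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - id: vulkro                      # an id is required to reference outputs
        uses: arpitsharma/vulkro/.github/actions/vulkro@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Keep the full-repo finding set even when the gate fails the job,
      # so the failure can be triaged from the artifact.
      - if: always()
        uses: actions/upload-artifact@v4
        with:
          name: vulkro-findings
          path: ${{ steps.vulkro.outputs.findings-json }}
      # Surface the PR-scoped count in the job summary. The output is passed
      # through an environment variable rather than interpolated into the
      # script body, which avoids expression injection into the shell.
      - if: always()
        env:
          NEW_FINDINGS: ${{ steps.vulkro.outputs.new-finding-count }}
        run: echo "New findings vs base: $NEW_FINDINGS" >> "$GITHUB_STEP_SUMMARY"
```

Passing outputs via `env:` instead of writing `${{ ... }}` inside `run:` is a habit worth keeping for every action output, not just this one: anything interpolated into the script body is substituted before the shell parses it.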
PR comment
The action posts a single comment per PR, scoped to the diff. To enable it, the workflow must grant write access to pull requests and expose `GITHUB_TOKEN` to the step:

```yaml
permissions:
  contents: read
  pull-requests: write
# ...
      - uses: arpitsharma/vulkro/.github/actions/vulkro@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

If the permissions are missing, the comment is skipped with a warning; the scan and the gate still run. The same happens for pull requests opened from forks, where `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so the gate result rather than the comment is what you should rely on there.
Fail-on gate
Tighten or loosen the gate without touching the rest of the workflow:
```yaml
      - uses: arpitsharma/vulkro/.github/actions/vulkro@v1
        with:
          fail-on: critical,high,medium   # block on anything from medium up
          min-confidence: medium          # ...but only surface medium+ to begin with
```
The gate considers only findings that intersect the PR's changed lines
(via --gate-vs). The full-repo finding set is still written to
findings-json for downstream consumers.
Ratchet pinning
For production pipelines, pin to a specific release tag rather than a floating major:

```yaml
      - uses: arpitsharma/vulkro/.github/actions/vulkro@action-v1.0.0
```

`@v1` floats with patch and minor releases, so the action code that runs in your pipeline can change without any change to your workflow; `@action-v1.0.0` is intended to stay fixed. A tag is still a mutable git ref that the upstream repository can move, however, so a tag pin on its own is not byte-for-byte reproducible. For a truly immutable pin, reference the full 40-character commit SHA that the tag resolves to (`git ls-remote --tags` against the action repository shows it) and keep the tag name in a trailing comment for readability. The same applies to `actions/checkout@v4` and every other action in the workflow.
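As an added example (not part of vulkro or its action), the step below can be appended to the `scan` job after the checkout step to fail the job whenever any `uses:` reference in `.github/workflows` is not pinned to a full commit SHA (or, for `docker://` images, a `sha256:` digest). The step name and error text are assumptions. Note that the workflow's own `actions/checkout` and vulkro lines must already be SHA-pinned, or this check flags them too.

```yaml
# Added example: lint every workflow for floating action references.
# Append to the `scan` job after `actions/checkout`; no extra permissions needed.
      - name: Fail on floating action refs
        run: |
          # First grep: every `uses:` that carries an @ref (local `./` actions have none).
          # Second grep drops refs that are a full 40-hex commit SHA or a sha256 image
          # digest; a trailing "# action-v1.0.0" comment after the SHA is allowed.
          floating=$(grep -rnE '^\s*-?\s*uses:\s*[^ ]+@' .github/workflows/ \
                     | grep -vE '@([0-9a-f]{40}|sha256:[0-9a-f]{64})(\s|$)' || true)
          if [ -n "$floating" ]; then
            echo "$floating"
            echo "::error::Pin every action to a full commit SHA (uses: owner/repo@<sha> # tag)"
            exit 1
          fi
```

The `|| true` keeps `set -e` from treating "no floating refs found" (grep exit status 1) as a failure; the explicit `exit 1` is the only path that fails the job.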
Monorepo matrix
Each subdirectory gets its own scan and its own PR comment. Note that `strategy.fail-fast` defaults to `true`, so one service failing the gate cancels the remaining matrix jobs; set `fail-fast: false` if you want every service scanned on each run.

```yaml
jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        service: [api, billing, search]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: arpitsharma/vulkro/.github/actions/vulkro@v1
        with:
          path: services/${{ matrix.service }}
          fail-on: critical,high,medium
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
Self-hosted / air-gapped runners
The install step skips the download if `vulkro` is already on `$PATH`. Pre-stage the binary at `$RUNNER_TEMP/vulkro-bin/vulkro` (or anywhere on `PATH`) in a prior step and the action reuses it. The release source repo can also be overridden via the `VULKRO_RELEASE_REPO` environment variable if you mirror releases internally. Whichever route you take, the mirror is now part of your supply chain: verify the staged binary's hash against a value recorded from the upstream release before placing it on `PATH`, so that a tampered or stale mirror copy fails the job instead of silently running the scan.
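The workflow below is an added example (not from the vulkro docs) of pre-staging a mirrored binary on an air-gapped runner with a checksum check before the action picks it up. The mirror path `/opt/mirror/vulkro/v1.0.0/vulkro`, the runner labels and the repository variable `VULKRO_SHA256` are invented for illustration; substitute your own.

```yaml
# Added example: stage a mirrored vulkro binary and verify it before use.
# Assumptions: mirror path, runner labels and the VULKRO_SHA256 variable.
jobs:
  scan:
    runs-on: [self-hosted, linux, airgapped]
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Stage vulkro from internal mirror
        env:
          MIRROR_BIN: /opt/mirror/vulkro/v1.0.0/vulkro          # assumed mirror layout
          EXPECTED_SHA256: ${{ vars.VULKRO_SHA256 }}             # recorded from the upstream release
        run: |
          set -euo pipefail
          install -d "$RUNNER_TEMP/vulkro-bin"
          # Fail closed: on a hash mismatch nothing is copied onto PATH, so the
          # action would attempt its normal download (which fails offline)
          # rather than run an unverified binary.
          echo "$EXPECTED_SHA256  $MIRROR_BIN" | sha256sum -c -
          install -m 0755 "$MIRROR_BIN" "$RUNNER_TEMP/vulkro-bin/vulkro"
          echo "$RUNNER_TEMP/vulkro-bin" >> "$GITHUB_PATH"
      - uses: arpitsharma/vulkro/.github/actions/vulkro@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The binary is placed at the exact path the action checks (`$RUNNER_TEMP/vulkro-bin/vulkro`) and that directory is also appended to `$GITHUB_PATH`, so either detection route described above finds it. If your mirror serves GitHub-style releases instead of a bare file, set `VULKRO_RELEASE_REPO` on the action step and let it download; the hash check still belongs on whatever lands in the runner.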