Skip to main content
By default, CybeDefend can scan GitHub repos in the cloud. If you prefer not to grant direct GitHub access, you can run local scans in your GitHub Actions pipeline, uploading code to CybeDefend yourself. The easiest way to achieve this is by using the official CybeDefend GitHub Action.

Prerequisites

  • Personal Access Token (PAT): Create and store it in your repository’s Settings → SecretsActions (e.g., CYBEDEFEND_PAT).
  • Project ID: You should also store your CybeDefend Project ID as a secret (e.g., CYBEDEFEND_PROJECT_ID).
The api_key input is deprecated. Use token with a Personal Access Token (PAT) instead.

Using the CybeDefend Action

The CybeDefend Action runs security scans easily in your CI/CD pipelines using the official CybeDefend CLI, powered by Docker (ghcr.io/cybedefend/cybedefend-cli:latest).

Inputs

NameDescriptionRequiredDefault
tokenPersonal Access Token (PAT)
project_idProject ID for the scan

Example Workflow: .github/workflows/cybedefend-scan.yml

Add the following steps to your workflow file: 
name: CybeDefend Security Scan

on:
  push:
    branches:
      - main  # Or your desired branch

jobs:
  cybedefend_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3 # Or a later version

      - name: Run CybeDefend Security Scan
        uses: CybeDefend/cybedefend-action@v1
        with:
          token: ${{ secrets.CYBEDEFEND_PAT }}
          project_id: ${{ secrets.CYBEDEFEND_PROJECT_ID }}
This workflow checks out your code and then runs the CybeDefend action, which handles the scanning process using the provided API key and project ID.

Checking Your Results

  • Action Logs: The job logs in GitHub Actions show a brief summary of vulnerabilities discovered during the scan.
  • CybeDefend Dashboard: Log in to your CybeDefend account to view full vulnerability details, manage issues, and track historical scan data for your project.
Consider restricting scanning to your main development branch (e.g., main or develop). Use scans on feature branches if you want to catch new issues before they are merged.