SecOSS GitHub Action
Composite Action
Automatically scan your dependencies for CVEs on every pull request and post a formatted vulnerability report as a PR comment. Completely free, no API key required.
Quick Setup
Create the workflow file
Create .github/workflows/secoss.yml in your repository with this content:
```yaml
name: SecOSS Security Scan
on:
  pull_request:
    branches: ['*']
jobs:
  secoss:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: rafraf-ops/SecurityForOpenSource-@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fail-on: critical
```
Open a pull request
The workflow triggers automatically on every new PR. No further configuration needed.
Review the comment
SecOSS posts a formatted vulnerability table. On subsequent commits to the same PR, the existing comment is updated in place rather than a new one being created.
Example PR Comment
This is what the comment looks like on a PR with vulnerabilities:
🛡️ SecOSS Security Scan
⚠️ Found 3 vulnerabilities across 2 lockfiles.
| Severity | Count |
|---|---|
| 🔴 Critical | 1 |
| 🟠 High | 2 |
| 🟡 Medium | 0 |
| 🔵 Low | 0 |
📦 Lockfile details
package-lock.json
Packages: 214 · Vulnerable: 2 · Critical: 1 · High: 1
requirements.txt
Packages: 18 · Vulnerable: 1 · Critical: 0 · High: 1
Powered by SecOSS · API docs · fail-on: critical
When no vulnerabilities are found, the comment shows a ✅ green status instead. The comment is automatically updated on every new commit push.
Inputs
| Input | Default | Description |
|---|---|---|
| github-token | github.token | Token used to post PR comments and call the GitHub API for scanning. The built-in token works for public repos. |
| fail-on | critical | Severity threshold that fails the workflow. Options: critical · high · medium · any · never |
| secoss-api | https://app.cloudrf.xyz | SecOSS API base URL. Override only if self-hosting the API. |
Outputs
Use outputs to make decisions in downstream steps:
| Output | Description |
|---|---|
| critical | Number of critical vulnerabilities found across all lockfiles. |
| high | Number of high vulnerabilities found. |
| medium | Number of medium vulnerabilities found. |
| low | Number of low vulnerabilities found. |
| total | Total vulnerabilities found. |
Full Workflow Example
Advanced setup with outputs and push-to-main scanning:
```yaml
name: SecOSS Security Scan
on:
  pull_request:
    branches: ['*']
  push:
    branches: [main] # also scan the main branch on merge
jobs:
  secoss:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write # needed to post PR comments
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: SecOSS - dependency CVE scan
        id: secoss
        uses: rafraf-ops/SecurityForOpenSource-@main
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fail-on: critical # critical | high | medium | any | never
      # Optional: use outputs in downstream steps
      - name: Print summary
        if: always()
        run: |
          echo "Critical : ${{ steps.secoss.outputs.critical }}"
          echo "High     : ${{ steps.secoss.outputs.high }}"
          echo "Total    : ${{ steps.secoss.outputs.total }}"
```
How it works
- On a pull request event, the Action calls `POST https://app.cloudrf.xyz/api/scan/github` with your repo URL and the built-in GitHub token.
- SecOSS fetches your repository, discovers all lockfiles (`package-lock.json`, `yarn.lock`, `requirements.txt`, and more), and queries OSV.dev and the GitHub Advisory DB for matching CVEs.
- A markdown comment is posted on the pull request, or the existing SecOSS comment is updated.
- If the `fail-on` threshold is exceeded, the Action exits with code 1, failing the workflow check.
No data is retained: all scan results are computed in memory and discarded after the API response.
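The `fail-on` thresholds listed under Inputs and the per-severity outputs listed under Outputs can be combined in a downstream `run` step to enforce a stricter gate than the one the Action applies itself. The POSIX shell function below is an added example, not the Action's own code; it assumes each threshold is cumulative (`high` fails on critical or high findings, `medium` on critical, high or medium, and so on), which the page does not spell out.

```shell
#!/bin/sh
# Added example (not SecOSS code): re-implements the documented fail-on
# semantics over the Action's outputs. Cumulative thresholds are an assumption.
# Usage: secoss_gate FAIL_ON CRITICAL HIGH MEDIUM LOW
# Returns 0 when the threshold is not exceeded, 1 when it is, 2 on bad input.
secoss_gate() {
  fail_on=$1; critical=${2:-0}; high=${3:-0}; medium=${4:-0}; low=${5:-0}
  # Outputs arrive as strings; refuse anything that is not a plain integer.
  for n in "$critical" "$high" "$medium" "$low"; do
    case $n in
      ''|*[!0-9]*) echo "secoss_gate: non-numeric count '$n'" >&2; return 2 ;;
    esac
  done
  case $fail_on in
    critical) hits=$critical ;;
    high)     hits=$((critical + high)) ;;
    medium)   hits=$((critical + high + medium)) ;;
    any)      hits=$((critical + high + medium + low)) ;;
    never)    hits=0 ;;
    *) echo "secoss_gate: unknown fail-on value '$fail_on'" >&2; return 2 ;;
  esac
  [ "$hits" -eq 0 ]
}

# Stand-alone demo with constructed counts taken from the sample PR comment
# above (1 critical, 2 high, 0 medium, 0 low). In a workflow step you would pass
# "${{ steps.secoss.outputs.critical }}" and friends instead of literals.
if secoss_gate "${FAIL_ON:-critical}" 1 2 0 0; then
  echo "gate passed (fail-on=${FAIL_ON:-critical})"
else
  echo "gate failed (fail-on=${FAIL_ON:-critical})"
fi
```

Setting the Action's own `fail-on: never` and running this gate afterwards lets the comment always be posted while the job still fails on whatever policy the step encodes.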
Supported Lockfiles
Required permissions
The workflow needs pull-requests: write to post comments, and contents: read to allow SecOSS to fetch your repository. These permissions are shown in the workflow template above.
For private repositories the built-in GITHUB_TOKEN works automatically. No additional secrets needed.