GitHub Actions

Prerequisites

Add the following in Settings → Secrets and variables → Actions of your repository:

Type	Name	Description
Secret	GERION_API_KEY	M2M API key for your organization
Variable	GERION_API_URL	Gerion API Gateway URL

Workflows

Scan → API

Results are sent directly to the Gerion dashboard. Copy this file to .github/workflows/gerion-scan.yml:

name: Gerion Security Scan

on:
  push:
    branches: [main, master, develop]
  pull_request:
  workflow_dispatch:

jobs:
  gerion-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
    container:
      image: ghcr.io/gerion-appsec/gerion-cli:latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run full security scan
        env:
          GERION_API_URL: ${{ vars.GERION_API_URL }}
          GERION_API_KEY: ${{ secrets.GERION_API_KEY }}
        run: gerion scan-all /github/workspace

Scan → SARIF

Upload results to GitHub Advanced Security to see them in the repository’s Security tab and in Pull Request checks.

name: Gerion Security Scan (SARIF)

on:
  push:
    branches: [main, master, develop]
  pull_request:
  workflow_dispatch:

jobs:
  gerion-scan:
    name: Security Scan → SARIF
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run full security scan
        run: |
          docker run --rm \
            -v "$GITHUB_WORKSPACE:/code" \
            -e GITHUB_REPOSITORY \
            -e GITHUB_REF_NAME \
            -e GITHUB_SHA \
            -e GITHUB_ACTOR \
            ghcr.io/gerion-appsec/gerion-cli:latest \
            scan-all /code \
              --format sarif \
              --output-file /code/gerion-results.sarif
      - name: Upload SARIF to GitHub Advanced Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: gerion-results.sarif
          category: gerion
      - name: Archive SARIF artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: gerion-sarif-${{ github.run_number }}
          path: gerion-results.sarif
          retention-days: 30

Note

GitHub Advanced Security is available on public repositories and GitHub Enterprise. Requires the security-events: write permission.

Nightly + PDF

Nightly run with PDF report generation as a downloadable artifact.

name: Gerion Nightly Security Report

on:
  schedule:
    - cron: "0 2 * * *"  # Every day at 02:00 UTC
  workflow_dispatch:

jobs:
  gerion-scan:
    name: Nightly Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
    container:
      image: ghcr.io/gerion-appsec/gerion-cli:latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run full security scan
        env:
          GERION_API_URL: ${{ vars.GERION_API_URL }}
          GERION_API_KEY: ${{ secrets.GERION_API_KEY }}
        run: gerion scan-all /github/workspace

  gerion-report:
    name: Generate PDF Report
    runs-on: ubuntu-latest
    needs: gerion-scan
    container:
      image: ghcr.io/gerion-appsec/gerion-cli:latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate PDF report
        env:
          GERION_API_URL: ${{ vars.GERION_API_URL }}
          GERION_API_KEY: ${{ secrets.GERION_API_KEY }}
        run: |
          gerion report \
            --format pdf \
            --output-file /github/workspace/gerion-report.pdf \
            --severity HIGH \
            --active-only
      - uses: actions/upload-artifact@v4
        with:
          name: gerion-report-${{ github.run_number }}
          path: gerion-report.pdf
          retention-days: 90

Reusable Action

You can use the official Gerion Action directly in any workflow without copying the container YAML:

- uses: gerion-appsec/gerion-cli-action@v1
  with:
    api-url: ${{ vars.GERION_API_URL }}
    api-key: ${{ secrets.GERION_API_KEY }}

Available parameters

Parameter	Default	Description
scan-type	all	all | secrets | sca | iac | sast
code-path	.	Subdirectory to scan (relative to workspace)
api-url	—	Gerion API Gateway URL
api-key	—	M2M API key
output-format	—	json | markdown | sarif
output-file	—	Output file (relative to workspace)
log-level	info	debug | info | warning | error
timeout	180	Timeout per scanner in seconds

Outputs

Output	Description
findings-file	Absolute path to the output file (if output-file was set)
exit-code	CLI exit code (0 = success, 1 = execution error)

Notes

• Gerion CLI automatically detects GITHUB_REPOSITORY, GITHUB_REF_NAME, and GITHUB_SHA. No manual metadata configuration needed.
• Container jobs mount $GITHUB_WORKSPACE at /github/workspace automatically.
• The CLI returns exit code 0 even when vulnerabilities are found. Use report --severity or parse the JSON to implement quality gates.