Anay Pandya
Founder of ZeriFlow · 10 years fullstack engineering
## Key Takeaways
- A step-by-step guide to setting up automated security scanning on every pull request using GitHub Actions and ZeriFlow.
- Includes copy-paste code examples and step-by-step instructions.
- Free automated scan available to verify your implementation.
## Why Security Scanning in CI/CD Matters
Every line of code you push to production is a potential attack vector. SQL injection, hardcoded API keys, vulnerable dependencies — these issues slip through code reviews more often than anyone likes to admit.
> ZeriFlow Data (12,400+ sites analyzed): Across 12,400+ sites scanned on ZeriFlow, 19% expose sensitive paths such as /.git/, /backup, or /admin without authentication — providing attackers a direct window into application internals.
The solution? [Automated security](https://zeriflow.com/blog/automated-security-testing-guide) scanning on every pull request. When security checks run automatically, nothing gets merged without being analyzed first.
This guide walks you through setting up ZeriFlow in your GitHub Actions pipeline. By the end, every PR in your repository will get a security score and actionable findings — automatically.
## Table of Contents
1. What ZeriFlow CI/CD Scans For
2. Prerequisites
3. Step 1: Create a ZeriFlow Account
4. Step 2: Connect Your Repository
5. Step 3: Add the GitHub Actions Workflow
6. Step 4: Open a Pull Request
7. Understanding the Results
8. Comparison with Alternatives
9. Conclusion
## What ZeriFlow CI/CD Scans For {#what-it-scans}
ZeriFlow runs a two-layer analysis on every pull request:
### Layer 1: Static Analysis (Free)
Runs directly in your GitHub Actions runner at zero cost:
- Secrets detection — API keys, tokens, passwords, .env files (powered by Gitleaks)
- Dependency vulnerabilities — Known CVEs in npm, pip, and other package managers (npm audit)
- Code patterns — SQL injection, XSS, command injection, eval usage (Semgrep)

### Layer 2: AI Contextual Analysis
Claude Sonnet 4 reviews each finding with full code context:
- Authentication & authorization — Missing middleware, JWT misuse, IDOR
- Business logic — Race conditions, mass assignment, privilege escalation
- Configuration — CORS wildcards, debug mode, stack trace exposure
- Rate limiting — Missing brute-force protection, no CAPTCHA
- Error handling — Empty try/catch, unhandled promise rejections
- Performance — N+1 queries, missing indexes, bundle bloat
- Accessibility — Missing alt text, unlabeled form inputs
The AI layer is critical: it filters false positives by understanding your code's context, not just pattern-matching.
## Prerequisites {#prerequisites}
- A GitHub repository (public or private)
- A ZeriFlow account (free to create)
- A Pro ($4.99/mo) or Business ($19.99/mo) plan for CI/CD scans
## Step 1: Create a ZeriFlow Account {#step-1}
1. Go to zeriflow.com/signup
2. Sign up with GitHub or Google
3. Choose a plan (Pro includes 5 CI/CD scans/month)
## Step 2: Connect Your Repository {#step-2}
1. Navigate to Dashboard → CI/CD
2. Click Connect Repository
3. Enter your repository name (e.g., `my-org/my-app`)
4. Click Create Project
5. Copy your API key — you'll need it in the next step

Important: The API key is shown only once. Copy it immediately and store it safely.
## Step 3: Add the GitHub Actions Workflow {#step-3}
1. In your GitHub repository, go to Settings → Secrets and variables → Actions
2. Click New repository secret
3. Name: `ZERIFLOW_API_KEY`
4. Value: paste your API key from Step 2
5. Create the workflow file `.github/workflows/zeriflow.yml`:

```yaml
name: ZeriFlow Security

on:
  pull_request:
    branches: [main, master]

permissions:
  contents: read
  pull-requests: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: Fame29/security-scan@v1
        with:
          api-key: ${{ secrets.ZERIFLOW_API_KEY }}
```

6. Commit and push the file to your `main` branch.
That's it. 3 minutes of setup.
## Step 4: Open a Pull Request {#step-4}
Create a new branch, make any change, and open a PR. ZeriFlow will:
1. Run static analysis (Semgrep, Gitleaks, npm audit) in the Action runner
2. Send results to ZeriFlow's API for AI analysis
3. Post a comment on your PR with the security score and findings
4. Set a pass/fail check status based on your threshold (default: 60/100)
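To make the Layer 1 static checks and the Step 4 threshold gate concrete, here is an added example that is not ZeriFlow's code or the Fame29/security-scan action: it walks only the added lines of a constructed PR diff, flags a hardcoded key and string-concatenated SQL with three hypothetical rules, and applies an assumed scoring formula (not ZeriFlow's) against the default 60/100 threshold.

```python
import re
from collections import namedtuple

# Constructed PR diff for this example; not a real repository.
SAMPLE_DIFF = """\
diff --git a/src/db.js b/src/db.js
--- a/src/db.js
+++ b/src/db.js
@@ -1,4 +1,6 @@
 const db = require('./pool');
+const STRIPE_KEY = "sk_live_0000000000000000000000000000";
+const user = db.query("SELECT * FROM users WHERE id = " + req.params.id);
+const safe = db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);
-const old = 1;
"""

# Hypothetical rules in the spirit of the Gitleaks/Semgrep checks in Layer 1.
RULES = [  # (pattern, severity, description)
    (re.compile(r"(sk_live|ghp_|AKIA)[A-Za-z0-9_]{8,}"), "critical", "hardcoded API key"),
    (re.compile(r'\.query\(\s*"[^"]*"\s*\+'), "critical", "SQL built by string concatenation"),
    (re.compile(r"\beval\("), "warning", "eval usage"),
]
Finding = namedtuple("Finding", "file line severity description")

def added_lines(diff):
    """Yield (file, new-file line number, text) for every line the PR adds."""
    file, new_line = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):  # hunk header carries the new-file start line
            new_line = int(re.search(r"\+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            yield file, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):  # removed lines (and '--- a/..') do not advance the counter
            continue
        elif file is not None and not raw.startswith("diff "):
            new_line += 1  # unchanged context line

def scan(diff):
    """Run every rule over the added lines only: the PR check is about what the PR introduces."""
    return [Finding(f, n, sev, desc) for f, n, text in added_lines(diff)
            for pat, sev, desc in RULES if pat.search(text)]

def gate(findings, threshold=60):
    """Assumed scoring (not ZeriFlow's formula): 100 minus a penalty per finding, pass at threshold."""
    penalty = {"critical": 25, "warning": 10, "info": 2}
    score = max(0, 100 - sum(penalty[f.severity] for f in findings))
    return score, score >= threshold
```

The parameterized query on the third added line produces no finding, so the same diff with the first two additions fixed would pass the gate.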
## Understanding the Results {#results}
ZeriFlow posts a comment on your PR that looks like this:

> ✅ ZeriFlow Security Check — PASSED
> - Score: 82/100 — Threshold: 60
> - Findings: 0 critical, 2 warnings, 1 info

Each finding includes:
- Severity (critical / warning / info)
- File and line number
- Description of the issue
- Suggested fix with code example
- Confidence level (how sure the AI is)
## Comparison with Alternatives {#comparison}
| Feature | ZeriFlow | Snyk | SonarCloud |
|---|---|---|---|
| Setup time | 3 min | 30+ min | 15+ min |
| AI false-positive filtering | ✅ | ❌ | ❌ |
| Price (solo dev) | $4.99/mo | $25/dev/mo | $30/mo |
| Security + Performance | ✅ | Security only | Quality focus |
| PR comments | ✅ | ✅ | ✅ |
ZeriFlow is purpose-built for small teams and indie developers who want enterprise-grade security scanning without the enterprise price tag.
## Conclusion {#conclusion}
Adding security scanning to your CI/CD pipeline doesn't have to be complicated or expensive. With ZeriFlow:
- Setup takes 3 minutes — one secret, one YAML file
- Every PR gets scanned — no manual reviews needed
- AI filters noise — you only see real issues
- Pricing is fair — $4.99/mo for solo devs
[Try ZeriFlow CI/CD →](https://zeriflow.com/ci-cd)
Stop shipping insecure code. Start scanning every PR.