February 25, 2026 | 7 min read | Security

How to Add Security Scanning to Your GitHub Actions Pipeline

A step-by-step guide to setting up automated security scanning on every pull request using GitHub Actions and ZeriFlow.

ZeriFlow Team


Why Security Scanning in CI/CD Matters

Every line of code you push to production is a potential attack vector. SQL injection, hardcoded API keys, vulnerable dependencies — these issues slip through code reviews more often than anyone likes to admit.

The solution? Automated security scanning on every pull request. When security checks run automatically, nothing gets merged without being analyzed first.

This guide walks you through setting up ZeriFlow in your GitHub Actions pipeline. By the end, every PR in your repository will get a security score and actionable findings — automatically.


Table of Contents

  1. What ZeriFlow CI/CD Scans For
  2. Prerequisites
  3. Step 1: Create a ZeriFlow Account
  4. Step 2: Connect Your Repository
  5. Step 3: Add the GitHub Actions Workflow
  6. Step 4: Open a Pull Request
  7. Understanding the Results
  8. Comparison with Alternatives
  9. Conclusion

What ZeriFlow CI/CD Scans For

ZeriFlow runs a two-layer analysis on every pull request:

### Layer 1: Static Analysis (Free)

Runs directly in your GitHub Actions runner at zero cost:

  • Secrets detection — API keys, tokens, passwords, .env files (powered by Gitleaks)
  • Dependency vulnerabilities — Known CVEs in npm, pip, and other package managers (npm audit)
  • Code patterns — SQL injection, XSS, command injection, eval usage (Semgrep)

### Layer 2: AI Contextual Analysis

Claude Sonnet 4 reviews each finding with full code context:

  • Authentication & authorization — Missing middleware, JWT misuse, IDOR
  • Business logic — Race conditions, mass assignment, privilege escalation
  • Configuration — CORS wildcards, debug mode, stack trace exposure
  • Rate limiting — Missing brute-force protection, no CAPTCHA
  • Error handling — Empty try/catch, unhandled promise rejections
  • Performance — N+1 queries, missing indexes, bundle bloat
  • Accessibility — Missing alt text, unlabeled form inputs

The AI layer is critical: it filters false positives by understanding your code's context, not just pattern-matching.


Prerequisites

  • A GitHub repository (public or private)
  • A ZeriFlow account (free to create)
  • A Pro ($4.99/mo) or Business ($19.99/mo) plan for CI/CD scans

Step 1: Create a ZeriFlow Account

  1. Go to zeriflow.com/signup
  2. Sign up with GitHub or Google
  3. Choose a plan (Pro includes 5 CI/CD scans/month)

Step 2: Connect Your Repository

  1. Navigate to Dashboard → CI/CD
  2. Click Connect Repository
  3. Enter your repository name (e.g., my-org/my-app)
  4. Click Create Project
  5. Copy your API key — you'll need it in the next step

Important: The API key is shown only once. Copy it immediately and store it safely.

Step 3: Add the GitHub Actions Workflow

  1. In your GitHub repository, go to Settings → Secrets and variables → Actions
  2. Click New repository secret
  3. Name: ZERIFLOW_API_KEY
  4. Value: paste your API key from Step 2
  5. Create the workflow file .github/workflows/zeriflow.yml:

```yaml
name: ZeriFlow Security
on:
  pull_request:
    branches: [main, master]

permissions:
  contents: read
  pull-requests: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: Fame29/security-scan@v1
        with:
          api-key: ${{ secrets.ZERIFLOW_API_KEY }}
```

  6. Commit and push the file to your main branch.

That's it. 3 minutes of setup.
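A hardened variant of the same workflow, added here as an example and not ZeriFlow's published snippet: it pins both actions to a full commit SHA instead of a mutable tag, cancels the scan of a superseded commit when a PR receives a new push, skips fork PRs (which never receive repository secrets), and keeps the token scoped to the two permissions listed in Step 3. The `<commit-sha-you-audited>` values are placeholders for the commits you reviewed; the action name, secret name and `api-key` input are the ones from the workflow above.

```yaml
name: ZeriFlow Security
on:
  pull_request:
    branches: [main, master]

# Least privilege: the job only needs to read the checkout and
# write the PR comment / check status.
permissions:
  contents: read
  pull-requests: write

# One scan per PR at a time: a new push cancels the run for the
# commit it supersedes, so the posted score always matches HEAD.
concurrency:
  group: zeriflow-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  security:
    runs-on: ubuntu-latest
    # pull_request runs triggered from a fork do not receive repository
    # secrets, so ZERIFLOW_API_KEY would be empty there. Skip instead of
    # failing the check with an authentication error.
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      # Pin to an immutable commit SHA (placeholder) rather than the movable
      # @v4 / @v1 tags; the tag stays in a trailing comment for readability
      # and for update tooling that reads it.
      - uses: actions/checkout@<commit-sha-you-audited> # v4
        with:
          fetch-depth: 0   # full history, so Gitleaks can scan earlier commits too
      - uses: Fame29/security-scan@<commit-sha-you-audited> # v1
        with:
          api-key: ${{ secrets.ZERIFLOW_API_KEY }}
```

Re-pin the SHAs when you deliberately upgrade an action; a tag such as `@v1` can be moved to point at different code, a commit SHA cannot.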


Step 4: Open a Pull Request

Create a new branch, make any change, and open a PR. ZeriFlow will:

  1. Run static analysis (Semgrep, Gitleaks, npm audit) in the Action runner
  2. Send results to ZeriFlow's API for AI analysis
  3. Post a comment on your PR with the security score and findings
  4. Set a pass/fail check status based on your threshold (default: 60/100)

Understanding the Results

ZeriFlow posts a comment on your PR that looks like this:

✅ ZeriFlow Security Check — PASSED

  • Score: 82/100 — Threshold: 60
  • Findings: 0 critical, 2 warnings, 1 info

Each finding includes:

  • Severity (critical / warning / info)
  • File and line number
  • Description of the issue
  • Suggested fix with code example
  • Confidence level (how sure the AI is)


Comparison with Alternatives

| Feature | ZeriFlow | Snyk | SonarCloud |
|---|---|---|---|
| Setup time | 3 min | 30+ min | 15+ min |
| AI false-positive filtering | | | |
| Price (solo dev) | $4.99/mo | $25/dev/mo | $30/mo |
| | Security + Performance | Security only | Quality focus |
| PR comments | | | |

ZeriFlow is purpose-built for small teams and indie developers who want enterprise-grade security scanning without the enterprise price tag.


Conclusion

Adding security scanning to your CI/CD pipeline doesn't have to be complicated or expensive. With ZeriFlow:

  • Setup takes 3 minutes — one secret, one YAML file
  • Every PR gets scanned — no manual reviews needed
  • AI filters noise — you only see real issues
  • Pricing is fair — $4.99/mo for solo devs

[Try ZeriFlow CI/CD →](https://zeriflow.com/ci-cd)

Stop shipping insecure code. Start scanning every PR.
