# GitHub Actions Quickstart
This guide adds SecureObs scanning to one GitHub repository.
## 1. Create Repository Secrets
In GitHub, open Settings -> Secrets and variables -> Actions and add:
| Secret | Value |
|---|---|
| SECUREOBS_API_KEY | Raw API key from the SecureObs dashboard |
| SECUREOBS_TENANT_ID | Tenant ID from SecureObs |
| SECUREOBS_PROJECT_ID | Project ID from SecureObs |
SECUREOBS_TENANT_ID and SECUREOBS_PROJECT_ID are not secret values, but
storing them as secrets keeps the workflow simple.
## 2. Add The Workflow
Create `.github/workflows/secureobs-scan.yml`:

```yaml
name: SecureObs scan
on:
  push:
    branches: [main]
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Run SecureObs scanners
        run: |
          docker run --rm \
            -v "${PWD}:/workspace" \
            -e SECUREOBS_API_KEY=${{ secrets.SECUREOBS_API_KEY }} \
            secureobs/scanner:v1 \
            scan \
            --project-id "${{ secrets.SECUREOBS_PROJECT_ID }}" \
            --tenant-id "${{ secrets.SECUREOBS_TENANT_ID }}" \
            --pipeline-run-id "${{ github.run_id }}"
      - name: Enforce build gate
        run: |
          docker run --rm \
            -e SECUREOBS_API_KEY=${{ secrets.SECUREOBS_API_KEY }} \
            secureobs/scanner:v1 \
            gate \
            --project-id "${{ secrets.SECUREOBS_PROJECT_ID }}" \
            --tenant-id "${{ secrets.SECUREOBS_TENANT_ID }}" \
            --pipeline-run-id "${{ github.run_id }}"
```
## 3. Verify
The first run should:

- mount the repository at /workspace;
- fetch enabled scanners from SecureObs;
- post findings to the API;
- run the build gate for that pipeline run.
The scan, gate, and pr-comment commands require --project-id,
--tenant-id, and --pipeline-run-id. The image does not read those values
from environment variables.
### Self-hosted API
Do not set SECUREOBS_API_URL unless you self-host. If you do set it, the
value must include the /api suffix.
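The two rules above (the three IDs are mandatory flags, and a self-hosted SECUREOBS_API_URL must end in /api) can be checked before the scanner container starts, so a misconfigured secret fails the job with a readable message instead of a failed `docker run`. The preflight script below is an added example, not part of the SecureObs image or this project; the function names are assumptions, and it is meant to run as an extra `run:` step with the same secrets exposed through `env:`.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for the SecureObs workflow inputs.
# Not part of the SecureObs tooling; function names are assumptions.

# Returns 0 when the value is usable as a CLI flag value: non-empty and
# free of whitespace (a pasted secret with a trailing newline is a common
# cause of an unexplained "missing argument" failure).
secureobs_id_ok() {
  value="$1"
  [ -n "$value" ] || return 1
  case "$value" in
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Returns 0 when SECUREOBS_API_URL is unset/empty (hosted service, the
# default) or when it ends in the required /api suffix; 1 otherwise.
secureobs_api_url_ok() {
  url="$1"
  [ -z "$url" ] && return 0
  case "$url" in
    */api) return 0 ;;
    *) return 1 ;;
  esac
}

# Checks every input the scan/gate/pr-comment commands need. Prints one
# line per problem and returns the number of problems, so a non-zero
# return fails the step.
secureobs_preflight() {
  key="$1"; tenant="$2"; project="$3"; run_id="$4"; api_url="$5"
  problems=0
  secureobs_id_ok "$key"     || { echo "SECUREOBS_API_KEY is empty or contains whitespace"; problems=$((problems + 1)); }
  secureobs_id_ok "$tenant"  || { echo "--tenant-id is empty or contains whitespace";      problems=$((problems + 1)); }
  secureobs_id_ok "$project" || { echo "--project-id is empty or contains whitespace";     problems=$((problems + 1)); }
  secureobs_id_ok "$run_id"  || { echo "--pipeline-run-id is empty";                       problems=$((problems + 1)); }
  secureobs_api_url_ok "$api_url" || { echo "SECUREOBS_API_URL is set but does not end with /api"; problems=$((problems + 1)); }
  return "$problems"
}

# Usage in the workflow step (values come from env, never from the log):
#   secureobs_preflight "$SECUREOBS_API_KEY" "$SECUREOBS_TENANT_ID" \
#     "$SECUREOBS_PROJECT_ID" "$GITHUB_RUN_ID" "${SECUREOBS_API_URL:-}"
```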
## Remove The Integration
Delete the workflow file, revoke the API key in SecureObs, and remove the GitHub secrets. Existing dashboard findings remain until deleted or removed by the retention policy.