Automated security scanning for your repositories using GitHub Actions.
Add Epyon to your repository to automatically scan on every push and PR:
- Download the workflow file to your repository:

  ```bash
  # In your repository directory
  mkdir -p .github/workflows
  curl -o .github/workflows/epyon-security-scan.yml \
    https://raw.githubusercontent.com/MetroStar/epyon/main/.github/workflows/security-scan-for-external-use.yml
  ```

- Commit and push:

  ```bash
  git add .github/workflows/epyon-security-scan.yml
  git commit -m "Add Epyon security scanning"
  git push
  ```

- View results in the Actions tab of your repository
How it works:
- The workflow checks out both your repo and Epyon
- Epyon scans your repository code
- Results are uploaded as artifacts
- PRs get automatic security comments
Use Epyon as a centralized security scanning service:
- Go to Actions → Scan External Repository
- Click Run workflow
- Enter the Git repository URL
- Select scan mode (quick/full/baseline)
- View results in artifacts
Automatically scans your repository on push, PR, or schedule.
Triggers:
- Push to `main` or `develop`
- Pull requests to `main` or `develop`
- Daily at 2 AM UTC
- Manual dispatch
Features:
- ✅ Runs full Epyon security suite
- ✅ Uploads dashboard and reports as artifacts
- ✅ Posts summary to PR comments
- ✅ Fails build on critical vulnerabilities
- ✅ Generates GitHub Step Summary
Artifacts:
- `security-dashboard` - Interactive HTML dashboard
- `security-reports-html` - HTML formatted reports
- `security-reports-markdown` - Markdown summaries
- `security-reports-csv` - CSV exports
- `security-raw-data` - Raw JSON data
Manually scan any Git repository.
Usage:
- Navigate to Actions tab
- Select "Scan External Repository"
- Click "Run workflow"
- Enter repository URL (e.g., `https://github.com/owner/repo.git`)
- Select scan mode
Artifacts:
- `external-repo-security-scan` - Complete scan results (90-day retention)
- Trivy - Container and dependency vulnerabilities
- Grype - Software composition analysis
- TruffleHog - Secret detection
- Checkov - Infrastructure as Code security
- ClamAV - Malware detection
- Xeol - End-of-life detection
- Syft - SBOM generation
- SonarQube - Code quality analysis
- Critical - Build fails automatically
- High - Warning in PR comments
- Medium/Low - Tracked in reports
Control when the workflow should fail based on security findings:
Default Behavior:
- ✅ Fails on Critical severity findings
- ⚠️ Warns on High severity findings (does not fail)
- ℹ️ Reports Medium and Low findings
Customization Options:
When running manually (workflow_dispatch), you can configure:
- `fail_on_critical` - Fail build on critical findings (default: true)
- `fail_on_high` - Fail build on high findings (default: false)
For Scheduled/Push Scans:
Edit the workflow file to change defaults:
```yaml
env:
  SCAN_MODE: full
  FAIL_ON_CRITICAL: true   # Fail on critical findings
  FAIL_ON_HIGH: true       # Also fail on high findings
```

What's Checked:
- 🔴 Critical: CVE vulnerabilities, exposed secrets, critical IaC misconfigurations
- 🟠 High: High-severity CVEs, failed security checks
- 🟡 Medium/Low: Tracked but don't fail builds by default
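As an added illustration (not Epyon's own script, and not its real raw-report format), the POSIX shell gate below applies the FAIL_ON_CRITICAL / FAIL_ON_HIGH policy described above to a constructed finding list; the line-based finding format, the function names and the placeholder identifiers are assumptions.

```sh
#!/bin/sh
# Constructed sample findings, one per line: "<scanner> <SEVERITY> <id>".
# This is an assumed stand-in, not Epyon's real raw JSON report format.
SAMPLE_FINDINGS='trivy CRITICAL CVE-PLACEHOLDER-1
trivy HIGH CVE-PLACEHOLDER-2
trufflehog CRITICAL secret-in-config-file
checkov MEDIUM CKV-PLACEHOLDER
grype LOW CVE-PLACEHOLDER-3'

# count_severity <SEVERITY>: read findings on stdin, print how many match.
count_severity() {
  awk -v sev="$1" '$2 == sev { n++ } END { print n + 0 }'
}

# severity_gate <critical_count> <high_count> <fail_on_critical> <fail_on_high>
# A severity configured to fail breaks the build (exit 1) when it has findings;
# High only warns unless FAIL_ON_HIGH is true; Medium/Low never change the exit status.
severity_gate() {
  crit=$1; high=$2; fail_crit=$3; fail_high=$4
  status=0
  if [ "$crit" -gt 0 ]; then
    if [ "$fail_crit" = "true" ]; then
      echo "FAIL: $crit critical finding(s)"; status=1
    else
      echo "WARN: $crit critical finding(s) (FAIL_ON_CRITICAL is false)"
    fi
  fi
  if [ "$high" -gt 0 ]; then
    if [ "$fail_high" = "true" ]; then
      echo "FAIL: $high high finding(s)"; status=1
    else
      echo "WARN: $high high finding(s) (FAIL_ON_HIGH is false)"
    fi
  fi
  return $status
}

# gate_report <fail_on_critical> <fail_on_high>: count the sample, then gate it.
gate_report() {
  crit_n=$(printf '%s\n' "$SAMPLE_FINDINGS" | count_severity CRITICAL)
  high_n=$(printf '%s\n' "$SAMPLE_FINDINGS" | count_severity HIGH)
  severity_gate "$crit_n" "$high_n" "$1" "$2"
}

# Default policy (FAIL_ON_CRITICAL=true, FAIL_ON_HIGH=false) on the sample.
gate_report true false || echo "Build would fail under the default policy"
```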
Quick Mode (quick)
- Fast scan for immediate feedback
- Essential security checks only
- ~2-5 minutes
Full Mode (full) - Default
- Comprehensive security analysis
- All scanners enabled
- ~10-20 minutes
Baseline Mode (baseline)
- Creates security baseline
- Compares against previous scans
- Tracks security posture over time
Edit .github/workflows/security-scan.yml:
```yaml
env:
  SCAN_MODE: full   # Change default mode
  # Fail on high severity (not just critical)
  FAIL_ON_HIGH: true
```

Modify the cron schedule:

```yaml
schedule:
  - cron: '0 2 * * *'       # Daily at 2 AM UTC
  # - cron: '0 */6 * * *'   # Every 6 hours
  # - cron: '0 0 * * 1'     # Weekly on Monday
```

Epyon automatically comments on PRs with:
- Severity summary
- Executive summary (expandable)
- Links to detailed artifacts
- Go to Actions in your repository
- Click on the workflow run
- Scroll to Artifacts section
- Download any report package
- Download the `security-dashboard` artifact
- Extract and open `index.html`
- Navigate to full dashboard
The workflow needs these permissions:
```yaml
permissions:
  contents: read          # Read repository code
  pull-requests: write    # Comment on PRs
  security-events: write  # Upload SARIF results
  issues: write           # Create issues for findings
```

Create `.epyonignore` in your repository root:

```
# Ignore test data
tests/fixtures/**
data/samples/**

# Ignore build outputs
dist/**
build/**

# Ignore dependencies
node_modules/**
vendor/**
```
Scan multiple branches or configurations:
```yaml
strategy:
  matrix:
    branch: [main, develop, staging]
    scan_mode: [quick, full]
```

Only scan on specific conditions:

```yaml
- name: Run Scan
  if: contains(github.event.head_commit.message, '[security-scan]')
  run: ./scripts/shell/run-target-security-scan.sh
```

Send results to Slack, Teams, or email:

```yaml
- name: Notify Slack
  if: steps.check-severity.outputs.has_issues == 'true'
  uses: slackapi/slack-github-action@v1
  with:
    payload: |
      {
        "text": "Security issues found in ${{ github.repository }}"
      }
```

Problem: Docker daemon not available
Solution: Ensure docker/setup-buildx-action@v3 is included
Problem: Scan directory not found
Solution: Check that scan completed successfully in logs
Problem: CORS restrictions on local files
Solution: Use the provided index.html or serve via HTTP server
Problem: Large repository or many dependencies
Solution: Use quick mode or increase runner disk space
- Start with Quick Mode - Get familiar with results
- Enable Branch Protection - Require passing scans before merge
- Review Weekly - Check scheduled scan results regularly
- Baseline Scans - Track security improvements over time
- Custom Exceptions - Document and justify any ignored findings
Found an issue or want to improve the workflows? See CONTRIBUTING.md
See LICENSE.md