
Security Gate Action

A GitHub Action that scans repositories for secrets, dependency vulnerabilities, IaC misconfigurations, and Dockerfile issues with configurable policy enforcement.

GitHub Actions, TypeScript, Security, SARIF, Trivy, OSV

Highlights

  • Four scanners: secrets, dependencies, IaC, and container
  • Configurable thresholds and SARIF output for GitHub Code Scanning
  • 550 unit tests; published to the GitHub Marketplace

Security Gate is a GitHub Action that orchestrates multiple security scanners against a repository and enforces pass/fail policy based on configurable severity thresholds. It produces inline annotations, a job summary, and optional SARIF output for integration with GitHub Code Scanning.

What it demonstrates

  • A multi-scanner architecture that runs secrets, dependencies, IaC, and container checks in a single action
  • Policy-driven enforcement with high, medium, and low severity thresholds
  • SARIF generation for native GitHub Code Scanning integration
  • Auto mode that detects relevant scanners based on repository content

Scanners

The action includes four built-in scanners, each with its own detection logic and configuration options.

  • Secrets: detects 15+ credential patterns including AWS keys, GitHub tokens, Slack tokens, and private keys
  • Dependencies: queries the OSV API for known vulnerabilities in npm, yarn, pip, and pipenv lockfiles
  • IaC: runs Trivy against Terraform and Kubernetes manifests to find misconfigurations
  • Container: validates Dockerfile best practices and optionally scans images with Trivy

Configuration

The action reads a YAML configuration file from the repository. Settings include scanner toggles, severity thresholds, custom secret rules, path exclusions, and allowlists with optional expiry dates.

  • Auto mode enables scanners based on detected files; explicit mode requires opt-in
  • Custom rules let organisations define patterns specific to their internal secrets
  • Allowlists suppress known false positives with optional expiry for temporary exceptions
  • JSON Schema provided for IDE validation and autocompletion

Output and integration

  • Inline annotations: errors for high, warnings for medium, notices for low severity
  • Job summary with finding counts, scanner status, and threshold result
  • SARIF file output for upload to GitHub Code Scanning
  • Outputs exposed for downstream workflow steps (findings_count, passed, sarif_path)
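As an added example (not the project's own code), the policy evaluation behind the thresholds, allowlists and outputs described above can be sketched in TypeScript: thresholds are taken to be the maximum number of findings allowed per severity, allowlist entries match on rule id and path, and an entry stops suppressing once its expiry date has passed, yielding the passed and findings_count outputs. The rule ids, paths and threshold semantics are assumptions.

```typescript
// Added illustrative example, not the Security Gate Action's own source.
// Assumed policy model: each severity has a maximum allowed number of
// findings; allowlist entries match rule + path and may carry an expiry.
type Severity = "high" | "medium" | "low";
interface Finding { rule: string; path: string; severity: Severity; }
interface AllowlistEntry { rule: string; path: string; expires?: string; } // ISO date
interface Policy { thresholds: Record<Severity, number>; allowlist: AllowlistEntry[]; }
interface GateResult { passed: boolean; findings_count: number; failed: Severity[]; }

// An allowlist entry suppresses a finding only while unexpired at `now`;
// an expired temporary exception falls back to normal enforcement.
function isSuppressed(f: Finding, allowlist: AllowlistEntry[], now: Date): boolean {
  return allowlist.some(
    (a) =>
      a.rule === f.rule &&
      a.path === f.path &&
      (a.expires === undefined || new Date(a.expires) > now),
  );
}

// Applies the allowlist, counts the remaining findings per severity and
// fails the gate when any severity exceeds its threshold.
function evaluatePolicy(findings: Finding[], policy: Policy, now = new Date()): GateResult {
  const active = findings.filter((f) => !isSuppressed(f, policy.allowlist, now));
  const counts: Record<Severity, number> = { high: 0, medium: 0, low: 0 };
  for (const f of active) counts[f.severity] += 1;
  const failed = (["high", "medium", "low"] as Severity[]).filter(
    (s) => counts[s] > policy.thresholds[s],
  );
  return { passed: failed.length === 0, findings_count: active.length, failed };
}

// Constructed sample data (hypothetical rule ids and paths, not real findings).
const sampleFindings: Finding[] = [
  { rule: "aws-access-key", path: "config/prod.env", severity: "high" },
  { rule: "github-token", path: "scripts/deploy.sh", severity: "high" },
  { rule: "dockerfile-root-user", path: "Dockerfile", severity: "medium" },
];
const samplePolicy: Policy = {
  thresholds: { high: 0, medium: 2, low: 10 },
  allowlist: [
    // Temporary exception that expired in 2020: no longer suppresses.
    { rule: "aws-access-key", path: "config/prod.env", expires: "2020-01-01" },
    // Permanent exception for a known fixture.
    { rule: "github-token", path: "scripts/deploy.sh" },
  ],
};
```

Evaluated in 2025, the expired AWS exception no longer applies, so the single remaining high finding breaks the high threshold of 0 and the gate fails; evaluated before the expiry date, the same input passes.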

Implementation details

The action is written in TypeScript and bundled into a single file with esbuild. It runs on Node.js 20 and downloads Trivy on demand if not already present. Secrets are masked in logs and output using GitHub's core.setSecret API.

  • Runtime: Node.js 20, TypeScript, esbuild for bundling
  • Testing: Vitest with 550 unit tests covering scanners, policy, config, and output
  • Trivy: pinned to v0.58.0 and auto-downloaded for Linux and macOS
  • CI: lint, typecheck, test, build, and dist freshness check on every push

Why I built it

I wanted a single action that could replace several standalone security tools while remaining configuration-driven and easy to adopt. The goal was to provide a sensible default experience with auto-detection, while still offering enough flexibility for teams that need explicit control or custom rules.