GitHub Action

Add automated security scanning to your CI/CD pipeline. Bastion scans every pull request and comments results directly on the PR.

🔒 Privacy-First

All scanning runs inside your GitHub Actions runner. Your source code is never uploaded to or shared with an external service.

💬 PR Comments

Automatically posts a summary on your pull request with the score, pass/fail counts, and any critical findings. On re-runs the existing comment is updated rather than duplicated.

🚫 Block on Critical

Optionally fails the CI check when critical security issues are found. To turn a failed check into a blocked merge, mark the check as required in your branch protection rule or ruleset; otherwise the PR can still be merged with a red check.

📊 Actionable Outputs

Exposes the score, finding counts, and critical status as step outputs so that later steps in the workflow can act on them.

Quick Start

1. Create a file at .github/workflows/bastion-scan.yml in your repository.

2. Copy the workflow configuration below into the file.

3. Commit, push, and open a pull request. Bastion scans the PR automatically and comments the results.

Workflow Configuration

The minimal workflow below scans every pull request that targets main. Two points to check before relying on it:

The example references the action at @main. For production, pin to a release tag or, better, a full commit SHA, so that the action code running in your pipeline cannot change without a corresponding change in your repository.

On pull requests opened from forks, GitHub issues a read-only GITHUB_TOKEN regardless of the permissions block, so the action cannot post the PR comment. Do not work around this by switching the trigger to pull_request_target while still checking out the PR head: that runs untrusted code with a write-capable token.

.github/workflows/bastion-scan.yml
name: Bastion Security Scan

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: write

jobs:
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Bastion Scan
        uses: absastreon/bastion/.github/actions/bastion-scan@main
        with:
          path: '.'
          fail-on-critical: 'true'

Inputs

Input              Default   Description
path               '.'       Path to the project directory to scan
format             'json'    Output format: json, terminal, or markdown
fail-on-critical   'true'    Fail the workflow if critical issues are found
node-version       '20'      Node.js version used to run the scan

Outputs

Use these outputs in subsequent workflow steps to make decisions based on scan results. Give the scan step an id and reference the values as ${{ steps.<id>.outputs.<name> }}; all outputs are strings, so numeric comparisons need fromJSON().

Output            Description
score             Security score (0-100)
total             Total number of checks run
passed            Number of checks passed
failed            Number of checks failed
critical-count    Number of critical findings
has-critical      Whether critical issues were found ('true' or 'false')
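The following workflow is an example added to this page, not code shipped by the Bastion project. It shows the outputs being consumed by later steps: the action's own gate is switched off, the numbers are written to the job summary, and two custom steps fail the job on critical findings or on a score below a threshold. The step id bastion and the MIN_SCORE threshold are assumptions of the example; everything else is standard GitHub Actions syntax.

```yaml
name: Bastion Security Scan (custom gate)

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: write

jobs:
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    env:
      # Illustrative policy threshold for this example; not an input of the action.
      MIN_SCORE: '80'

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Bastion Scan
        # The id is an assumption of this example; any id works, but one is
        # required to reference the step's outputs below.
        id: bastion
        # @main is what the page shows; pin to a tag or full commit SHA in production.
        uses: absastreon/bastion/.github/actions/bastion-scan@main
        with:
          path: '.'
          # Leave gating to the custom steps below.
          fail-on-critical: 'false'

      - name: Record scan results in the job summary
        # always() keeps the summary even if the scan step itself errors out.
        if: always()
        # Outputs are passed through env rather than interpolated into the
        # script body, the standard precaution against expression injection.
        env:
          SCORE: ${{ steps.bastion.outputs.score }}
          PASSED: ${{ steps.bastion.outputs.passed }}
          FAILED: ${{ steps.bastion.outputs.failed }}
          TOTAL: ${{ steps.bastion.outputs.total }}
          CRITICAL: ${{ steps.bastion.outputs.critical-count }}
        run: |
          {
            echo "## Bastion scan"
            echo "- Score: ${SCORE}/100"
            echo "- Checks: ${PASSED} passed, ${FAILED} failed (${TOTAL} total)"
            echo "- Critical findings: ${CRITICAL}"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Fail on critical findings
        if: steps.bastion.outputs.has-critical == 'true'
        env:
          CRITICAL: ${{ steps.bastion.outputs.critical-count }}
        run: |
          echo "::error::${CRITICAL} critical finding(s) reported by Bastion"
          exit 1

      - name: Fail below minimum score
        # Outputs are strings; fromJSON turns both sides into numbers.
        if: fromJSON(steps.bastion.outputs.score) < fromJSON(env.MIN_SCORE)
        env:
          SCORE: ${{ steps.bastion.outputs.score }}
        run: |
          echo "::error::Bastion score ${SCORE} is below the required ${MIN_SCORE}"
          exit 1
```

A failing step only blocks the merge if the Security Scan check is listed as a required status check in branch protection or a ruleset for main.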

PR Comment Preview

When the action runs on a pull request, it posts (or updates) a comment like this:

Bastion Security Scan

Score: 85/100 — 1 issue(s) found

Passed: 11
Failed: 1
Warnings: 2
Total Checks: 14

Bastion — Privacy-first security for AI-era builders

How It Works

Setup

Installs Node.js and the Bastion CLI on the GitHub Actions runner.

Scan

Runs all security checks against your project directory and produces JSON output.

Parse

Extracts score, finding counts, and critical issues from the scan results.

Comment

Posts or updates a PR comment with a detailed summary of findings.

Gate

Optionally fails the workflow when critical issues are found. With the check marked as required in branch protection, this blocks the merge; without it, the PR shows a failed check but can still be merged.