
GitHub Action & CI/CD

Automate security scanning in every PR. SARIF output for GitHub Security tab, configurable fail thresholds, and support for GitHub Actions, Bitbucket Pipes, and any CI system.

Automate security scanning in every pull request and deployment

GitHub Action

Add Fortly scanning to your GitHub Actions workflow. Create .github/workflows/fortly.yml in your repository.

name: Fortly Security Scan
on:
  pull_request:
    branches: [main, develop]
  push:
    branches: [main]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Fortly Scan
        uses: fortly/fortly-action@v2
        with:
          api-key: ${{ secrets.FORTLY_API_KEY }}
          scan-type: full        # full | quick | sast | secrets | sca
          fail-threshold: 70     # Fail if score < 70
          sarif-upload: true     # Upload results to GitHub Security tab

Action Options

Input | Description | Default
--- | --- | ---
api-key | Fortly API key (use GitHub Secrets) | required
scan-type | Type of scan: full, quick, sast, secrets, sca | full
fail-threshold | Minimum score to pass (0-100). Fails the job if below. | 0 (disabled)
sarif-upload | Generate SARIF file for GitHub Security tab | false
target-url | URL to scan (for DAST). Omit for SAST-only. | -

GitHub Security Tab Integration

When sarif-upload: true is set, Fortly generates a SARIF (Static Analysis Results Interchange Format) file that integrates directly with GitHub's Security tab.

  • Vulnerabilities appear in Security > Code scanning alerts
  • PR annotations show inline warnings on affected lines
  • Branch protection rules can require Fortly to pass before merge
  • Supports dismiss, reopen, and false positive workflows
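As an added example (not part of Fortly's action or CLI), the following Python gate reads the SARIF file produced with sarif-upload: true and fails the step when any finding is at error level, a second gate alongside the score-based fail-threshold. The embedded report is constructed; the level precedence applied is the SARIF 2.1.0 rule (result.level, else the rule's defaultConfiguration.level, else warning), which matters because many scanners omit level on individual results.

```python
import json
from collections import Counter
# Constructed SARIF 2.1.0 report shaped like a scanner's output (not real Fortly output).
# The first result omits "level" on purpose: per SARIF it inherits the rule's default level.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
            {"id": "SECRET-002", "defaultConfiguration": {"level": "warning"}}]}},
        "results": [
            {"ruleId": "SQLI-001", "message": {"text": "Unsanitised input reaches query"}, "locations":
             [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "SECRET-002", "level": "warning", "message": {"text": "Possible API key"}, "locations":
             [{"physicalLocation": {"artifactLocation": {"uri": "config/dev.env"}, "region": {"startLine": 3}}}]},
            {"ruleId": "SQLI-001", "level": "note", "message": {"text": "Query built via f-string"}, "locations":
             [{"physicalLocation": {"artifactLocation": {"uri": "src/report.py"}, "region": {"startLine": 7}}}]},
        ],
    }],
})

def _rule_defaults(run):
    """Map ruleId -> default level declared in tool.driver.rules (the list may be absent)."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning") for r in rules}

def effective_level(result, defaults):
    """SARIF 2.1.0 precedence: result.level, then the rule's default, then 'warning'."""
    return result.get("level") or defaults.get(result.get("ruleId"), "warning")

def summarise(sarif_text):
    """Return per-level counts plus (level, ruleId, uri, startLine) for every result."""
    doc = json.loads(sarif_text)
    counts, findings = Counter(), []
    for run in doc.get("runs", []):
        defaults = _rule_defaults(run)
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            level = effective_level(res, defaults)
            counts[level] += 1
            findings.append((level, res.get("ruleId"), loc.get("artifactLocation", {}).get("uri", "?"),
                             loc.get("region", {}).get("startLine", 0)))
    return counts, findings

def ci_gate(sarif_text, block_levels=("error",)):
    """Exit status for a CI step: 1 when any finding sits at a blocked level, else 0."""
    counts, findings = summarise(sarif_text)
    for level, rule, uri, line in findings:
        print(f"[{level}] {rule} {uri}:{line}")
    return 1 if any(counts[lvl] for lvl in block_levels) else 0
```

In a workflow step, feed it the SARIF path the action wrote and use its return value as the step's exit status, e.g. `raise SystemExit(ci_gate(open(path).read()))`.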

Bitbucket Pipe

pipelines:
  pull-requests:
    '**':
      - step:
          name: Fortly Security Scan
          script:
            - pipe: fortly/fortly-pipe:2.0
              variables:
                FORTLY_API_KEY: $FORTLY_API_KEY
                SCAN_TYPE: "full"
                FAIL_THRESHOLD: "70"

CLI in CI Mode

Use the Fortly CLI directly in any CI system (Jenkins, GitLab CI, CircleCI, etc.).

# Install the CLI
npm install -g fortly-cli
# Configure API key
export FORTLY_API_KEY=$FORTLY_API_KEY
# Run scan in CI mode (exits with code 1 if score < threshold)
fortly scan https://staging.myapp.com --ci --fail-threshold 70
# Or scan local code (SAST only)
fortly scan . --ci --fail-threshold 80 --format sarif