Automate Security Checks with SecureFlag’s GitHub Actions

Pull Requests (PRs) are where unsafe code gets its last chance to be caught before it’s merged. But what if you could verify that developers have completed their assignments and training before those vulnerabilities ever make it to review?

SecureFlag now offers GitHub Actions that help ensure secure development practices directly in your PR workflow.


Verify Assignment Completion

The SecureFlag Assignments Check GitHub Action verifies that developers have completed their required SecureFlag assignments before code is merged.

When a PR is submitted or updated:

  • The action gets the committer’s email from the PR.

  • It queries SecureFlag’s platform to verify whether the contributor has completed the required assignments based on the specified check type.

  • If the assignments aren’t complete, a PR comment is created and the merge is temporarily blocked. Once they are completed, re-running the action unblocks the PR.


Shift Security Training Left

SecureFlag’s Training GitHub Action integrates directly into the development process, allowing teams to close knowledge gaps and maintain a safer codebase.

When a PR references a vulnerability, such as XSS or command injection, developers get an immediate notification with links to complete the specific training they need.

Here’s how it works:

  • Detects relevant vulnerabilities: The action scans the PR title, description, and commit messages for references to GitHub Security Advisories (GHSA) and fetches their titles.

  • Checks contributor training: It then checks SecureFlag’s platform to see if the contributor has completed the relevant training, either based on the advisories in the PR or the specific training assigned to them.

  • Blocks or approves automatically: If training hasn’t been completed, the action posts a helpful comment on the PR with direct links to the relevant training and temporarily blocks the merge. Once the training is completed, the action can be re-run, and the PR is unblocked.


Augment SARIF Files with Relevant Learning

The SecureFlag Knowledge Base for GitHub Actions SARIF action enriches SARIF files (for example, from CodeQL or GitHub Code Scanning uploads) with links to relevant SecureFlag labs.

This gives developers practical guidance tied directly to the issues detected in automated scans.
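As an added illustration of the SARIF enrichment described above (example code written for this post, not SecureFlag's own action), the following Python reads the CWE tags that scanners such as CodeQL attach to SARIF rules and appends matching lab links to each result. The LAB_LINKS URLs and the sample SARIF log are constructed placeholders, not real SecureFlag lab addresses.

```python
import json
import re

# Constructed CWE -> lab URL map (placeholders; real SecureFlag lab URLs are not on the page).
LAB_LINKS = {
    "79": "https://labs.example.invalid/xss",
    "78": "https://labs.example.invalid/command-injection",
}

# CodeQL-style tags look like "external/cwe/cwe-079"; capture the number without leading zeros.
CWE_TAG = re.compile(r"cwe-0*(\d+)$", re.IGNORECASE)


def cwes_for_rule(rule):
    """Return the CWE numbers (as strings) tagged on a SARIF rule object."""
    tags = rule.get("properties", {}).get("tags", [])
    return {m.group(1) for m in map(CWE_TAG.search, tags) if m}


def enrich_sarif(sarif):
    """Return (enriched copy, count). Lab links are appended to the message of every
    result whose rule carries a CWE we have a lab for; the input is never mutated."""
    log = json.loads(json.dumps(sarif))
    enriched = 0
    for run in log.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            links = [LAB_LINKS[c] for c in sorted(cwes_for_rule(rule)) if c in LAB_LINKS]
            if not links:
                continue  # no training mapped for this finding; leave it as the scanner wrote it
            msg = result.setdefault("message", {})
            msg["text"] = (msg.get("text", "") + " Training: " + ", ".join(links)).strip()
            result.setdefault("properties", {})["labs"] = links
            enriched += 1
    return log, enriched


# Constructed minimal SARIF 2.1.0 log standing in for a real scanner upload.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ExampleScanner", "rules": [
        {"id": "js/xss", "properties": {"tags": ["security", "external/cwe/cwe-079"]}},
        {"id": "js/unused-var", "properties": {"tags": ["maintainability"]}},
    ]}},
    "results": [
        {"ruleId": "js/xss", "message": {"text": "Reflected XSS."}},
        {"ruleId": "js/unused-var", "message": {"text": "Unused variable."}},
    ],
}]}
```

Only the XSS finding gains a link; the maintainability result carries no CWE tag and is passed through unchanged, which is the behaviour you want when re-uploading the enriched log to code scanning.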

Why It’s Useful

Many vulnerabilities arise when developers haven’t had the proper training to recognize potential risks. Connecting PR approvals and SARIF results to SecureFlag is an effective way to:

  • Prevent vulnerable code from being merged before assignments or training are complete.

  • Provide developers with just-in-time learning that’s directly relevant to the code and issues they are working on.

  • Strengthen organizational security knowledge across the software development lifecycle.

Simple to Set Up

All SecureFlag GitHub Actions integrate seamlessly into existing workflows:

  1. Add the action to your repository: Include the desired action(s) in your GitHub workflow so PRs are automatically checked.

  2. Connect to SecureFlag: Provide credentials and API tokens so the action can confirm training or assignment completion.

  3. Set branch protection rules: Mark the action’s check as required in your branch protection rules so merges are blocked until it passes, enforcing compliance.

SecureFlag Brings Learning Directly Into Development

SecureFlag delivers secure coding training and integrates it into the software your teams already use. These GitHub Actions are part of a broader platform created to provide continuous, hands-on learning.

From the first line of code to deployment, security becomes part of how your team codes, not an interruption to it.

Want to see SecureFlag in action? Schedule a demo!
