GitHub Actions Integration
Overview:
Deptic integrates into GitHub Actions workflows to automatically scan repositories on every push, block builds when critical CVEs are found, and upload SBOM artifacts.
Installation:
1. Generate an API key:
   Navigate to Settings → API Keys → Generate New Key. Give it a name like 'GitHub Actions CI'. Copy the full key immediately — it is shown only once.
2. Add the key as a repository secret:
   In your GitHub repository: Settings → Secrets and variables → Actions → New repository secret
   Name: DEPTIC_API_KEY
   Value: depticio_your_full_key_here
   Store the key only as a secret; never paste it into the workflow file, where it would be committed to history.
3. Add the workflow file:
```yaml
name: Deptic Security Scan

on:
  push:
    branches: [main, master]
    # Only pushes that touch one of these manifests are scanned. A push that
    # changes only a lockfile (package-lock.json, go.sum, ...) does not match;
    # widen the list if lockfile-only dependency bumps should be scanned too.
    paths:
      - 'package.json'
      - 'requirements.txt'
      - 'pom.xml'
      - 'go.mod'
      - '**/package.json'
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    name: Supply Chain Security Scan
    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # pin to a full commit SHA for stricter control

      - name: Install Deptic CLI
        run: npm install -g deptic-scan

      - name: Run security scan
        id: scan
        env:
          DEPTIC_API_KEY: ${{ secrets.DEPTIC_API_KEY }}
        # deptic-scan exits 2 when critical CVEs are found (see exit codes
        # below). Under the default `bash -e` that would abort this step before
        # the summary is printed, so capture the exit code and let the next
        # step decide.
        run: |
          set +e
          deptic-scan --api-key=$DEPTIC_API_KEY --output=json > deptic-results.json
          echo "exit_code=$?" >> "$GITHUB_OUTPUT"
          cat deptic-results.json

      - name: Check for critical vulnerabilities
        env:
          SCAN_EXIT_CODE: ${{ steps.scan.outputs.exit_code }}
        run: |
          # Exit code 1 (or anything other than 0/2) means the scan did not run:
          # fail closed rather than treat it as a clean result.
          if [ "$SCAN_EXIT_CODE" -ne 0 ] && [ "$SCAN_EXIT_CODE" -ne 2 ]; then
            echo "ERROR: deptic-scan exited with code $SCAN_EXIT_CODE"
            exit 1
          fi
          CRITICAL=$(jq '.vulnerability_summary.critical' deptic-results.json)
          # jq prints "null" for a missing field; an unreadable summary is an error.
          if ! [ "$CRITICAL" -ge 0 ] 2>/dev/null; then
            echo "ERROR: could not read vulnerability_summary.critical"
            exit 1
          fi
          if [ "$CRITICAL" -gt "0" ]; then
            echo "FAILED: $CRITICAL critical CVEs detected"
            exit 1
          fi
          echo "PASSED: No critical vulnerabilities"

      - name: Upload SBOM artifact
        if: always()   # keep the SBOM and report even when the gate failed the build
        uses: actions/upload-artifact@v4
        with:
          name: sbom-${{ github.sha }}
          path: |
            deptic-sbom-*.cyclonedx.json
            deptic-sbom-*.spdx
            deptic-report-*.pdf
          retention-days: 90
```

Exit codes (deptic-scan CLI):
| Exit Code | Meaning | CI/CD behavior |
|---|---|---|
| 0 | Scan complete, no critical CVEs | Build continues |
| 1 | Error (invalid key, connection, no manifests) | Build fails with error |
| 2 | Scan complete, critical CVEs found | Build fails — blocks merge |

Exit code 1 and exit code 2 both fail the build, but they mean different things: 1 is a scan that never produced a result and must be investigated, 2 is a real finding. A failing job only blocks merging when branch protection (or a ruleset) on the target branch lists the "Supply Chain Security Scan" check as required; without that, the red check is advisory.
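The check step above and the exit-code table together define a small contract. The script below, added here as an example and not part of Deptic's documentation or CLI, turns that contract into a reusable merge gate: it keeps the CLI's distinction between a scan that could not run (exit 1) and one that found critical CVEs (exit 2), refuses to pass on an empty or malformed results file even when the CLI exited 0, and writes the verdict to the Actions job summary. Everything beyond the three exit codes, the `--api-key=`/`--output=json` flags and the `vulnerability_summary.critical` field (the verdict names, the `MAX_CRITICAL` knob, the constructed `SAMPLE_RESULTS`) is this example's own assumption.

```python
"""deptic_gate.py: a merge gate around the deptic-scan exit-code contract.

Added example for this page, not a script shipped by Deptic. It relies only
on what the page states: deptic-scan exits 0 (clean), 1 (error) or 2
(critical CVEs found), is invoked with --api-key=... --output=json, and its
JSON output has a vulnerability_summary.critical field. The verdict names,
the gate's exit codes, the MAX_CRITICAL knob and SAMPLE_RESULTS are this
example's assumptions. GITHUB_STEP_SUMMARY is the job-summary file the
Actions runner provides.
"""
import json
import os
import subprocess
import sys

# deptic-scan exit codes, from the exit-code table on this page.
SCAN_CLEAN, SCAN_ERROR, SCAN_CRITICAL = 0, 1, 2

# Constructed sample of a results file, used for the offline --demo run.
SAMPLE_RESULTS = '{"vulnerability_summary": {"critical": 2}}'


def classify(scan_rc, results_text, max_critical=0):
    """Turn a scan exit code plus the JSON it wrote into a gate verdict.

    Returns (verdict, gate_exit_code, message) with verdict PASS, BLOCK or
    ERROR. A bad API key or a missing manifest must fail the build as an
    error and never be reported as a clean scan.
    """
    if scan_rc == SCAN_ERROR:
        return ("ERROR", 1,
                "scan did not complete (invalid key, connection, or no manifests)")
    if scan_rc not in (SCAN_CLEAN, SCAN_CRITICAL):
        return ("ERROR", 1, f"unexpected deptic-scan exit code {scan_rc}")
    # Do not trust the exit code alone: an empty, truncated or unexpectedly
    # shaped results file is an error, not a pass.
    try:
        summary = json.loads(results_text)["vulnerability_summary"]
        critical = int(summary["critical"])
    except (ValueError, KeyError, TypeError) as exc:
        return ("ERROR", 1,
                f"cannot read vulnerability_summary.critical: {exc!r}")
    if scan_rc == SCAN_CRITICAL or critical > max_critical:
        return ("BLOCK", 2, f"deptic-scan exit {scan_rc}, {critical} critical "
                            f"CVEs (threshold {max_critical})")
    return ("PASS", 0, f"{critical} critical CVEs (threshold {max_critical})")


def run_scan(results_path):
    """Invoke deptic-scan as the workflow on this page does; return its exit code.

    The key comes from the DEPTIC_API_KEY environment variable that the
    workflow step populates from the repository secret.
    """
    api_key = os.environ.get("DEPTIC_API_KEY")
    if not api_key:
        print("ERROR: DEPTIC_API_KEY is not set", file=sys.stderr)
        return SCAN_ERROR
    with open(results_path, "w", encoding="utf-8") as out:
        try:
            proc = subprocess.run(
                ["deptic-scan", f"--api-key={api_key}", "--output=json"],
                stdout=out, check=False)
        except FileNotFoundError:
            print("ERROR: deptic-scan not found (npm install -g deptic-scan)",
                  file=sys.stderr)
            return SCAN_ERROR
    return proc.returncode


def report(verdict, message):
    """Print the verdict and, inside Actions, append it to the job summary."""
    line = f"{verdict}: {message}"
    print(line)
    summary_path = os.environ.get("GITHUB_STEP_SUMMARY")
    if summary_path:
        with open(summary_path, "a", encoding="utf-8") as fh:
            fh.write(f"### Deptic scan\n\n{line}\n")


def main(argv):
    max_critical = int(os.environ.get("MAX_CRITICAL", "0"))  # assumed knob
    if argv[1:] == ["--demo"]:  # offline run against the constructed sample
        verdict, code, message = classify(SCAN_CRITICAL, SAMPLE_RESULTS, max_critical)
    else:
        results_path = argv[1] if len(argv) > 1 else "deptic-results.json"
        rc = run_scan(results_path)
        results_text = ""
        if os.path.exists(results_path):
            with open(results_path, encoding="utf-8") as fh:
                results_text = fh.read()
        verdict, code, message = classify(rc, results_text, max_critical)
    report(verdict, message)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the workflow, the script replaces both the `deptic-scan` invocation and the `jq` check: a single step with `DEPTIC_API_KEY` in its `env:` runs `python3 deptic_gate.py deptic-results.json`, and its exit status (0, 1 or 2) fails or passes the job with the same meaning as the CLI's own codes. Passing the key via the environment and reading it inside the script keeps it out of the `run:` line, and `python3 deptic_gate.py --demo` exercises the gate without network access or a key.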

