
Guide · 5 min

Add the GitHub Action

Run XploitScan automatically on every push and pull request. Posts a severity-table comment on PRs and uploads SARIF to the GitHub Security tab so findings appear inline in the PR diff.

1

Create the workflow file

In your repo, create the file .github/workflows/security-scan.yml and paste in the contents below. The permissions block grants the job only what it needs: contents: read to check out the code, security-events: write to upload SARIF, and pull-requests: write to post the comment. For supply-chain hygiene you can pin each uses: reference to a full commit SHA instead of a moving tag such as @v1.

.github/workflows/security-scan.yml
name: XploitScan Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  security:
    # The job name is what GitHub shows as the status check on the PR
    name: XploitScan Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run XploitScan
        uses: bgage72590/xploitscan-action@v1
        with:
          path: '.'
          fail-on: 'critical'
          comment: 'true'

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: xploitscan-results.sarif
        continue-on-error: true

2

Pick a fail threshold

The fail-on input controls when the action exits non-zero, which turns the check red and, once the check is required in branch protection (step 5), blocks the merge. Pick the right level for your project:

fail-on: 'none'

Report only, never block. Best for adding the action to an existing repo without breaking anyone's day-1 workflow.

fail-on: 'critical' (recommended)

Block merges that introduce a critical-severity finding. Lets reasonable PRs through but stops “walked into the room and gave away $10k” bugs.

fail-on: 'high'

Block on critical OR high. Stricter — good for production-critical apps and compliance audits.

3

Commit and push

Commit the workflow file to your default branch and push.

bash
git add .github/workflows/security-scan.yml
git commit -m "Add XploitScan security scan"
git push

4

Open a test PR

Make any small change on a branch and open a PR. Within a minute or two you should see:

· A green/yellow/red “XploitScan Security Scan” check on the PR (red only when a finding at or above your fail-on level is present)

· A bot comment with a severity table:

## 🔴 XploitScan Security Report

**Grade: D** | Score: 35/100 | 13 findings

| Severity | Count |
|----------|-------|
| 🔴 Critical | 7 |
| 🟠 High | 3 |
| 🟡 Medium | 1 |
| 🔵 Low | 2 |

> Run `npx xploitscan scan .` locally for full details with fix suggestions.

· Code scanning alerts from the uploaded SARIF, listed under the repo's Security tab and annotated inline on the changed lines in the PR's “Files changed” view

5

(Optional) Required check on main

In your repo Settings → Branches → main → Branch protection rule → check “Require status checks to pass before merging” and add the scan job's check (GitHub lists it under the job's name: value, or under the job key security if no name is set). Now nothing merges until the scan passes.

Troubleshooting

  • PR comment doesn't appear

    Check that comment: 'true' is set and that the workflow has pull-requests: write permission. PRs opened from forks of public repos run with a read-only GITHUB_TOKEN, so the comment step cannot post on them; that is a GitHub safety restriction, not an action bug.

  • SARIF upload fails

    Make sure security-events: write is in the workflow permissions block, and that the scan step actually wrote xploitscan-results.sarif: the if: always() on the upload step runs it even when the scan fails, but it cannot upload a file that was never produced. Private repos need GitHub Advanced Security enabled for code scanning.

  • Scan times out

    Narrow the path: for example path: 'packages/web/src' instead of path: '.'. Avoid scanning node_modules or build outputs.

Want to call the scan engine directly from a custom build script?

Next: Call the API directly →