# CI/CD Workflow Integration on GitHub
Integrate Noxtara security scans directly into your GitHub repository to automatically analyze code for vulnerabilities on every commit or on a scheduled basis.
## What You Need
Before you begin, make sure you have:
- A Noxtara account with API access
- A GitHub repository you want to scan
- Repository admin access to configure secrets and workflows
## Step 1: Generate Your API Key
- Log in to your Noxtara dashboard
- Navigate to Settings → API Keys
- Click Generate New Key
- Copy the key immediately (you will not see it again)
Store this key securely. You will add it to your repository secrets in the next step.
## Step 2: Add Repository Secrets
The GitHub Action needs your API credentials to authenticate with Noxtara.
- Go to your GitHub repository
- Click Settings → Secrets and variables → Actions
- Click New repository secret
- Add the following secrets:
| Secret Name | Value | Required |
|---|---|---|
| `NOXTARA_API_KEY` | Your Noxtara API key | Yes |
| `NOXTARA_BASE_URL` | Your Noxtara API base URL (e.g., `https://app.noxtara.com/api/main/client`) | No (uses the default if omitted) |

The `GITHUB_TOKEN` is provided automatically by GitHub Actions and does not need to be created manually.
## Step 3: Add the GitHub Action Workflow

Create a workflow file that runs scans on a schedule or on demand.

- In your repository, create `.github/workflows/noxtara-scan.yml`
- Add the following workflow:
```yaml
name: Noxtara Security Scan

on:
  schedule:
    # Run daily at midnight UTC
    - cron: "0 0 * * *"
  workflow_dispatch:
    # Allow manual trigger from the Actions tab

jobs:
  scan:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v6
      - uses: noxtara/run@v1
        with:
          api-key: ${{ secrets.NOXTARA_API_KEY }}
          base-url: ${{ secrets.NOXTARA_BASE_URL }}
          auto-pr: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

Note: The `${{ secrets.* }}` expressions are GitHub Actions secret references. They resolve at run time to the values you stored in Step 2 (and to the built-in `GITHUB_TOKEN`), so the key itself never appears in the workflow file.
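As an added check (not part of Noxtara's action or of this page's workflow), the small Python linter below reads a job body and flags the two mistakes this step and the troubleshooting table cover: a credential input pasted in literally instead of a `${{ secrets.* }}` reference, and `auto-pr: true` without the `contents: write` / `pull-requests: write` permissions. It is line-based, assumes the input names shown above, and both sample job bodies are constructed for the demonstration.

```python
import re

# Constructed sample: the `scan` job body from Step 3 with secret references (good).
GOOD_JOB = """\
permissions:
  contents: write
  pull-requests: write
steps:
  - uses: noxtara/run@v1
    with:
      api-key: ${{ secrets.NOXTARA_API_KEY }}
      base-url: ${{ secrets.NOXTARA_BASE_URL }}
      auto-pr: true
      github-token: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed sample of the mistake the note warns about: a (fake) key pasted
# in literally, and auto-pr enabled without the permissions it needs (bad).
BAD_JOB = """\
steps:
  - uses: noxtara/run@v1
    with:
      api-key: nx_example_not_a_real_key
      auto-pr: true
      github-token: ${{ secrets.GITHUB_TOKEN }}
"""

# A credential input is acceptable only as a GitHub Actions secret reference.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}$")

def _pairs(text: str) -> dict:
    """First `key: value` per key, matched line by line (no YAML parser needed)."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([a-z-]+):\s*(.+?)\s*$", line)
        if m:
            found.setdefault(m.group(1), m.group(2))
    return found

def lint_job(text: str) -> list[str]:
    """Findings for literal credentials and for auto-pr lacking write permissions."""
    kv, findings = _pairs(text), []
    for name in ("api-key", "github-token"):
        if name in kv and not SECRET_REF.match(kv[name]):
            findings.append(f"{name} is a literal value; use a ${{{{ secrets.* }}}} reference")
    if kv.get("auto-pr") == "true":
        for perm in ("contents", "pull-requests"):
            if kv.get(perm) != "write":
                findings.append(f"auto-pr: true requires `{perm}: write` under permissions")
    return findings
```

Run `lint_job` over the `scan` job of your own workflow before committing it; an empty list means both checks pass.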
## Step 4: Create the Configuration File

Add a `noxtara.yaml` file to your repository root to define what to scan.

```yaml
baseUrl: "https://app.noxtara.com/api/main/client"
scan:
  scaSast:
    from: .
```

This tells Noxtara to scan the entire repository starting from the root directory.
## Understanding the Auto-PR Feature

When `auto-pr: true` is enabled, Noxtara automatically creates a pull request after the first scan that updates your `noxtara.yaml` with a new `entryId`.

Why this matters: The `entryId` links subsequent scans to the same entry in the Noxtara dashboard, keeping your scan history together instead of creating a new entry every time.

After your first scan, your `noxtara.yaml` will look like this:

```yaml
baseUrl: "https://app.noxtara.com/api/main/client"
scan:
  code:
    from: .
    entryId: abc123def456 # Added automatically via PR
```

Merge this PR to enable continuous tracking of your repository's security posture.
## Ignoring Files

To exclude files or directories from scanning, add an `ignore` array to your configuration:

```yaml
scan:
  scaSast:
    from: .
    ignore:
      - "node_modules/**"
      - "dist/**"
      - "*.test.ts"
```

Patterns use glob syntax. Common patterns to ignore:
| Pattern | What It Excludes |
|---|---|
| `node_modules/**` | Dependency directories |
| `dist/**` | Build output directories |
| `.git/**` | Git metadata |
| `*.min.js` | Minified files |
| `test/**` | Test files |
## Verifying Your Setup

- Commit and push the workflow file and `noxtara.yaml`
- Go to the Actions tab in your repository
- Select Noxtara Security Scan
- Click Run workflow to trigger it manually
- Check the Noxtara dashboard for scan results
## Troubleshooting

| Issue | Solution |
|---|---|
| "Authentication failed" | Verify `NOXTARA_API_KEY` is set correctly in repository secrets |
| "No files found" | Check that the `from` path in `noxtara.yaml` points to a valid directory |
| PR not created | Ensure `GITHUB_TOKEN` has `contents: write` and `pull-requests: write` permissions |
| Action fails on macOS/Windows | This action requires `ubuntu-24.04` or later |
## Next Steps
- Review scan results in the Noxtara dashboard
- Set up branch protection rules to require security reviews
- Configure notification webhooks for new vulnerabilities
