GitHub Action

Automatically scan every pull request and create GitHub Issues for security findings.

✅ PR Comments
🐛 Auto Issue Creation
🔒 Security Scanning

How it works

Step 1 — Add the workflow file

Add a single YAML file to your repository

Step 2 — Open a Pull Request

Every PR automatically triggers a security scan

Step 3 — Get Results

Score posted as PR comment, issues created for findings

Setup

1. Create a GitHub Token

Go to GitHub → Settings → Developer Settings → Personal Access Tokens → Generate new token (classic). Select the repo scope. Copy the token.

Keep in mind what this token is: a classic token with the repo scope has full read and write access to every repository your account can reach, and the workflow below hands it to the BreakMyApp API so the service can comment on the pull request and open issues on your behalf. Generate it from a dedicated account if you can, set an expiration date, and revoke it as soon as you stop using the integration. A fine-grained token restricted to this one repository with Issues and Pull requests write permission is the least-privilege alternative, provided the service accepts it.

2. Add Token as Repository Secret

Go to your repository → Settings → Secrets and variables → Actions → New repository secret.

Name: BREAKMYAPP_TOKEN
Value: (paste your token)

3. Add the Workflow File

Create this file in your repository: .github/workflows/breakmyapp.yml

name: BreakMyApp Security Scan

on:
  pull_request:
    branches:
      - main
      - master

# The API base URL is used by three steps; keep it in one place.
env:
  BREAKMYAPP_API: https://breakmyapp-production-2ec7.up.railway.app/api/v1

jobs:
  scan:
    runs-on: ubuntu-latest
    # Listing permissions sets every unlisted one to "none", so the checkout
    # step needs contents: read spelled out or it fails on private repos.
    permissions:
      contents: read
      issues: write
      pull-requests: write

    steps:
      # The scan is started from the repository URL and no later step reads
      # the checked-out tree, so this step can be dropped if you do not need it.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Start BreakMyApp scan
        id: start_scan
        run: |
          REPO_URL="${{ github.server_url }}/${{ github.repository }}"
          # jq builds the body so the URL is always well-formed JSON.
          RESPONSE=$(curl -sSf -X POST "$BREAKMYAPP_API/scans/" \
            -H "Content-Type: application/json" \
            -d "$(jq -cn --arg u "$REPO_URL" '{repo_url: $u}')")
          # jq -e fails the step if the response carries no id.
          SCAN_ID=$(echo "$RESPONSE" | jq -er '.id')
          echo "scan_id=$SCAN_ID" >> "$GITHUB_OUTPUT"

      - name: Wait for scan to complete
        id: wait_scan
        env:
          SCAN_ID: ${{ steps.start_scan.outputs.scan_id }}
        run: |
          MAX_ATTEMPTS=120   # 120 x 10 s = 20 minutes
          ATTEMPT=0
          while [ "$ATTEMPT" -lt "$MAX_ATTEMPTS" ]; do
            # curl -f fails on an HTTP error; retry on a transient 5xx
            # instead of aborting the step or treating it as a finished scan.
            if SUMMARY=$(curl -sf "$BREAKMYAPP_API/scans/$SCAN_ID/summary"); then
              STATUS=$(echo "$SUMMARY" | jq -r '.status')
              if [ "$STATUS" != "pending" ] && [ "$STATUS" != "running" ]; then
                # jq -c keeps the JSON on one line, as $GITHUB_OUTPUT requires.
                echo "summary=$(echo "$SUMMARY" | jq -c .)" >> "$GITHUB_OUTPUT"
                exit 0
              fi
            fi
            ATTEMPT=$((ATTEMPT + 1))
            sleep 10
          done
          echo "::error::Scan $SCAN_ID did not finish within 20 minutes"
          exit 1

      - name: Post GitHub report
        if: github.event_name == 'pull_request'
        env:
          SCAN_ID: ${{ steps.start_scan.outputs.scan_id }}
          # The secret reaches the shell as an environment variable instead of
          # being expanded into the script text.
          BREAKMYAPP_TOKEN: ${{ secrets.BREAKMYAPP_TOKEN }}
          OWNER: ${{ github.repository_owner }}
          REPO: ${{ github.event.repository.name }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Workflows triggered by pull requests from forks do not receive
          # repository secrets, so the token is empty there.
          if [ -z "$BREAKMYAPP_TOKEN" ]; then
            echo "::warning::BREAKMYAPP_TOKEN is not available (fork PR or missing secret); skipping report"
            exit 0
          fi
          BODY=$(jq -cn --arg t "$BREAKMYAPP_TOKEN" --arg o "$OWNER" \
                        --arg r "$REPO" --argjson n "$PR_NUMBER" \
                        '{token: $t, owner: $o, repo: $r, pr_number: $n}')
          curl -sSf -X POST "$BREAKMYAPP_API/github/report/$SCAN_ID" \
            -H "Content-Type: application/json" \
            -d "$BODY"

      - name: Print scan summary
        if: always()
        env:
          # Output from the scanner is untrusted data; passing it through an
          # environment variable keeps it out of the script text, where a
          # quote in the JSON would otherwise break out of the echo.
          SUMMARY: ${{ steps.wait_scan.outputs.summary }}
        run: |
          SUMMARY="${SUMMARY:-null}"   # wait step may have timed out
          SCORE=$(echo "$SUMMARY" | jq -r '.score // "N/A"')
          REPORT=$(echo "$SUMMARY" | jq -r '.report_url // "N/A"')
          echo "Score: $SCORE/100"
          echo "Report: $REPORT"