
GitHub Actions Integration

Integrate Cloudgeni security scanning into your GitHub Actions workflows to automatically check Infrastructure as Code for security issues on every push and pull request.

What You'll Get

  • Automated security scanning in your CI/CD pipeline
  • PR status checks that block insecure code
  • Inline annotations showing issues directly in diffs
  • Fail-on-severity configuration for quality gates
  • SARIF upload for GitHub Security tab integration

Prerequisites

  • GitHub repository with Actions enabled
  • Cloudgeni account and API key
  • Repository containing IaC files (.tf, .bicep, .hcl, .yaml, etc.)

Quick Start

Step 1: Create API Key

  1. Go to Settings → API Keys in Cloudgeni
  2. Click Create API Key
  3. Name it github-actions
  4. Copy the generated key

Step 2: Add Repository Secret

  1. Go to your GitHub repository
  2. Navigate to Settings → Secrets and variables → Actions
  3. Click New repository secret
  4. Name: CLOUDGENI_API_KEY
  5. Value: Your API key from Step 1
  6. Click Add secret

Step 3: Create Workflow

Create .github/workflows/cloudgeni.yml:

name: Cloudgeni Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Cloudgeni Scan
        uses: cloudgeni/github-action@v1
        with:
          api-key: ${{ secrets.CLOUDGENI_API_KEY }}

Configuration Options

Action Inputs

Input | Description | Default
api-key | Cloudgeni API key | Required
fail-on-critical | Fail if critical findings | true
fail-on-high | Fail if high severity findings | false
fail-on-medium | Fail if medium severity findings | false
scan-path | Directory to scan | .
exclude | Paths to exclude (comma-separated) | -
output-format | Output format (text, json, sarif) | text

Basic Workflow

- name: Run Cloudgeni Scan
  uses: cloudgeni/github-action@v1
  with:
    api-key: ${{ secrets.CLOUDGENI_API_KEY }}

Strict Mode

- name: Run Cloudgeni Scan
  uses: cloudgeni/github-action@v1
  with:
    api-key: ${{ secrets.CLOUDGENI_API_KEY }}
    fail-on-critical: true
    fail-on-high: true

Custom Path

- name: Run Cloudgeni Scan
  uses: cloudgeni/github-action@v1
  with:
    api-key: ${{ secrets.CLOUDGENI_API_KEY }}
    scan-path: ./infrastructure
    exclude: ./infrastructure/test,./infrastructure/examples

Workflow Examples

Basic PR Workflow

name: Security Scan

on:
  pull_request:
    paths:
      - "**/*.tf"
      - "**/*.bicep"
      - "**/*.hcl"

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Cloudgeni Scan
        uses: cloudgeni/github-action@v1
        with:
          api-key: ${{ secrets.CLOUDGENI_API_KEY }}
          fail-on-critical: true

Production Workflow

name: Infrastructure Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
    paths:
      - "infrastructure/**"

permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Cloudgeni Scan
        uses: cloudgeni/github-action@v1
        with:
          api-key: ${{ secrets.CLOUDGENI_API_KEY }}
          scan-path: ./infrastructure
          fail-on-critical: true
          fail-on-high: true
          output-format: sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: cloudgeni-results.sarif

Multi-Environment Workflow

name: Multi-Environment Scan

on:
  push:
    branches: [main, develop]

jobs:
  scan-dev:
    if: github.ref == 'refs/heads/develop'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cloudgeni/github-action@v1
        with:
          api-key: ${{ secrets.CLOUDGENI_API_KEY }}
          scan-path: ./environments/dev
          fail-on-critical: true

  scan-prod:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cloudgeni/github-action@v1
        with:
          api-key: ${{ secrets.CLOUDGENI_API_KEY }}
          scan-path: ./environments/prod
          fail-on-critical: true
          fail-on-high: true

Terraform Plan Integration

name: Terraform with Security

on:
  pull_request:
    paths:
      - "terraform/**"

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Security Scan
        uses: cloudgeni/github-action@v1
        with:
          api-key: ${{ secrets.CLOUDGENI_API_KEY }}
          scan-path: ./terraform
          fail-on-critical: true

  terraform-plan:
    needs: security-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3

      - name: Terraform Init
        run: terraform init
        working-directory: ./terraform

      - name: Terraform Plan
        run: terraform plan
        working-directory: ./terraform

GitHub Security Integration

SARIF Upload

Upload results to the GitHub Security tab:

- name: Run Cloudgeni Scan
  uses: cloudgeni/github-action@v1
  with:
    api-key: ${{ secrets.CLOUDGENI_API_KEY }}
    output-format: sarif

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: cloudgeni-results.sarif

PR Annotations

The action automatically adds annotations to PRs showing:
  • Finding location (file and line)
  • Severity level
  • Description and remediation
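As an added example (not the action's own code), the gate and annotation logic that the fail-on-* inputs and the PR annotations above describe, run over a constructed SARIF document standing in for cloudgeni-results.sarif. It assumes Cloudgeni's SARIF rules carry a CodeQL-style `security-severity` score, which is bucketed with GitHub's documented thresholds (9.0+ critical, 7.0+ high, 4.0+ medium); the rule IDs, file names and findings are made up.

```python
import json
import sys

# Constructed SARIF 2.1.0 document; the rule-level "security-severity" score is a
# CodeQL/GitHub convention and is an assumption about Cloudgeni's SARIF output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Cloudgeni", "rules": [
            {"id": "S3-PUBLIC-READ", "help": {"text": "Set acl = \"private\" and block public access"},
             "properties": {"security-severity": "9.1"}},
            {"id": "SG-OPEN-SSH", "help": {"text": "Restrict ingress to a bastion or VPN CIDR"},
             "properties": {"security-severity": "7.5"}},
            {"id": "KMS-NO-ROTATION", "help": {"text": "Set enable_key_rotation = true"},
             "properties": {"security-severity": "5.0"}},
        ]}},
        "results": [
            {"ruleId": "S3-PUBLIC-READ", "level": "error",
             "message": {"text": "bucket 'logs' has acl public-read"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infrastructure/s3.tf"},
                                                 "region": {"startLine": 14}}}]},
            {"ruleId": "SG-OPEN-SSH", "level": "error",
             "message": {"text": "ingress 22/tcp from 0.0.0.0/0"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infrastructure/sg.tf"},
                                                 "region": {"startLine": 27}}}]},
            {"ruleId": "KMS-NO-ROTATION", "level": "warning",
             "message": {"text": "key 'app' has rotation disabled"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infrastructure/kms.tf"},
                                                 "region": {"startLine": 3}}}]},
        ],
    }],
})

SEVERITY_ORDER = ("critical", "high", "medium", "low")


def severity_label(score: float) -> str:
    """GitHub's documented bucketing of security-severity scores into labels."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def load_findings(sarif_text: str):
    """Flatten SARIF results into the fields a PR annotation needs: location, severity, message, remediation."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            score = float(rule.get("properties", {}).get("security-severity", 0.0))
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "severity": severity_label(score),
                "file": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine", 1),
                "message": res.get("message", {}).get("text", ""),
                "remediation": rule.get("help", {}).get("text", ""),
            })
    return findings


def count_by_severity(findings) -> dict:
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def should_fail(counts, fail_on_critical=True, fail_on_high=False, fail_on_medium=False) -> bool:
    """Mirror the fail-on-* inputs (defaults as in the inputs table); each flag gates its own level."""
    return bool((fail_on_critical and counts["critical"])
                or (fail_on_high and counts["high"])
                or (fail_on_medium and counts["medium"]))


def annotations(findings):
    """Render GitHub workflow commands, which the runner turns into inline PR annotations."""
    lines = []
    for f in findings:
        kind = "error" if f["severity"] in ("critical", "high") else "warning"
        lines.append(f"::{kind} file={f['file']},line={f['line']},"
                     f"title={f['severity'].upper()} {f['rule']}::{f['message']}. Fix: {f['remediation']}")
    return lines


if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)
    for line in annotations(found):
        print(line)
    totals = count_by_severity(found)
    failed = should_fail(totals, fail_on_critical=True, fail_on_high=True)  # the "Strict Mode" settings
    print("counts:", totals, "-> fail" if failed else "-> pass")
    sys.exit(1 if failed else 0)
```

Printed to a step's stdout, the `::error`/`::warning` lines surface on the changed lines of the PR diff, and the non-zero exit is what turns a required status check red.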

Branch Protection

Required Status Checks

  1. Go to Settings → Branches
  2. Click Add rule for your target branch
  3. Enable Require status checks to pass
  4. Search for and select Cloudgeni Security Scan
  5. Save changes

Now PRs cannot be merged until the security scan passes.

Organization Secrets

For multiple repositories:
  1. Go to Organization Settings → Secrets and variables → Actions
  2. Click New organization secret
  3. Add CLOUDGENI_API_KEY
  4. Select repository access policy
  5. All selected repositories can use the secret

Troubleshooting

Secret Not Found:
  • Verify secret name matches exactly
  • Check secret is available to the repository
  • Ensure workflow has correct permissions
Scan Timeout:
  • Large repositories take longer
  • Consider scanning specific paths
  • Check for large binary files
No Findings Reported:
  • Verify IaC files exist in scan path
  • Check file extensions are supported
  • Review exclude patterns
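An added pre-flight check, not part of Cloudgeni or this page, for the "No Findings Reported" case and for the scan-path and exclude inputs shown in the Custom Path configuration: it walks a constructed repository, keeps only the extensions listed under Prerequisites, and drops anything under the exclude list. Treating each exclude entry as a repository-relative path prefix is an assumption about the action; the scanner's real extension list is longer than the four used here.

```python
import os
import tempfile
from pathlib import Path

# Extensions named in the Prerequisites section; the scanner's full list ("etc.")
# is not assumed here.
IAC_EXTENSIONS = {".tf", ".bicep", ".hcl", ".yaml"}


def parse_exclude(exclude: str):
    """Split the comma-separated exclude input into normalised repo-relative paths.
    Treating each entry as a path prefix (directory or file) is an assumption about the action."""
    return [os.path.normpath(p.strip()) for p in exclude.split(",") if p.strip()]


def is_excluded(rel_path: str, excludes) -> bool:
    """True when rel_path equals an exclude entry or sits below it (prefix match on path components)."""
    rel = os.path.normpath(rel_path)
    return any(rel == ex or rel.startswith(ex + os.sep) for ex in excludes)


def find_iac_files(repo_root: str, scan_path: str = ".", exclude: str = ""):
    """Return repo-relative IaC files under scan_path that survive the exclude list."""
    root = Path(repo_root)
    excludes = parse_exclude(exclude)
    found = []
    for path in (root / scan_path).rglob("*"):
        if not path.is_file() or path.suffix not in IAC_EXTENSIONS:
            continue
        rel = os.path.relpath(path, root)  # e.g. "infrastructure/main.tf"
        if not is_excluded(rel, excludes):
            found.append(rel)
    return sorted(found)


def preflight(repo_root: str, scan_path: str = ".", exclude: str = "") -> dict:
    """Summarise what the scanner would actually see; ok=False means a scan can only report nothing."""
    files = find_iac_files(repo_root, scan_path, exclude)
    by_ext = {}
    for f in files:
        ext = os.path.splitext(f)[1]
        by_ext[ext] = by_ext.get(ext, 0) + 1
    return {"files": files, "by_extension": by_ext, "ok": bool(files)}


def build_sample_repo() -> str:
    """Constructed repository layout mirroring the Custom Path example (placeholder file contents)."""
    root = tempfile.mkdtemp(prefix="cloudgeni-preflight-")
    for rel in [
        "infrastructure/main.tf",
        "infrastructure/modules/vpc/vpc.tf",
        "infrastructure/test/fixture.tf",
        "infrastructure/examples/demo.bicep",
        "infrastructure/README.md",
        "docs/pipeline.yaml",
    ]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("# constructed placeholder\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    # First exclude list is the one from the Custom Path example; the second is an over-broad
    # exclude that silently empties the scan, the usual cause of "no findings".
    for exclude in ["./infrastructure/test,./infrastructure/examples", "./infrastructure"]:
        result = preflight(repo, "./infrastructure", exclude)
        status = "ok" if result["ok"] else "NO FILES LEFT TO SCAN"
        print(f"exclude={exclude!r}: {len(result['files'])} file(s) {result['by_extension']} -> {status}")
```

Point `preflight` at a checkout with the same scan-path and exclude values as the workflow; an empty file list explains a clean scan before any time is spent on the action itself.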
SARIF Upload Failed:
  • Ensure the workflow grants the security-events: write permission
  • Check that the SARIF file was generated (output-format: sarif)
  • Verify the sarif_file path matches the generated file