GitHub Actions
Basic Scan with SARIF
```yaml
name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # Required by actions/checkout once permissions are set explicitly
      id-token: write         # For OIDC
      security-events: write  # For SARIF upload
    steps:
      - uses: actions/checkout@v4
      - run: pip install cloud-audit
      - run: cloud-audit scan --format sarif --output results.sarif
        env:
          AWS_REGION: eu-central-1
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
Daily Drift Detection
See daily-scan-with-diff.yml for a complete workflow that:
- Runs a daily scan on a schedule
- Compares against yesterday's baseline (cached)
- Creates an issue if regressions are detected
- Updates the baseline cache
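The baseline comparison step of that workflow, written out as an added example (this is not code from cloud-audit or from daily-scan-with-diff.yml): it keys each SARIF result on the tool's partialFingerprints when present, otherwise on rule id, location and message, and reports results in today's scan that yesterday's cached baseline did not contain. The two SARIF documents and their rule ids are constructed sample input, not cloud-audit's real rules.

```python
"""Diff a cached baseline SARIF file against a fresh scan and list regressions."""
import json
import sys


def result_key(result: dict) -> tuple:
    """Stable identity for one SARIF result, so ordering changes between runs do not
    register as regressions. Prefer the tool's own partialFingerprints; otherwise
    fall back to (ruleId, first location URI, message text)."""
    fingerprints = result.get("partialFingerprints")
    if fingerprints:
        return tuple(sorted(fingerprints.items()))
    uri = ""
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
        if uri:
            break
    return (result.get("ruleId", ""), uri, result.get("message", {}).get("text", ""))


def collect(sarif: dict) -> dict:
    """Map result key -> result across every run in a SARIF document."""
    return {result_key(r): r for run in sarif.get("runs", []) for r in run.get("results", [])}


def regressions(baseline: dict, current: dict) -> list:
    """Results present in the current scan that were absent from the baseline."""
    seen = collect(baseline)
    return [r for key, r in collect(current).items() if key not in seen]


# Constructed sample documents standing in for yesterday's baseline and today's results.sarif.
_S3 = {"ruleId": "S3_PUBLIC_BUCKET", "level": "error",
       "message": {"text": "Bucket allows public read"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "arn:aws:s3:::example-logs"}}}]}
_SG = {"ruleId": "SG_OPEN_SSH", "level": "warning",
       "message": {"text": "Security group allows 0.0.0.0/0 on port 22"},
       "locations": [{"physicalLocation": {"artifactLocation": {"uri": "sg-0123456789abcdef0"}}}]}
BASELINE = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "cloud-audit"}}, "results": [_S3]}]}
CURRENT = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "cloud-audit"}}, "results": [_S3, _SG]}]}

if __name__ == "__main__":
    # Usage: compare_sarif.py baseline.sarif results.sarif (defaults to the samples above).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            new = regressions(json.load(a), json.load(b))
    else:
        new = regressions(BASELINE, CURRENT)
    for r in new:
        print(f"NEW {r.get('level', '')}: {r.get('ruleId', '')} - {r.get('message', {}).get('text', '')}")
    sys.exit(1 if new else 0)  # non-zero exit lets the workflow open an issue on regressions
```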
Post-Deploy Scan
See post-deploy-scan.yml for scanning before and after terraform apply.
OIDC Authentication
cloud-audit supports OIDC authentication with AWS. Configure your IAM role to trust the GitHub Actions OIDC provider and use aws-actions/configure-aws-credentials:
```yaml
# Place this step before the cloud-audit scan step; it needs the job's id-token: write permission.
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789012:role/security-scan
    aws-region: eu-central-1
```
See OIDC setup guide for IAM role configuration.