---
title: "GitHub actions"
slug: "github-actions"
description: "Integrate Traceable’s API security testing with GitHub Actions to automate vulnerability scans in CI/CD workflows. Detect threats early in the SDLC, configure workflows, and generate actionable security reports."
updated: 2024-12-12T06:46:56Z
published: 2024-12-12T06:46:56Z
---

# GitHub actions

GitHub Actions is an automation and workflow tool that GitHub provides. It allows developers to automate tasks and define workflows using YAML files. Workflows are triggered by events such as code pushes or pull requests and can include a series of actions. Actions are reusable tasks that can be combined to create workflows. GitHub Actions is commonly used for continuous integration/continuous deployment (CI/CD) pipelines.

Traceable integrates with GitHub Actions by running security scans against your staging environment from within the workflow. Finding vulnerabilities at this early stage of the SDLC gives developers and product security engineers more time and context to prioritize mitigation and build secure APIs. This topic explains how to configure the Traceable xAST GitHub Action and how to run a scan as part of the build.

---

## Before you begin

Make a note of the following before integrating GitHub Actions with Traceable:

- Make sure that you have an active account and repository on GitHub.
- Generate a Traceable scan token (see `client_scan_token` in the inputs table below) and store it as a GitHub Actions secret; do not commit it to the workflow file.
- It is helpful if you have a basic understanding of GitHub Actions workflows. For information, see the [GitHub Actions documentation](https://docs.github.com/en/actions).

---

## Integration

Integrating Traceable xAST with GitHub workflows entails locating the Traceable GitHub Action, understanding its inputs, and adapting the sample workflow below to your repository.

### GitHub action

All GitHub Actions published by Traceable are available in the [Traceableai/traceable-github-actions repository](https://github.com/Traceableai/traceable-github-actions). The AST action itself, including the definition of its inputs, is in its [action.yml](https://github.com/Traceableai/ast-action/blob/main/action.yml).

### Understand the inputs

The following table explains the various inputs.

| Input | Description |
| --- | --- |
| `step_name` | Scan action to perform: `init`, `run`, `init and run`, or `stop`. |
| `scan_name` | The name of the scan. |
| `client_scan_token` | Scan token from the Traceable platform. Fetch it by navigating to **Your Account** (![image-1638268402925](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/image-1638268402925.png)) → **My Preferences** → **API Tokens**, and pass it to the action from a GitHub Actions secret rather than as a literal in the workflow file. For more information, see [Public APIs](/docs/public-apis). |
| `cli_version` | The Traceable CLI version to be used. For more information, see [Traceable CLI](https://docs.traceable.ai/docs/security-testing#traceable-cli). |
| `traffic_env` | The environment for which AST should observe the traffic. |
| `plugins` | List of plugins you wish to run the AST scan for. |
| `include_url_regex` | Include the URL patterns to test. |
| `exclude_url_regex` | Exclude URL patterns from the scan. |
| `target_URL` | Target URL for the tests. |
| `traceable_server` | URL for the Traceable server. This does not apply to SaaS users. |
| `idle_timeout` | Timeout for a scan when it goes in the IDLE state. |
| `reference_env` | Reference environment from where AST should pick up the API specifications. |
| `max_retries` | Max retries for the scan after a failure. |
| `scan_suite` | The AST suite name as defined on the Traceable platform. |
| `graphql_schema_ids` | A comma-separated list of GraphQL schema IDs uploaded to the Traceable platform. |
| `graphql_schema_files` | A comma-separated list of GraphQL SDL file paths. |
| `graphql_introspection_enabled` | Enables extracting the GraphQL schema by running introspection on the target URL. |

### Sample GitHub actions workflow

The following is a sample workflow showing how to configure the AST GitHub action.

```yaml
name: Test Traceable AST Init And Run Action With AST Scan Suite
on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

jobs:
  InitAndRunAstScan:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Init and run scan action
        uses: Traceableai/ast-action@main
        with:
          step_name: 'init and run'
          client_scan_token: ${{ secrets.CLIENT_SCAN_TOKEN_DEMO }}
          cli_version: 'latest'
          scan_suite: 'github-actions-test-suite'
          traceable_server: ${{ secrets.TRACEABLE_SERVER_DEMO }}
      - name: Stop Scan
        if: always()
        uses: Traceableai/ast-action@main
        with:
          step_name: 'stop'
          client_scan_token: ${{ secrets.CLIENT_SCAN_TOKEN_DEMO }}
          traceable_server: ${{ secrets.TRACEABLE_SERVER_DEMO }}
  functionalTest:
    runs-on: ubuntu-20.04
    steps:
      - name: Run a loop as functional test (This is sample)
        run: |
          for ((i=1;i<=100;i++)); 
          do 
             echo $i
          done
```

As you can see in the above workflow:

1. A scan is initiated by the `Init and run scan action` step, which takes the following parameters as input:
   - `client_scan_token`
   - `scan_suite`
   - `traceable_server`

   You can also configure additional parameters from the [inputs table](/v1/docs/github-actions#understand-the-inputs) above. Alternatively, configure assets, attacks, evaluation criteria, and so on as a scan suite on the Traceable platform, and initiate the scan by passing only the suite name in the `scan_suite` parameter, as the sample does.
2. Functional tests run (the `functionalTest` job in the sample) while Traceable runs the scan, which takes the following parameters as input:
   - `client_scan_token`
   - `traffic_env`
   - `cli_version`

   The sample combines the `init` and `run` actions in a single `init and run` step. The `stop` step is guarded with `if: always()` so that the scan is stopped even when an earlier step fails.
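
The following workflow is an added example, not code from the original page or from Traceable, that reworks the sample above the way a security engineer would before merging it: third-party actions are pinned to a full commit SHA instead of the moving `main` branch, the job's `GITHUB_TOKEN` is reduced to `contents: read`, overlapping scans of the same ref are prevented with `concurrency`, the scan job is skipped on pull requests from forks (where GitHub does not expose secrets, so `client_scan_token` would be empty), and the run exercises more of the inputs from the table. The secret name `TRACEABLE_SCAN_TOKEN`, the suite and environment names, the `example.com` URLs and regexes, and the `<full-commit-sha>` placeholder (replace it with the SHA of the action release you have reviewed) are all assumptions; the action inputs themselves are the ones documented above.

```yaml
name: Traceable AST scan with functional-test traffic
on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

# Least privilege for the job's GITHUB_TOKEN: the scan needs nothing beyond reading the checkout.
permissions:
  contents: read

# Never let two scans of the same ref overlap; a superseded run is cancelled,
# and its `stop` step still runs because of `if: always()`.
concurrency:
  group: ast-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ast-scan:
    runs-on: ubuntu-22.04
    # Secrets are not passed to pull_request runs from forked repositories, so
    # client_scan_token would be empty there: skip the scan instead of failing.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Checkout
        # Pin third-party actions to a reviewed full-length commit SHA, not a branch or tag
        # that can be moved. <full-commit-sha> is a placeholder to replace with that SHA.
        uses: actions/checkout@<full-commit-sha>

      - name: Init and run scan
        uses: Traceableai/ast-action@<full-commit-sha>
        with:
          step_name: 'init and run'
          scan_name: 'ci-${{ github.run_id }}'                 # assumed naming scheme, one name per run
          client_scan_token: ${{ secrets.TRACEABLE_SCAN_TOKEN }}  # assumed secret name; never a literal
          cli_version: 'latest'
          scan_suite: 'ci-api-suite'                           # assumed suite created on the Traceable platform
          traffic_env: 'staging'                               # assumed environment name
          # Assumed patterns: scan only the staging API and keep health/metrics endpoints out of scope.
          include_url_regex: 'https://api\.staging\.example\.com/.*'
          exclude_url_regex: '.*/(healthz|metrics)$'
          max_retries: '2'
          # traceable_server is only needed for self-hosted deployments; SaaS users omit it.

      - name: Stop scan
        if: always()   # release the scan even if the previous step failed or the run was cancelled
        uses: Traceableai/ast-action@<full-commit-sha>
        with:
          step_name: 'stop'
          client_scan_token: ${{ secrets.TRACEABLE_SCAN_TOKEN }}

  functional-tests:
    # Runs in parallel with ast-scan, as in the original sample, so the scan sees this traffic.
    runs-on: ubuntu-22.04
    steps:
      - name: Exercise the staging API (replace with your real test suite)
        run: |
          # Constructed sample traffic against the assumed staging host.
          for path in /api/users /api/orders /api/orders/1; do
            curl -sS -o /dev/null -w "%{http_code} $path\n" "https://api.staging.example.com$path"
          done
```

Keep `pull_request` if you want scans on pull requests from branches in the same repository; the job-level `if` is what prevents a fork PR from starting a scan with an empty token. The `include_url_regex` and `exclude_url_regex` values are regular expressions, so escape dots in hostnames as shown.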

### Triggers

GitHub workflows support a wide range of triggers. You can read more about them at [Events that trigger workflows](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows). Two points matter for the scan job: secrets, including the value you pass as `client_scan_token`, are not available to workflows triggered by `pull_request` events from forked repositories, so a scan step in such a run fails with an empty token unless you skip it; and `workflow_dispatch`, as in the sample, lets you start a scan on demand without a push.

### Report

The following is a sample AST report once the scan is executed. The report shows various details about vulnerability categories, subcategories, and severity.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_github_actions_report.png)

You can view the report from the summary section as shown below:

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/traceable_github_actions_report_summary.png)

### Terminology

XAST is a general term for the different application security testing methodologies, each focused on a specific component or area of an application. The "X" in XAST stands for any of these testing techniques:

1. SAST (Static Application Security Testing)
2. DAST (Dynamic Application Security Testing)
3. IAST (Interactive Application Security Testing)
4. MAST (Mobile Application Security Testing)
5. WAST (Web Application Security Testing)
6. AST (API Security Testing)

SDL stands for Schema Definition Language. In the context of GraphQL, SDL is a human-readable syntax for defining the schema of a GraphQL API: the types, queries, and mutations the API exposes. The `graphql_schema_files` input takes paths to files in this format.
