This is a guide to setting up and configuring Safety to scan your GitHub repositories for dependency security vulnerabilities using Safety as a GitHub Action. This enables you to configure security and compliance scans on your repositories on new commits, new branches, pull requests, and more.
On your GitHub repository, navigate to Settings -> Secrets -> Actions, and add your Safety API key as a secret whose name matches the variable name you've used in the workflow YAML file (SAFETY_API_KEY in all the examples here). Once added, it should look similar to the screenshot below:
GitHub Actions are an easy and powerful way to run CI/CD processes on your codebases hosted on GitHub. Adding Safety security scans to your repositories is as easy as adding a few lines to your GitHub Actions workflow configuration file to run Safety.
We've created some full pipeline examples below if you don't have one set up yet. If you need help configuring your Python workflow, you can read more on getting started with GitHub workflows in Python.
GitHub Actions are configured using YAML workflow files in a special .github/workflows/ folder. Here is an example YAML file that runs Safety to scan your project for security vulnerabilities. This will scan in auto-detect mode, which will try to scan the most appropriate thing automatically.
You can read more about Safety's scan modes and different options.
```yaml
# This workflow will run Safety security scans on all dependencies that are installed into the environment.
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
# Saved to `.github/workflows/safety.yml`
name: Safety Security Scan
on:
  push: # Run on every push to any branch
  pull_request: # Run on new pull requests
jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      - uses: safety/[email protected] # action reference as given in the source; check the Safety docs for the exact action name and version tag
```
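The following is an added, complete pipeline example and is not taken from the Safety documentation or the Safety project. Instead of the action, it installs the Safety CLI from PyPI and runs `safety scan` directly; it assumes the CLI reads the API key from the `SAFETY_API_KEY` environment variable (the same secret name created in the repository settings above) and that the project keeps its pinned dependencies in `requirements.txt`. The file name `safety-full.yml`, the branch name `main`, and the cron schedule are illustrative choices.

```yaml
# Added example (not from the Safety documentation): .github/workflows/safety-full.yml
# Assumes the Safety CLI is installed from PyPI and reads the SAFETY_API_KEY
# environment variable; the secret name matches the one created in repository settings.
name: Safety Security Scan (full pipeline)

on:
  push:
    branches: [main]          # scan every commit that lands on main
  pull_request:                # scan every pull request before it is merged
  schedule:
    - cron: "0 6 * * 1"        # weekly re-scan so advisories published after the last
                               # commit are still caught, even if the lock file is unchanged

permissions:
  contents: read               # least privilege: the job only needs to read the checkout

jobs:
  safety-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Install the project's pinned dependencies so the scan sees exactly what ships.
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: Install Safety CLI
        run: pip install safety

      # `safety scan` runs in auto-detect mode and by default returns a non-zero exit
      # code when vulnerabilities are found, which fails the check on the commit or PR.
      - name: Run Safety security scan
        env:
          SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}   # read from the repository secret, never hard-coded
        run: safety scan
```

Two points worth keeping when adapting this: the `permissions` block limits the job's `GITHUB_TOKEN` to read-only access so a compromised step cannot push or open pull requests, and the API key is injected only into the step that needs it rather than at the workflow level, which keeps it out of the other steps' environments and out of the logs.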