// `#cicd` — explainer for the Sekura GitHub Actions integration. function GithubActionsPage() { const { React } = window; const { useEffect } = React; useEffect(() => { document.title = 'Sekura — CI/CD with GitHub Actions'; }, []); const workflow = `name: Sekura Security Scan on: push: branches: [main, master] pull_request: workflow_dispatch: permissions: contents: read pull-requests: write security-events: write jobs: sekura: runs-on: ubuntu-latest timeout-minutes: 30 steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - uses: sekuraai/sekura-scan-action@v1 with: scan-type: sast intensity: standard min-severity: medium sekura-token: \${{ secrets.SEKURA_TOKEN }} auto-fix-pr: false`; return (
SEKURA

Sekura runs on your GitHub Actions runner.

Source code never leaves your repo. We dispatch a workflow, the runner executes the scan, and we receive only the findings. SARIF flows back into the GitHub Security tab; PR review comments arrive inline on the lines we found issues on.

What gets installed

When you run npx sekura@latest init, the Sekura GitHub App commits this file to your repo's default branch: 

{workflow}

The SEKURA_TOKEN repo secret is provisioned automatically via the GitHub Actions secrets API (encrypted with the repo's public key). You never have to paste a token by hand.

What runs on every push and PR

  1. GitHub triggers the workflow on push to main / pull_request.
  2. actions/checkout@v4 clones your code into the runner's workspace.
  3. sekuraai/sekura-scan-action@v1 pulls our slim Docker image and runs the scan against the workspace.
  4. LLM calls are routed through proxy.sekura.ai using SEKURA_TOKEN — the only metered resource.
  5. SARIF is uploaded via github/codeql-action/upload-sarif. Review comments are posted by the Sekura GitHub App.
  6. If auto-fix-pr: true (Pro tier), a follow-up PR opens with proposed code changes for the fixable findings.
Wire Sekura into a repo now →
); } window.GithubActionsPage = GithubActionsPage;