Sekura runs on your GitHub Actions runner.

Source code never leaves your repo. We dispatch a workflow, the runner executes the scan, and we receive only the findings. SARIF flows back into the GitHub Security tab; PR review comments arrive inline on the lines where issues were found.

$ npx sekura@latest init
↳ fetching @sekura/cli@latest from registry.npmjs.org

~30 seconds end-to-end.

What gets installed

When you run npx sekura@latest init, the Sekura GitHub App commits this workflow file to your repo's default branch:

name: Sekura Security Scan

on:
  push:
    branches: [main, master]
  pull_request:
  workflow_dispatch:

permissions:
  contents: read
  pull-requests: write
  security-events: write

jobs:
  sekura:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: sekuraai/sekura-scan-action@v1
        with:
          scan-type: sast
          intensity: standard
          min-severity: medium
          sekura-token: ${{ secrets.SEKURA_TOKEN }}
          auto-fix-pr: false

The SEKURA_TOKEN repo secret is provisioned automatically via the GitHub Actions secrets API: the value is encrypted client-side with the repo's public key (a libsodium sealed box, the only format that API accepts) before it is uploaded, so the plaintext never transits GitHub's API in the clear. You never have to paste a token by hand. Both actions in the committed file are referenced by major-version tag (@v4, @v1), which follows the latest release under that tag; if your organization requires commit-SHA pinning, edit the committed file accordingly.
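The provisioning flow described above, as an added example (editor's illustration, not Sekura's own code): fetch the repository's secrets public key, seal the value with a libsodium sealed box via PyNaCl, and PUT the ciphertext together with the key_id. The owner, repo and token values are placeholders; the caller needs a GitHub token with write access to repository secrets, and PyNaCl is only imported when sealing.

```python
import base64
import json
import urllib.request

API = "https://api.github.com"


def gh_headers(token):
    """Standard headers for the GitHub REST API (v2022-11-28)."""
    return {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
        "Content-Type": "application/json",
    }


def fetch_repo_public_key(owner, repo, token):
    """GET the repo's secrets public key. Returns (key_id, base64 public key)."""
    url = f"{API}/repos/{owner}/{repo}/actions/secrets/public-key"
    req = urllib.request.Request(url, headers=gh_headers(token))
    with urllib.request.urlopen(req) as resp:
        data = json.load(resp)
    return data["key_id"], data["key"]


def seal_secret(public_key_b64, plaintext):
    """Encrypt plaintext with a libsodium sealed box for the given repo key.

    The API accepts only this format; anything else is rejected. Requires PyNaCl.
    """
    from nacl.encoding import Base64Encoder
    from nacl.public import PublicKey, SealedBox

    pk = PublicKey(public_key_b64.encode(), encoder=Base64Encoder)
    ciphertext = SealedBox(pk).encrypt(plaintext.encode())
    return base64.b64encode(ciphertext).decode()


def build_put_secret(owner, repo, name, key_id, encrypted_value):
    """Build the PUT target and body; key_id tells GitHub which key sealed the value."""
    url = f"{API}/repos/{owner}/{repo}/actions/secrets/{name}"
    body = {"encrypted_value": encrypted_value, "key_id": key_id}
    return url, body


def provision_secret(owner, repo, name, value, token):
    """Create or update a repo secret. Returns the HTTP status (201 created, 204 updated)."""
    key_id, key_b64 = fetch_repo_public_key(owner, repo, token)
    url, body = build_put_secret(owner, repo, name, key_id, seal_secret(key_b64, value))
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=gh_headers(token), method="PUT"
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder values (assumed, not real): replace before running against a repo.
    status = provision_secret("acme", "shop", "SEKURA_TOKEN", "sk_example_value", "ghp_placeholder")
    print("secret provisioned, status", status)
```

Because the sealing happens before the request is built, the plaintext is never logged by an HTTP proxy or by GitHub's own request handling; the same three calls are what `gh secret set` performs under the hood.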

What runs on every push and PR

  1. GitHub triggers the workflow on push to main / pull_request.
  2. actions/checkout@v4 clones your code into the runner's workspace.
  3. sekuraai/sekura-scan-action@v1 pulls our slim Docker image and runs the scan against the workspace.
  4. LLM calls are routed through proxy.sekura.ai using SEKURA_TOKEN, the only metered resource. Note that GitHub does not expose repository secrets to pull_request runs triggered from forks, so a fork PR cannot complete this step with the triggers as committed.
  5. SARIF is uploaded via github/codeql-action/upload-sarif. Review comments are posted by the Sekura GitHub App.
  6. If auto-fix-pr: true (Pro tier), a follow-up PR opens with proposed code changes for the fixable findings.
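Step 5 hands findings to github/codeql-action/upload-sarif, which only accepts SARIF 2.1.0. The following is an added example (editor's illustration, not Sekura's reporter) of the minimum a scan step must emit for GitHub code scanning to render results in the Security tab: a deduplicated rules table with GitHub's security-severity score, results with a ruleIndex and a %SRCROOT%-relative location, and the min-severity floor from the workflow applied before serialization. The findings list and the severity-to-score mapping are constructed for the example.

```python
import json

# Constructed sample findings: the shape a scan step might hand to a reporter.
# Illustrative only; not Sekura's internal finding format.
SAMPLE_FINDINGS = [
    {"rule_id": "sql-injection", "severity": "high", "path": "app/db.py", "line": 42,
     "message": "User input flows into a SQL query string without parameterization"},
    {"rule_id": "hardcoded-secret", "severity": "critical", "path": "app/config.py", "line": 7,
     "message": "API key literal committed to source"},
    {"rule_id": "debug-enabled", "severity": "low", "path": "app/settings.py", "line": 3,
     "message": "DEBUG=True in production settings"},
    {"rule_id": "sql-injection", "severity": "high", "path": "app/report.py", "line": 118,
     "message": "Format string builds a SQL statement from request args"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# SARIF result level; GitHub maps these to note/warning/error alert badges.
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}
# Representative CVSS-style scores (editor's choice) for GitHub's security-severity
# buckets: <4 low, 4-6.9 medium, 7-8.9 high, >=9 critical.
SECURITY_SEVERITY = {"low": "3.0", "medium": "5.0", "high": "8.0", "critical": "9.5"}


def filter_by_min_severity(findings, min_severity):
    """Drop findings below the configured floor (the workflow's min-severity input)."""
    if min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {min_severity!r}")
    floor = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


def to_sarif(findings, tool_name="sekura", tool_version="0.0.0"):
    """Build a SARIF 2.1.0 log with one run; rules are deduplicated by id."""
    rules, rule_index = [], {}
    results = []
    for f in findings:
        rid = f["rule_id"]
        if rid not in rule_index:
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "shortDescription": {"text": rid.replace("-", " ")},
                "properties": {"security-severity": SECURITY_SEVERITY[f["severity"]]},
            })
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                # %SRCROOT% lets GitHub resolve the path against the checkout root.
                "artifactLocation": {"uri": f["path"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def render(findings, min_severity="medium"):
    """Filter, convert and serialize; the string is what gets written to the sarif_file."""
    return json.dumps(to_sarif(filter_by_min_severity(findings, min_severity)), indent=2)


if __name__ == "__main__":
    print(render(SAMPLE_FINDINGS, "medium"))
```

With min-severity set to medium, the low finding is dropped and the two sql-injection results share one rule entry; GitHub keys alerts on ruleId plus location, so a stable rule id across runs is what lets an alert close automatically once the line is fixed.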