Skip to main content

GitHub Actions integration

shadowaudit is available as a GitHub Marketplace Action. Add it to your workflow to scan for shadow API routes on every pull request.

Quick start

Create .github/workflows/security.yml in your repo:

name: shadowaudit API Security Scan

on:
pull_request:
branches: [main]

jobs:
shadowaudit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: '20'

- name: Run shadowaudit
uses: darkmaster0345/shadow-Audit@v0.3.0
with:
dir: './src'
spec: './openapi.json'
fail-on: 'critical'
post-comment: 'true'

Inputs

InputDescriptionRequiredDefault
dirDirectory to scanNo'.'
specPath to OpenAPI/Swagger spec fileNo''
formatOutput format: table, json, sarifNo'table'
fail-onFail on: critical, high, infoNo'critical'
frameworkFramework: express, fastapi, django, autoNo'auto'
post-commentPost findings as PR comment (true/false)No'true'
github-tokenGitHub token for PR commentsNo${{ github.token }}

Outputs

OutputDescription
findings-countTotal number of findings
critical-countNumber of critical findings
high-countNumber of high findings

PR comment bot

When post-comment: 'true' (default) and running on a pull_request event, shadowaudit posts a markdown summary directly on the PR:

## 🔍 shadowaudit Scan Results

⚠️ **2 undocumented route(s) detected**

| Severity | Method | Path | File | Line | Auth |
|----------|--------|------|------|------|------|
| 🔴 CRITICAL | GET | /api/debug/reset | routes.js | 21 ||
| 🟡 HIGH | POST | /api/shadow | routes.js | 33 ||

**Summary**
- Total routes scanned: 18
- Documented: 16
- Undocumented: 2
- 🔴 Critical: 1
- 🟡 High: 1

>**Pipeline will fail** — undocumented unauthenticated routes detected.

SARIF + GitHub Code Scanning

For native GitHub Security tab integration, use format: sarif:

- name: Run shadowaudit (SARIF)
uses: darkmaster0345/shadow-Audit@v0.3.0
with:
dir: './src'
spec: './openapi.json'
format: 'sarif'
fail-on: 'critical'
continue-on-error: true

- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: shadowaudit.sarif

Findings will appear in your repo's Security → Code scanning alerts tab.

Exit codes

ConditionExit code
No findings0
Findings below fail-on threshold0
Findings at or above fail-on threshold1
fail-on valueFails when
critical (default)Any CRITICAL finding
highAny CRITICAL or HIGH finding
infoAny finding at all