# GitHub CI Integration

#### The action is located at <https://github.com/sec3dev/pro-action>.

### **1. Setup integration**

First, find the sec3 secret token on the dashboard under “Account -> Security” section.

![Fig 1. Find sec3 token](/files/3IA7RVwdtFsQ6WT8vsCZ)

After acquiring the token, navigate to your GitHub repository. Click through **Settings -> Secrets and variables -> Actions -> New Repository Secret** to add a new action secret. Name the secret as **SEC3\_TOKEN** in the **Name** field, paste the token value in the **Secret** field and click **Add secret**.

<figure><img src="/files/hGaqffxfRxNcWhw7kiFe" alt=""><figcaption><p>Fig 2. Set up sec3 token on GitHub</p></figcaption></figure>

#### Next, add a workflow (*<mark style="color:green;">.github/workflows/sec3.yml</mark>*):

```yaml
name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: [main]
  pull_request:
    branches: ["*"]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        continue-on-error: false    # set to true if you don't want audit findings to fail the job
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}   # read from the repository secret, never inline
```

<mark style="color:red;">**Warning: DO NOT** explicitly include your token in the workflow.</mark>

A full sample *<mark style="color:green;">**sec3.yml**</mark>* file can be found [here](https://github.com/sec3dev/ci-test/blob/main/.github/workflows/sec3.yml). The following shows a snapshot of the GitHub action result:

![](/files/UucAs9F1HbeHl9hYwwfU)

The detailed audit report can be viewed by following the link (with authentication).

If you would like to hide the detailed report link, add a `hide-report-link` boolean variable in the .yml file. Example:

```yaml
- name: Sec3 Pro Audit
  continue-on-error: false    # set to true if you don't want to fail jobs
  uses: sec3dev/pro-action@v1
  with:
    sec3-token: ${{ secrets.SEC3_TOKEN }}
    hide-report-link: true
```

If you would like to scan only one program in the repo, add a `path` variable specifying the path of that individual program. Example:

```yaml
- name: Sec3 Pro Audit
  continue-on-error: false    # set to true if you don't want to fail jobs
  uses: sec3dev/pro-action@v1
  with:
    sec3-token: ${{ secrets.SEC3_TOKEN }}
    path: one-program
```

### **2. Code scanning alerts integration**

Sec3 X-ray also writes a SARIF report named `sec3-report.sarif` to the workspace, which downstream steps such as Code scanning alerts on GitHub can consume:

<div align="left"><img src="https://uploads-ssl.webflow.com/62825907e488804fe456dd80/628c618b04f98bd8fe771404_1*MkQRja_-tVRMJkXWsCAe6g.png" alt=""></div>

**Note**: to enable this feature for *private repos*, GitHub requires an organization account and a [*GitHub Advanced Security*](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository) license.

The configuration has two steps:

#### (1) **Set up code scanning** (follow [GitHub’s docs](https://docs.github.com/en/enterprise-server@3.4/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository))

#### (2) **Add a workflow** (***.github/workflows/sec3-alerts.yml***):

```yaml
name: Sec3 Pro Audit
# update to match your branch names and requirements
on:
  push:
    branches: [main]
  pull_request:
    branches: ["*"]
jobs:
  audit:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Check-out the repository
        uses: actions/checkout@v2
      - name: Sec3 Pro Audit
        # true so the job continues and the SARIF upload step below still runs
        # when the audit reports findings; set to false to fail the job instead
        continue-on-error: true
        uses: sec3dev/pro-action@v1
        with:
          sec3-token: ${{ secrets.SEC3_TOKEN }}
      - name: Upload Sarif Report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: sec3-report.sarif   # file written by the audit step above
```

A full sample sec3-alerts.yml file can be found [here](https://github.com/sec3dev/ci-test/blob/main/.github/workflows/sec3-alerts.yml).

![](https://uploads-ssl.webflow.com/62825907e488804fe456dd80/628c618b64eab85e97095495_1*lXEoJqL9Zzh24jzYsI1jNw.png)

The screenshot above shows a detected missing signer check issue in Code scanning alerts.
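Besides uploading `sec3-report.sarif` to Code scanning alerts, a team often wants a quality gate that reads the same file and fails the job only above a chosen severity. The script below is an added example, not part of the sec3 action; it follows the SARIF 2.1.0 result layout, and the embedded report, rule ids and paths are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample in the SARIF 2.1.0 shape; NOT output of the real sec3 action.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "sec3-x-ray-example"}},
        "results": [
            {"ruleId": "missing-signer-check", "level": "error",
             "message": {"text": "authority account is never checked as signer"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "programs/one-program/src/lib.rs"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "unchecked-arithmetic", "level": "warning",
             "message": {"text": "possible integer overflow"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "programs/one-program/src/math.rs"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

def load_findings(sarif_text):
    """Flatten every result in every run into (level, ruleId, uri, line) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default when level is absent
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append((level, res.get("ruleId", "<no-rule>"), uri, line))
    return findings

def gate(sarif_text, fail_on=("error",)):
    """Return (counts_by_level, should_fail): fail when any listed level has findings."""
    counts = Counter(level for level, *_ in load_findings(sarif_text))
    return counts, any(counts[lvl] for lvl in fail_on)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    counts, fail = gate(text)
    for finding in load_findings(text):
        print("%-7s %-25s %s:%d" % finding)
    print("summary:", dict(counts))
    sys.exit(1 if fail else 0)   # non-zero exit fails the workflow step
```

Run it as an extra step after the audit (`python3 gate.py sec3-report.sarif`) with the audit step kept at `continue-on-error: true`, so the upload and the gate both run and the gate decides the job result.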
