Extend Arnica’s security scanning into complex build environments that pull dependencies from multiple sources or compile packages from source. When real-time checks aren’t enough, post-build scanning validates SBOMs directly from your CI/CD pipelines via API, returning pass/fail results to enforce security gates before merges or deployments. Ensure consistent policy enforcement and centralized visibility in Arnica’s dashboard, even for environments with intricate dependency resolution.
Add a workflow that runs on pull request events and on pushes to your SLA branches so every change is scanned before merge and again once it lands:

```yaml
name: Arnica Dependency Security Scan
on:
  pull_request:
    types: [opened, synchronize]
  push:
    branches: [main, develop, staging, production] # Add your SLA branches
  workflow_dispatch:
jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Dependency Security Scan with Arnica
        id: arnica
        uses: arnica-io/dependency-scan@v1.0.18
        env:
          ARNICA_API_TOKEN: ${{ secrets.ARNICA_API_TOKEN }}
        with:
          repository-url: ${{ github.server_url }}/${{ github.repository }}
          # `||` (not `|`) is the GitHub expression OR operator: uses the PR source
          # branch for pull requests, or the current branch for pushes
          branch: ${{ github.head_ref || github.ref_name }}
          scan-path: .
      - name: Print scan results
        run: |
          echo "Scan ID: ${{ steps.arnica.outputs['scan-id'] }}"
          echo "Status: ${{ steps.arnica.outputs.status }}"
```

For complete security coverage and accurate issue lifecycle tracking, trigger the scan from:
- Pull Requests: `opened` and `synchronize` events catch issues before merge
- Main/Release Branches: `push` to `main`, `develop`, `staging`, `production`
- Build Pipelines: any workflow where code is built or deployed
- Manual Runs: `workflow_dispatch` for on-demand scans
Security scan results appear in multiple locations:
- GitHub Step Summary: Detailed findings report in the workflow run
- Arnica Dashboard: Full vulnerability management at https://app.arnica.io
- Workflow Logs: Console output with scan details
- PR Comments (if configured): Summary posted to pull requests
The action accepts the following inputs:

| Name | Required | Default | Description |
|---|---|---|---|
| `repository-url` | Yes | | Repository URL associated with the scan |
| `branch` | Yes | `main` | Branch to associate with the scan |
| `scan-path` | No | `.` | Directory path to scan and generate an SBOM for (e.g., `.` or `services/api`) |
| `api-base-url` | No | `https://api.app.arnica.io` | Arnica API base URL |
| `api-token` | No | | Arnica API token; prefer the `ARNICA_API_TOKEN` secret environment variable |
| `scan-timeout-seconds` | No | `900` | Timeout (seconds) to wait for scan completion |
| `on-findings` | No | `fail` | Behavior when findings are detected: `fail`, `alert`, or `pass` |
The action sets two outputs:
- `scan-id`: Arnica scan identifier.
- `status`: Final status, one of `Success`, `Failure`, `Error`, `Skipped`, or `Timeout`.

Environment variables:
- `ARNICA_API_TOKEN`: Alternative to the `api-token` input. Pass it via `${{ secrets.ARNICA_API_TOKEN }}` so the token is masked in logs and never committed to the workflow file.

This action does not require repository write permissions: it only reads the checked-out tree and talks to the Arnica API with its own token. For least privilege, set:

```yaml
permissions:
  contents: read
```

Scan a subdirectory and alert (do not fail) on policy violations:
```yaml
- name: Generate SBOM and scan with Arnica
  id: arnica
  uses: arnica-io/dependency-scan@v1.0.18
  env:
    ARNICA_API_TOKEN: ${{ secrets.ARNICA_API_TOKEN }}
  with:
    repository-url: https://github.com/owner/repo
    # For pull_request triggers prefer `github.head_ref || github.ref_name`
    # as in the full workflow above; github.ref_name alone is the merge ref there
    branch: ${{ github.ref_name }}
    scan-path: services/payments
    on-findings: alert
```

Setup:
- Sign in to Arnica at https://app.arnica.io with a privileged `admin` account.
- Create an Arnica API key with only the SBOM scopes, so a token exposed from CI cannot do anything beyond submitting and reading SBOM scans:
  - Navigate to Admin → API.
  - Create a new API key.
  - Select scopes: `sbom-api:read` and `sbom-api:write` only.
- Store the token as a repository secret named `ARNICA_API_TOKEN`.
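The fan-out and gating pattern a monorepo needs, as an added example that is not the project's own code: one `scan` job per service directory via a matrix, alert-only on pull requests but blocking on pushes to `main`, an explicit fail-closed step for scans that end in `Error`, `Timeout` or `Skipped`, and a `deploy` job that cannot start unless every scan leg passed. The service directories, the 1200-second timeout and the deploy step are placeholders; the fail-closed step is a safeguard layered on top of the action's own `on-findings` behaviour and assumes the step's exit code may not cover every non-`Success` status, which the action's documentation does not state either way.

```yaml
# Added example (not part of the arnica-io/dependency-scan project): fan out one
# scan per service directory, relax to alert-only on pull requests, and fail
# closed if a scan does not finish, ahead of a deploy job that depends on it.
name: Arnica monorepo scan and deploy gate
on:
  pull_request:
    types: [opened, synchronize]
  push:
    branches: [main]

permissions:
  contents: read          # the scan only reads the tree; nothing here needs write

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false    # let every service finish so all findings are reported
      matrix:
        # Hypothetical service directories; replace with your own.
        service: [services/api, services/payments, services/worker]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config
      - name: Scan ${{ matrix.service }} with Arnica
        id: arnica
        uses: arnica-io/dependency-scan@v1.0.18
        env:
          ARNICA_API_TOKEN: ${{ secrets.ARNICA_API_TOKEN }}
        with:
          repository-url: ${{ github.server_url }}/${{ github.repository }}
          branch: ${{ github.head_ref || github.ref_name }}
          scan-path: ${{ matrix.service }}
          scan-timeout-seconds: 1200   # placeholder; raise for slow source builds
          # Findings only warn on pull requests but block pushes to main.
          # GitHub's `cond && 'a' || 'b'` idiom works here because 'alert' is truthy.
          on-findings: ${{ github.event_name == 'pull_request' && 'alert' || 'fail' }}
      - name: Fail closed if the scan did not complete
        # Assumption-driven defence in depth: this step only runs when the action
        # step itself exited 0, and turns an errored, timed-out or skipped scan
        # into a job failure instead of a silently "clean" result.
        if: contains(fromJSON('["Error","Timeout","Skipped"]'), steps.arnica.outputs.status)
        run: |
          echo "::error::Arnica scan ${{ steps.arnica.outputs['scan-id'] }} of ${{ matrix.service }} ended with status ${{ steps.arnica.outputs.status }}"
          exit 1

  deploy:
    needs: scan           # runs only if every matrix leg of `scan` succeeded
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - name: Deploy
        run: echo "placeholder: your real deployment step goes here"
```

Because `deploy` declares `needs: scan`, a `fail` from `on-findings` on `main` or an `exit 1` from the fail-closed step in any single matrix leg blocks the deployment; pull requests still get the full report in the step summary and Arnica dashboard without being blocked.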
See CONTRIBUTING.md for development, testing, and release guidance. Please open an Issue first for substantial changes.
This project adheres to a Code of Conduct. By participating, you agree to uphold it. See CODE_OF_CONDUCT.md.
MIT — see LICENSE.md.
Questions or issues? Open a GitHub Issue. You can also propose enhancements via a feature request Issue or PR.