Complete guide for using PyGuard as a GitHub Action in your Python projects.
Add this workflow to .github/workflows/pyguard.yml:
name: PyGuard Security Scan
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
permissions:
contents: read
security-events: write # Required for SARIF upload
jobs:
security-scan:
name: PyGuard Security Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run PyGuard Security Scan
uses: cboyd0319/PyGuard@main
with:
paths: '.'
scan-only: 'true'
upload-sarif: 'true'That's it! PyGuard will:
- ✅ Scan your Python code for security vulnerabilities
- ✅ Generate a SARIF report
- ✅ Upload results to GitHub Security tab
- ✅ Add inline annotations to pull requests
| Input | Description | Default | Required |
|---|---|---|---|
paths |
Paths to scan (space-separated) | . |
No |
python-version |
Python version to use | 3.13 |
No |
scan-only |
Only scan without fixing issues | true |
No |
security-only |
Only run security checks (skip quality) | false |
No |
| Input | Description | Default | Required |
|---|---|---|---|
severity |
Minimum severity level | LOW |
No |
exclude |
Patterns to exclude (space-separated) | tests/* venv/*... |
No |
Severity levels: LOW, MEDIUM, HIGH, CRITICAL
| Input | Description | Default | Required |
|---|---|---|---|
sarif-file |
Output SARIF file path | pyguard-report.sarif |
No |
upload-sarif |
Upload SARIF to GitHub Security tab | true |
No |
fail-on-issues |
Fail workflow if issues are found | false |
No |
| Input | Description | Default | Required |
|---|---|---|---|
unsafe-fixes |
Enable unsafe auto-fixes | false |
No |
| Output | Description |
|---|---|
issues-found |
Number of security issues detected |
sarif-file |
Path to generated SARIF report |
Scan for security vulnerabilities without fixing code:
- name: Security Scan
uses: cboyd0319/PyGuard@main
with:
paths: 'src/ app/'
scan-only: 'true'
security-only: 'true'
upload-sarif: 'true'Fail the workflow if high or critical security issues are found:
- name: Security Gate
uses: cboyd0319/PyGuard@main
with:
paths: '.'
scan-only: 'true'
severity: 'HIGH'
fail-on-issues: 'true'
upload-sarif: 'true'Scan only production code:
- name: Scan Production Code
uses: cboyd0319/PyGuard@main
with:
paths: 'src/'
exclude: 'tests/* *_test.py venv/* .venv/* build/* dist/*'
scan-only: 'true'Scan specific directories:
- name: Scan Multiple Paths
uses: cboyd0319/PyGuard@main
with:
paths: 'src/ lib/ scripts/'
scan-only: 'true'Access scan results in subsequent steps:
- name: Run PyGuard
id: pyguard-scan
uses: cboyd0319/PyGuard@main
with:
paths: '.'
scan-only: 'true'
upload-sarif: 'true'
- name: Check Results
run: |
echo "Issues found: ${{ steps.pyguard-scan.outputs.issues-found }}"
echo "SARIF file: ${{ steps.pyguard-scan.outputs.sarif-file }}"Run daily security scans:
name: Daily Security Audit
on:
schedule:
- cron: '0 0 * * *' # Daily at midnight UTC
workflow_dispatch: # Allow manual trigger
permissions:
contents: read
security-events: write
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: PyGuard Security Audit
uses: cboyd0319/PyGuard@main
with:
paths: '.'
scan-only: 'true'
security-only: 'true'
upload-sarif: 'true'Add inline security annotations to pull requests:
name: PR Security Check
on:
pull_request:
branches: [ main ]
permissions:
contents: read
security-events: write
pull-requests: write # For PR comments
jobs:
security-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: PyGuard PR Scan
uses: cboyd0319/PyGuard@main
with:
paths: '.'
scan-only: 'true'
severity: 'MEDIUM'
upload-sarif: 'true'
fail-on-issues: 'false' # Don't block PRTest security across Python versions:
jobs:
security-scan:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ['3.11', '3.12', '3.13']
steps:
- uses: actions/checkout@v4
- name: PyGuard Scan (Python ${{ matrix.python-version }})
uses: cboyd0319/PyGuard@main
with:
python-version: ${{ matrix.python-version }}
paths: '.'
scan-only: 'true'
upload-sarif: 'true'Full analysis including code quality:
- name: Full PyGuard Analysis
uses: cboyd0319/PyGuard@main
with:
paths: 'src/'
scan-only: 'true'
security-only: 'false' # Include quality checks
upload-sarif: 'true'Specify custom SARIF file location:
- name: Custom SARIF Location
uses: cboyd0319/PyGuard@main
with:
paths: '.'
scan-only: 'true'
sarif-file: 'reports/security-scan.sarif'
upload-sarif: 'true'
- name: Upload SARIF Artifact
uses: actions/upload-artifact@v4
with:
name: security-report
path: reports/security-scan.sarifResults appear in your repository's Security tab:
- Navigate to
https://github.com/OWNER/REPO/security/code-scanning - View detected vulnerabilities with severity, CWE, and OWASP mappings
- Click on issues to see details, location, and fix suggestions
On pull requests, PyGuard adds inline annotations:
- Security issues appear directly on the affected lines
- Click annotations to see full details and remediation steps
- Severity indicated by icon (error, warning, note)
Detailed output in the Actions tab:
- Complete list of issues found
- File-by-file analysis results
- Timing and performance metrics
Combine PyGuard with CodeQL for comprehensive security:
jobs:
codeql:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with:
languages: python
- uses: github/codeql-action/analyze@v3
pyguard:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cboyd0319/PyGuard@main
with:
paths: '.'
scan-only: 'true'
upload-sarif: 'true'Scan dependencies for known vulnerabilities:
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
# .github/workflows/pyguard.yml
on:
pull_request:
branches: [ main ]
jobs:
security-scan:
if: github.actor == 'dependabot[bot]'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cboyd0319/PyGuard@main
with:
paths: '.'
scan-only: 'true'Combine CI scanning with local pre-commit hooks:
# .pre-commit-config.yaml
repos:
- repo: https://github.com/cboyd0319/PyGuard
rev: main
hooks:
- id: pyguard
args: ['--scan-only', '--security-only']
# .github/workflows/pyguard.yml
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cboyd0319/PyGuard@mainPyGuard supports multiple compliance frameworks:
- name: PCI-DSS Compliance Scan
uses: cboyd0319/PyGuard@main
with:
paths: 'payment_processing/'
scan-only: 'true'
security-only: 'true'
severity: 'MEDIUM'
fail-on-issues: 'true'Supported frameworks:
- OWASP Top 10 & ASVS v5.0
- PCI-DSS
- HIPAA
- SOC 2
- ISO 27001
- NIST
- GDPR
- CCPA
- FedRAMP
- SOX
Always enable SARIF upload to track security trends:
upload-sarif: 'true'Minimal permissions required:
permissions:
contents: read # Read repository code
security-events: write # Upload SARIF reportsUse specific versions or SHA in production:
uses: cboyd0319/PyGuard@v1.0.0 # Recommended
# or
uses: cboyd0319/PyGuard@abc123def456 # SHA pinCatch issues early:
on:
pull_request:
branches: [ main, develop ]Block deployments with security issues:
fail-on-issues: 'true'
severity: 'HIGH'Focus on production code:
exclude: 'tests/* *_test.py build/* dist/* .tox/* htmlcov/*'Issue: "Resource not accessible by integration"
Solution: Add required permission:
permissions:
security-events: writeIssue: PyGuard reports 0 issues but you expect some
Solutions:
- Check
severitysetting - may be filtering issues - Verify
excludepatterns aren't too broad - Check
security-onlyisn't set when you want quality checks
Issue: Workflow times out on large codebases
Solutions:
- Increase timeout:
timeout-minutes: 15
- Exclude unnecessary directories
- Scan in parallel jobs
Issue: Syntax errors on modern Python code
Solution: Match your project's Python version:
python-version: '3.13' # Use your versionSpeed up workflow with caching:
- uses: actions/setup-python@v5
with:
python-version: '3.13'
cache: 'pip'
- uses: cboyd0319/PyGuard@mainScan different paths in parallel:
jobs:
scan-backend:
steps:
- uses: cboyd0319/PyGuard@main
with:
paths: 'backend/'
scan-api:
steps:
- uses: cboyd0319/PyGuard@main
with:
paths: 'api/'- Documentation: docs/README.md
- Security Policy: SECURITY.md
- Contributing: CONTRIBUTING.md
- Issues: https://github.com/cboyd0319/PyGuard/issues
- Discussions: https://github.com/cboyd0319/PyGuard/discussions
See PyGuard in action:
- PyGuard Repository - Uses PyGuard to scan itself
- Check
.github/workflows/pyguard-security-scan.ymlfor our production workflow
- ✅ Set up basic security scanning
- ✅ Configure SARIF upload
- ✅ Add to pull request workflows
- ✅ Set up scheduled scans
- ✅ Explore compliance frameworks
- ✅ Integrate with other security tools
Happy Secure Coding! 🛡️