GitHub Actions (Auto-Generated)
When you run ges init, four GitHub Actions workflows are generated in .github/workflows/:
Generated Workflows
compliance.yml — Compliance Check
Runs ges audit --ci on every push to main, on pull requests, and weekly on a schedule.
Fails build if: Critical findings exist.
security.yml — Security Scan
Runs Semgrep and ges scan --ci on pushes and pull requests.
Fails build if: Semgrep or ges scan reports findings.
dependency-scan.yml — Dependency Scan
Runs Trivy and npm audit on pushes to main and weekly on a schedule.
Fails build if: Known vulnerabilities are found in dependencies.
secret-scan.yml — Secret Detection
Runs Gitleaks on all pushes and pull requests.
Fails build if: Secrets are detected in the git history.
Enabling the Workflows
Commit and push the generated files under .github/workflows/; no further setup is needed.
The workflows run automatically on your next push.
Exit Codes
ges audit --ci signals its result through the process exit code, which is what makes the compliance job pass or fail:
| Code | Meaning |
|---|---|
| 0 | Audit passed — no critical findings |
| 1 | Audit failed — critical findings exist |
Viewing Results
After a workflow runs:
- Go to your repository on GitHub
- Click the Actions tab
- Click on the latest workflow run
- Expand the job output to see the findings
Exercise: Trigger a Compliance Workflow
- Initialize GESF in a Git repository and commit the generated workflows:
```bash
cd your-git-project
ges init -n "My App" -t saas -f "GDPR,OWASP"
git add .github/workflows/
git commit -m "Add compliance workflows"
git push
```
- Create a PR with a deliberate finding (a hardcoded API key):
```bash
git checkout -b test/compliance
mkdir -p src   # the redirect below fails if src/ does not exist yet
echo 'const apiKey = "sk-test-key";' > src/test.js
git add src/test.js
git commit -m "Test: add vulnerable code"
git push -u origin test/compliance
```
- Open a pull request on GitHub
- Watch the compliance workflow run and fail. The secret-scan workflow also runs on pull requests, but a placeholder such as sk-test-key does not necessarily match the patterns a secret scanner uses for real credentials, so for this exercise rely on the compliance check.
- Fix the issue (remove the hardcoded key from src/test.js), push, and watch the workflow pass
Exercise: Customize Workflow Triggers
Open .github/workflows/compliance.yml and modify the trigger block (YAML is indentation-sensitive, so keep the nesting exactly as shown):
```yaml
on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1' # Every Monday at 6 AM UTC
```
This adds:
- Scanning on pushes to the develop branch
- Weekly schedule changed to Monday at 6 AM UTC
Note that GitHub runs scheduled workflows only against the default branch, so the cron entry audits main (or whatever your default branch is), not develop.
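To show how the generated workflows described above and the trigger block from this exercise fit into a complete, least-privilege workflow, here is a full compliance.yml. It is an added example, not the file ges init writes: only the trigger block and the ges audit --ci command come from this page; the job steps, the Node.js setup, and the assumption that ges is installed by npm ci as a project dependency are mine.

```yaml
# Added example of a hardened compliance workflow. Not the file generated by
# ges init; the steps below the trigger block are assumptions.
name: Compliance Check

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # Monday 06:00 UTC; runs against the default branch only

# Least privilege: a read-only token is all an audit needs. Without this,
# the job token inherits the repository default, which may be read/write.
permissions:
  contents: read

# Cancel a superseded run of the same ref so stale audits do not queue up.
concurrency:
  group: compliance-${{ github.ref }}
  cancel-in-progress: true

jobs:
  audit:
    runs-on: ubuntu-latest
    timeout-minutes: 15        # a hung scanner should fail, not block the queue
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      # Assumption: ges is declared in package.json and installed by npm ci,
      # so the audited version is locked by package-lock.json.
      - run: npm ci

      - name: Run compliance audit
        # Exit code 1 (critical findings) fails the step and therefore the build.
        run: npx ges audit --ci
```

Two caveats a practitioner will want: keep the trigger as `pull_request` rather than `pull_request_target`, so a pull request from a fork runs with a read-only token and no repository secrets; and for supply-chain hardening, pin each `uses:` line to a full commit SHA instead of a mutable tag like `@v4`. For the generated secret-scan.yml the same skeleton applies, except that the checkout step needs `fetch-depth: 0`, since Gitleaks can only report secrets in the git history if the runner has cloned that history.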