DocsGitHub Action
Integrate

GitHub Action Reference

Complete reference for Polsia-Inc/nixer-action@v1. Every input, every output, PR comment behavior, SARIF upload, permissions, and examples for monorepos and matrix builds.

ℹ️
Current version: v1.1.0. Install from GitHub Marketplace.

Inputs

InputRequiredDefaultDescription
api-keyYesYour Nixer API key. Store as a GitHub repository secret.
github-tokenNogithub.tokenGitHub token for PR comments and SARIF upload. Default is the auto-generated GITHUB_TOKEN.
scan-targetsNo.Comma-separated list of paths to scan. Defaults to entire repo. Use for monorepos: services/api,services/worker.
severity-thresholdNohighMinimum severity to consider for fail-on-findings. Options: low, medium, high, critical.
fail-on-findingsNotrueSet to false for report-only mode (no CI failure on findings).
sarif-outputNonixer-results.sarifPath to write SARIF output. Set to empty string to skip SARIF file generation.

Outputs

OutputTypeDescription
scorenumber (0–100)Nixer risk score. 100 = clean, lower = more risk. Matches /leaderboard scores.
gradestring (A–F)Letter grade derived from score. A = 90+, B = 75+, C = 60+, D = 40+, F = below 40.
report-urlstring (URL)Permanent URL to the full scan report on nixer.polsia.app.

Permissions

Add this to your workflow file. All permissions listed are required for full functionality:

.github/workflows/nixer.yml
permissions:
  contents: read           # checkout the repo
  security-events: write  # upload SARIF to Code Scanning
  pull-requests: write   # create/update PR comments
⚠️
Fork PRs: For repos with fork contributors, GitHub restricts pull-requests: write by default. See GitHub's permissions docs. PR comments are skipped gracefully if the permission is absent.

PR Comment Behavior

When a PR triggers the workflow, Nixer posts a sticky comment with:

Comments are in-place updated on subsequent pushes to the same PR using a hidden <!-- nixer-action:report --> marker — one comment per PR, never a thread flood.

SARIF Upload

Nixer automatically uploads SARIF results to GitHub Code Scanning using github/codeql-action/upload-sarif@v3. Findings appear in the Security → Code scanning alerts tab of your repo.

To disable SARIF upload, set sarif-output: '' in your workflow inputs.

Example: Basic scan

.github/workflows/nixer.yml
name: Nixer AI Security

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}

Example: Fail on critical only

.github/workflows/nixer-strict.yml
- uses: Polsia-Inc/nixer-action@v1
  with:
    api-key: ${{ secrets.NIXER_API_KEY }}
    severity-threshold: critical  # only block on critical
    fail-on-findings: true

Example: Monorepo matrix build

.github/workflows/nixer-monorepo.yml
jobs:
  scan:
    strategy:
      matrix:
        service: [api, worker, agent]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          scan-targets: services/${{ matrix.service }}
          sarif-output: nixer-${{ matrix.service }}.sarif

Example: Scheduled nightly scan

.github/workflows/nixer-nightly.yml
on:
  schedule:
    - cron: '0 2 * * *'  # 2am UTC daily
  workflow_dispatch:      # manual trigger

jobs:
  nightly-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          fail-on-findings: false  # report only on scheduled runs

Using outputs

.github/workflows/nixer-outputs.yml
steps:
  - uses: Polsia-Inc/nixer-action@v1
    id: nixer
    with:
      api-key: ${{ secrets.NIXER_API_KEY }}

  - name: Print score
    run: |
      echo "Score: ${{ steps.nixer.outputs.score }}"
      echo "Grade: ${{ steps.nixer.outputs.grade }}"
      echo "Report: ${{ steps.nixer.outputs.report-url }}"
Edit this page on GitHub