GitHub Action Reference
Complete reference for Polsia-Inc/nixer-action@v1. Every input, every output, PR comment behavior, SARIF upload, permissions, and examples for monorepos and matrix builds.
Current version: v1.1.0. Install from GitHub Marketplace.
Inputs
| Input | Required | Default | Description |
|---|---|---|---|
api-key | Yes | — | Your Nixer API key. Store as a GitHub repository secret. |
github-token | No | github.token | GitHub token for PR comments and SARIF upload. Default is the auto-generated GITHUB_TOKEN. |
scan-targets | No | . | Comma-separated list of paths to scan. Defaults to entire repo. Use for monorepos: services/api,services/worker. |
severity-threshold | No | high | Minimum severity to consider for fail-on-findings. Options: low, medium, high, critical. |
fail-on-findings | No | true | Set to false for report-only mode (no CI failure on findings). |
sarif-output | No | nixer-results.sarif | Path to write SARIF output. Set to empty string to skip SARIF file generation. |
Outputs
| Output | Type | Description |
|---|---|---|
score | number (0–100) | Nixer risk score. 100 = clean, lower = more risk. Matches /leaderboard scores. |
grade | string (A–F) | Letter grade derived from score. A = 90+, B = 75+, C = 60+, D = 40+, F = below 40. |
report-url | string (URL) | Permanent URL to the full scan report on nixer.polsia.app. |
Permissions
Add this to your workflow file. All permissions listed are required for full functionality:
.github/workflows/nixer.yml
permissions: contents: read # checkout the repo security-events: write # upload SARIF to Code Scanning pull-requests: write # create/update PR comments
Fork PRs: For repos with fork contributors, GitHub restricts
pull-requests: write by default. See GitHub's permissions docs. PR comments are skipped gracefully if the permission is absent.PR Comment Behavior
When a PR triggers the workflow, Nixer posts a sticky comment with:
- Severity breakdown table (critical / high / medium / low counts)
- Top-5 findings with
file:lineblob links anchored to the PR head SHA - Per-finding
<details>collapsibles with evidence and remediation steps - A ✅ green comment when the scan finds zero issues
- Links to the full report and false-positive instructions
Comments are in-place updated on subsequent pushes to the same PR using a hidden <!-- nixer-action:report --> marker — one comment per PR, never a thread flood.
SARIF Upload
Nixer automatically uploads SARIF results to GitHub Code Scanning using github/codeql-action/upload-sarif@v3. Findings appear in the Security → Code scanning alerts tab of your repo.
To disable SARIF upload, set sarif-output: '' in your workflow inputs.
Example: Basic scan
.github/workflows/nixer.yml
name: Nixer AI Security on: pull_request: push: branches: [main] permissions: contents: read security-events: write pull-requests: write jobs: scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: Polsia-Inc/nixer-action@v1 with: api-key: ${{ secrets.NIXER_API_KEY }}
Example: Fail on critical only
.github/workflows/nixer-strict.yml
- uses: Polsia-Inc/nixer-action@v1 with: api-key: ${{ secrets.NIXER_API_KEY }} severity-threshold: critical # only block on critical fail-on-findings: true
Example: Monorepo matrix build
.github/workflows/nixer-monorepo.yml
jobs: scan: strategy: matrix: service: [api, worker, agent] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: Polsia-Inc/nixer-action@v1 with: api-key: ${{ secrets.NIXER_API_KEY }} scan-targets: services/${{ matrix.service }} sarif-output: nixer-${{ matrix.service }}.sarif
Example: Scheduled nightly scan
.github/workflows/nixer-nightly.yml
on: schedule: - cron: '0 2 * * *' # 2am UTC daily workflow_dispatch: # manual trigger jobs: nightly-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: Polsia-Inc/nixer-action@v1 with: api-key: ${{ secrets.NIXER_API_KEY }} fail-on-findings: false # report only on scheduled runs
Using outputs
.github/workflows/nixer-outputs.yml
steps: - uses: Polsia-Inc/nixer-action@v1 id: nixer with: api-key: ${{ secrets.NIXER_API_KEY }} - name: Print score run: | echo "Score: ${{ steps.nixer.outputs.score }}" echo "Grade: ${{ steps.nixer.outputs.grade }}" echo "Report: ${{ steps.nixer.outputs.report-url }}"