Nixer GitHub Action
GitHub Actions · CI/CD Security

Security Scan on Every PR

Polsia-Inc/nixer-action@v1 plugs Nixer into GitHub Actions. Grade + findings in every PR comment. SARIF in the Security tab. Build fails on critical findings. Zero config required.

PR Comments SARIF Upload A–F Grade Badge Injection Fail-on-severity

30-second quickstart

Paste this into .github/workflows/security.yml. Done.

.github/workflows/security.yml
name: Nixer Security Scan

on: [push, pull_request]

permissions:
  security-events: write   # required for SARIF upload
  contents: read
  pull-requests: write     # required for PR comments

jobs:
  nixer:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Nixer AI security scan
        id: nixer
        uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          severity-threshold: high
Two permissions required. security-events: write enables SARIF upload to the Security tab. pull-requests: write enables the sticky PR comment. Both default to true in the action — add them to your workflow's permissions: block or uploads/comments will silently fail.

What you get on every PR

A single sticky comment — updated in-place on re-runs — with grade, score, and the top findings pinned to file:line.

🔒
nixer-bot commented just now
🔴 Nixer Security Scan — Grade F
MetricValue
Risk Score75/100
Total Findings4
Critical2
High1
Top findings:
🔴 criticalpwn-request: pull_request_target + Attacker Checkout.github/workflows/ci.yml:14
🔴 criticalExposed OpenAI API Keysrc/agent.js:34
🟠 highUnvalidated Tool Call Chainsrc/tools/browser.js:8
View full report →

The same findings also appear inline in your PR diff and in Security → Code scanning via SARIF — with exact file:line locations and remediation steps in the detail pane.

Example workflows

Standard Node.js project — scans entire repo, posts PR comment, uploads SARIF, fails on high+.

.github/workflows/security.yml
name: Nixer Security Scan

on: [push, pull_request]

permissions:
  security-events: write
  contents: read
  pull-requests: write

jobs:
  nixer:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Nixer AI security scan
        id: nixer
        uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          scan-targets: ./
          severity-threshold: high

      - name: Print grade
        run: |
          echo "Grade: ${{ steps.nixer.outputs.grade }}"
          echo "Score: ${{ steps.nixer.outputs.score }}/100"

Python ML project — scan agent configs and workflow files; report-only on push, block on PR.

.github/workflows/security.yml
name: Nixer Security Scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  security-events: write
  contents: read
  pull-requests: write

jobs:
  nixer:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Nixer scan (report-only on push)
        if: github.event_name == 'push'
        uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          fail-on-findings: 'false'

      - name: Nixer scan (blocking on PR)
        if: github.event_name == 'pull_request'
        uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          severity-threshold: critical

Monorepo — scan each agent service independently, export both SARIF and JSON artifacts.

.github/workflows/security.yml
name: Nixer Security Scan

on: [pull_request]

permissions:
  security-events: write
  contents: read
  pull-requests: write

jobs:
  nixer:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        service: [agents/customer-support, agents/code-review, agents/data-pipeline]
    steps:
      - uses: actions/checkout@v4

      - name: Scan ${{ matrix.service }}
        id: nixer
        uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          scan-targets: ./${{ matrix.service }}
          sarif-output: nixer-${{ matrix.service }}.sarif
          severity-threshold: high

      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: nixer-sarif-${{ matrix.service }}
          path: nixer-${{ matrix.service }}.sarif

Enable add-badge: 'true' to open a PR adding the Nixer badge to your README. Skipped if badge already present.

.github/workflows/security.yml
name: Nixer Security Scan

on:
  push:
    branches: [main]
  pull_request:

permissions:
  security-events: write
  contents: write          # required for add-badge PR
  pull-requests: write

jobs:
  nixer:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Nixer scan + badge PR
        uses: Polsia-Inc/nixer-action@v1
        with:
          api-key: ${{ secrets.NIXER_API_KEY }}
          add-badge: 'true'

The badge links to your leaderboard entry and updates automatically on each scan. Requires contents: write permission to open the badge PR.

Inputs reference

InputDefaultDescription
api-key Nixer API key. Store as secrets.NIXER_API_KEY. Omit for anonymous mode.
scan-targets ./ Paths or globs to scan (e.g. ./ or ./src/**). Overrides target.
severity-threshold high Fail the build on findings at or above this severity: critical | high | medium | low | none.
comment-pr true Post a sticky PR comment with grade, score, and top findings. Only fires on pull_request events.
upload-sarif true Upload SARIF to GitHub Security tab. Requires security-events: write.
add-badge false Open a PR to add the Nixer score badge to your README when absent. Requires contents: write.
fail-on-findings true Set false for report-only mode — findings reported but build never fails.
sarif-output nixer.sarif Path to write the SARIF artifact.
format sarif Output format: sarif (default), json, or text.

Outputs reference

OutputDescription
grade Letter grade: A | B | C | D | F
score Risk score 0–100. Lower is better. Weighted by severity.
findings-count Total findings across all severity levels.
critical-count Number of critical findings.
high-count Number of high findings.
report-url URL to the full Nixer report on nixer.polsia.app.
sarif-file Path to the SARIF artifact (empty when format != sarif).
Using outputs in downstream steps
- name: Fail if grade is F
  if: steps.nixer.outputs.grade == 'F'
  run: |
    echo "Security grade F — blocking merge"
    exit 1

- name: Post Slack alert on critical findings
  if: steps.nixer.outputs.critical-count > 0
  run: |
    curl -s -X POST "$SLACK_WEBHOOK" \
      -d '{"text":"🔴 Critical findings in ${{ github.repository }}: ${{ steps.nixer.outputs.critical-count }} critical. Grade: ${{ steps.nixer.outputs.grade }}"}'

Also: scan in your IDE (MCP server)

The GitHub Action is the pre-merge gate. The Nixer MCP server is the in-editor companion — scan repos, explain findings, and get remediation inline as you write code. Zero context-switching.

MCP Server →
Cursor, Claude Code, Windsurf, Claude Desktop. Scan from your AI assistant.
Try in browser →
Free public scan playground. No signup. Any public GitHub repo.
Detection rules →
17 rules across 7 modules. See exactly what gets flagged.

Install from GitHub Marketplace

Available in the GitHub Marketplace under Code quality and Security. Pin a version or use @v1 for the latest compatible release.