Polsia-Inc/nixer-action@v1 plugs Nixer into GitHub Actions.
Grade + findings in every PR comment. SARIF in the Security tab. Build fails on critical findings. Zero config required.
Paste this into .github/workflows/security.yml. Done.
name: Nixer Security Scan
on: [push, pull_request]
permissions:
security-events: write # required for SARIF upload
contents: read
pull-requests: write # required for PR comments
jobs:
nixer:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Nixer AI security scan
id: nixer
uses: Polsia-Inc/nixer-action@v1
with:
api-key: ${{ secrets.NIXER_API_KEY }}
severity-threshold: high
security-events: write enables SARIF upload to the Security tab. pull-requests: write enables the sticky PR comment. Both default to true in the action — add them to your workflow's permissions: block or uploads/comments will silently fail.
A single sticky comment — updated in-place on re-runs — with grade, score, and the top findings pinned to file:line.
The same findings also appear inline in your PR diff and in Security → Code scanning via SARIF — with exact file:line locations and remediation steps in the detail pane.
Standard Node.js project — scans entire repo, posts PR comment, uploads SARIF, fails on high+.
name: Nixer Security Scan
on: [push, pull_request]
permissions:
security-events: write
contents: read
pull-requests: write
jobs:
nixer:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Nixer AI security scan
id: nixer
uses: Polsia-Inc/nixer-action@v1
with:
api-key: ${{ secrets.NIXER_API_KEY }}
scan-targets: ./
severity-threshold: high
- name: Print grade
run: |
echo "Grade: ${{ steps.nixer.outputs.grade }}"
echo "Score: ${{ steps.nixer.outputs.score }}/100"
Python ML project — scan agent configs and workflow files; report-only on push, block on PR.
name: Nixer Security Scan
on:
push:
branches: [main]
pull_request:
permissions:
security-events: write
contents: read
pull-requests: write
jobs:
nixer:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Nixer scan (report-only on push)
if: github.event_name == 'push'
uses: Polsia-Inc/nixer-action@v1
with:
api-key: ${{ secrets.NIXER_API_KEY }}
fail-on-findings: 'false'
- name: Nixer scan (blocking on PR)
if: github.event_name == 'pull_request'
uses: Polsia-Inc/nixer-action@v1
with:
api-key: ${{ secrets.NIXER_API_KEY }}
severity-threshold: critical
Monorepo — scan each agent service independently, export both SARIF and JSON artifacts.
name: Nixer Security Scan
on: [pull_request]
permissions:
security-events: write
contents: read
pull-requests: write
jobs:
nixer:
runs-on: ubuntu-latest
strategy:
matrix:
service: [agents/customer-support, agents/code-review, agents/data-pipeline]
steps:
- uses: actions/checkout@v4
- name: Scan ${{ matrix.service }}
id: nixer
uses: Polsia-Inc/nixer-action@v1
with:
api-key: ${{ secrets.NIXER_API_KEY }}
scan-targets: ./${{ matrix.service }}
sarif-output: nixer-${{ matrix.service }}.sarif
severity-threshold: high
- uses: actions/upload-artifact@v4
if: always()
with:
name: nixer-sarif-${{ matrix.service }}
path: nixer-${{ matrix.service }}.sarif
Enable add-badge: 'true' to open a PR adding the Nixer badge to your README. Skipped if badge already present.
name: Nixer Security Scan
on:
push:
branches: [main]
pull_request:
permissions:
security-events: write
contents: write # required for add-badge PR
pull-requests: write
jobs:
nixer:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Nixer scan + badge PR
uses: Polsia-Inc/nixer-action@v1
with:
api-key: ${{ secrets.NIXER_API_KEY }}
add-badge: 'true'
The badge links to your leaderboard entry and updates automatically on each scan. Requires contents: write permission to open the badge PR.
| Input | Default | Description |
|---|---|---|
| api-key | — | Nixer API key. Store as secrets.NIXER_API_KEY. Omit for anonymous mode. |
| scan-targets | ./ | Paths or globs to scan (e.g. ./ or ./src/**). Overrides target. |
| severity-threshold | high | Fail the build on findings at or above this severity: critical | high | medium | low | none. |
| comment-pr | true | Post a sticky PR comment with grade, score, and top findings. Only fires on pull_request events. |
| upload-sarif | true | Upload SARIF to GitHub Security tab. Requires security-events: write. |
| add-badge | false | Open a PR to add the Nixer score badge to your README when absent. Requires contents: write. |
| fail-on-findings | true | Set false for report-only mode — findings reported but build never fails. |
| sarif-output | nixer.sarif | Path to write the SARIF artifact. |
| format | sarif | Output format: sarif (default), json, or text. |
| Output | Description |
|---|---|
| grade | Letter grade: A | B | C | D | F |
| score | Risk score 0–100. Lower is better. Weighted by severity. |
| findings-count | Total findings across all severity levels. |
| critical-count | Number of critical findings. |
| high-count | Number of high findings. |
| report-url | URL to the full Nixer report on nixer.polsia.app. |
| sarif-file | Path to the SARIF artifact (empty when format != sarif). |
- name: Fail if grade is F
if: steps.nixer.outputs.grade == 'F'
run: |
echo "Security grade F — blocking merge"
exit 1
- name: Post Slack alert on critical findings
if: steps.nixer.outputs.critical-count > 0
run: |
curl -s -X POST "$SLACK_WEBHOOK" \
-d '{"text":"🔴 Critical findings in ${{ github.repository }}: ${{ steps.nixer.outputs.critical-count }} critical. Grade: ${{ steps.nixer.outputs.grade }}"}'
The GitHub Action is the pre-merge gate. The Nixer MCP server is the in-editor companion — scan repos, explain findings, and get remediation inline as you write code. Zero context-switching.
Available in the GitHub Marketplace under Code quality and Security. Pin a version or use @v1 for the latest compatible release.
.github/workflows/ci.yml:14src/agent.js:34src/tools/browser.js:8