GitHub Actions Code Scan

The Code Scan action performs Software Composition Analysis (SCA) on your source code to identify vulnerable dependencies. It supports SBOM generation, secrets detection, and can publish results to the GitHub Security tab.

Action Path: qualys/qualys-github/code-scan@v1

Inputs

Authentication

| Input | Required | Default | Description |
|---|---|---|---|
| qualys_access_token | Yes | - | Qualys API access token for authentication |
| qualys_pod | Yes | - | Qualys platform POD (US1, US2, US3, US4, EU1, EU2, IN1, CA1, AU1, AE1, JP1, KSA1) |

Scan Target

| Input | Required | Default | Description |
|---|---|---|---|
| scan_path | No | . | Path to the directory to scan (relative to workspace) |
| exclude_dirs | No | - | Comma-separated list of directories to exclude from scanning |
| include_dev | No | false | Include development dependencies in the scan |

SBOM Options

| Input | Required | Default | Description |
|---|---|---|---|
| generate_sbom | No | false | Generate a Software Bill of Materials |
| sbom_format | No | spdx | SBOM format: spdx or cyclonedx |
| sbom_output | No | sbom.json | Output filename for the SBOM |

Scan Options

| Input | Required | Default | Description |
|---|---|---|---|
| scan_secrets | No | false | Enable secrets detection in source code |
| offline_mode | No | false | Scan without uploading results to the Qualys platform |

Thresholds and Policy

| Input | Required | Default | Description |
|---|---|---|---|
| max_critical | No | -1 | Maximum allowed critical vulnerabilities (-1 = unlimited) |
| max_high | No | -1 | Maximum allowed high vulnerabilities (-1 = unlimited) |
| max_medium | No | -1 | Maximum allowed medium vulnerabilities (-1 = unlimited) |
| max_low | No | -1 | Maximum allowed low vulnerabilities (-1 = unlimited) |
| use_policy | No | false | Use Qualys cloud policy evaluation instead of thresholds |
| fail_on_audit | No | false | Fail the action if the policy result is AUDIT |

GitHub Integration

| Input | Required | Default | Description |
|---|---|---|---|
| upload_sarif | No | false | Upload SARIF report to the GitHub Security tab |
| create_issues | No | false | Create GitHub Issues for vulnerabilities |
| issue_severities | No | 4,5 | Severity levels to create issues for (1-5, comma-separated) |
| issue_labels | No | security,dependency | Labels to apply to created issues |

Supported Package Managers

| Language | Package Manager | Manifest Files |
|---|---|---|
| JavaScript/Node.js | npm, yarn, pnpm | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | pip, poetry, pipenv | requirements.txt, Pipfile.lock, poetry.lock, setup.py |
| Java | Maven, Gradle | pom.xml, build.gradle, build.gradle.kts |
| Go | Go Modules | go.mod, go.sum |
| .NET | NuGet | *.csproj, packages.config, packages.lock.json |
| Ruby | Bundler | Gemfile, Gemfile.lock |
| PHP | Composer | composer.json, composer.lock |
| Rust | Cargo | Cargo.toml, Cargo.lock |

Complete Example

name: Code Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      issues: write
    steps:
      - uses: actions/checkout@v4

      - name: Scan code
        id: scan
        uses: qualys/qualys-github/code-scan@v1
        with:
          qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
          qualys_pod: US3
          scan_path: '.'
          exclude_dirs: 'node_modules,vendor,test'
          scan_secrets: true
          generate_sbom: true
          sbom_format: spdx
          max_critical: 0
          max_high: 10
          upload_sarif: true
          create_issues: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: ${{ steps.scan.outputs.sbom_path }}

Monorepo Scanning

Scan specific subdirectories in a monorepo:

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        project: [frontend, backend, shared]
    steps:
      - uses: actions/checkout@v4

      - name: Scan ${{ matrix.project }}
        uses: qualys/qualys-github/code-scan@v1
        with:
          qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
          qualys_pod: US3
          scan_path: packages/${{ matrix.project }}
          generate_sbom: true
          sbom_output: sbom-${{ matrix.project }}.json

SBOM Generation Only

Generate an SBOM without vulnerability scanning:

- name: Generate SBOM
  uses: qualys/qualys-github/code-scan@v1
  with:
    qualys_access_token: ${{ secrets.QUALYS_ACCESS_TOKEN }}
    qualys_pod: US3
    generate_sbom: true
    sbom_format: cyclonedx
    offline_mode: true

Outputs

| Output | Description |
|---|---|
| vulnerability_count | Total number of vulnerabilities found |
| critical_count | Number of critical severity vulnerabilities |
| high_count | Number of high severity vulnerabilities |
| medium_count | Number of medium severity vulnerabilities |
| low_count | Number of low severity vulnerabilities |
| secrets_count | Number of secrets detected |
| packages_count | Total number of packages/dependencies found |
| policy_result | Policy evaluation result (ALLOW, DENY, AUDIT, or NONE) |
| scan_passed | true/false based on thresholds or policy |
| sarif_path | Path to SARIF report file |
| json_path | Path to JSON report file |
| sbom_path | Path to generated SBOM file |
| issues_created | Number of GitHub Issues created |
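The following is an added example, not code from the action itself: it reproduces the gate semantics documented under Thresholds and Policy and the Outputs table (the max_* limits with -1 = unlimited, use_policy replacing the thresholds, fail_on_audit), so a follow-up `run:` step can audit or re-apply the decision from the action's string outputs. It assumes those outputs are passed in as env vars such as CRITICAL_COUNT and MAX_CRITICAL, and that a policy result of NONE (no policy evaluated) does not fail the gate; both are assumptions, not documented behaviour.

```python
import os

SEVERITIES = ("critical", "high", "medium", "low")


def _flag(value) -> bool:
    # Action inputs and outputs are strings: "true" / "false".
    return str(value).strip().lower() == "true"


def evaluate_gate(counts, thresholds, use_policy=False,
                  policy_result="NONE", fail_on_audit=False):
    """Return (passed, reasons).

    counts:     {"critical": "3", ...} taken from the *_count outputs
    thresholds: {"critical": "0", ...} taken from the max_* inputs
    """
    reasons = []
    if use_policy:
        # Cloud policy evaluation replaces the numeric thresholds entirely.
        result = str(policy_result).strip().upper()
        if result == "DENY":
            reasons.append("policy result DENY")
        elif result == "AUDIT" and fail_on_audit:
            reasons.append("policy result AUDIT with fail_on_audit=true")
        # Assumption: ALLOW and NONE (no policy evaluated) pass the gate.
        return (not reasons, reasons)
    for sev in SEVERITIES:
        limit = int(thresholds.get(sev, -1))   # -1 means unlimited
        found = int(counts.get(sev, 0))
        if limit >= 0 and found > limit:
            reasons.append(f"{found} {sev} > max_{sev}={limit}")
    return (not reasons, reasons)


def evaluate_from_env(environ=os.environ):
    """Read CRITICAL_COUNT / MAX_CRITICAL style env vars (assumed names)."""
    counts = {s: environ.get(f"{s.upper()}_COUNT", "0") for s in SEVERITIES}
    limits = {s: environ.get(f"MAX_{s.upper()}", "-1") for s in SEVERITIES}
    return evaluate_gate(
        counts, limits,
        use_policy=_flag(environ.get("USE_POLICY", "false")),
        policy_result=environ.get("POLICY_RESULT", "NONE"),
        fail_on_audit=_flag(environ.get("FAIL_ON_AUDIT", "false")),
    )


if __name__ == "__main__":
    passed, why = evaluate_from_env()
    print("scan_passed=" + str(passed).lower(), *why, sep="\n")
    raise SystemExit(0 if passed else 1)
```

Wire it up by mapping each `${{ steps.scan.outputs.* }}` value and the same max_* inputs into the step's `env:` block; the non-zero exit fails the job with the offending severity listed in the log.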

Next Steps