Automate Security Scans with the VibeSafe GitHub Action

February 23, 2026 · 3 min read · VibeSafe Team
Tags: github-action, ci-cd, automation, devops

Zero-Friction Security Scanning in CI/CD

Every deploy should be scanned for security vulnerabilities. But manually running scans is easy to forget. The VibeSafe GitHub Action runs automatically on every push or PR — scan on deploy, results by the time you review.

Quick Setup

Add this workflow to your repo at .github/workflows/vibesafe.yml:

name: VibeSafe Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Wait for deployment
        if: github.event_name == 'push'
        run: sleep 30

      - name: Run VibeSafe Scan
        uses: arthi-arumugam99/vibesafe/.github/actions/vibesafe-scan@master
        with:
          url: "https://yourapp.com"
          fail-on-grade: "D"
          comment-on-pr: "true"

That's it. Three things happen:

  1. After every push to main, VibeSafe scans your deployed URL
  2. On PRs, the scan results appear as a comment with the grade and findings
  3. If the grade is D or worse, the check fails and blocks the merge

Configuration Options

url (required)

Your deployed app URL. Use a GitHub variable for flexibility:

url: ${{ vars.DEPLOY_URL }}

fail-on-grade (optional)

Set a quality gate. The action fails if the scan grade is at or below this threshold, i.e. the threshold grade itself or any worse grade:

  • "F" — only fail on F grades
  • "D" — fail on D or F (recommended)
  • "C" — strict — fail on C, D, or F
  • "" — never fail (just report)

comment-on-pr (optional, default: "true")

Post scan results as a PR comment. Shows the grade, severity breakdown, and a link to the full report.

Outputs

Use the action outputs in subsequent workflow steps:

- name: Run VibeSafe Scan
  id: scan
  uses: arthi-arumugam99/vibesafe/.github/actions/vibesafe-scan@master
  with:
    url: "https://yourapp.com"

- name: Check results
  run: |
    echo "Grade: ${{ steps.scan.outputs.grade }}"
    echo "Critical: ${{ steps.scan.outputs.critical }}"
    echo "Report: ${{ steps.scan.outputs.scan-url }}"

Available outputs:

  • grade — A, B, C, D, or F
  • total-findings — total number of issues
  • critical — number of critical issues
  • high — number of high issues
  • scan-url — link to the full report
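The fail-on-grade rules above and the outputs just listed can be combined into a stricter gate in a follow-up step. The script below is an added example, not VibeSafe's own code: it reproduces the documented fail-on-grade semantics and additionally fails when the critical count exceeds a limit, so a grade-B scan with one critical finding still blocks. It assumes the two inputs are the action outputs grade and critical; unknown grades or non-numeric counts fail closed.

```shell
# Added example, not VibeSafe's own code: a policy gate for a "Check results"
# step. It re-implements the fail-on-grade semantics described above ("" never
# fails, "F" only on F, "D" on D or F, "C" on C, D or F) and adds a hard limit
# on critical findings, so a grade-B scan with one critical still blocks.
# Inputs are assumed to be ${{ steps.scan.outputs.grade }} and
# ${{ steps.scan.outputs.critical }}; unknown values fail closed.

# Grade letter -> rank, higher is worse; 0 means "not a VibeSafe grade".
grade_rank() {
  case "$1" in
    A) echo 1 ;; B) echo 2 ;; C) echo 3 ;; D) echo 4 ;; F) echo 5 ;;
    *) echo 0 ;;
  esac
}

# vibesafe_gate GRADE CRITICAL FAIL_ON_GRADE [MAX_CRITICAL]; returns 0 pass, 1 fail.
vibesafe_gate() {
  grade=$1; critical=$2; fail_on=$3; max_critical=${4:-0}
  status=0
  rank=$(grade_rank "$grade")
  gate=$(grade_rank "$fail_on")

  if [ "$rank" -eq 0 ]; then
    echo "FAIL: unknown grade '$grade'" >&2; status=1
  elif [ -n "$fail_on" ] && [ "$gate" -eq 0 ]; then
    echo "FAIL: invalid fail-on-grade '$fail_on'" >&2; status=1
  elif [ -n "$fail_on" ] && [ "$rank" -ge "$gate" ]; then
    echo "FAIL: grade $grade is at or below the $fail_on gate" >&2; status=1
  fi

  case "$critical" in
    ''|*[!0-9]*)
      echo "FAIL: critical count '$critical' is not a number" >&2; status=1 ;;
    *)
      if [ "$critical" -gt "$max_critical" ]; then
        echo "FAIL: $critical critical finding(s), limit $max_critical" >&2
        status=1
      fi ;;
  esac
  return "$status"
}

# Run as a script from a workflow "run:" step (pin the action to a commit SHA
# rather than @master when you do this in production):
#   sh vibesafe-gate.sh "${{ steps.scan.outputs.grade }}" \
#      "${{ steps.scan.outputs.critical }}" "D" 0
if [ $# -gt 0 ]; then vibesafe_gate "$@"; fi
```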

How It Works

  1. The action calls the VibeSafe scan API with your URL
  2. VibeSafe runs 55+ security checks in under 60 seconds
  3. Results are parsed and posted to your PR / step summary
  4. If the grade is at or below your fail-on-grade threshold, the workflow fails

The scan runs async — it doesn't block your deploy pipeline. By the time you open the PR to review, the results are already there.

What It Checks

The same 55+ checks that run on vibesafe.tech:

  • Exposed API keys and secrets in client bundles
  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • CORS misconfigurations
  • Database exposure (Supabase, Firebase)
  • Payment security (Stripe key exposure)
  • Authentication gaps
  • Infrastructure misconfigurations

Best Practices

  • Set fail-on-grade: "D" as a minimum quality gate
  • Use vars.DEPLOY_URL so the URL isn't hardcoded in the workflow
  • Add a 30-second delay after push to let Vercel/Netlify finish deploying
  • Run on PRs too — catch regressions before they merge

Free to Use

The VibeSafe GitHub Action uses the free scan API. No sign-up or API key required. For unlimited scans and AI-powered fix PRs, upgrade to VibeSafe Pro.