Getting started


Generate an API key

Go to Settings → API Keys (opens in a new tab) to generate an API key.

Add the generated API key as a repository secret

Add the generated API key to your repository by creating a repository action secret with the name COANA_API_TOKEN at the following URL: (opens in a new tab). Make sure to replace 'org' and 'repoName' with your organization's name and your repository's name.

You can also add an organization-wide secret in your organization settings. The organization-wide secret will be available to all repositories in the organization, making it a better option if you need to run Coana across many repositories.

Create the workflow file

Create the folders .github/workflows at the root of the repository if they don't already exist and copy the template provided below into a new file named coana-analysis.yml inside .github/workflows. Ensure you adjust the highlighted section of the template to select the appropriate package manager for your project:

name: Coana Vulnerability Analysis
    - cron: '0 3 * * *' # every day at 3 AM
    runs-on: ubuntu-latest
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Use Node.js 20.x
        uses: actions/setup-node@v3
          node-version: 20.x
      - name: Install dependencies
        run: npm install
        # run: pnpm install
        # run: yarn install
      - name: Run Coana CLI
        id: coana-cli
        uses: coana-tech/coana-action/vulnerability-analysis@stable
          apiKey: ${{ secrets.COANA_API_TOKEN }}
A new project is automatically created in Coana when you submit your first report if a project matching its repository url or project name dosen't already exist. There is no reason to manually create the project in Coana first.

It's important to run Coana after installing dependencies, but it's not necessary to compile or bundle your code first.

We recommend setting Coana to run daily at 3 AM, as indicated in the template. This ensures you receive consistent updates regarding vulnerabilities in your dependencies.

If preferred, you can also configure Coana to execute every time there's a push to the main branch:

      - main