Coana can be integrated into your GitHub repository using Coana's GitHub Action.

Generate an API key

Go to Settings → API Keys (opens in a new tab) to generate an API key.

Add the generated API key as a repository secret

Add the generated API key to your repository by creating a repository action secret with the name COANA_API_TOKEN at the following URL: (opens in a new tab). Make sure to replace 'org' and 'repoName' with your organization's name and your repository's name.

You can also add an organization-wide secret in your organization settings. The organization-wide secret will be available to all repositories in the organization, making it a better option if you need to run Coana across many repositories.

Create the workflow file

Create the folders .github/workflows at the root of the repository if they don't already exist and copy the template provided below into a new file named coana-analysis.yml inside .github/workflows.

name: Coana Vulnerability Analysis
    - cron: '0 3 * * *' # every day at 3 AM
    runs-on: ubuntu-latest
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Use Node.js 20.x
        uses: actions/setup-node@v3
          node-version: 20.x
      - name: Run Coana CLI
        id: coana-cli
        uses: coana-tech/coana-action/vulnerability-analysis@stable
          apiKey: ${{ secrets.COANA_API_TOKEN }}
A new project is automatically created in Coana when you submit your first report if a project matching its repository url or project name dosen't already exist. There is no reason to manually create the project in Coana first.

You don't need to install project dependencies, such as running npm install, before using Coana, as Coana will handle the installation of the dependencies for you. However, if you have specific requirements for the installation command, we recommend adding a step to install the dependencies manually. You can refer to the following snippet as an example:

      - name: Install dependencies
        run: npm install
        # run: pnpm install
        # run: yarn install

It's not necessary to compile or bundle your code prior to running Coana.

We recommend configuring Coana to run daily as indicated in the template. This ensures you receive consistent updates regarding vulnerabilities in your dependencies.

If preferred, you can also configure Coana to execute every time there's a push to the main branch:

      - main