GitHub
Coana can be integrated into your GitHub repository using GitHub workflow actions.
Generate an API key
Go to Settings → API Keys to generate an API key.
Add the generated API key as a repository secret
Add the generated API key to your repository by creating a repository action secret with the name COANA_API_KEY at the following URL: https://github.com/org/repoName/settings/secrets/actions
Make sure to replace 'org' and 'repoName' with your organization's name and your repository's name.
You can also add an organization-wide secret in your organization settings. The organization-wide secret will be available to all repositories in the organization, making it a better option if you need to run Coana across many repositories.
Create the workflow file
Create the folders .github/workflows at the root of the repository if they don't already exist, and copy the template provided below into a new file named coana-analysis.yml inside .github/workflows.
name: Coana Vulnerability Analysis
on:
  schedule:
    - cron: '0 3 * * *' # every day at 3 AM (GitHub schedules run in UTC)
jobs:
  coana-vulnerability-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run Coana CLI
        id: coana-cli
        uses: docker://coana/coana:latest
        with:
          args: |
            coana run . \
              --api-key ${{ secrets.COANA_API_KEY }} \
              --repo-url https://github.com/${{ github.repository }} \
              --memory-limit 8192
You don't need to install project dependencies, such as by running npm install, before using Coana, as Coana will handle the installation of the dependencies for you.
However, if you have specific requirements for the installation command, we recommend adding a step to install the dependencies manually.
You can refer to the following snippet as an example:
      - name: Use Node.js 20.x
        uses: actions/setup-node@v3
        with:
          node-version: 20.x
      - name: Install dependencies
        run: npm install
        # run: pnpm install
        # run: yarn install
It's not necessary to compile or bundle your code prior to running Coana.
We recommend configuring Coana to run daily as in the template. This ensures you receive consistent updates regarding vulnerabilities in your dependencies.
If preferred, you can also configure Coana to execute every time there's a push to the main branch:
on:
  push:
    branches:
      - main