Coana can be integrated into your GitHub repository using GitHub workflow actions.

Generate an API key

Go to Settings → API Keys in Coana to generate an API key.

Add the generated API key as a repository secret

Add the generated API key to your repository by creating a repository action secret named COANA_API_KEY under your repository's Settings → Secrets and variables → Actions (for a repository at github.com/org/repoName, this page is github.com/org/repoName/settings/secrets/actions). Make sure to replace 'org' and 'repoName' with your organization's name and your repository's name.

You can also add an organization-wide secret in your organization settings. The organization-wide secret will be available to all repositories in the organization, making it a better option if you need to run Coana across many repositories.

Create the workflow file

Create the folders .github/workflows at the root of the repository if they don't already exist and copy the template provided below into a new file named coana-analysis.yml inside .github/workflows.

name: Coana Vulnerability Analysis

on:
  schedule:
    - cron: '0 3 * * *' # every day at 3 AM

jobs:
  coana-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Coana CLI
        id: coana-cli
        uses: docker://coana/coana:latest
        with:
          args: |
            coana run . \
              --api-key ${{ secrets.COANA_API_KEY }} \
              --repo-url ${{ github.repository }} \
              --memory-limit 8192
A new project is automatically created in Coana when you submit your first report if a project matching its repository URL or project name doesn't already exist. There is no need to create the project in Coana manually first.

You don't need to install project dependencies, such as by running npm install, before using Coana, as Coana will handle the installation of the dependencies for you. However, if you have specific requirements for the installation command, we recommend adding a step to install the dependencies manually. You can refer to the following snippet as an example:

      - name: Use Node.js 20.x
        uses: actions/setup-node@v3
        with:
          node-version: 20.x

      - name: Install dependencies
        run: npm install
        # run: pnpm install
        # run: yarn install

It's not necessary to compile or bundle your code prior to running Coana.

We recommend configuring Coana to run daily as in the template. This ensures you receive consistent updates regarding vulnerabilities in your dependencies.

If preferred, you can also configure Coana to execute every time there's a push to the main branch:

on:
  push:
    branches:
      - main
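The following is an assembled example, added here and not taken from the Coana documentation, showing how the pieces above fit into one workflow file: both triggers, the optional dependency install step, and the Coana step. The job id, the `permissions` block (the workflow only needs to read repository contents) and the step that fails early when the secret is missing are this example's own additions.

```yaml
name: Coana Vulnerability Analysis

on:
  schedule:
    - cron: '0 3 * * *' # every day at 3 AM
  push:
    branches:
      - main

# Added in this example: restrict the GITHUB_TOKEN to read-only access.
permissions:
  contents: read

jobs:
  coana-analysis: # job id chosen for this example, not prescribed by Coana
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Added in this example: fail with a clear message if the secret is not
      # configured, rather than letting the CLI fail later on authentication.
      - name: Check that COANA_API_KEY is configured
        run: |
          if [ -z "${COANA_API_KEY}" ]; then
            echo "COANA_API_KEY secret is not set for this repository or organization" >&2
            exit 1
          fi
        env:
          COANA_API_KEY: ${{ secrets.COANA_API_KEY }}

      # Optional: only needed if you have specific install requirements.
      - name: Use Node.js 20.x
        uses: actions/setup-node@v3
        with:
          node-version: 20.x
      - name: Install dependencies
        run: npm install

      - name: Run Coana CLI
        id: coana-cli
        uses: docker://coana/coana:latest
        with:
          args: |
            coana run . \
              --api-key ${{ secrets.COANA_API_KEY }} \
              --repo-url ${{ github.repository }} \
              --memory-limit 8192
```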