GitHub

Coana can be integrated into your GitHub repository as a GitHub Actions workflow.

Generate an API key

Go to Settings → API Keys to generate an API key.

Add the generated API key as a repository secret

Add the generated API key to your repository by creating a repository action secret named COANA_API_KEY at https://github.com/org/repoName/settings/secrets/actions, replacing 'org' and 'repoName' with your organization's name and your repository's name.

You can also add an organization-wide secret in your organization settings. The organization-wide secret will be available to all repositories in the organization, making it a better option if you need to run Coana across many repositories.

Create the workflow file

Create the .github/workflows directory at the root of the repository if it doesn't already exist and copy the template below into a new file named coana-analysis.yml inside .github/workflows.

coana-analysis.yml
name: Coana Vulnerability Analysis
 
on:
  schedule:
    - cron: '0 3 * * *' # every day at 3 AM
  workflow_dispatch:
    inputs:
      tags:
        description: 'Manually run vulnerability analysis'
      # Required by the return-dispatch action
      distinct_id:
 
jobs:
  coana-vulnerability-analysis:
    runs-on: ubuntu-latest
 
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
 
      - name: Run Coana CLI
        id: coana-cli
        uses: docker://coana/coana:latest
        with: 
          args: |
            coana run . \
              --api-key ${{ secrets.COANA_API_KEY }} \
              --repo-url https://github.com/${{github.repository}}

💡 A new project is automatically created in Coana when you submit your first report if no project matching its repository URL or project name already exists, so you don't need to create the project in Coana manually first.

💡 You can change the reachability analyzers' memory limit with the --memory-limit <memoryMB> flag (defaults to 8GB). For example, to increase the memory limit to 16GB, use --memory-limit 16384.

The workflow_dispatch event allows you to manually trigger the workflow from the Actions tab in your repository. You can omit this event if you don't need to manually trigger the workflow.

You don't need to install project dependencies, such as by running npm install, before using Coana, as Coana will handle the installation of the dependencies for you. However, if you have specific requirements for the installation command, we recommend adding a step to install the dependencies manually. You can refer to the following snippet as an example:

      - name: Use Node.js 20.x
        uses: actions/setup-node@v3
        with:
          node-version: 20.x
 
      - name: Install dependencies
        run: npm install
        # run: pnpm install
        # run: yarn install

It's not necessary to compile or bundle your code prior to running Coana.

We recommend configuring Coana to run daily as in the template. This ensures you receive consistent updates regarding vulnerabilities in your dependencies.

If preferred, you can also configure Coana to execute every time there's a push to the main branch:

on:
  push:
    branches:
      - main
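The fragments above assembled into one complete workflow, as an added example that is not Coana's own template: it runs on the daily schedule and on every push to main, includes the optional manual dependency-install step, raises the memory limit to 16GB, and restricts the workflow's GITHUB_TOKEN to read-only repository access with a permissions block (an addition of this example; the template above sets none). actions/setup-node@v4 and npm ci are this example's choices rather than the page's.

```yaml
name: Coana Vulnerability Analysis

on:
  schedule:
    - cron: '0 3 * * *'   # every day at 3 AM (UTC on GitHub-hosted runners)
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      tags:
        description: 'Manually run vulnerability analysis'
      # Required by the return-dispatch action
      distinct_id:

# Least privilege (assumption of this example): the job only reads the
# repository; results are sent to Coana with COANA_API_KEY, not GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  coana-vulnerability-analysis:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Optional: install dependencies yourself when you need a specific
      # install command; otherwise Coana installs them for you.
      - name: Use Node.js 20.x
        uses: actions/setup-node@v4
        with:
          node-version: 20.x

      - name: Install dependencies
        run: npm ci   # reproducible install from package-lock.json

      - name: Run Coana CLI
        id: coana-cli
        uses: docker://coana/coana:latest
        with:
          args: |
            coana run . \
              --api-key ${{ secrets.COANA_API_KEY }} \
              --repo-url https://github.com/${{ github.repository }} \
              --memory-limit 16384
```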