seqra/seqra-action
Seqra GitHub Action

Run Seqra static analysis in your CI, generate a SARIF report, and optionally upload it to GitHub Code Scanning.

Usage

Note: The action expects Linux x86_64 runners.

Quick Start

Scan

name: Seqra Analysis
on:
    workflow_dispatch

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v4

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2

Scan and upload to GitHub code scanning alerts

name: Seqra Analysis
on:
    workflow_dispatch

# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v4

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
          upload-sarif: 'true'
          artifact-name: 'sarif'

All Inputs

name: Seqra Analysis
on:
    workflow_dispatch

# Required for Code Scanning upload
permissions:
  contents: read
  security-events: write

jobs:
  seqra:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout your repository
        uses: actions/checkout@v4

      - name: Run Seqra code analysis
        uses: seqra/seqra-action@v2
        with:
            # Relative path under $GITHUB_WORKSPACE to the root of the analyzed project
            project-root: '.'

            # Whether seqra-action should upload the SARIF report to GitHub Code Scanning
            upload-sarif: 'false'

            # Tag of seqra release
            seqra-version: 'v2.1.0'

            # Paths to custom rules directories (comma-separated)
            # By default it is empty, so seqra will use builtin rules
            rules-path: 'security/myrules'

            # Name of uploaded artifact
            artifact-name: 'sarif'

            # Log level
            verbosity: 'info'

            # Scan timeout
            timeout: '15m'

            # Severity levels to report (comma-separated)
            # Valid values: note, warning, error
            severity: 'warning,error'

Artifacts

After the job completes, you’ll find:

  • A SARIF artifact named sarif (configurable via artifact-name) attached to the workflow run.
  • If upload-sarif: 'true', the SARIF is also sent to Security → Code scanning alerts in your repository.
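The SARIF artifact is a plain JSON document, so it can be inspected or gated on outside of GitHub's Code Scanning UI. The following script is an added example, not part of seqra-action or Seqra itself: it reads a SARIF 2.1.0 report, resolves each result's effective level the way the SARIF specification prescribes (the result's own level, else the rule's defaultConfiguration level, else warning), filters by the same comma-separated severity list the action's severity input accepts (note, warning, error), and returns whether any finding meets a blocking threshold. The embedded report and its rule ids are constructed sample data, not real Seqra output.

```python
"""Summarise and gate on a SARIF 2.1.0 report (added example; not seqra-action code)."""
import json
from collections import Counter

# Same set of values the action's `severity` input documents.
SEVERITY_LEVELS = ("note", "warning", "error")

# Constructed sample report (not real Seqra output). The second result has no
# explicit level and must inherit "error" from its rule's defaultConfiguration;
# the third inherits "note" the same way.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-analyzer",
            "rules": [
                {"id": "EXAMPLE-A", "defaultConfiguration": {"level": "error"}},
                {"id": "EXAMPLE-B", "defaultConfiguration": {"level": "note"}},
            ],
        }},
        "results": [
            {"ruleId": "EXAMPLE-A", "level": "warning", "message": {"text": "first"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/web.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "EXAMPLE-A", "message": {"text": "second"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EXAMPLE-B", "message": {"text": "third"}},
        ],
    }],
})


def _rule_defaults(run):
    """Map ruleId -> default level declared under tool.driver.rules."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r.get("id"): r.get("defaultConfiguration", {}).get("level") for r in rules}


def effective_level(result, rule_defaults):
    """Resolve a result's level per SARIF 2.1.0 precedence rules."""
    if result.get("kind", "fail") != "fail":      # pass/open/informational results carry no level
        return "none"
    level = result.get("level") or rule_defaults.get(result.get("ruleId"))
    return level or "warning"                      # spec default when nothing is declared


def _first_location(result):
    """Render the first physical location as uri:line for display."""
    locs = result.get("locations") or []
    if not locs:
        return "<no location>"
    phys = locs[0].get("physicalLocation", {})
    uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
    line = phys.get("region", {}).get("startLine")
    return f"{uri}:{line}" if line is not None else uri


def iter_findings(sarif_text):
    """Yield one flat dict per result across all runs in the report."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        defaults = _rule_defaults(run)
        for result in run.get("results", []):
            yield {
                "rule": result.get("ruleId"),
                "level": effective_level(result, defaults),
                "message": result.get("message", {}).get("text", ""),
                "location": _first_location(result),
            }


def count_by_level(sarif_text):
    """Counter of findings keyed by effective level."""
    return Counter(f["level"] for f in iter_findings(sarif_text))


def parse_severity(severity):
    """Parse a comma-separated list like 'warning,error'; reject unknown levels."""
    wanted = {s.strip() for s in severity.split(",") if s.strip()}
    unknown = wanted - set(SEVERITY_LEVELS)
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    return wanted


def filter_by_severity(sarif_text, severity="warning,error"):
    """Findings whose effective level is in the requested severity list."""
    wanted = parse_severity(severity)
    return [f for f in iter_findings(sarif_text) if f["level"] in wanted]


def has_blocking_findings(sarif_text, fail_on="error"):
    """True if any finding is at one of the levels that should fail the job."""
    return bool(filter_by_severity(sarif_text, fail_on))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    for f in filter_by_severity(text):
        print(f"{f['level']:8} {f['rule']:10} {f['location']}  {f['message']}")
    print(dict(count_by_level(text)))
    sys.exit(1 if has_blocking_findings(text) else 0)
```

Run it with the downloaded artifact as the argument (python summarize_sarif.py sarif/report.sarif, assuming that path; the real file name depends on the artifact contents) after a `actions/download-artifact` step, or without arguments to exercise the constructed sample. The exit code makes it usable as a gate in a later job even when upload-sarif is left at 'false' and Code Scanning is not in use.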

Permissions

  • For artifact upload: default permissions are fine.

  • For Code Scanning upload: add

    permissions:
      contents: read
      security-events: write

Troubleshooting

  • Monorepos: To analyze a single project within a larger repository, point project-root at that project's directory.
  • Timeouts: If the scan times out, increase timeout (e.g., 30m).

Changelog

See CHANGELOG.

License

This project is released under the MIT License.

The core analysis engine is source-available under the Functional Source License (FSL-1.1-ALv2), which converts to Apache 2.0 two years after each release. You can use Seqra for free, including for commercial use, except for competing products or services.
