Security score on every pull request
Block insecure code from merging. ShipSafer's GitHub Action posts your live security score as a PR comment and fails the check if you fall below your threshold.
Score check on every PR
Runs a live security scan against your domain and posts results as a PR comment.
Block insecure merges
Set a minimum score threshold. PRs that drop below it fail the status check and cannot merge.
Works with branch protection
Add ShipSafer as a required status check so security gates are enforced automatically.
SARIF output for GitHub Code Scanning
Findings are uploaded to GitHub Advanced Security, showing annotations directly on changed files.
Workflow file
Add this to .github/workflows/shipsafer.yml
name: ShipSafer Security Gate
on:
  pull_request:
    branches: [main, master]
jobs:
  security-check:
    runs-on: ubuntu-latest
    steps:
      - name: ShipSafer Security Gate
        uses: shipsafer/security-gate-action@v1
        with:
          api-key: ${{ secrets.SHIPSAFER_API_KEY }}
          domain: your-domain.com
          min-score: 70
          fail-on-critical: true

Replace your-domain.com with the domain you want to monitor. Set min-score (an integer from 0 to 100) and fail-on-critical (true or false). Two things to keep in mind: the scan runs against the deployed domain, so the score reflects what is live there at the time the check runs rather than the code in the PR diff; and pull requests opened from forks run with a read-only GITHUB_TOKEN and without repository secrets, so the API key is not available to the job on those PRs. If your repository or organization restricts the default GITHUB_TOKEN permissions, grant the job pull-requests: write to post the comment and security-events: write to upload SARIF to Code Scanning.
Set up in 4 steps
Get your free API key
Sign up for ShipSafer and generate an API key in Dashboard → CI/CD Integration.
Add SHIPSAFER_API_KEY secret
Go to your GitHub repo → Settings → Secrets and variables → Actions → New repository secret.
Add the workflow file
Copy the workflow YAML from the section above into .github/workflows/shipsafer.yml in your repo.
Open a PR and see it in action
Every pull request gets a security score comment. Merges are blocked if the score falls below your threshold.
What the PR comment looks like
Also works with GitLab, CircleCI, Jenkins & Bitbucket
ShipSafer's CI/CD integration supports all major platforms via a simple REST API call. No proprietary action required.
- GitLab CI/CD — use our curl-based job template
- CircleCI — use the orb or direct API call
- Jenkins — use the Pipeline script example
- Bitbucket Pipelines — use the pipe or curl step
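On a CI system where you call the REST API yourself instead of using the GitHub Action, the merge gate reduces to the same two rules the action applies: fail when the score is below min-score, and fail when fail-on-critical is true and the scan reports any critical finding. The POSIX shell script below is an added example of that gate logic, not ShipSafer's own job template; the JSON field names score and critical, the constructed sample response, and the curl line in the trailing comment are assumptions, since the page does not show the API's response format or endpoint.

```shell
#!/bin/sh
# Portable merge gate for CI systems without the GitHub Action.
# Added example; not ShipSafer's job template. The response shape
# ("score", "critical" as top-level integers) is an assumption.

# Constructed sample standing in for the API reply (not real scan data).
SAMPLE_RESPONSE='{"domain":"your-domain.com","score":82,"critical":0,"high":2}'

# json_number FIELD JSON -> prints the integer value of a top-level field.
# Minimal sed extraction so the job does not depend on jq being installed.
json_number() {
  printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# gate SCORE CRITICAL MIN_SCORE FAIL_ON_CRITICAL
# Returns 0 if the PR may merge, 1 if either gate rule rejects it.
gate() {
  score=$1; critical=$2; min_score=$3; fail_on_critical=$4
  status=0
  if [ "$score" -lt "$min_score" ]; then
    echo "FAIL: score $score is below threshold $min_score"
    status=1
  fi
  if [ "$fail_on_critical" = "true" ] && [ "$critical" -gt 0 ]; then
    echo "FAIL: $critical critical finding(s) and fail-on-critical=true"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "PASS: score $score (threshold $min_score), $critical critical finding(s)"
  fi
  return "$status"
}

# gate_response JSON MIN_SCORE FAIL_ON_CRITICAL
# Parses the response, then applies the gate. Returns 2 on an unparseable
# response so a broken API call can never be mistaken for a passing scan.
gate_response() {
  s=$(json_number score "$1")
  c=$(json_number critical "$1")
  if [ -z "$s" ] || [ -z "$c" ]; then
    echo "FAIL: could not read score/critical from response"
    return 2
  fi
  gate "$s" "$c" "$2" "$3"
}

# In a real job, replace SAMPLE_RESPONSE with the API output, e.g.
#   RESPONSE=$(curl -fsS -H "Authorization: Bearer $SHIPSAFER_API_KEY" "$SHIPSAFER_API_URL")
# (endpoint and auth header are assumptions; use the page's job templates).
gate_response "$SAMPLE_RESPONSE" 70 true
```

The non-zero exit code is what every listed CI system turns into a failed job, so the same script works as a GitLab job, a Jenkins sh step, a CircleCI run step, or a Bitbucket pipeline step. Returning 2 for a response that cannot be parsed is deliberate: a gate that silently passes when the API is unreachable is not a gate.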