GitHub Actions
This page explains how you can integrate HoundDog.ai's code scanner with GitHub Actions.
Defining GitHub Action Secrets
First, follow the steps in API Keys to generate a HoundDog.ai API key. Then follow the instructions in the GitHub documentation to create a new secret named HOUNDDOG_API_KEY using the value of your key.
Defining the Workflow in hounddog.yml
Next, add a new GitHub Actions workflow file named .github/workflows/hounddog.yml in your repository. Here is an example which scans your repository and uploads the results to HoundDog.ai Cloud Platform:

    name: Run HoundDog.ai Scan
    on:
      push:
        branches: ["main"]
    jobs:
      scan:
        name: Run HoundDog.ai Scan
        runs-on: ubuntu-latest
        permissions:
          contents: read
          security-events: write
        container:
          image: hounddogai/hounddog
          options: --pull=always
        # Skip PRs from dependabot to avoid permission issues.
        # Expression string literals must use single quotes.
        if: github.actor != 'dependabot[bot]'
        steps:
          - name: Checkout Repository
            # A branch ref is mutable; pin to a release tag or commit SHA if you need reproducible runs.
            uses: actions/checkout@master
          - name: Run HoundDog.ai Scan
            env:
              HOUNDDOG_API_KEY: ${{ secrets.HOUNDDOG_API_KEY }}
            run: hounddog scan
            continue-on-error: true

Here is another example for GitHub Enterprise users who prefer to manage their vulnerabilities using GitHub's Advanced Security instead of HoundDog.ai Cloud Platform:

    name: Run HoundDog.ai Scan
    on:
      push:
        branches: ["main"]
    jobs:
      scan:
        name: Run HoundDog.ai Scan
        runs-on: ubuntu-latest
        # upload-sarif needs security-events: write when the default token is read-only.
        permissions:
          contents: read
          security-events: write
        container:
          image: hounddogai/hounddog
        # Skip PRs from dependabot to avoid permission issues.
        if: github.actor != 'dependabot[bot]'
        steps:
          - name: Checkout Repository
            uses: actions/checkout@master
          - name: Run HoundDog.ai Scan
            env:
              HOUNDDOG_API_KEY: ${{ secrets.HOUNDDOG_API_KEY }}
            run: hounddog scan --output-format=sarif --no-upload-scan-results > hounddog.sarif
            continue-on-error: true
          - name: Upload results to GitHub Advanced Security
            uses: github/codeql-action/upload-sarif@v3
            with:
              sarif_file: hounddog.sarif
            continue-on-error: true

Blocking the Workflow Upon Detecting Vulnerabilities
In the examples above, we have been using continue-on-error: true to ignore any errors from the scanner. To fail the pipeline upon detecting vulnerabilities, set continue-on-error to false and provide the --fail-severity-threshold option to the hounddog scan command:

    name: Run HoundDog.ai Scan
    on:
      push:
        branches: ["main"]
    jobs:
      scan:
        name: Run HoundDog.ai Scan
        runs-on: ubuntu-latest
        container:
          image: hounddogai/hounddog
        # Skip PRs from dependabot to avoid permission issues.
        if: github.actor != 'dependabot[bot]'
        steps:
          - name: Checkout Repository
            uses: actions/checkout@master
          - name: Run HoundDog.ai Scan
            env:
              HOUNDDOG_API_KEY: ${{ secrets.HOUNDDOG_API_KEY }}
            # Fail if a vulnerability with severity "medium" or higher is detected.
            run: hounddog scan --fail-severity-threshold=medium
            # You can alternatively delete this line as it defaults to false already.
            continue-on-error: false

To view all available command-line options for the hounddog scan command, see Scanner Configuration.
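
In the SARIF example above, the scanner's output is redirected into hounddog.sarif and errors are ignored, so a failed scan can leave an empty or malformed file. The following Python script is an added example, not part of HoundDog.ai's documentation or tooling: it validates the file and counts results by SARIF level so a later step can gate on them. The function names are hypothetical, and because this page does not say how HoundDog.ai severities map to SARIF levels, the threshold is expressed in standard SARIF 2.1.0 levels (an assumption).

```python
import json
import sys

# SARIF 2.1.0 result levels, lowest to highest.
LEVELS = ["none", "note", "warning", "error"]

def load_sarif(text):
    """Parse SARIF text; raise ValueError if it is not a usable SARIF log."""
    if not text.strip():
        raise ValueError("SARIF file is empty (did the scan step fail?)")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"SARIF file is not valid JSON: {exc}") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("runs"), list):
        raise ValueError("JSON has no top-level 'runs' array")
    return doc

def count_by_level(doc):
    """Count results per level. Simplification: a result with no (or an
    unknown) 'level' counts as 'warning'; rule defaults are not looked up."""
    counts = dict.fromkeys(LEVELS, 0)
    for run in doc["runs"]:
        for result in run.get("results") or []:
            level = result.get("level", "warning")
            counts[level if level in counts else "warning"] += 1
    return counts

def gate(text, threshold="warning"):
    """Return (exit_code, counts): 0 clean, 1 findings at/above threshold, 2 unusable file."""
    try:
        counts = count_by_level(load_sarif(text))
    except ValueError as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 2, {}
    blocking = sum(counts[lvl] for lvl in LEVELS[LEVELS.index(threshold):])
    return (1 if blocking else 0), counts

# Constructed sample input (assumption; not real scanner output).
SAMPLE = json.dumps({"version": "2.1.0", "runs": [{"results": [
    {"ruleId": "R1", "level": "error", "message": {"text": "a"}},
    {"ruleId": "R2", "level": "note", "message": {"text": "b"}},
    {"ruleId": "R3", "message": {"text": "c"}}]}]})

if __name__ == "__main__":
    # Usage: python sarif_gate.py hounddog.sarif [threshold]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    code, counts = gate(text, sys.argv[2] if len(sys.argv) > 2 else "warning")
    print(counts)
    sys.exit(code)
```

Exit code 2 separates an unusable SARIF file from exit code 1 for findings at or above the threshold, so the two cases can be handled differently in the workflow.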