CodeAnt CI Scan Action

A GitHub Action to run CodeAnt CI security and code quality analysis on your repository. You can find this action on the GitHub Marketplace.

Features

  • 🛡️ Automated security and code quality scanning
  • 🔍 Deep code analysis and vulnerability detection
  • 📊 Detailed reports and insights
  • ⚡ Fast and easy integration

Usage

Basic Usage

Add this action to your workflow:
name: CodeAnt CI Scan

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  codeant_scan:
    name: Run CodeAnt CI scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run CodeAnt CI Scan
        uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
        with:
          access_token: ${{ secrets.CODEANT_TOKEN }}

Advanced Usage

Customize the scan with additional options:
- name: Run CodeAnt CI Scan
  uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
  with:
    access_token: ${{ secrets.CODEANT_TOKEN }}
    scanners: 'sast,sca'
    include_paths: 'src/,lib/'
    exclude_paths: 'test/,docs/'

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| access_token | CodeAnt API token (cdt_…) — see API Tokens | Yes | - |
| api_base | CodeAnt API base URL | No | https://api.codeant.ai |
| scanners | Comma-separated list of scanners to run | No | sast,sca |
| include_paths | Comma-separated paths to include in scan | No | '' (all files) |
| exclude_paths | Comma-separated paths to exclude from scan | No | '' (none) |
| quality_gate | Fail the workflow if the whole-repo quality gate does not pass. Writes results.json, codeant.sarif, codeant-qg.xml | No | false |

Setup

1. Create a CodeAnt Token

In CodeAnt AI, open the user menu (click your email at the bottom-left) and select API Tokens, click Create token, and copy the generated token (it starts with cdt_ and is shown only once). See API Tokens for the full walkthrough. This single token authenticates the scan — you don’t need a GitHub personal access token.

2. Add Token to GitHub Secrets

  • Go to your repository’s Settings
  • Navigate to Secrets and variables → Actions
  • Click “New repository secret”
  • Name: CODEANT_TOKEN
  • Value: Paste your CodeAnt token (cdt_…)
  • Click “Add secret”

3. Create Workflow File

Create .github/workflows/codeant-scan.yml in your repository with the usage example above.

Supported Events

This action works with any GitHub event that provides commit information:
  • push
  • pull_request
  • workflow_dispatch
  • schedule

Example Workflows

Scan on Push and Pull Request

name: CodeAnt CI Scan

on:
  push:
    branches: [ "main", "develop" ]
  pull_request:
    branches: [ "main" ]

jobs:
  codeant_scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
        with:
          access_token: ${{ secrets.CODEANT_TOKEN }}

Scheduled Daily Scan

name: Daily CodeAnt Scan

on:
  schedule:
    - cron: '0 2 * * *'  # Run at 2 AM UTC daily

jobs:
  codeant_scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
        with:
          access_token: ${{ secrets.CODEANT_TOKEN }}

Scan Specific Directories with Security Focus

- uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
  with:
    access_token: ${{ secrets.CODEANT_TOKEN }}
    scanners: 'sast,secrets'
    include_paths: 'src/,backend/'
    exclude_paths: 'src/tests/,backend/vendor/'

Scanner Options

🔍 Available Scanners: The scanners input allows you to customize which security scanners run during analysis:
  • sast - Static Application Security Testing (code vulnerabilities)
  • sca - Software Composition Analysis (dependency vulnerabilities)
  • secrets - Secret detection (API keys, passwords, tokens)
  • antipatterns - Code quality and duplicate code detection
  • iac - Infrastructure as Code security (Terraform, CloudFormation, etc.)
  • all - Run all available scanners
Default: If not specified, runs sast,sca
Examples:
  • Run all scanners: scanners: 'all'
  • Only SAST: scanners: 'sast'
  • SAST + Secrets: scanners: 'sast,secrets'
  • Full security suite: scanners: 'sast,sca,secrets,iac'

Scanner Configuration Examples

Run All Scanners

- uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
  with:
    access_token: ${{ secrets.CODEANT_TOKEN }}
    scanners: 'all'

Security-Focused Scan

- uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
  with:
    access_token: ${{ secrets.CODEANT_TOKEN }}
    scanners: 'sast,secrets'

Quality Gate Enforcement

🚦 Block the workflow on the whole-repository posture: Set quality_gate: true to turn the scan into an enforced gate. After the scan completes, CodeAnt evaluates the entire repository against your thresholds and the workflow fails if the gate does not pass. This is the Checkmarx / SonarQube-style whole-repo gate, independent of the new-code/PR quality gate. Configure thresholds in Settings → Code Analysis → Quality Gates using the “(Full Code / CI Pipeline)” metrics (these run only in the pipeline, never on pull requests):
  • (Full Code / CI Pipeline) SAST Security Rating C
  • (Full Code / CI Pipeline) SCA Security Rating C
  • (Full Code / CI Pipeline) IaC Security Rating C
  • (Full Code / CI Pipeline) Duplicate Code Percentage > 30
Results group into three status checks: SAST (app security + IaC), SCA (dependencies), and SCR (duplicate code).
- name: CodeAnt Quality Gate
  uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
  with:
    access_token: ${{ secrets.CODEANT_TOKEN }}
    scanners: 'all'
    quality_gate: true
- name: Upload CodeAnt SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: codeant.sarif
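The gate writes codeant.sarif alongside the status checks, and the upload step above hands that file to GitHub code scanning. The script below is an added example (not part of the action or its documentation) of a step you could run with if: always() right after the gate to summarize the same file in the job log: it counts findings per SARIF level and rule and lists the affected files. It assumes only the standard SARIF 2.1.0 layout (runs[].results[] with level, ruleId and physicalLocation); the embedded document is a constructed stand-in for the real codeant.sarif, whose rule names are not documented on this page.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for codeant.sarif (assumption:
# the action's output follows the standard layout; rule ids here are invented).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeAnt"}},
        "results": [
            {"ruleId": "sast/sql-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"}}}]},
            {"ruleId": "secrets/aws-key", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"}}}]},
            {"ruleId": "sast/weak-hash", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/auth.py"}}}]},
            {"ruleId": "antipatterns/duplicate", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "lib/util.py"}}}]},
        ],
    }],
})


def summarize_sarif(sarif_text):
    """Count results per SARIF level and per rule across all runs, and collect file URIs."""
    doc = json.loads(sarif_text)
    by_level, by_rule, files = Counter(), Counter(), set()
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            by_level[res.get("level", "warning")] += 1  # SARIF's default level is "warning"
            by_rule[res.get("ruleId", "<unknown>")] += 1
            for loc in res.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if uri:
                    files.add(uri)
    return {"by_level": dict(by_level), "by_rule": dict(by_rule), "files": sorted(files)}


def exceeds_budget(summary, max_errors=0):
    """Local secondary check, independent of CodeAnt's gate: True when error-level findings exceed the budget."""
    return summary["by_level"].get("error", 0) > max_errors


if __name__ == "__main__":
    # In a workflow step: python3 summarize_sarif.py codeant.sarif
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    summary = summarize_sarif(text)
    print(json.dumps(summary, indent=2))
    sys.exit(1 if exceeds_budget(summary) else 0)
```

Because the job already fails when quality_gate does not pass, the exit status here is only a local budget check on error-level results; the printed summary is the useful part when triaging a red run.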

Troubleshooting

Authentication Errors

  • Ensure your CODEANT_TOKEN is correctly set in repository secrets
  • Verify the CodeAnt token (cdt_…) hasn’t been revoked
  • Check that the token belongs to the same organization as the repository

Scan Failures

  • Verify your repository is accessible
  • Check that the API base URL is correct
  • Review the action logs for specific error messages

License

This project is licensed under the MIT License - see the LICENSE file for details.

On-Premise Deployment

If you are using a self-hosted CodeAnt instance, you can specify a custom API endpoint using the api_base parameter:
- name: Run CodeAnt CI Scan
  uses: CodeAnt-AI/codeant-ci-scan-action@v0.0.5
  with:
    access_token: ${{ secrets.CODEANT_TOKEN }}
    api_base: 'https://your-codeant-instance.example.com'
Note: The api_base parameter is only required for on-premise deployments. Cloud users do not need to configure this.

Support

For issues, questions, or contributions, please visit the GitHub repository.