GitHub Actions Workflow
Add the following job to your.github/workflows/quality_gates.yml
. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues:
Important:
- Add an
ACCESS_TOKEN
secret in your repository settings (Settings -> Secrets and variables -> Actions).- The quality gate will fail your build if secrets are detected in the changed code.
How it works
-
Download script
We fetch the quality gates script (quality_gates.sh
) from the CodeAnt API endpoint. -
Start scan
The script initiates a quality gate scan for your commit using the-o start
operation. -
Poll for results
The script polls for scan results using the-o results
operation with:- Timeout: 300 seconds (5 minutes)
- Poll interval: 15 seconds
-
Pipeline feedback
- Success: Quality gate passes if no secrets are detected
- Failure: Quality gate fails if secrets are found, blocking the build
Script Parameters
Thequality_gates.sh
script accepts the following parameters:
Parameter | Description | Required | Example |
---|---|---|---|
-a, --access-token | GitHub Personal Access Token or repo token | Yes | ${{ secrets.ACCESS_TOKEN }} |
-r, --repo | Repository in format owner/repository | Yes | ${{ github.repository }} |
-c, --commit-id | Commit SHA to scan | Yes | ${{ github.sha }} |
-s, --service | VCS provider | Yes | github |
-o, --operation | Operation to perform (start or results ) | Yes | start or results |
-t, --timeout | Timeout in seconds for polling (default: 300) | No | 300 |
-p, --poll-interval | Poll interval in seconds (default: 15) | No | 15 |
-u, --base-url | Base URL for VCS service (optional) | No | https://github.com |
Quality Gate Checks
Currently, the quality gate performs the following checks:Secret Detection
- Scans for hardcoded secrets, API keys, passwords, and tokens
- Analyzes only the changed lines since your merge base commit
- Uses high-confidence detection to minimize false positives
- Blocks the build if any secrets are found
Best Practices
- Run on all branches: Quality gates should run on every push to catch issues early
- Block merges: Configure branch protection rules to require quality gate checks before merging
- Review failures: When quality gates fail, review the detected issues immediately
- Keep tokens secure: Never commit access tokens directly - always use GitHub Secrets
Troubleshooting
Quality gate times out
If the scan takes longer than expected:- Increase the timeout using
-t 600
(10 minutes) - Check if the CodeAnt service is operational
Authentication failures
If you see “Access token invalid”:- Verify your
ACCESS_TOKEN
secret is correctly configured - Ensure the token has appropriate repository permissions
No results returned
If the scan completes but returns no results:- Check that quality gates are enabled for your repository in CodeAnt
- Verify the commit SHA is correct