CLI install guide
Install the npm package, add a paid-plan CI token, and run source-backed security scans from GitHub Actions or any CI runner.
npm install -D abyssguard
npx abyssguard --version
npx abyssguard scan --repo acme/ai-saas --fail-on critical

1. Create a CI token
Open the AbyssGuard app on an active paid subscription, go to CI tokens, and create a token for your runner. The raw token is shown once, so copy it before closing the dialog.
Store the value as ABYSSGUARD_CI_KEY in GitHub Actions or your CI secret manager. Do not put tokens in workflow YAML, package scripts, or command history.
Use npx in your workflow. AbyssGuard returns a risk summary, file-level findings, and artifacts your team can review inside the CI run.
GitHub Actions
Use the managed GitHub App for the simplest PR checks. Use the CLI when you want explicit CI commands, SARIF upload, and saved run artifacts.
name: AbyssGuard security check
on:
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch:
permissions:
  contents: read
  pull-requests: read
  security-events: write
jobs:
  abyssguard:
    runs-on: ubuntu-latest
    steps:
      - name: Run AbyssGuard CLI scan
        env:
          ABYSSGUARD_CI_KEY: ${{ secrets.ABYSSGUARD_CI_KEY }}
          GITHUB_TOKEN_FOR_SCAN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          npx abyssguard scan \
            --repo "${{ github.repository }}" \
            --ref "${{ github.ref }}" \
            --sha "${{ github.sha }}" \
            --pull-request "${{ github.event.pull_request.number }}" \
            --github-token-env GITHUB_TOKEN_FOR_SCAN \
            --fail-on critical \
            --app-status already_live \
            --app-type "AI SaaS" \
            --json abyssguard-response.json \
            --markdown abyssguard-summary.md \
            --sarif abyssguard.sarif
          cat abyssguard-summary.md >> "$GITHUB_STEP_SUMMARY"
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: abyssguard.sarif
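On a runner without the upload-sarif action, the SARIF file written by --sarif can still be checked and gated locally. The following is an added example and not AbyssGuard's own code: it assumes the tool emits standard SARIF 2.1.0 and, optionally, GitHub's security-severity rule property, and the sample document is constructed.

```python
import json
from collections import Counter
# Bands GitHub code scanning applies to the optional rule property
# "security-severity"; a rule without one falls back to the result level.
SEVERITY_BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0))
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}
ORDER = ("low", "medium", "high", "critical")

# Constructed sample in SARIF 2.1.0 shape; not real AbyssGuard output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "AbyssGuard", "rules": [
            {"id": "AG-0001", "properties": {"security-severity": "9.1"}},
            {"id": "AG-0002", "properties": {"security-severity": "7.5"}},
            {"id": "AG-0003"},
        ]}},
        "results": [
            {"ruleId": "AG-0001", "level": "error",
             "message": {"text": "Hardcoded credential"}},
            {"ruleId": "AG-0002", "level": "error",
             "message": {"text": "Missing authorization check"}},
            {"ruleId": "AG-0003", "level": "warning",
             "message": {"text": "Verbose error returned to client"}},
        ],
    }],
})

def severity_of(result, rules):
    # Score on the rule wins; otherwise map the SARIF result level.
    score = rules.get(result.get("ruleId"), {}).get("properties", {}).get("security-severity")
    if score is not None:
        for name, floor in SEVERITY_BANDS:
            if float(score) >= floor:
                return name
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")

def summarize(sarif_text):
    # {severity: count} across every run in the document
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            counts[severity_of(result, rules)] += 1
    return dict(counts)

def should_fail(counts, fail_on="critical"):
    # True when any finding sits at or above the --fail-on threshold
    return any(counts.get(s, 0) > 0 for s in ORDER[ORDER.index(fail_on):])
```

Pass the contents of abyssguard.sarif to summarize() and exit non-zero when should_fail() returns True to reproduce the --fail-on gate on any runner.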