Install the GitHub App
Customers click Connect GitHub, approve selected repositories, and AbyssGuard keeps only a verified installation reference. No customer CI secret is required for the default path.
GitHub App integration
Connect the read-only GitHub App once. AbyssGuard then creates native check runs and a sticky PR summary on every opened, synchronized, or reopened pull request without customer-managed secrets or workflow YAML.
{
  "ok": false,
  "summary": {
    "conclusion": "failure",
    "failOn": "critical",
    "repository": "github.com/acme/ai-saas",
    "pullRequest": 42,
    "safetyScore": 54,
    "scannedFiles": 812,
    "sourceDeletedAt": "2026-06-27T10:02:11.000Z",
    "counts": {
      "bySeverity": { "Critical": 1, "High": 3, "Medium": 8, "Low": 4 },
      "byPriority": { "Fix now": 2, "Fix soon": 7, "Can wait": 7 }
    }
  },
  "markdown": "## AbyssGuard CI scan: attention needed...",
  "sarif": { "version": "2.1.0", "runs": [] }
}
GitHub sends pull_request webhooks to AbyssGuard. We create an in-progress check run on the PR head SHA, scan with a short-lived installation token, then complete the check.
Teams that want policy in their own workflow can install abyssguard from npm and keep SARIF, JSON, and Markdown artifacts inside GitHub Actions.
CLI workflow
The managed GitHub App is the simplest path. The npm CLI is the explicit workflow path for teams that want commands, artifacts, and failure policy in their own CI file.
name: AbyssGuard security check
on:
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch:
permissions:
  contents: read
  pull-requests: read
  security-events: write
jobs:
  abyssguard:
    runs-on: ubuntu-latest
    steps:
      - name: Run AbyssGuard CLI scan
        env:
          ABYSSGUARD_CI_KEY: ${{ secrets.ABYSSGUARD_CI_KEY }}
          GITHUB_TOKEN_FOR_SCAN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          npx abyssguard scan \
            --repo "${{ github.repository }}" \
            --ref "${{ github.ref }}" \
            --sha "${{ github.sha }}" \
            --pull-request "${{ github.event.pull_request.number }}" \
            --github-token-env GITHUB_TOKEN_FOR_SCAN \
            --fail-on critical \
            --app-status already_live \
            --app-type "AI SaaS" \
            --json abyssguard-response.json \
            --markdown abyssguard-summary.md \
            --sarif abyssguard.sarif
          cat abyssguard-summary.md >> "$GITHUB_STEP_SUMMARY"
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: abyssguard.sarif
The GitHub App creates and completes AbyssGuard check runs automatically on opened, synchronized, and reopened pull requests.
The downloadable CLI writes JSON, Markdown, and SARIF artifacts so advanced CI teams do not have to maintain raw curl glue.
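A consumer-side policy gate for the abyssguard-response.json artifact the CLI writes, as an added example that is not part of AbyssGuard's own code or CLI. It assumes that failOn "<level>" means fail when any finding is at or above that severity, and the sample response is constructed from the shape shown above.

```javascript
// Added example, not AbyssGuard's own code: re-check the JSON artifact written by
// `npx abyssguard scan --json ...` against a severity threshold so a CI step can
// enforce its own gate instead of trusting only the `conclusion` the scanner reported.
// Assumption: failOn "<level>" means fail when any finding is at or above that
// severity, ordered by the four severities shown in the response.
const SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"];

function normalizeLevel(level) {
  return level.charAt(0).toUpperCase() + level.slice(1).toLowerCase();
}

// Sum findings in `bySeverity` at or above the failOn level.
function countAtOrAbove(bySeverity, failOn) {
  const threshold = SEVERITY_ORDER.indexOf(normalizeLevel(failOn));
  if (threshold < 0) throw new Error(`unknown failOn level: ${failOn}`);
  return SEVERITY_ORDER.slice(threshold)
    .reduce((sum, level) => sum + (bySeverity[level] || 0), 0);
}

// Recompute the verdict and flag any disagreement with what the scanner reported;
// a mismatch (e.g. a tampered or stale artifact) should fail the job, not pass it.
function evaluateResponse(response, failOn = response.summary.failOn) {
  const { summary } = response;
  const blocking = countAtOrAbove(summary.counts.bySeverity, failOn);
  const shouldFail = blocking > 0;
  const reportedFail = summary.conclusion === "failure" || response.ok === false;
  const consistent = shouldFail === reportedFail;
  return { shouldFail, blocking, consistent, exitCode: shouldFail || !consistent ? 1 : 0 };
}

// Constructed sample, trimmed to the fields used here from the response shape above.
const SAMPLE_RESPONSE = {
  ok: false,
  summary: {
    conclusion: "failure",
    failOn: "critical",
    repository: "github.com/acme/ai-saas",
    pullRequest: 42,
    counts: {
      bySeverity: { Critical: 1, High: 3, Medium: 8, Low: 4 },
      byPriority: { "Fix now": 2, "Fix soon": 7, "Can wait": 7 },
    },
  },
};

// Usage in a CI step: read abyssguard-response.json, then
//   process.exitCode = evaluateResponse(JSON.parse(text)).exitCode;
```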
AbyssGuard writes or updates one PR summary comment instead of asking customers to inspect a separate dashboard first.
AbyssGuard reads the repository archive for each scan, builds normalized findings, then deletes the source workspace files.
The CI endpoint receives repository identity and an optional short-lived GitHub token, downloads the archive for the scan, filters eligible source/configuration files, builds normalized findings, and deletes temporary source workspace files. The JSON, markdown, and SARIF outputs contain findings and metadata, not source-file contents.