# GitHub Actions Integration
This page explains how to run inspequte in GitHub Actions and upload SARIF
results to GitHub Code Scanning.
## Prerequisites

- Your workflow needs `security-events: write` to upload SARIF.
- Install `inspequte` in the runner (for example with `KengoTODA/setup-inspequte`). `inspequte` outputs SARIF v2.1.0 only.
## Option A: Gradle Plugin (recommended for Gradle projects)

```yaml
name: inspequte
on:
  pull_request:
  push:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v6
      - name: Install inspequte
        uses: KengoTODA/setup-inspequte@8d212fa51a56245829f88e60f081c6549e312c57
      - name: Setup Java
        uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: "21"
      - name: Setup Gradle
        uses: gradle/actions/setup-gradle@v4
      - name: Run checks
        run: ./gradlew check --no-daemon
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: build/inspequte/main/report.sarif
```

The Gradle plugin generates SARIF under `build/inspequte/<sourceSet>/report.sarif`.
## Option B: Direct CLI invocation

```yaml
name: inspequte-cli
on:
  pull_request:
  push:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v6
      - name: Install inspequte
        uses: KengoTODA/setup-inspequte@8d212fa51a56245829f88e60f081c6549e312c57
      - name: Run inspequte
        run: |
          inspequte \
            --input app.jar \
            --classpath lib/ \
            --output results.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: results.sarif
```
## Option C: Codex automation with openai/codex-action

Use this when you want Codex to run the analysis and post review feedback. The `codex` job runs with read-only `contents` and hands its final message to a separate `post-feedback` job, which is the only job holding the `issues` and `pull-requests` write permissions needed to comment on the pull request.

```yaml
name: codex-pr-review
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  codex:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      final_message: ${{ steps.run_codex.outputs.final-message }}
    steps:
      - uses: actions/checkout@v6
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
      - name: Pre-fetch base and head refs
        run: |
          git fetch --no-tags origin \
            ${{ github.event.pull_request.base.ref }} \
            +refs/pull/${{ github.event.pull_request.number }}/head
      - name: Run Codex
        id: run_codex
        uses: openai/codex-action@v1
        with:
          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
          safety-strategy: drop-sudo
          sandbox: workspace-write
          prompt: |
            Run:
            inspequte --input app.jar --classpath lib/ --output results.sarif
            Then summarize findings and propose patch-ready fixes.
  post-feedback:
    runs-on: ubuntu-latest
    needs: codex
    if: needs.codex.outputs.final_message != ''
    permissions:
      issues: write
      pull-requests: write
    steps:
      - name: Post Codex feedback
        uses: actions/github-script@v7
        env:
          CODEX_FINAL_MESSAGE: ${{ needs.codex.outputs.final_message }}
        with:
          github-token: ${{ github.token }}
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: process.env.CODEX_FINAL_MESSAGE,
            });
```
## Notes

- If SARIF upload fails with a permission error, confirm `permissions.security-events: write`.
- If the upload step cannot find the file, verify the path generated by your build and update `sarif_file`.
- For `openai/codex-action`, add `OPENAI_API_KEY` to repository secrets.
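The two failure modes in the notes above (a wrong `sarif_file` path and a report that is not the SARIF v2.1.0 inspequte emits) can be caught before the upload step. The script below is an added example, not part of inspequte or of the workflows on this page; it assumes it is saved as `precheck_sarif.py` (a hypothetical file name) and invoked from a `run:` step between the scan and `github/codeql-action/upload-sarif`. The sample report it writes is constructed for the example, with made-up rule ids.

```python
"""Pre-upload sanity check for an inspequte SARIF report (added example).

Fails early with a message that names the problem (missing file, bad JSON,
unexpected SARIF version) instead of an opaque upload-sarif error, and
summarizes the findings that are about to be uploaded.
"""
import json
import os
import sys
import tempfile

# inspequte writes SARIF v2.1.0 only, so any other version means the step is
# pointing at the wrong file.
EXPECTED_SARIF_VERSION = "2.1.0"

# SARIF defines "warning" as the level of a result that carries no "level".
DEFAULT_LEVEL = "warning"


def precheck(path):
    """Validate the SARIF report at `path` before it is uploaded.

    Returns a dict with `ok` (bool) and `message` (str); when `ok` is True it
    also carries `version`, `result_count` and `counts_by_level`. It never
    raises, so the calling step decides how to surface a failure.
    """
    if not os.path.isfile(path):
        return {"ok": False, "message": (
            f"SARIF report not found at {path!r}; verify the path your build "
            "writes (Gradle plugin: build/inspequte/<sourceSet>/report.sarif) "
            "and update sarif_file to match")}
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError) as exc:
        return {"ok": False, "message": f"{path!r} is not valid JSON: {exc}"}

    version = doc.get("version") if isinstance(doc, dict) else None
    if version != EXPECTED_SARIF_VERSION:
        return {"ok": False, "message": (
            f"{path!r} declares SARIF version {version!r}; expected "
            f"{EXPECTED_SARIF_VERSION}, the only version inspequte emits")}

    # Tally results per level across all runs in the document.
    counts_by_level = {}
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", DEFAULT_LEVEL)
            counts_by_level[level] = counts_by_level.get(level, 0) + 1
    total = sum(counts_by_level.values())
    return {
        "ok": True,
        "version": version,
        "result_count": total,
        "counts_by_level": counts_by_level,
        "message": f"{path}: SARIF {version}, {total} result(s) {counts_by_level}",
    }


def write_sample_report(version=EXPECTED_SARIF_VERSION):
    """Write a constructed SARIF document to a temp file and return its path.

    Rule ids and messages are made up for this example, not real inspequte
    output. `version` is a parameter so the mismatch branch of precheck()
    can be exercised too.
    """
    sample = {
        "version": version,
        "runs": [{
            "tool": {"driver": {"name": "inspequte"}},
            "results": [
                {"ruleId": "EXAMPLE_RULE_A", "level": "error",
                 "message": {"text": "constructed finding 1"}},
                {"ruleId": "EXAMPLE_RULE_B", "level": "warning",
                 "message": {"text": "constructed finding 2"}},
                # no "level" key: precheck() applies the SARIF default
                {"ruleId": "EXAMPLE_RULE_B",
                 "message": {"text": "constructed finding 3"}},
            ],
        }],
    }
    path = os.path.join(tempfile.mkdtemp(prefix="inspequte-sarif-"), "report.sarif")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    return path


if __name__ == "__main__":
    # Workflow usage: python precheck_sarif.py build/inspequte/main/report.sarif
    target = sys.argv[1] if len(sys.argv) > 1 else "results.sarif"
    outcome = precheck(target)
    print(outcome["message"])
    sys.exit(0 if outcome["ok"] else 1)
```

In Option A or B, a step such as `run: python precheck_sarif.py build/inspequte/main/report.sarif` placed before the `Upload SARIF` step makes the job fail at the check, with the path and the version it found in the log, rather than at the upload. The script returns a result dict instead of raising so that the same function can be reused where a soft failure (a warning annotation instead of a failed job) is preferred.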