GitHub Code Scanning


Bridgecrew's GitHub Action can run as a native GitHub Code Scanning tool to scan infrastructure-as-code (IaC) files. Enable code scanning in your repository and set up the Bridgecrew integration to receive inline scan results directly in the Security tab in GitHub.


Bridgecrew IaC errors in the code scanning interface

Errors detected by Bridgecrew will include the policy names as well as links to additional guidelines for how to fix them.


Investigating a single error in the code scanning interface


  1. You will first need to ensure code scanning is enabled in your repo. For more information on how to enable code scanning, visit GitHub Docs.

  2. Once enabled, code scanning should appear in the menu on the left side of your screen.


Make sure code scanning is available by visiting the Security tab

  3. Go to the Actions tab and select New Workflow.

Select New Workflow

  4. The code scanning integration works by running the Bridgecrew GitHub Action and configuring it to emit results in the format GitHub expects (SARIF), which a second step uploads. Use the template YAML code below to create the action. Make sure you use your Bridgecrew API Token and save it as a GitHub Secret; the template below reads it from the secret named API_KEY.

When finished, make sure to commit the changes to your main branch.


Add the bridgecrew-code-scanning-yaml

# This is a workflow to help you set up Bridgecrew in GitHub code scanning

name: Bridgecrew

# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the main branch
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    runs-on: ubuntu-latest
    # Least-privilege token: the job only needs to read the repo and write security events
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
    - uses: actions/checkout@v2
    - name: Run Bridgecrew
      id: Bridgecrew
      uses: bridgecrewio/checkov-action@master
      with:
        # The Bridgecrew API token, stored as a repository secret named API_KEY
        api-key: ${{ secrets.API_KEY }}
        # Report findings without failing the job, so the SARIF upload below always runs
        soft_fail: true
    - name: Expose report
      uses: actions/upload-artifact@v2
      with:
        name: SARIF results
        path: results.sarif
    # Uploads results.sarif to GitHub repository using the upload-sarif action
    - uses: github/codeql-action/upload-sarif@v2
      with:
        # Path to SARIF file relative to the root of the repository
        sarif_file: results.sarif
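The workflow above hands results.sarif to GitHub, which joins each result to its rule to show the policy name and guideline link. The following added example (not from the Bridgecrew docs or the action itself) does the same join locally, so you can inspect what will land in the Security tab and apply your own gate instead of relying on soft_fail. The SARIF document is a constructed sample in the shape Checkov emits; the helpUri values are placeholders.

```python
import json
from collections import Counter

# Constructed sample of the SARIF 2.1.0 log checkov-action writes as results.sarif:
# rules live under runs[].tool.driver.rules, findings under runs[].results.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "checkov", "rules": [
            {"id": "CKV_AWS_20", "name": "S3 Bucket has an ACL defined which allows public READ access.",
             "helpUri": "https://docs.example.invalid/guidelines/CKV_AWS_20"},  # placeholder URL
            {"id": "CKV_AWS_18", "name": "Ensure the S3 bucket has access logging enabled",
             "helpUri": "https://docs.example.invalid/guidelines/CKV_AWS_18"},  # placeholder URL
        ]}},
        "results": [
            {"ruleId": "CKV_AWS_20", "level": "error",
             "message": {"text": "aws_s3_bucket.public: public-read ACL"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "CKV_AWS_18", "level": "warning",
             "message": {"text": "aws_s3_bucket.public: no logging block"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                                 "region": {"startLine": 12}}}]},
        ],
    }],
})


def summarize_sarif(sarif_text):
    """Return each finding joined to its rule's policy name and guideline link."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        # Index rules by id so every result can be joined to its policy metadata.
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule_id": res.get("ruleId"),
                "policy": rule.get("name", "<unknown policy>"),
                "level": res.get("level", "warning"),  # SARIF default when level is omitted
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "guideline": rule.get("helpUri"),
            })
    return findings


def should_fail(findings, fail_on=("error",)):
    """Gate the build the way soft_fail: false would: fail on any finding at a listed level."""
    counts = Counter(f["level"] for f in findings)
    return any(counts[level] > 0 for level in fail_on)
```

Run it against the real results.sarif from the workspace after the Bridgecrew step to see the policy names and links GitHub will display before the upload-sarif step runs.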