Protect a repository in under five minutes — no local install required
This guide wires barestripehq/primer-action@v1 into a GitHub Actions workflow,
walks through what happens on a push and on a pull request, and explains the SARIF upload
constraints for private repositories.
Even faster: install the primer GitHub App on your repository and skip the workflow file entirely. Every push and pull request is scanned automatically — primer posts a Check Run and PR comment with no configuration on your end. See GitHub App integration →
Create .github/workflows/security.yml in your repository:
name: Security
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
permissions:
security-events: write # SARIF upload to GitHub Security tab
pull-requests: write # PR comment
actions: read
contents: read
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Scan dependencies
id: primer
uses: barestripehq/primer-action@v1
with:
file: package-lock.json # adjust to your manifest or lockfile
Commit and push to main. The scan runs immediately.
Supported files: package-lock.json, pyproject.toml,
requirements.txt, Cargo.lock, go.sum, yarn.lock,
pnpm-lock.yaml, uv.lock, and more. primer infers the ecosystem from the filename.
The action downloads the primer binary for the runner platform, scans every package in the lockfile against the OSV database, and streams results as queries resolve:
Scanning package-lock.json (npm) — 312 packages [lockfile] …
[1/312] express 4.18.2 — clean
[2/312] lodash 4.17.20 — 1 finding
[3/312] axios 1.3.4 — clean
...
[312/312] ws 8.13.0 — clean
SARIF written to primer-results.sarif
SARIF uploaded to GitHub Security tab
On a clean scan, the job exits 0. On blocking findings (at or above threshold,
default high), the job exits 1 and blocks the merge.
When the workflow runs on a pull_request event, primer posts a findings summary
as a comment on the PR. On a clean scan:
### primer scan — `package-lock.json`
✅ No vulnerabilities found.
On a scan with findings:
### primer scan — `package-lock.json`
| Severity | ID | Description |
|----------|----|-------------|
| 🔴 | `GHSA-jchw-25xp-jwwc` | lodash prototype pollution via zipObjectDeep |
| 🟡 | `GHSA-p6mc-m468-83gw` | lodash ReDoS via toNumber, trim and trimEnd |
> Run `primer scan --file package-lock.json` locally for full details and fix commands.
If you push another commit to the same PR, primer updates the existing comment rather than posting a new one — the PR stays clean.
Reference the action's outputs in downstream steps using the id you set
on the primer step:
- name: Scan dependencies
id: primer
uses: barestripehq/primer-action@v1
with:
file: package-lock.json
- name: Print results
run: |
echo "Total findings : ${{ steps.primer.outputs.findings-count }}"
echo "Blocking : ${{ steps.primer.outputs.blocking-count }}"
echo "SARIF path : ${{ steps.primer.outputs.sarif-path }}"
| Output | Example value | Description |
|---|---|---|
findings-count | 3 | Total vulnerabilities found across all packages |
blocking-count | 1 | Findings at or above threshold |
sarif-path | /home/runner/work/…/primer-results.sarif | Absolute path to the generated SARIF file |
Private repository? SARIF upload to the Security tab requires GitHub Advanced Security on private repos. If you see an "Advanced Security must be enabled" error, set upload-sarif: 'false' — the scan, exit code, and PR comment continue to work normally. See SARIF and private repositories for details.
npm install and pip install are intercepted on developer machines