Quickstart

Protect a repository in under five minutes — no local install required

This guide wires barestripehq/primer-action@v1 into a GitHub Actions workflow, walks through what happens on a push and on a pull request, and explains the SARIF upload constraints for private repositories.

Even faster: install the primer GitHub App on your repository and skip the workflow file entirely. Every push and pull request is scanned automatically — primer posts a Check Run and PR comment with no configuration on your end. See GitHub App integration →

1. Add the workflow

Create .github/workflows/security.yml in your repository:

name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

permissions:
  security-events: write   # SARIF upload to GitHub Security tab
  pull-requests: write     # PR comment
  actions: read
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - name: Scan dependencies
        id: primer
        uses: barestripehq/primer-action@v1
        with:
          file: package-lock.json   # adjust to your manifest or lockfile

Commit and push to main. The scan runs immediately.

Supported files: package-lock.json, pyproject.toml, requirements.txt, Cargo.lock, go.sum, yarn.lock, pnpm-lock.yaml, uv.lock, and more. primer infers the ecosystem from the filename.

2. What happens on push

The action downloads the primer binary for the runner platform, scans every package in the lockfile against the OSV database, and streams results as queries resolve:

Scanning package-lock.json (npm) — 312 packages [lockfile] …
[1/312]  express 4.18.2        — clean
[2/312]  lodash 4.17.20        — 1 finding
[3/312]  axios 1.3.4           — clean
...
[312/312] ws 8.13.0            — clean

SARIF written to primer-results.sarif
SARIF uploaded to GitHub Security tab

On a clean scan, the job exits 0. On blocking findings (at or above threshold, default high), the job exits 1 and blocks the merge.

3. What happens on a pull request

When the workflow runs on a pull_request event, primer posts a findings summary as a comment on the PR. On a clean scan:

### primer scan — `package-lock.json`

✅ No vulnerabilities found.

On a scan with findings:

### primer scan — `package-lock.json`

| Severity | ID | Description |
|----------|----|-------------|
| 🔴 | `GHSA-jchw-25xp-jwwc` | lodash prototype pollution via zipObjectDeep |
| 🟡 | `GHSA-p6mc-m468-83gw` | lodash ReDoS via toNumber, trim and trimEnd |

> Run `primer scan --file package-lock.json` locally for full details and fix commands.

If you push another commit to the same PR, primer updates the existing comment rather than posting a new one — the PR stays clean.

4. Reading the outputs

Reference the action's outputs in downstream steps using the id you set on the primer step:

- name: Scan dependencies
  id: primer
  uses: barestripehq/primer-action@v1
  with:
    file: package-lock.json

- name: Print results
  run: |
    echo "Total findings : ${{ steps.primer.outputs.findings-count }}"
    echo "Blocking       : ${{ steps.primer.outputs.blocking-count }}"
    echo "SARIF path     : ${{ steps.primer.outputs.sarif-path }}"
OutputExample valueDescription
findings-count3Total vulnerabilities found across all packages
blocking-count1Findings at or above threshold
sarif-path/home/runner/work/…/primer-results.sarifAbsolute path to the generated SARIF file

Private repository? SARIF upload to the Security tab requires GitHub Advanced Security on private repos. If you see an "Advanced Security must be enabled" error, set upload-sarif: 'false' — the scan, exit code, and PR comment continue to work normally. See SARIF and private repositories for details.

Next steps