Code Scanning via GitHub Actions in 2 Minutes
Set up automated code scanning in your GitHub repository using GitHub Actions. This guide takes less than 2 minutes.
Prerequisites
- A CoreFix account — sign up with GitHub for the fastest setup.
Step 1 — Create a Pipeline and Get Your API Key
Click the link below to create a new GitHub Actions pipeline in CoreFix:
→ Create GitHub Actions Pipeline
Copy the generated API key — you'll need it in the next step.
Step 2 — Add the API Key to GitHub Secrets
- Go to your GitHub repository → Settings → Secrets and variables → Actions.
- Click New repository secret.
- Name: X_CFIX_API_KEY
- Value: paste the API key from Step 1.
- Click Add secret.
Step 3 — Add the Workflow File
Download the YAML file from the pipeline creation screen, or copy the one below. Save it as .github/workflows/cfix.yaml in your repository.
```yaml
name: CoreFix Code Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: write
  security-events: write
jobs:
  corefix-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run CoreFix Code Scanner
        run: |
          mkdir -p ${{ github.workspace }}/scan-results
          docker run --rm \
            -e X_CFIX_API_KEY=${{ secrets.X_CFIX_API_KEY }} \
            -e GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
            -v ${{ github.workspace }}:/code \
            -v ${{ github.workspace }}/scan-results:/output \
            corefixhq/cfix:latest
      - name: Upload scan results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: corefix-scan-results
          path: scan-results/
```
The workflow targets the main branch by default. Change it to any branch you want to scan.
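A variant of the same workflow, added here as an example and not CoreFix's published file: it hands the two secrets to the step through `env:` and lets `docker run -e NAME` copy them from the runner's environment, so the secret values are never written into the generated shell script. It assumes the image reads X_CFIX_API_KEY and GITHUB_TOKEN only from its environment, as in the workflow above.

```yaml
# Added example: same triggers, permissions and image as the workflow above.
name: CoreFix Code Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: write
  security-events: write
jobs:
  corefix-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run CoreFix Code Scanner
        # Secrets go into the step environment instead of being
        # template-expanded into the script text before the shell runs.
        env:
          X_CFIX_API_KEY: ${{ secrets.X_CFIX_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # GITHUB_WORKSPACE is the runner's built-in variable for the checkout path.
          mkdir -p "$GITHUB_WORKSPACE/scan-results"
          # "-e NAME" with no value passes NAME through from the environment.
          docker run --rm \
            -e X_CFIX_API_KEY \
            -e GITHUB_TOKEN \
            -v "$GITHUB_WORKSPACE:/code" \
            -v "$GITHUB_WORKSPACE/scan-results:/output" \
            corefixhq/cfix:latest
      - name: Upload scan results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: corefix-scan-results
          path: scan-results/
```

Workflows triggered by pull requests from forks do not receive repository secrets, so X_CFIX_API_KEY is empty on those runs.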
Done
Push the workflow file to your repository. CoreFix will scan your code on every push and pull request to the configured branch. Results appear in your CoreFix dashboard within a few minutes.
What's Next
- Code Scanning CI/CD — Full Reference — scanner flags, BYOK models, and other platforms
- Docker / Local CLI — run scans locally without a pipeline
- Supported Models — choose an AI model for enrichment