GitHub Actions Integration

Run Hardpoint in your GitHub Actions workflows to catch security issues before they reach production.

Basic Workflow

name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  hardpoint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Hardpoint
        run: |
          curl -sSL https://github.com/dotsetlabs/hardpoint/releases/latest/download/hardpoint_linux_amd64.tar.gz | tar xz
          chmod +x hardpoint
          sudo mv hardpoint /usr/local/bin/

      - name: Run Security Scan
        run: hardpoint scan --severity high

With SARIF Upload

Upload results to GitHub Code Scanning for inline annotations:
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  security-events: write
  contents: read

jobs:
  hardpoint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Hardpoint
        run: |
          curl -sSL https://github.com/dotsetlabs/hardpoint/releases/latest/download/hardpoint_linux_amd64.tar.gz | tar xz
          chmod +x hardpoint

      - name: Run Security Scan
        run: ./hardpoint scan --output sarif > results.sarif
        continue-on-error: true

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Scan Specific Directories

- name: Scan AI Configs
  run: hardpoint scan ai --path ./config

- name: Scan Project
  run: hardpoint scan --path . --exclude node_modules --exclude .git

Fail on Critical Findings

- name: Security Scan
  run: |
    hardpoint scan --severity critical
    # Exit code 1 if critical findings exist

Cache for Faster Builds

Caching the binary skips the download on every run. Note that the cache key below pins a version while the download URL resolves to the latest release, so bump the key whenever you want the cached binary refreshed:
- name: Cache Hardpoint
  uses: actions/cache@v4
  with:
    path: /usr/local/bin/hardpoint
    key: hardpoint-${{ runner.os }}-v0.1.0

- name: Install Hardpoint
  run: |
    if [ ! -f /usr/local/bin/hardpoint ]; then
      curl -sSL https://github.com/dotsetlabs/hardpoint/releases/latest/download/hardpoint_linux_amd64.tar.gz | tar xz
      chmod +x hardpoint
      sudo mv hardpoint /usr/local/bin/
    fi

Matrix Strategy

Scan multiple directories:
jobs:
  hardpoint:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        path: ['.', './apps/web', './apps/api']
    steps:
      - uses: actions/checkout@v4
      - name: Install Hardpoint
        run: |
          curl -sSL https://github.com/dotsetlabs/hardpoint/releases/latest/download/hardpoint_linux_amd64.tar.gz | tar xz
          chmod +x hardpoint
          sudo mv hardpoint /usr/local/bin/
      - name: Scan ${{ matrix.path }}
        run: hardpoint scan --path ${{ matrix.path }}

Pull Request Comments

Surface findings from the JSON output in the workflow job summary, which is linked from the pull request's checks:
- name: Scan and Comment
  run: |
    FINDINGS=$(hardpoint scan --output json | jq '.findings | length')
    if [ "$FINDINGS" -gt 0 ]; then
      echo "## Security Findings" >> "$GITHUB_STEP_SUMMARY"
      echo "Found $FINDINGS security issues" >> "$GITHUB_STEP_SUMMARY"
    fi
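The gate in "Fail on Critical Findings" and the summary step above can be combined into one small helper that reads the JSON report, writes a per-finding Markdown table to the job summary, and exits non-zero when any finding meets a severity threshold. The script below is an added example and is not part of Hardpoint or this page; it assumes only what the page shows (a top-level `findings` array) plus, as assumptions, that each finding carries `severity`, `rule`, `file` and `message` keys and that severities are the four labels `low`, `medium`, `high`, `critical`. The embedded report is constructed sample data standing in for `hardpoint scan --output json`. Findings with a severity label the script does not recognise are treated as above `critical`, so the gate fails closed rather than silently passing them.

```python
"""Gate a CI job on Hardpoint findings and write a GitHub step summary.

Added example, not Hardpoint's own code. Assumes the JSON report has a
top-level "findings" array (the page uses `.findings | length`) and that each
finding has "severity", "rule", "file" and "message" keys (assumed names).
"""
import json
import os
import sys
from collections import Counter

# Assumed severity labels, lowest to highest.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report standing in for `hardpoint scan --output json`.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"severity": "critical", "rule": "secrets/api-key",
         "file": "config/app.yaml", "message": "Hard-coded API key"},
        {"severity": "high", "rule": "ai/prompt-injection",
         "file": "config/agent.json", "message": "Untrusted input reaches system prompt"},
        {"severity": "low", "rule": "style/todo",
         "file": "src/main.py", "message": "TODO left in code"},
    ]
})


def parse_findings(report_text):
    """Return the findings list, rejecting reports without one."""
    data = json.loads(report_text)
    findings = data.get("findings")
    if not isinstance(findings, list):
        raise ValueError("report has no 'findings' array")
    return findings


def severity_rank(sev):
    # Unknown labels rank above "critical" so the gate fails closed on them.
    return SEVERITY_RANK.get(str(sev).lower(), len(SEVERITY_RANK))


def count_by_severity(findings):
    """Count findings per (lower-cased) severity label."""
    counts = Counter(str(f.get("severity", "unknown")).lower() for f in findings)
    return dict(counts)


def should_fail(findings, threshold):
    """True if any finding is at or above the threshold severity."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {threshold!r}")
    bar = SEVERITY_RANK[threshold]
    return any(severity_rank(f.get("severity", "unknown")) >= bar for f in findings)


def render_summary(findings, threshold):
    """Build the Markdown written to GITHUB_STEP_SUMMARY, worst findings first."""
    lines = ["## Security Findings", ""]
    if not findings:
        lines.append("No findings.")
        return "\n".join(lines) + "\n"
    lines.append(f"Found {len(findings)} security issue(s); gate threshold: `{threshold}`.")
    lines.append("")
    lines.append("| Severity | File | Rule | Message |")
    lines.append("|---|---|---|---|")
    ordered = sorted(findings, key=lambda f: -severity_rank(f.get("severity", "unknown")))
    for f in ordered:
        cells = [str(f.get("severity", "unknown")).lower(), str(f.get("file", "")),
                 str(f.get("rule", "")), str(f.get("message", ""))]
        # Escape pipes so a finding message cannot break the table layout.
        cells = [c.replace("|", "\\|") for c in cells]
        lines.append("| " + " | ".join(cells) + " |")
    return "\n".join(lines) + "\n"


def main(argv):
    threshold = argv[1] if len(argv) > 1 else "high"
    # Read the report from stdin when piped; fall back to the sample for a local dry run.
    report_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    findings = parse_findings(report_text)
    summary = render_summary(findings, threshold)
    summary_path = os.environ.get("GITHUB_STEP_SUMMARY")  # set by the Actions runner
    if summary_path:
        with open(summary_path, "a", encoding="utf-8") as fh:
            fh.write(summary)
    else:
        print(summary, end="")
    return 1 if should_fail(findings, threshold) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow step this replaces the jq one-liner: `hardpoint scan --output json | python3 hardpoint_gate.py high` (the file name is this example's, not Hardpoint's). The step fails on the helper's exit status, so the table is written before the job turns red, and zero findings still produce a "No findings." entry so a green run is visibly a scanned run rather than a skipped one.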