Integrations / GitHub Actions
Korthex GitHub Actions Integration
Korthex ships a GitHub Actions step that scans every push and pull request for weak, broken, deprecated and quantum-vulnerable cryptography. Findings appear inline in the pull request via SARIF and GitHub Code Scanning, and the build fails above the risk threshold you configure. Runs on GitHub-hosted or self-hosted runners, fully on-premise.
How the integration works
The Actions step runs the Korthex CLI inside your workflow. The exit code gates the job: you choose the risk threshold (Critical, High, Medium or Low) above which the check fails. The SARIF output feeds GitHub Code Scanning, so findings annotate the exact changed lines in the pull request instead of living in a separate dashboard.
A scan of 50,000 to 500,000 lines of code completes in under two minutes, which keeps the gate fast enough to run on every push rather than nightly.
What a pull-request gate catches
- New MD5, SHA-1, DES, 3DES or RC4 usage introduced by a diff or a dependency bump, before it merges
- AES-ECB and CBC-without-integrity misuse in changed code
- Hardcoded keys, credentials and API tokens, in the diff and in history
- TLS configuration regressions: weakened protocol versions, suites or certificates
- New quantum-vulnerable RSA / ECC usage, bucketed against FIPS 203 / 204 / 205
- CBOM drift: the cryptographic inventory stays current on every commit
Self-hosted runners and on-premise operation
Korthex runs 100% on-premise, so the step works on self-hosted runners, including GitHub Enterprise Server environments. Source code never leaves your infrastructure; only anonymized metadata is transmitted for the optional dashboard report.
Beyond GitHub
The same gate runs everywhere: a GitLab CI template, a Jenkins pipeline snippet, and a generic CLI exit code for Azure DevOps, CircleCI, Bitbucket Pipelines, Drone and Buildkite. See the CI/CD integration overview for the full pattern.
Frequently asked questions
Does the Korthex step block merges?
The check fails when findings exceed your configured risk threshold. Combined with GitHub branch protection, a failing check blocks the merge, exactly like a failing test suite.
Do findings show up inside the pull request?
Yes. Korthex emits SARIF, which GitHub Code Scanning renders as inline annotations on the changed lines, plus a summary in the checks tab.
How long does the scan add to CI?
Typically under two minutes for 50,000 to 500,000 lines of code, across all 18 supported languages.
Does the runner need internet access?
No. The scanner runs fully on-premise, including air-gapped self-hosted runners. Only the optional dashboard report transmits anonymized metadata.
Which plan includes CI/CD templates?
CI/CD templates ship with the Extended plan and above. The Free plan includes the CLI, which any pipeline can gate on via its exit code.