
Connect APVISO with GitHub

Version Control

Create GitHub issues from pentest findings and trigger APVISO scans from GitHub Actions. Secure your code at every push.

Why connect APVISO with GitHub?

CI/CD Security Gates

Run APVISO scans as part of your GitHub Actions pipeline and fail builds when Critical or High vulnerabilities are discovered in staging environments.

Automated Issue Creation

Convert pentest findings into GitHub Issues with labels, assignees, and milestone associations so vulnerability remediation fits into your development workflow.

Pull Request Security Checks

Trigger targeted scans when pull requests are opened against specific branches, catching security regressions before they are merged.

Repository-Aware Routing

Link APVISO targets to specific GitHub repositories so findings are automatically filed in the correct repo's issue tracker.

Setup Guide

1. Install the APVISO GitHub App

Install the APVISO GitHub App on your organization or specific repositories. The app requires permissions to create issues, add check runs, and read repository metadata.

2. Link Repositories to APVISO Targets

In the APVISO dashboard, link each target (domain/IP) to its corresponding GitHub repository. This tells APVISO where to file issues when findings are discovered for that target.

3. Configure GitHub Actions Workflow

Add the APVISO GitHub Action to your CI/CD pipeline. Set your APVISO API key as a repository secret and configure the action to run on your desired triggers (push, PR, schedule).

4. Set Security Gate Thresholds

Define which severity levels should cause the GitHub check to fail. For example, fail on Critical and High, warn on Medium, and pass on Low.

Features

  • GitHub Actions integration for CI/CD security testing
  • Auto-create GitHub Issues from pentest findings with labels and assignees
  • PR-triggered scans with status check reporting
  • Severity-based build gates (fail, warn, or pass)
  • Repository-to-target mapping for multi-repo organizations
  • Security findings as GitHub Check Run annotations
  • Scheduled scan workflows via GitHub Actions cron triggers

How APVISO Integrates with GitHub

APVISO's GitHub integration embeds autonomous penetration testing directly into your development lifecycle. By connecting APVISO to your GitHub repositories, you can trigger scans from CI/CD pipelines, gate pull request merges on security checks, and automatically file vulnerabilities as GitHub Issues in the correct repository.

GitHub Actions: Security in Your Pipeline

The core of the integration is the apviso/scan-action GitHub Action. Add it to any workflow file to run security scans as part of your CI/CD pipeline.

The action accepts your APVISO API key (stored as a GitHub secret), the target URL to scan, a scan profile (quick, standard, or comprehensive), and a severity threshold that determines whether the check passes or fails. When the scan completes, the action reports results as a GitHub Check Run with annotations pointing to the specific findings.

For pull request workflows, this means developers see security results directly in the PR interface — a green check when the scan passes, or a red check with finding summaries when Critical or High vulnerabilities are discovered. This creates a natural security gate that prevents vulnerable code from reaching production.

Automated Issue Creation with Context

When APVISO discovers vulnerabilities, it can automatically create GitHub Issues in the linked repository. Each issue includes:

  • A descriptive title with the vulnerability type and severity
  • Detailed reproduction steps from APVISO's reporter agent
  • Labels for severity (security-critical, security-high, etc.) and vulnerability type (xss, sqli, auth)
  • The affected endpoint URL and HTTP method
  • Remediation guidance tailored to the specific vulnerability
  • A link to the full finding in the APVISO dashboard with exploitation evidence

Issues are automatically deduplicated — if the same vulnerability is found in a subsequent scan, APVISO adds a comment to the existing issue rather than creating a duplicate.

Repository-to-Target Mapping

Organizations with many repositories and targets need findings to land in the right place. APVISO's repository mapping lets you associate each target domain or IP with one or more GitHub repositories. When a finding is discovered for api.example.com, the issue is created in the example/api-server repository. When a finding affects app.example.com, it goes to example/web-frontend.

This mapping also works in reverse — you can configure which repository's workflow should trigger scans for which target, enabling a clean separation of concerns in monorepo and multi-repo architectures.

PR Preview Deployment Scanning

One of the most powerful patterns with the GitHub integration is scanning PR preview deployments. If your CI pipeline deploys each PR to a preview URL (e.g., pr-123.preview.example.com), you can pass that dynamic URL to the APVISO action. This means every pull request is security-tested against its actual running deployment, catching vulnerabilities introduced by that specific set of changes.

Combined with severity-based build gates, this creates a robust pre-merge security check. Critical and High vulnerabilities block the merge, while Medium and Low findings are filed as issues for the team to address in a future sprint.

Scheduled Security Scans

Not every scan needs to be triggered by a code change. Use GitHub Actions' cron schedule to run comprehensive APVISO scans on a regular cadence — nightly, weekly, or after each release. These scheduled scans can use the comprehensive scan profile that tests a broader range of vulnerability categories and takes more time than the quick profile used in PR checks.

The results of scheduled scans are reported as GitHub Check Runs on the default branch, and any new findings are filed as issues with a scheduled-scan label to distinguish them from CI-triggered findings.
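The following workflow ties together the three patterns described above (the apviso/scan-action step with a severity gate, scanning a PR preview deployment, and a nightly comprehensive scan on a cron schedule). It is an added example, not the project's own documented workflow: the action's input names (api-key, target, profile, fail-on), its version tag, and the preview and staging hostnames are assumptions to check against the action's README.

```yaml
name: APVISO security scan

on:
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'   # nightly at 02:00 UTC, runs on the default branch

# Least-privilege token: the action needs to create check runs and
# (optionally) comment on the PR; nothing else.
permissions:
  contents: read
  checks: write
  pull-requests: write

# A newer push to the same PR cancels the running scan, so a stale
# preview deployment never produces the check that gates the merge.
concurrency:
  group: apviso-${{ github.event.pull_request.number || 'scheduled' }}
  cancel-in-progress: true

jobs:
  apviso-scan:
    runs-on: ubuntu-latest
    # Repository secrets are not exposed to pull_request runs from forks,
    # so PR scans are limited to branches of this repository.
    if: github.event_name == 'schedule' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - name: Run APVISO scan
        uses: apviso/scan-action@v1                # version tag assumed
        with:
          api-key: ${{ secrets.APVISO_API_KEY }}   # repository secret, never a literal
          # PR runs scan that PR's preview deployment; the nightly run scans
          # the long-lived staging host (both hostnames are assumptions).
          target: >-
            ${{ github.event_name == 'pull_request'
                && format('https://pr-{0}.preview.example.com', github.event.pull_request.number)
                || 'https://staging.example.com' }}
          # Quick profile keeps PR checks short; the nightly run uses the
          # broader, slower comprehensive profile.
          profile: ${{ github.event_name == 'schedule' && 'comprehensive' || 'quick' }}
          # Severity gate: Critical and High fail the check; Medium and Low
          # are filed as issues but do not block the merge.
          fail-on: high
```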

Security Dashboard via Check Runs

Every APVISO scan creates a GitHub Check Run with a detailed summary. Over time, this builds a security history for your repository that you can review directly in GitHub's interface. Each check run shows the scan timestamp, duration, target, total findings by severity, and direct links to the APVISO report. This gives engineering managers and security leads a way to track security posture trends without leaving GitHub.

Frequently Asked Questions

How long does a CI/CD scan take?

Scan duration depends on the target complexity. For CI/CD pipelines, we recommend using APVISO's quick scan mode which focuses on critical vulnerability categories and typically completes in 10-20 minutes. Full scans can be scheduled separately.

Can I scan staging environments deployed from PRs?

Yes. The APVISO GitHub Action can accept a dynamic target URL, so you can point it at your PR preview deployment. The target must have ownership verification completed for its base domain.

Will the integration expose vulnerability details in PR comments?

By default, APVISO reports findings through GitHub Check Runs with summary information. Full exploitation details are only available in the APVISO dashboard, linked from the check run. You can optionally enable PR comments with redacted finding summaries.

Does the GitHub Action work with GitHub Enterprise?

Yes. The APVISO GitHub App and Action support both GitHub.com and GitHub Enterprise Server. For Enterprise Server, your instance must be reachable from APVISO, or you can use the self-hosted runner approach.

Connect APVISO with GitHub today

Set up the GitHub integration in minutes and start routing security findings to your team.
