Enforce security, compliance, and quality standards on AI-generated code directly in your GitHub workflows. Korext scans your codebase against policy packs and surfaces violations as GitHub Code Scanning annotations on pull requests.
Add this to .github/workflows/korext.yml:
```yaml
name: Korext Enforcement
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  enforce:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Korext/enforce-action@v1
```

That's it. Korext scans your code on every push and PR using the default `web` policy pack. For supply-chain hygiene, pin both actions to a full commit SHA instead of a mutable tag such as `@v1` once you have verified the workflow.
The action runs four steps:

- Install -- Installs the Korext CLI (v0.9.5)
- Scan -- Runs `korext enforce` against your codebase with the selected policy pack
- Report -- Generates a SARIF file and uploads it to GitHub Code Scanning
- Gate -- Fails the workflow if critical or high severity violations are found
Violations appear as annotations directly on the PR diff, powered by GitHub Code Scanning.
| Input | Description | Required | Default |
|---|---|---|---|
| `directory` | Directory to scan for policy violations | No | `.` |
| `pack` | Policy pack ID to enforce | No | `web` |
| `api-token` | Korext API token for authenticated mode | No | (anonymous) |
| `fail-on-violations` | Fail workflow on critical/high violations | No | `true` |
| `sarif-upload` | Upload SARIF to GitHub Code Scanning | No | `true` |
| Output | Description |
|---|---|
| `violations` | Total number of policy violations found |
| `sarif-file` | Path to the generated SARIF results file |
Minimal (anonymous mode, default `web` pack):

```yaml
- uses: actions/checkout@v4
- uses: Korext/enforce-action@v1
```

Authenticated mode, with the API token stored as a repository secret:

```yaml
- uses: actions/checkout@v4
- uses: Korext/enforce-action@v1
  with:
    api-token: ${{ secrets.KOREXT_API_TOKEN }}
```

A different policy pack:

```yaml
- uses: actions/checkout@v4
- uses: Korext/enforce-action@v1
  with:
    pack: owasp-top-10
```

Scan only a subdirectory:

```yaml
- uses: actions/checkout@v4
- uses: Korext/enforce-action@v1
  with:
    directory: src/
```

Report violations without failing the build:

```yaml
- uses: actions/checkout@v4
- uses: Korext/enforce-action@v1
  with:
    fail-on-violations: 'false'
```

A complete pull request workflow:

```yaml
name: Korext PR Check
on: pull_request
permissions:
  contents: read
  security-events: write
jobs:
  enforce:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Korext/enforce-action@v1
        with:
          pack: web
```

Read the violation count from the step output (the step needs an `id`):

```yaml
- uses: actions/checkout@v4
- uses: Korext/enforce-action@v1
  id: korext
  with:
    fail-on-violations: 'false'
- run: echo "Found ${{ steps.korext.outputs.violations }} violations"
```

Your workflow must include:
```yaml
permissions:
  contents: read          # Checkout repository
  security-events: write  # Upload SARIF to Code Scanning
```

Without `security-events: write`, SARIF upload will be skipped. Pull requests opened from forks run with a read-only `GITHUB_TOKEN` regardless of this block, so the upload is skipped there too; the scan and the exit-code gate do not need the permission and still run.
| Mode | Limit | How to use |
|---|---|---|
| Anonymous (no token) | 20 requests per hour per IP | Default, no setup needed |
| Authenticated | 500+ requests per period | Set api-token input |
Each workflow run consumes 1 request (one korext enforce call). Anonymous mode is sufficient for most open-source projects. For high-traffic repos with many PRs, use an API token.
When sarif-upload is true (the default), the action uploads SARIF results to GitHub Code Scanning. Violations appear as annotations on the PR diff with severity levels:
- Error -- Critical and high severity violations
- Warning -- Medium severity violations
- Note -- Low severity violations
Note: GitHub Code Scanning is free for public repositories. Private repositories require GitHub Advanced Security.
Korext scans the following file types:
.ts .tsx .js .jsx .py .go .java .rs
The scanner automatically skips node_modules, .git, dist, build, and .next directories.
| Exit Code | Meaning | Action Behavior |
|---|---|---|
| 0 | No violations, or only medium/low severity | Workflow passes |
| 1 | Critical or high severity violations found | Workflow fails (if fail-on-violations is true) |
| 2 | Errors analyzing some files | Workflow fails |
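The two tables above (severity to Code Scanning level, and exit code to workflow outcome) are easier to check against a real artifact. The following is an added example, not Korext's own code: it builds a minimal SARIF 2.1.0 log from a constructed list of findings using the documented severity mapping, then derives the exit code and the gate decision the way the action describes. The finding shape (`rule`, `severity`, `path`, `line`, `message`) is an assumption for illustration; the actual `korext enforce` output format is not documented on this page.

```python
"""Minimal SARIF 2.1.0 writer plus gate logic mirroring the action's tables.

Added example, not part of Korext. The finding dict layout below is assumed;
only the severity->level mapping and exit-code semantics come from the docs.
"""
import json

# Severity -> SARIF result level, as Code Scanning renders it on the PR diff.
LEVEL_FOR_SEVERITY = {
    "critical": "error",
    "high": "error",
    "medium": "warning",
    "low": "note",
}

# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    {"rule": "web/sql-injection", "severity": "critical",
     "path": "src/db.py", "line": 42,
     "message": "User input concatenated into SQL query"},
    {"rule": "web/missing-csrf", "severity": "medium",
     "path": "src/views.py", "line": 10,
     "message": "State-changing handler without CSRF protection"},
    {"rule": "quality/todo-comment", "severity": "low",
     "path": "src/util.py", "line": 3,
     "message": "TODO left in shipped code"},
]


def severity_to_level(severity):
    """Map a scanner severity to a SARIF level; unknown severities are an error."""
    try:
        return LEVEL_FOR_SEVERITY[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity: {severity!r}")


def build_sarif(findings, tool_name="korext", tool_version="0.9.5"):
    """Return a SARIF 2.1.0 document with one result per finding.

    Paths must be repository-relative for Code Scanning to annotate the diff.
    """
    rules = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule"], {"id": f["rule"]})
        results.append({
            "ruleId": f["rule"],
            "level": severity_to_level(f["severity"]),
            "message": {"text": f["message"]},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": f["path"]},
                    "region": {"startLine": f["line"]},
                }
            }],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def exit_code_for(findings, analysis_errors=0):
    """2 if any file failed to analyze, 1 if any error-level result, else 0."""
    if analysis_errors:
        return 2
    if any(severity_to_level(f["severity"]) == "error" for f in findings):
        return 1
    return 0


def workflow_passes(exit_code, fail_on_violations=True):
    """Gate decision: exit 2 always fails; exit 1 fails only when gating is on."""
    if exit_code == 2:
        return False
    if exit_code == 1:
        return not fail_on_violations
    return True


def write_sarif(findings, path="korext.sarif"):
    """Serialize the SARIF log to disk and return the path (the sarif-file output)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(build_sarif(findings), fh, indent=2)
    return path


if __name__ == "__main__":
    out = write_sarif(SAMPLE_FINDINGS)
    code = exit_code_for(SAMPLE_FINDINGS)
    print(f"wrote {out}; exit code {code}; passes={workflow_passes(code)}")
```

With the sample input the critical finding yields exit code 1, so the job fails unless `fail-on-violations` is `'false'`; an analysis error (exit 2) fails the job either way, which is the behaviour you want so that a broken scan cannot silently pass as "no violations".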