flexera-public/sca-codeinsight-github-actions-agent-pr-scan
# Code Insight GitHub Actions — PR Scan Demo

This repository demonstrates how to integrate Revenera Code Insight with GitHub Actions to automatically scan pull requests for open-source software (OSS) components and vulnerabilities.

When a PR is opened or updated, the workflow:

  1. Creates a fresh Code Insight project for the PR.
  2. Scans the base branch using the Generic Agent JAR.
  3. Scans the PR HEAD branch using the Generic Agent JAR.
  4. Computes the delta inventory (new / changed OSS components).
  5. Fetches vulnerability counts per component.
  6. Posts a concise summary comment directly on the PR.
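Steps 4 to 6 above (delta inventory, vulnerability tallies, summary comment) can be shown end to end in a few dozen lines. The block below is an added example written for this README, not code from the flexera-public repository or from Code Insight: the `Component` record shape, the rule that a component is "new" when its name is absent from the base inventory and "changed" when it appears at a different version, the header-icon thresholds, and the sample inventories are all assumptions or constructed data (the component names are fictional), so a real integration would first map Code Insight API responses into that shape.

```python
from collections import Counter
from dataclasses import dataclass

# Severity buckets reported in the PR comment, highest first.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")
SEVERITY_ICONS = {"Critical": "🚨", "High": "🔴", "Medium": "🟡", "Low": "🔵"}


@dataclass(frozen=True)
class Component:
    """One OSS inventory item. Field names are an assumption for this example,
    not the Code Insight API schema; map real API responses into this shape."""
    name: str
    version: str
    license: str = "Unknown"
    vulnerabilities: tuple = ()  # one severity label per vulnerability


def delta_inventory(base, head):
    """Return [(status, component)] for HEAD items that are new or changed.

    'new'     : the component name does not appear in the base inventory.
    'changed' : the name appears in base, but at a different version.
    Items present in both inventories at the same version are dropped.
    """
    base_versions = {}
    for comp in base:
        base_versions.setdefault(comp.name, set()).add(comp.version)
    delta = []
    for comp in head:
        if comp.name not in base_versions:
            delta.append(("new", comp))
        elif comp.version not in base_versions[comp.name]:
            delta.append(("changed", comp))
    return delta


def severity_counts(components):
    """Tally vulnerabilities by severity; labels outside SEVERITY_ORDER are ignored."""
    tally = Counter(
        sev for comp in components for sev in comp.vulnerabilities if sev in SEVERITY_ORDER
    )
    return {sev: tally.get(sev, 0) for sev in SEVERITY_ORDER}


def status_icon(counts):
    """Header icon: red for any Critical/High, yellow for Medium/Low only, green if clean.
    The thresholds are this example's choice, not the workflow's."""
    if counts["Critical"] or counts["High"]:
        return "🔴"
    if counts["Medium"] or counts["Low"]:
        return "🟡"
    return "🟢"


def render_summary(pr_number, delta, project_link):
    """Build the markdown comment: summary table plus a collapsible component list."""
    comps = [comp for _, comp in delta]
    counts = severity_counts(comps)
    lines = [
        f"## {status_icon(counts)} Code Insight Scan - PR #{pr_number}",
        "",
        "| | |",
        "|---|---|",
        f"| 📦 Total OSS Count | {len(comps)} |",
        f"| 🛡️ Vulnerabilities | {sum(counts.values())} |",
    ]
    lines += [f"| &nbsp;&nbsp; {SEVERITY_ICONS[s]} {s} | {counts[s]} |" for s in SEVERITY_ORDER]
    lines.append(f"| 🔗 Project Link | {project_link} |")
    lines += [
        "",
        "<details><summary>Delta components</summary>",
        "",
        "| Status | Component | Version | License | Vulns |",
        "|---|---|---|---|---|",
    ]
    lines += [
        f"| {status} | {c.name} | {c.version} | {c.license} | {len(c.vulnerabilities)} |"
        for status, c in delta
    ]
    lines += ["", "</details>"]
    return "\n".join(lines)


# Constructed sample inventories with fictional component names.
BASE_INVENTORY = [
    Component("core-lib", "2.0.0", "MIT", ("Low",)),
    Component("acme-parser", "1.1.0", "BSD-3-Clause", ("High", "Medium")),
]
HEAD_INVENTORY = [
    Component("core-lib", "2.0.0", "MIT", ("Low",)),               # unchanged: excluded
    Component("acme-parser", "1.2.0", "BSD-3-Clause", ("High",)),   # version bump: changed
    Component("widget-utils", "3.0.1", "Apache-2.0", ("Critical", "Medium", "Medium")),  # new
]

if __name__ == "__main__":
    delta = delta_inventory(BASE_INVENTORY, HEAD_INVENTORY)
    print(render_summary(5, delta, "MyRepo-PR-5-example"))
```

Only the delta components feed the counts, which is what makes the comment actionable for a reviewer: a vulnerability already present on the base branch is not attributed to the PR. If the real API reports vulnerabilities per component rather than per inventory, populate `vulnerabilities` from that lookup (step 5) before calling `render_summary`.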

## Prerequisites

The workflow runs on a self-hosted GitHub Actions runner. Before using this workflow, ensure the following are available on the runner machine:

| Requirement | Notes |
|---|---|
| Java (JRE/JDK) | Required to execute the Generic Agent JAR |
| Git | Required for cloning the repository branches |
| Python 3 | Required for the vulnerability-fetch step |
| jq | Required for JSON parsing (auto-downloaded on Windows if missing) |
| Code Insight Generic Agent JAR | Must be installed on the runner; see `CODE_INSIGHT_GENERIC_JAR` below |
| Network access to Code Insight server | The runner must be able to reach `CODE_INSIGHT_BASE_URL` |

## Setup Steps

### Step 1 — Register a self-hosted runner

  1. In your GitHub repository, go to Settings → Actions → Runners.
  2. Click New self-hosted runner and follow the instructions for your OS.
  3. Ensure the runner has all the prerequisites listed above installed.

### Step 2 — Add the required Secret

Go to Settings → Secrets and variables → Actions → Secrets and add:

| Secret Name | Description |
|---|---|
| `CODE_INSIGHT_TOKEN` | **Required.** Code Insight Bearer JWT token used to authenticate all API calls. Obtain this from your Code Insight server under Administration → Security. |

### Step 3 — Add the optional Variables

Go to Settings → Secrets and variables → Actions → Variables and add any variables you need to override. All variables have sensible defaults, but you will likely need to set at least `CODE_INSIGHT_BASE_URL` and `CODE_INSIGHT_GENERIC_JAR`.

| Variable Name | Default Value | Description |
|---|---|---|
| `CODE_INSIGHT_BASE_URL` | `http://localhost:8888/codeinsight` | Base URL of your Code Insight server (no trailing slash). Example: `http://myserver.company.com:8888/codeinsight` |
| `CODE_INSIGHT_OWNER` | `CodeInsight_2025R4` | Username of the Code Insight user who will own the created PR projects. Must exist in Code Insight. |
| `CODE_INSIGHT_SCAN_SERVER` | `LocalScanner` | Alias of the scan server registered in Code Insight. Must match the alias shown in Administration → Scan Servers. |
| `CODE_INSIGHT_FOLDER_ID` | `1` | Numeric ID of the Code Insight folder where PR projects will be created. Use `1` for the root folder, or look up the ID via the Code Insight API. |
| `CODE_INSIGHT_SCAN_PROFILE` | `Basic Scan Profile (Without CL)` | Name of the scan profile to use. Must exactly match a profile name in Code Insight. |
| `CODE_INSIGHT_GENERIC_JAR` | `E:\codeinsight-generic-3.2.5\generic-plugin-binary\codeinsight-generic-3.2.5.jar` | Absolute path to the Generic Agent JAR on the runner machine. Update this to match your actual installation path. |
| `CODE_INSIGHT_GIT_USER` | `x-access-token` | Git username used when cloning the repository inside the scan path. Usually `x-access-token` for GitHub token-based auth. |
| `CODE_INSIGHT_GIT_TOKEN` | (falls back to `GITHUB_TOKEN`) | Git token / PAT used for authenticated clone. Falls back to the built-in `GITHUB_TOKEN` if not set. Set this if your repository requires a specific PAT. |

### Step 4 — Copy the workflow file

The workflow file is already located at:

```
.github/workflows/code-insight-pr-basic-scan-agent.yml
```

No changes to the file are needed if you have set the variables above. The workflow triggers automatically on:

```yaml
on:
  pull_request:
    types: [opened, synchronize, reopened]
```

### Step 5 — Required repository permissions

The workflow requires the following GitHub Actions permissions (already configured in the workflow file):

| Permission | Level | Reason |
|---|---|---|
| `contents` | read | Clone the repository branches |
| `pull-requests` | write | Post the scan result comment on the PR |

If your organisation enforces restrictive default permissions, go to Settings → Actions → General → Workflow permissions and ensure Read and write permissions is enabled, or that the above permissions are allowed.

### Step 6 — Open a Pull Request

Once everything is configured, open a pull request against any branch in the repository. The workflow will start automatically and post a comment like this on the PR:

```markdown
## 🔴 Code Insight Scan — PR #5

|                         |                   |
|-------------------------|-------------------|
| 📦 Total OSS Count      | 12                |
| 🛡️ Vulnerabilities     | 7                 |
|    🚨 Critical          | 1                 |
|    🔴 High              | 3                 |
|    🟡 Medium            | 2                 |
|    🔵 Low               | 1                 |
| 🔗 Project Link         | MyRepo-PR-5-...   |
```

This is followed by a collapsible table listing each OSS component, its version, license, and vulnerability counts.

## Workflow Overview

```text
PR opened / updated
        │
        ▼
┌─────────────────────────────────────────────────────────┐
│  1. Create a fresh Code Insight project for this PR     │
│  2. Retrieve the server-assigned scan path              │
│  3. Clone the BASE branch into the scan path            │
│  4. Run Generic Agent JAR  →  base scan                 │
│  5. Extract base-scan job ID from agent log             │
│  6. Poll until base scan completes                      │
│  7. Checkout PR HEAD branch in the same scan path       │
│  8. Run Generic Agent JAR  →  HEAD scan                 │
│  9. Extract HEAD-scan job ID from agent log             │
│ 10. Poll until HEAD scan completes                      │
│ 11. Fetch delta inventory (new / changed components)    │
│ 12. Fetch vulnerability counts per component            │
│ 13. Post summary comment on the PR                      │
└─────────────────────────────────────────────────────────┘
```

## Troubleshooting

| Symptom | Likely Cause | Fix |
|---|---|---|
| Failed to create project | Invalid `CI_TOKEN` or wrong `CODE_INSIGHT_BASE_URL` | Verify the token is a valid JWT and the URL is reachable from the runner |
| Could not retrieve scan path | Project was created but scan server is not registered | Check `CODE_INSIGHT_SCAN_SERVER` matches the alias in Code Insight Administration |
| No log file found | Generic Agent JAR path is wrong or JAR has not run | Verify `CODE_INSIGHT_GENERIC_JAR` points to the correct absolute path on the runner |
| Could not extract jobId | Agent log format changed or scan failed immediately | Check the agent log in `<jar-dir>/logs/` manually |
| Base scan timed out | Scan is taking more than 30 minutes | Increase the `MAX=60` value (each iteration waits 30 s) or check the Code Insight server load |
| Scan comment not posted | `pull-requests: write` permission missing | Enable write permissions under Settings → Actions → General |
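The "Could not extract jobId" and "Base scan timed out" rows above correspond to the two fragile points in steps 5, 6, 9 and 10 of the overview: pulling the job ID out of the agent log, and the bounded poll loop (`MAX=60` iterations of 30 s). The block below is an added example for this README, not the repository's workflow code or a Code Insight API client. The `jobId=<number>` log line shape, the job status vocabulary (`scheduled`, `active`, `completed`, `failed`, `cancelled`) and the `get_status` callable are assumptions standing in for the real agent log and job API; the sleep function is injectable so the loop can be exercised without waiting 30 minutes.

```python
import re
import time


class ScanTimeout(Exception):
    """Raised when the scan has not reached a terminal state within the poll budget."""


class ScanFailed(Exception):
    """Raised when the server reports that the scan ended unsuccessfully."""


# Assumed status vocabulary for this example; real Code Insight job states may differ.
SUCCESS_STATES = {"completed"}
FAILURE_STATES = {"failed", "cancelled"}

# Assumed log line shape ("jobId=4711" or "jobId: 4711"); adjust to the real agent log.
JOB_ID_PATTERN = re.compile(r"\bjobId\s*[=:]\s*(\d+)")


def extract_job_id(log_text):
    """Return the first jobId found in the agent log, or None when the format is unrecognised."""
    match = JOB_ID_PATTERN.search(log_text)
    return int(match.group(1)) if match else None


def wait_for_scan(get_status, job_id, max_polls=60, interval_s=30, sleep=time.sleep):
    """Poll get_status(job_id) up to max_polls times, sleeping interval_s between polls.

    The defaults mirror the workflow's MAX=60 x 30 s budget (30 minutes). Raises
    ScanFailed on a failure state and ScanTimeout once the budget is exhausted;
    returns (final_status, polls_used) on success. No sleep follows the last poll.
    """
    for attempt in range(1, max_polls + 1):
        status = get_status(job_id)
        if status in SUCCESS_STATES:
            return status, attempt
        if status in FAILURE_STATES:
            raise ScanFailed(f"job {job_id} ended with status {status!r}")
        if attempt < max_polls:
            sleep(interval_s)
    raise ScanTimeout(f"job {job_id} still running after {max_polls * interval_s} s")


def make_fake_status(sequence):
    """Constructed stand-in for the job API: returns sequence items in order, then repeats the last."""
    calls = {"n": 0}

    def get_status(job_id):
        idx = min(calls["n"], len(sequence) - 1)
        calls["n"] += 1
        return sequence[idx]

    return get_status


if __name__ == "__main__":
    # Constructed agent log excerpt, not real Generic Agent output.
    log = "INFO Scan submitted\nINFO jobId=4711 queued on LocalScanner\n"
    job = extract_job_id(log)
    if job is None:
        raise SystemExit("Could not extract jobId; inspect the agent log manually")
    status, polls = wait_for_scan(
        make_fake_status(["scheduled", "active", "completed"]), job, sleep=lambda s: None
    )
    print(job, status, polls)  # 4711 completed 3
```

Failing fast on a terminal failure state matters as much as the timeout: without that branch a scan that errors on the server would be polled for the full 30 minutes and then reported as a timeout, which sends the operator to the wrong troubleshooting row.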

## Security Notes

- The `CODE_INSIGHT_TOKEN` is stored as a GitHub Secret and is never exposed in logs.
- The `GIT_TOKEN` / `CODE_INSIGHT_GIT_TOKEN` used for cloning is also stored as a secret.
- The workflow uses Bearer token authentication for all Code Insight API calls.
- Tokens are injected via environment variables and are not hard-coded in the workflow file.

## License

See `NOTICE.txt` for third-party license information.

## About

Revenera Code Insight automatically scans every pull request for open-source software (OSS) risk by running a two-pass scan: once against the target (base) branch and once against the incoming (PR HEAD) branch. It then computes the delta — only the OSS components that are new or changed in this PR.