Add AI-powered security scanning to your CI/CD pipeline in 3 lines.
📚 Documentation: Quick Start | Deployment Guide | Examples
- uses: actions/checkout@v4
- uses: cloudshipai/station-action@v1
with:
agent: infrastructure-securityThat's it! Your infrastructure will be scanned for security vulnerabilities.
- 🤖 6 Specialized AI Agents - Infrastructure, PR Review, Supply Chain, Deployment Gates, Security Advisor, Metrics
- 🛠️ 97+ Security Tools - Checkov, TFLint, Semgrep, Syft, Trivy, and many more
- 🧠 AI-Powered Analysis - Not just tool output, actual intelligent insights and prioritization
- 📊 Automatic PR Comments - Get security findings directly in your pull requests
- 🔧 Fully Customizable - Override tasks, agents, and workflows as needed
Scans Terraform, Kubernetes, and Docker configurations for misconfigurations, secrets, and compliance violations.
Use when:
- You have IaC files (Terraform, K8s manifests, Dockerfiles)
- You want to check for infrastructure misconfigurations
- You need compliance validation (CIS, NIST, etc.)
Analyzes pull request code changes for security vulnerabilities, focusing on diffs and new code.
Use when:
- Reviewing pull requests
- You want automated security code review
- You need to catch secrets, SQL injection, XSS, etc.
Generates SBOMs and scans dependencies for known vulnerabilities and malicious packages.
Use when:
- You have package dependencies (npm, pip, go.mod, etc.)
- You need SBOM generation
- You want to track dependency vulnerabilities
Pre-deployment validation with compliance attestation and blocking capabilities.
Use when:
- Before deploying to production
- You need security sign-off for deployments
- You want compliance attestation
Proactive security recommendations and modernization suggestions.
Use when:
- You want to improve security posture
- You need guidance on security best practices
- You're doing security hardening
Periodic security metrics aggregation with KPI tracking and executive reporting.
Use when:
- You need security dashboards
- You want trend analysis
- You're generating compliance reports
name: Security Scan
on: [pull_request, push]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cloudshipai/station-action@v1
with:
agent: infrastructure-security
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}name: PR Security Check
on: pull_request
jobs:
security-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cloudshipai/station-action@v1
with:
agent: pr-security
comment_pr: true
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}name: Comprehensive Security
on: [pull_request]
jobs:
infrastructure:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cloudshipai/station-action@v1
with:
agent: infrastructure-security
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
supply-chain:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cloudshipai/station-action@v1
with:
agent: supply-chain
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}- uses: cloudshipai/station-action@v1
with:
agent: infrastructure-security
task: "Focus only on AWS security groups and check for overly permissive ingress rules"
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}- uses: cloudshipai/station-action@v1
with:
agent: deployment-gate
fail_on_critical: true # Will fail the workflow if critical issues found
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}- uses: cloudshipai/station-action@v1
with:
agent: all # Runs Infrastructure, PR Review, and Supply Chain agents
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}- uses: cloudshipai/station-action@v1
with:
agent: infrastructure-security
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
STN_CLOUDSHIP_KEY: ${{ secrets.CLOUDSHIP_KEY }} # Optional: for telemetry and monitoring| Input | Description | Required | Default |
|---|---|---|---|
agent |
Agent to run (infrastructure-security, pr-security, supply-chain, deployment-gate, security-advisor, security-metrics, or all) | No | infrastructure-security |
task |
Custom task description to override default agent behavior | No | Agent-specific default |
openai_api_key |
OpenAI API key (can also use OPENAI_API_KEY env var) | No | From env var |
cloudship_key |
CloudShip AI registration key for telemetry and monitoring (can also use STN_CLOUDSHIP_KEY env var) | No | From env var |
comment_pr |
Post results as PR comment (true/false) | No | true |
fail_on_critical |
Fail workflow if critical issues found (true/false) | No | false |
docker_image |
Override default CloudShip security image | No | ghcr.io/cloudshipai/station-security:latest |
| Output | Description |
|---|---|
exit_code |
Exit code from security scan (0 = clean, non-zero = issues found) |
Go to your repository Settings → Secrets and variables → Actions → New repository secret
- Name:
OPENAI_API_KEY - Value: Your OpenAI API key
Create .github/workflows/security.yml:
name: CloudShip Security
on: [pull_request, push]
jobs:
security-scan:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # Required for PR comments
steps:
- uses: actions/checkout@v4
- uses: cloudshipai/station-action@v1
with:
agent: infrastructure-security
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}Commit the workflow file and create a PR to see it in action!
- Checkout: Your code is checked out to the runner
- Agent Selection: Based on your input, the appropriate agent is selected
- Docker Execution: The CloudShip Station container runs with:
- Your workspace mounted at
/workspace - Docker socket for container scanning (privileged mode)
- OpenAI API key for AI analysis
- Your workspace mounted at
- Analysis: The agent:
- Syncs MCP tools (97+ security tools)
- Runs relevant security scanners
- AI analyzes and prioritizes findings
- Generates actionable recommendations
- Results:
- PR comment with summary (if enabled)
- Detailed logs in workflow run
- Optional workflow failure on critical issues
- ✅ Multi-tool orchestration (97 tools vs 1-2 per scanner)
- ✅ AI-powered analysis (prioritization and context, not just rule matching)
- ✅ Single integration (one action vs 5-10 different scanners)
- ✅ Natural language customization (describe what you want, no config files)
- ✅ More coverage (IaC, containers, code, dependencies all in one)
- ✅ Customizable agents (not locked into predefined rules)
- ✅ AI analysis (intelligent insights, not just CVE lists)
- ✅ One action for everything (vs 10+ different actions)
- ✅ Consistent interface (same inputs/outputs for all agents)
- ✅ AI-powered (actual intelligence, not just tool wrappers)
The action itself is free and open source.
You'll need:
- ✅ OpenAI API key (pay-as-you-go, typically $0.10-$0.50 per scan)
- ✅ GitHub Actions minutes (free tier: 2,000 min/month for private repos)
- GitHub App (zero-config installation)
- Custom bundle support (bring your own agents)
- GitLab CI adapter
- CircleCI orb
- Dagger module
- Self-hosted option (no API key required)
- 📖 Documentation: https://docs.cloudshipai.com
- 💬 Discord: https://discord.gg/cloudshipai
- 🐛 Issues: https://github.com/cloudshipai/station-action/issues
- 📧 Email: support@cloudshipai.com
MIT License - see LICENSE for details.
Contributions welcome! See CONTRIBUTING.md for guidelines.
Built with ❤️ by the CloudShip AI team
Add AI-powered security scanning to your pipeline in 3 lines:
- uses: cloudshipai/station-action@v1
with:
agent: infrastructure-security