
Security for apps built with AI. Paste a URL, get a report, fix what matters.

© 2026 Flowpatrol. All rights reserved.
GitHub Action

Security checks on every PR.

Add one workflow file. Every pull request gets scanned. Critical findings block the merge. Your team ships with confidence.

.github/workflows/security.yml
- uses: flowpatrol/scan-action@v1
  with:
    target-url: https://staging.myapp.com
    api-key: ${{ secrets.FLOWPATROL_API_KEY }}

Four lines. That's all it takes.

How it works

Push. Scan. Ship. Every time.

1. PR opens (triggers on push). A developer pushes code and the preview deploy goes live on Vercel, Netlify, or Railway.

2. Action scans (full DAST scan). Flowpatrol tests the live preview URL for real vulnerabilities: auth flows, access control, exposed data.

3. Results appear (inline feedback). Findings are posted as a PR comment with severity, evidence, and fixes, and SARIF is uploaded to Code Scanning.
PR Comment

Findings right where you review code.

Flowpatrol Security Scan (bot)
1 Critical · 2 High · 1 Medium · 0 Low

Critical: IDOR on /api/users/:id — any authenticated user can read other profiles
Endpoint: GET /api/users/42
CWE: CWE-639: Authorization Bypass Through User-Controlled Key
Evidence: Requested /api/users/42 while authenticated as user 7. Got 200 with full profile data.
Fix: Add an ownership check before returning user data: the authenticated user's id must match the :id route parameter, and the handler should respond 403 otherwise. Normalise types before comparing, since req.user.id is usually a number while req.params.id arrives as a string, so a bare req.user.id === req.params.id would never match and would lock everyone out.
View full report on Flowpatrol

Every finding includes the endpoint, evidence, CWE code, and a concrete fix.
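The finding above is the textbook CWE-639 pattern: the handler trusts a user-controlled key. What follows is an added example, not Flowpatrol's code or scanner output: an Express-style handler with the bug next to its hardened form, driven by a constructed user table and minimal stand-ins for req/res so it runs offline under Node without Express. The sample users, the role names and the helper names (makeReq, makeRes, reproduce) are assumptions for illustration.

```javascript
'use strict';

// Constructed sample data for the example; not from any real system.
const USERS = new Map([
  [7,  { id: 7,  email: 'seven@example.com', role: 'user',  ssn: '***-**-0007' }],
  [42, { id: 42, email: 'forty@example.com', role: 'user',  ssn: '***-**-0042' }],
  [1,  { id: 1,  email: 'admin@example.com', role: 'admin', ssn: '***-**-0001' }],
]);

// Minimal stand-ins for Express' req/res so the handlers can run offline.
// Route params are strings, exactly as Express delivers them.
function makeReq(authUser, idParam) {
  return { user: authUser, params: { id: idParam } };
}
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// VULNERABLE (CWE-639): the record is looked up by the user-controlled :id
// with no check that the caller may see it. Any authenticated user reads any
// profile by changing the number in the URL.
function getUserVulnerable(req, res) {
  const user = USERS.get(Number(req.params.id));
  if (!user) return res.status(404).json({ error: 'not found' });
  return res.json(user);
}

// FIXED: validate the key, then require that the caller owns the record or
// holds an admin role before touching the data store. The comparison is done
// on a parsed integer because req.user.id is a number and req.params.id is a
// string; a raw === between them never matches.
function getUserFixed(req, res) {
  const requestedId = Number.parseInt(req.params.id, 10);
  if (!Number.isInteger(requestedId) || requestedId <= 0) {
    return res.status(400).json({ error: 'invalid id' });
  }
  const isOwner = req.user.id === requestedId;
  const isAdmin = req.user.role === 'admin';
  if (!isOwner && !isAdmin) {
    // Deny before the lookup so the authorization decision does not depend on
    // whether the record exists.
    return res.status(403).json({ error: 'forbidden' });
  }
  const user = USERS.get(requestedId);
  if (!user) return res.status(404).json({ error: 'not found' });
  return res.json(user);
}

// Re-run the evidence line from the finding (caller 7 requests /api/users/42)
// against either handler and report the status and whether the profile came back.
function reproduce(handler, callerId, targetId) {
  const res = makeRes();
  handler(makeReq(USERS.get(callerId), String(targetId)), res);
  return { status: res.statusCode, gotProfile: !!(res.body && res.body.id === targetId) };
}

console.log('vulnerable, user 7 -> /42 :', reproduce(getUserVulnerable, 7, 42)); // { status: 200, gotProfile: true }
console.log('fixed,      user 7 -> /42 :', reproduce(getUserFixed, 7, 42));      // { status: 403, gotProfile: false }
console.log('fixed,      user 7 -> /7  :', reproduce(getUserFixed, 7, 7));       // { status: 200, gotProfile: true }
console.log('fixed,      admin  -> /42 :', reproduce(getUserFixed, 1, 42));      // { status: 200, gotProfile: true }
```

The vulnerable handler returns 200 with user 42's record to user 7, which is exactly the evidence the PR comment reports; the fixed handler returns 403 for the same request while still serving a user's own record and honouring the admin role.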

Features

Built for real
CI workflows.

Severity gating

Set fail-on: high and PRs with high or critical findings get blocked. Your team decides the threshold.

SARIF output

Findings show up in GitHub's Security tab alongside CodeQL and Dependabot. One place for everything.

Smart comments

Updates the existing PR comment on each push instead of posting a new one. No noise, always current.

Scan modes

quick checks response headers only; standard runs the full test suite; deep adds aggressive, chained attacks. Because deep actively exercises the target, point it at a disposable preview environment rather than a shared staging instance.

Credit-aware

Checks your balance before scanning. Clear error message if credits are low. No surprise failures.

Configurable timeout

Default 15 minutes. Bump it up for deep scans on larger apps. The action waits and streams progress.

Configuration

Full config. Every option documented.

.github/workflows/security.yml
name: Security Scan
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Flowpatrol Security Scan
        uses: flowpatrol/scan-action@v1
        with:
          # Required. The action does not set PREVIEW_URL itself: populate it in
          # an earlier step (for example from your deploy step's output).
          target-url: ${{ env.PREVIEW_URL }}
          api-key: ${{ secrets.FLOWPATROL_API_KEY }}

          # Scan mode: quick | standard | deep
          mode: standard

          # Block the PR if findings meet this severity
          # Options: critical | high | medium | low | none
          fail-on: high

          # Post findings as a PR comment (default: true)
          comment: true

          # Upload SARIF to GitHub Code Scanning (default: true)
          sarif: true

          # Max scan duration in minutes (default: 15)
          timeout: 15

Most teams only need target-url and api-key. Everything else has sensible defaults. Two things to check before relying on the gate: the action does not set PREVIEW_URL for you, so populate it in an earlier step or the scan will be pointed at an empty target; and GitHub does not expose repository secrets to pull_request runs triggered from forks, so on an external PR api-key will be empty and the scan cannot authenticate. If fork PRs are part of your flow, guard the step with a condition such as github.event.pull_request.head.repo.full_name == github.repository so it only runs for branches in your own repository.

Outputs

Use the results in downstream steps.

Output (type): description

scan-id (string): Unique scan identifier for the Flowpatrol dashboard
status (string): Scan result: passed, failed, or error
critical-count (number): Number of critical findings
high-count (number): Number of high findings
medium-count (number): Number of medium findings
low-count (number): Number of low findings
report-url (string): Direct link to the full report on Flowpatrol

Example: Post to Slack when a scan fails

workflow.yml
- name: Flowpatrol Scan
  id: scan
  uses: flowpatrol/scan-action@v1
  with:
    target-url: ${{ env.PREVIEW_URL }}
    api-key: ${{ secrets.FLOWPATROL_API_KEY }}

- name: Post to Slack on failure
  # always() is required: when the scan step fails the job (severity gate hit),
  # later steps are skipped by default and the alert would never fire.
  if: always() && steps.scan.outputs.status == 'failed'
  env:
    # Hand outputs to the shell through the environment instead of expanding
    # ${{ }} inside the command, so their contents are never parsed as shell.
    SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
    CRITICAL: ${{ steps.scan.outputs.critical-count }}
    HIGH: ${{ steps.scan.outputs.high-count }}
    REPORT_URL: ${{ steps.scan.outputs.report-url }}
  run: |
    payload=$(jq -cn --arg text "Security scan failed: $CRITICAL critical, $HIGH high. $REPORT_URL" '{text: $text}')
    curl -sS -X POST -H 'Content-type: application/json' --data "$payload" "$SLACK_WEBHOOK"

Add security to your CI in under a minute.

One workflow file. Every PR scanned. Your team ships faster because they ship with confidence.
