GitHub Actions

Use the official Rorix GitHub Action to scan your .NET dependencies as part of your CI/CD pipeline.

  1. Run one scan locally or from the dashboard so you understand the current baseline
  2. Create a .rorix.yml policy that reflects what should actually block a build
  3. Start with advisory scans if the team is still calibrating noise
  4. Turn on policy gating once the baseline looks right

Basic Usage

```yaml
name: Security Scan
on: [push, pull_request]

jobs:
  rorix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Rorix Scan
        uses: rorix-security/rorix-action@v1
        with:
          api-key: ${{ secrets.RORIX_API_KEY }}
```

With Policy Enforcement

```yaml
name: Security Scan
on: [push, pull_request]

jobs:
  rorix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Rorix Policy Check
        uses: rorix-security/rorix-action@v1
        with:
          api-key: ${{ secrets.RORIX_API_KEY }}
          command: scan
          policy-file: .rorix.yml
```

This is the recommended default for teams that have already reviewed their first scan and want pull requests to fail on policy violations.

SARIF Upload to GitHub Security Tab

```yaml
name: Security Scan
on: [push, pull_request]

jobs:
  rorix:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Rorix Scan
        uses: rorix-security/rorix-action@v1
        id: rorix
        with:
          api-key: ${{ secrets.RORIX_API_KEY }}
          format: sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.rorix.outputs.sarif-file }}
```
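
The following workflow is an added example, not part of the official action's documentation: it combines the rollout steps above (advisory phase, then policy gating) with the SARIF upload, so findings still reach the Security tab on the run where the gate fails the build. It assumes that the action fails its step on a policy violation, that `policy-file` and `format: sarif` can be used together, and that the `sarif-file` and `exit-code` outputs are set before the step fails.

```yaml
name: Security Scan
on: [push, pull_request]

jobs:
  rorix:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by upload-sarif
    steps:
      - uses: actions/checkout@v4

      - name: Rorix Policy Check
        uses: rorix-security/rorix-action@v1
        id: rorix
        # Advisory phase (rollout step 3): report violations but never block.
        # Delete this line to turn on policy gating (rollout step 4).
        continue-on-error: true
        with:
          api-key: ${{ secrets.RORIX_API_KEY }}
          command: scan
          policy-file: .rorix.yml
          format: sarif   # assumption: usable together with policy-file

      - name: Upload SARIF
        # always() runs this even when the scan step failed the gate;
        # the second condition skips it if no SARIF file was produced.
        if: always() && steps.rorix.outputs.sarif-file != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.rorix.outputs.sarif-file }}

      - name: Record scan result
        if: always()
        # 0 = clean, 1 = issues found (exit-code output documented below)
        run: echo "Rorix exit code: ${{ steps.rorix.outputs.exit-code }}" >> "$GITHUB_STEP_SUMMARY"
```

While `continue-on-error: true` is set, the job stays green and the exit code in the step summary is the only signal; once it is removed, a policy violation fails the pull request check and the upload step still runs because of `always()`.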

Inputs

| Input | Required | Default | Description |
| --- | --- | --- | --- |
| api-key | Yes | — | Your Rorix API key (use a repository secret) |
| command | No | scan | Command to run: scan or sbom |
| format | No | table | Output format: table, json, or sarif |
| policy-file | No | — | Path to a .rorix.yml policy file |
| path | No | . | Path to the project or solution file |

Outputs

| Output | Description |
| --- | --- |
| sarif-file | Path to the generated SARIF file (when format is sarif) |
| exit-code | Exit code from the scan (0 = clean, 1 = issues found) |

Setting Up the API Key

  1. Go to your Rorix dashboard and create an API key
  2. In your GitHub repository, go to Settings, then Secrets and variables, then Actions
  3. Click New repository secret
  4. Name it RORIX_API_KEY and paste your key