Dependency Security Scanning in GitHub Actions
Add automatic CVE scanning to your GitHub Actions pipeline. Catch vulnerable dependencies on every push before they reach production.
Option 1 — OSV Scanner (recommended)
Google's OSV Scanner uses the same database as PackageFix. Works for all 7 ecosystems.
```yaml
name: Dependency Security Scan
on: [push, pull_request]
jobs:
  osv-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google/osv-scanner-action@v2
        with:
          scan-args: |-
            --lockfile=package-lock.json
```
Option 2 — npm audit (npm projects)
```yaml
name: npm Security Scan
on: [push, pull_request]
jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - run: npm audit --audit-level=high
```
Option 3 — pip-audit (Python projects)
```yaml
name: Python Security Scan
on: [push, pull_request]
jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pip install pip-audit
      - run: pip-audit -r requirements.txt --fail-on critical
```
Option 4 — bundle-audit (Ruby projects)
```yaml
name: Ruby Security Scan
on: [push, pull_request]
jobs:
  bundle-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.3'
          bundler-cache: true
      - run: gem install bundler-audit
      - run: bundle audit check --update
```
Get this YAML from PackageFix: After scanning your manifest, the "Add to CI/CD" action card generates the exact workflow for your detected ecosystem. Copy it directly.
Paste your manifest and get back a fixed version with all CVEs patched in seconds. No signup, no CLI, no GitHub; PackageFix runs 100% in your browser.
Frequently Asked Questions
Does PackageFix have a GitHub Actions integration?
PackageFix is a browser tool for manual scans. For automated CI scanning, use OSV Scanner (Google's open-source CLI) or the ecosystem audit tools (npm audit, pip-audit). PackageFix generates the GitHub Actions workflow YAML you can copy directly from the results page.
How do I block a deploy if critical CVEs are found?
Use --audit-level=critical in npm audit or --fail-on=critical in pip-audit. When findings at that level are present, the GitHub Actions job exits non-zero, fails, and blocks the deploy. See the workflows above.
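The answer above relies on one job failing and a later job refusing to run. The following workflow is an added example (not from the original page or from PackageFix) that shows the full gate: the audit job runs first, and the deploy job declares `needs: npm-audit`, so GitHub Actions skips it whenever the audit fails. The deploy command `./scripts/deploy.sh` is a placeholder assumption; substitute your own.

```yaml
# .github/workflows/scan-then-deploy.yml (added example; deploy step is a placeholder)
name: Scan then deploy
on:
  push:
    branches: [main]

jobs:
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      # npm audit exits non-zero when a vulnerability at or above the given
      # level exists, which marks this job as failed.
      - run: npm audit --audit-level=critical

  deploy:
    # 'needs' makes this job wait for npm-audit and skip it if that job failed,
    # so a critical finding blocks the deploy without any extra scripting.
    needs: npm-audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Placeholder deploy command (assumption): replace with your real deploy step.
      - run: ./scripts/deploy.sh
```

Because `needs` only runs the dependent job on success by default, no `if:` condition is required; if you want the deploy to run even when the scan fails (for example, to deploy to a staging environment), you would have to add `if: always()` explicitly, which is exactly the behaviour this gate is meant to avoid.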
Can I use PackageFix in CI without a browser?
PackageFix requires a browser. For headless CI scanning, use OSV Scanner: google/osv-scanner-action@v2. It uses the same OSV database as PackageFix.
How do I get a fixed manifest automatically in CI?
Use Renovate or Dependabot — they open PRs with fixed versions automatically. PackageFix is for manual one-off scans. Use both: PackageFix for immediate checks, Renovate for automated maintenance.
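As an added example (not part of the original page or of PackageFix), here is a minimal Dependabot configuration that has Dependabot open version-update pull requests for the npm, pip, and GitHub Actions ecosystems on a weekly schedule. The directory `/` assumes the manifests live at the repository root; adjust it for monorepos. Dependabot security updates (PRs that fix known-vulnerable versions) are switched on separately in the repository's security settings and do not need this file, but version updates do.

```yaml
# .github/dependabot.yml (added example; paths and schedule are assumptions)
version: 2
updates:
  # Keep npm dependencies in package.json / package-lock.json current.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

  # Keep Python dependencies in requirements.txt current.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  # Also bump the action versions (actions/checkout@v4 etc.) used by the
  # scanning workflows themselves, so the scanners do not go stale.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Pairing this with the scan workflows earlier on the page gives both halves: the scanner fails the build when a vulnerable version is present, and Dependabot supplies the pull request that moves to a fixed version.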