CI/CD
Drop Decoy Scan into your pipeline and fail builds on policy violations before they reach main.
GitHub Actions
The official action is published on the Marketplace:
```yaml
- uses: decoy-run/decoy-scan@v1
```

It runs the same scanner as the local CLI, writes a job summary, and uploads SARIF to the GitHub Security tab.
Inputs

| Input | Default | Purpose |
|---|---|---|
| `policy` | `no-critical,no-poisoning` | Comma-separated policy rules |
| `sarif` | `true` | Upload SARIF to GitHub Security |
| `report` | `false` | Upload results to your Guard dashboard |
| `token` | (none) | Decoy API token (or set the `DECOY_TOKEN` secret) |
| `config` | `.mcp.json` | Path to the MCP config to scan |
| `verbose` | `false` | Include low-risk tools in the output |
Policy rules

`policy` takes a comma-separated list of rules. The step fails if any rule is violated:

- `no-critical`: fail on any critical finding
- `no-high`: fail on any high finding
- `no-poisoning`: fail on any tool-poisoning hit
- `no-toxic-flows`: fail on a toxic data flow between tools
- `no-secrets`: fail on any credential exposure
- `require-tripwires`: fail if no Decoy Tripwires are installed
- `max-critical=N` / `max-high=N`: fail above N findings of that severity
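A complete workflow around the step, as an added example rather than the project's own documentation: it runs on pull requests and on pushes to `main`, grants the token only what the SARIF upload needs, and switches to the stricter rule set for `main` with a single expression instead of two jobs. Assumed details: the MCP config lives at the default `.mcp.json`, and a `DECOY_TOKEN` repository secret exists.

```yaml
# Added example, not from the Decoy Scan docs. Assumes .mcp.json at the
# repository root and a DECOY_TOKEN secret.
name: decoy-scan

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: uploading SARIF to the Security tab requires
# security-events: write; nothing else here needs more than contents: read.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Everyday gate for pull requests, stricter gate for main. The
      # `cond && a || b` form is the GitHub expression idiom for a
      # conditional between two non-empty strings.
      - uses: decoy-run/decoy-scan@v1
        with:
          policy: ${{ github.ref == 'refs/heads/main' && 'no-critical,no-high,no-poisoning,no-secrets' || 'no-critical,no-poisoning' }}
          report: true
          token: ${{ secrets.DECOY_TOKEN }}
```

Two caveats worth knowing before relying on this gate. Secrets are not exposed to `pull_request` runs from forked repositories, so `report: true` cannot reach the dashboard on fork PRs; the policy check and SARIF upload still run, which is the part that blocks a merge. And for supply-chain hygiene, pin the action to a full commit SHA rather than the floating `@v1` tag once you have reviewed the release you want, so an upstream tag move cannot silently change what runs against your MCP config.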
Example: a stricter gate for main:

```yaml
- uses: decoy-run/decoy-scan@v1
  with:
    policy: no-critical,no-high,no-poisoning,no-secrets
    report: true
    token: ${{ secrets.DECOY_TOKEN }}
```

Other CI providers
The CLI runs anywhere Node 18+ runs:

```shell
npx -y decoy-scan@latest --sarif > decoy.sarif
```

First-class examples for GitLab CI, CircleCI, and Buildkite are coming.