The GitHub Actions integration lets you run Pentest-Tools.com scans as part of your CI/CD pipeline.
Available on WebNetSec and Pentest Suite plans.

Benefits

  • Shift left security: catch vulnerabilities before they reach production.
  • Automated testing: run security scans automatically on every push or PR.
  • Fail conditions: fail builds when vulnerabilities exceed your threshold.
  • Flexible output: get results in text or JSON format.

Setting up GitHub Actions

1. Create an action: go to Settings > Integrations > GitHub Actions and click Create action.
2. Configure the action: set the target, scan type, output format, fail condition, and the name of the GitHub secret that will hold your Pentest-Tools API key.
3. Add your API key to GitHub Secrets: in your GitHub repository, go to Settings > Secrets and variables > Actions. Add your Pentest-Tools API key using the secret name from step 2.
4. Add to your workflow: copy the generated YAML and add it to a file in .github/workflows/.

Action configuration

| Setting | Description |
|---|---|
| Name | A descriptive name for the action |
| Target | The URL or IP to scan |
| Scan type | light or deep |
| Output format | text or json |
| Fail condition | Severity threshold to fail the build |
| Secret name | Name of the GitHub repository secret holding your Pentest-Tools API key |

Fail conditions

Configure when your pipeline should fail:

| Condition | Build fails when… |
|---|---|
| None | Never fails based on findings |
| Low | Low or higher severity found |
| Medium | Medium or higher severity found |
| High | High or higher severity found |
| Critical | Critical severity found |

Example workflow

The integration generates a YAML snippet using the pentesttoolscom/pentesttools-github-action action. Add it to a file in .github/workflows/. The action handles scan execution and output; no polling is required.

```yaml
on:
  schedule:
    - cron: '0 0 * * *'
  pull_request:

jobs:
  test_deep_scan:
    runs-on: ubuntu-latest
    name: Run a deep scan.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run scan
        uses: pentesttoolscom/pentesttools-github-action@master
        id: ptt
        with:
          target: https://your-website.com
          format: text
          fail: high
          type: deep
          key: ${{ secrets.PTT_API_KEY }}
      - name: Print result
        run: echo "${{ steps.ptt.outputs.result }}"
```

The `key` input references the GitHub repository secret you configured. Set `fail` to the severity level that should fail the build: `high` means the job fails if any high or critical findings are found.

Scan types

| Type | Description | Use case |
|---|---|---|
| Light | Fast reconnaissance scan | Quick checks, PR validation |
| Deep | Comprehensive vulnerability scan | Pre-production, scheduled scans |

Use Light scans for PR validation to keep CI times short, and schedule Deep scans for nightly or weekly runs.
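The following workflow puts that recommendation into practice. It is an added example, not the YAML generated by the integration: one job runs a Light scan on every pull request, a second job runs a Deep scan on a nightly schedule and keeps the JSON result as a build artifact. It uses only the action inputs documented on this page (`target`, `type`, `format`, `fail`, `key`); the secret name `PTT_API_KEY`, the target URL, the cron expression and the artifact name are placeholders you would replace. The scan result is passed to the shell through an environment variable rather than interpolated into the `run` script, so that quotes or shell metacharacters in a finding's description cannot alter the command.

```yaml
name: Pentest-Tools scans

on:
  pull_request:
  schedule:
    - cron: '0 2 * * *'   # nightly deep scan (placeholder schedule)

jobs:
  light_scan_on_pr:
    # Quick reconnaissance on every PR keeps CI fast; fail only on high/critical.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Run light scan
        uses: pentesttoolscom/pentesttools-github-action@master
        id: ptt
        with:
          target: https://your-website.com   # placeholder target
          type: light
          format: text
          fail: high
          key: ${{ secrets.PTT_API_KEY }}    # placeholder secret name
      - name: Print result
        env:
          RESULT: ${{ steps.ptt.outputs.result }}
        run: printf '%s\n' "$RESULT"

  deep_scan_nightly:
    # Comprehensive scan off the PR path; stricter threshold, JSON kept for review.
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - name: Run deep scan
        uses: pentesttoolscom/pentesttools-github-action@master
        id: ptt
        with:
          target: https://your-website.com   # placeholder target
          type: deep
          format: json
          fail: medium
          key: ${{ secrets.PTT_API_KEY }}    # placeholder secret name
      - name: Save JSON report
        # Always write the report, even when the scan step failed the build,
        # so reviewers can see which findings tripped the threshold.
        if: always()
        env:
          RESULT: ${{ steps.ptt.outputs.result }}
        run: printf '%s\n' "$RESULT" > scan-result.json
      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pentest-tools-scan   # placeholder artifact name
          path: scan-result.json
```

The `if: github.event_name == ...` conditions let one workflow file serve both triggers; the scheduled job never runs on PRs and vice versa.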

Output formats

Text output

Human-readable summary of findings, ideal for quick review in logs.

JSON output

Structured data for programmatic processing:

```json
{
  "scan_id": 12345,
  "target": "example.com",
  "findings": [
    {
      "title": "SQL Injection",
      "severity": "high",
      "description": "..."
    }
  ]
}
```
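The fail conditions above are a severity floor: a threshold of `high` trips on high or critical findings, `low` trips on anything, `none` never trips. The script below is an added example, not code from Pentest-Tools.com, that applies the same rule to the JSON output so you can post-process a saved report (for instance in a later workflow step, or locally on a downloaded artifact). It assumes only the JSON shape shown above (`scan_id`, `target`, `findings[].title`, `findings[].severity`); the sample report embedded in it is constructed for the example, and findings with a severity value outside low/medium/high/critical are treated as below every threshold.

```python
import json
import sys

# Severity ranking behind the fail condition: a finding at or above the
# configured threshold fails the build (e.g. "high" trips on high or critical).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report in the shape of the JSON output documented above.
SAMPLE_RESULT = json.dumps({
    "scan_id": 12345,
    "target": "example.com",
    "findings": [
        {"title": "Missing security headers", "severity": "low", "description": "..."},
        {"title": "Outdated TLS configuration", "severity": "medium", "description": "..."},
        {"title": "SQL Injection", "severity": "high", "description": "..."},
    ],
})


def findings_at_or_above(result_json: str, threshold: str) -> list:
    """Return the findings whose severity meets or exceeds the fail condition.

    `threshold` is one of none/low/medium/high/critical, the same values the
    action's `fail` input accepts. "none" returns an empty list regardless of
    the findings, mirroring "Never fails based on findings".
    """
    threshold = threshold.lower()
    if threshold == "none":
        return []
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown fail condition: {threshold!r}")
    data = json.loads(result_json)
    floor = SEVERITY_RANK[threshold]
    return [
        finding for finding in data.get("findings", [])
        # Unknown/missing severities rank 0, so they never trip a threshold.
        if SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0) >= floor
    ]


def should_fail(result_json: str, threshold: str) -> bool:
    """True when the report contains at least one finding at or above threshold."""
    return bool(findings_at_or_above(result_json, threshold))


def summarize(result_json: str, threshold: str) -> str:
    """Human-readable verdict listing the findings that tripped the threshold."""
    data = json.loads(result_json)
    hits = findings_at_or_above(result_json, threshold)
    total = len(data.get("findings", []))
    lines = [f"scan {data.get('scan_id')} of {data.get('target')}: {total} finding(s)"]
    for finding in hits:
        lines.append(f"  [{str(finding.get('severity')).upper()}] {finding.get('title')}")
    lines.append(f"fail condition '{threshold}': {'FAIL' if hits else 'PASS'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_findings.py <threshold> < scan-result.json
    # With no piped input the constructed sample report is evaluated instead.
    chosen = sys.argv[1] if len(sys.argv) > 1 else "high"
    raw = SAMPLE_RESULT if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(raw, chosen))
    sys.exit(1 if should_fail(raw, chosen) else 0)
```

Exiting non-zero when the threshold is met gives a `run` step the same fail behaviour as the action's own `fail` input, which is useful when you want to evaluate a stricter threshold on an archived report than the one that gated the build.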

Best practices

  • Store your action secret in GitHub Secrets; never commit it to your repository
  • Use fail conditions appropriate to your pipeline stage
  • Run Light scans on PRs, Deep scans on main branch
  • Review findings before merging, even if the build passes
  • Set up notifications for failed security checks

Troubleshooting

  • Verify the action secret is correct
  • Check that the action exists and is enabled
  • Review GitHub Actions logs for errors
  • Review the fail condition setting
  • Check if findings meet the threshold
  • Verify the target is accessible