CI/CD Instructions and Setup
Wire AuditAgent into a GitHub Actions workflow so a CI scan runs on every pull request, with findings posted back on the PR. The workflow triggers on PR open, push to the PR branch, reopen, and merge. The dashboard generates the YAML for you; the steps below cover the one-time setup.
Before you start
A few things should be ready.
- A plan that supports CI integration. See Subscription Plans for the per-plan breakdown.
- Admin access to the target GitHub repository, so you can add the workflow file and a repository secret.
- An API key from your AuditAgent dashboard. Step 1 walks through it.
- Contract files in Solidity (.sol), Cairo (.cairo), or Rust (Solana) in that repository.
GitHub Actions integration
1. Set up an API key
- Open your profile by clicking on your user icon.
- Select the API Keys tab.
- Click Generate Key.
- Save the key for the next steps.

2. Open the GitHub Action setup
Navigate to the GitHub Action tab.

3. Select the repository to scan
- Choose your GitHub organization.
- Select the repository you want to scan.
- Pick the branch containing your code.
- Select the language of your smart contracts (Solidity, Cairo, or Rust for Solana).
- Select the specific contract files to be scanned.

4. Add the API key to GitHub
- Go to your GitHub repository.
- Navigate to Settings, then Secrets and variables, then Actions.
- Create a new secret named AUDIT_AGENT_TOKEN with your API key.
5. Configure the CI workflow
- Select the target branch to monitor.
- Start an indexing scan. If AuditAgent already has an index for that branch, this step is optional and the screen shows the current index state.
- You do not have to wait for the indexing to finish. Continue to the next step and leave the page once setup is done.
- Copy the generated YAML file and add it to your repository's .github/workflows/ directory.

You can edit the generated YAML to add or remove files from contractFiles. Each entry must be a literal path relative to the repo root. Globs and wildcards are not expanded. The dashboard's file picker is the easiest way to keep the list correct.
'contractFiles': ['src/Token.sol', 'src/Vault.sol']
The same path convention works for Solidity (.sol), Cairo (.cairo), and Rust source files for Solana.
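A pre-commit check for the contractFiles rule above, written as an added example rather than anything shipped with AuditAgent: it assumes the list has already been read out of the workflow YAML and that a checkout of the repository is available, and it rejects glob entries (which the scanner would copy literally), absolute or escaping paths, unsupported extensions, and paths that do not exist. The `demo` function builds a constructed sample checkout in a temporary directory so the script runs offline.

```python
from pathlib import Path, PurePosixPath
import tempfile

# Source types the CI scan accepts, per this page: Solidity, Cairo, Rust (Solana).
SUPPORTED_EXTENSIONS = {".sol", ".cairo", ".rs"}
GLOB_CHARS = set("*?[]{}")


def validate_contract_files(entries, repo_root):
    """Return (entry, problem) pairs for contractFiles entries that the CI scan
    would not resolve; an empty list means every entry is a literal,
    repo-relative path to an existing supported source file."""
    root = Path(repo_root)
    problems = []
    for entry in entries:
        rel = PurePosixPath(entry) if isinstance(entry, str) else None
        if not entry or rel is None:
            problems.append((entry, "entry must be a non-empty string"))
        elif any(ch in GLOB_CHARS for ch in entry):
            # Globs are copied into the scan list literally, never expanded.
            problems.append((entry, "glob/wildcard characters are not expanded"))
        elif "\\" in entry or rel.is_absolute():
            problems.append((entry, "path must be relative, using forward slashes"))
        elif ".." in rel.parts:
            problems.append((entry, "path must not leave the repository root"))
        elif rel.suffix not in SUPPORTED_EXTENSIONS:
            problems.append((entry, "unsupported file type"))
        elif not root.joinpath(*rel.parts).is_file():
            problems.append((entry, "file not found in the checkout"))
    return problems


def demo():
    """Validate a constructed sample list against a throwaway checkout and
    return {entry: problem} for the rejected entries only."""
    with tempfile.TemporaryDirectory() as repo:
        for rel in ("src/Token.sol", "src/Vault.sol", "programs/vault/src/lib.rs"):
            path = Path(repo, rel)  # constructed placeholder files
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text("// constructed placeholder\n")
        entries = [
            "src/Token.sol", "src/Vault.sol", "programs/vault/src/lib.rs",  # valid
            "src/*.sol",            # glob: copied literally, never expanded
            "/src/Token.sol",       # absolute path
            "../other/Token.sol",   # escapes the repository root
            "README.md",            # not a supported contract source
            "src/Missing.sol",      # literal path, but no such file
        ]
        return dict(validate_contract_files(entries, repo))
```

Run it against the real checkout by passing the parsed contractFiles list and the repository root to `validate_contract_files`; an empty result means the list is safe to commit.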
Once the indexing scan finishes, AuditAgent runs on every pull request event (open, push to branch, reopen, merge), identifies potential vulnerabilities, and posts findings directly in the GitHub workflow.
CI scans are a streamlined version of the Developer and Auditor scans tuned for fast turnaround. They do not run the same depth of analysis. Use a full Developer or Auditor scan from the dashboard for release-grade review.
For pricing, see Scan Pricing.