GITHUB ACTION
Security checks in every PR.
Add the CQwerty Shield GitHub Action to your workflow and automatically check SSL, headers, DMARC, and SPF on every pull request. Fail builds when your security score drops below your threshold.
Quick start

1. Create `.github/workflows/security.yml` in your repository.
2. Paste the workflow below and replace `example.com` with your domain.
3. Push to your repository. The action runs on every PR and weekly on a schedule.
Minimal usage

```yaml
- uses: cqwerty-shield/security-check@v1
  with:
    domain: your-domain.com
```

Full workflow with PR comment

```yaml
name: Security Check
on:
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1' # every Monday at 06:00 UTC

# The comment step needs write access to pull requests; everything else stays read-only.
permissions:
  contents: read
  pull-requests: write

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: cqwerty-shield/security-check@v1
        id: scan
        with:
          domain: example.com
          threshold: 70
      - name: Comment on PR
        if: always() && github.event_name == 'pull_request'
        uses: actions/github-script@v7
        # Hand the scan outputs to the script through environment variables rather than
        # interpolating ${{ }} expressions into the JavaScript source, so their contents
        # are always treated as data and never parsed as code.
        env:
          GRADE: ${{ steps.scan.outputs.grade }}
          SCORE: ${{ steps.scan.outputs.score }}
          SSL_GRADE: ${{ steps.scan.outputs.ssl-grade }}
          ISSUES: ${{ steps.scan.outputs.issues }}
          REPORT_URL: ${{ steps.scan.outputs.report-url }}
        with:
          script: |
            const { GRADE, SCORE, SSL_GRADE, ISSUES, REPORT_URL } = process.env;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `## Security Check: ${GRADE}\n\nScore: ${SCORE}/100 | SSL: ${SSL_GRADE} | Issues: ${ISSUES}\n\n[Full report](${REPORT_URL})`
            })
```

Inputs
| Input | Required | Default | Description |
|---|---|---|---|
| domain | Yes | - | Domain to scan (e.g., example.com) |
| threshold | No | 70 | Minimum passing score (0-100). Build fails if score is below this. |
| fail-on-error | No | false | Whether to fail the workflow if the scan API is unreachable. |
Outputs
| Output | Description |
|---|---|
| steps.scan.outputs.score | Overall security score (0-100) |
| steps.scan.outputs.grade | Security grade (A+ to F) |
| steps.scan.outputs.ssl-grade | SSL certificate grade |
| steps.scan.outputs.issues | Number of issues found |
| steps.scan.outputs.report-url | URL to the full report on CQwerty Shield |
Example job summary

The action writes a markdown summary to the GitHub Actions job summary. Here is what it looks like:

CQwerty Shield Security Check

| Check | Result |
|---|---|
| Score | 83/100 (Grade: A) |
| SSL | A+ (TLSv1.3) |
| Headers | B (62/100) |
| DMARC | True |
| SPF | True |
| Issues | 1 |

View full report →
How it works

1. The action calls the free CQwerty Shield API to check SSL, HTTP headers, DMARC, and SPF for your domain. The scan is an outbound call from the runner, so the runner needs network access to the API; with the default `fail-on-error: false`, an unreachable API does not fail the build.
2. Results are combined into a composite security score (40% SSL, 30% headers, 30% email authentication).
3. A markdown summary is written to the GitHub Actions job summary for easy review.
4. If the score is below your threshold, the build fails with a clear error message.
Best practices

- Start with a low threshold. Set `threshold: 50` initially, then raise it as you fix issues.
- Run on a schedule. Security configuration (certificates, response headers, DNS records) can change outside of code deploys, so a weekly cron catches regressions early. On the scheduled run, consider `fail-on-error: true` so an unreachable API surfaces as a failure instead of a silent pass.
- Post results to PRs. Use the full workflow example above to leave a comment with the score on every pull request. The comment step needs `pull-requests: write` on the GITHUB_TOKEN; on pull requests opened from forks the token is read-only, so the comment step fails there even though the scan itself still runs.
- Use outputs in later steps. Reference `steps.scan.outputs.score` to gate deployments or trigger alerts. Outputs are strings, so convert with `fromJSON()` before a numeric comparison.
- Pin the action. `@v1` follows a moving tag; if your policy requires immutable action references, pin to a full commit SHA instead.
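The following workflow is an added example, not part of this page or the action's own documentation, showing the last two practices together: the scan job re-exports the action's `score` and `grade` outputs as job outputs, a `deploy` job runs only when the score clears a gate, and an `alert` job runs when it does not. The `deploy` and `alert` job names, the gate value of 80, and the echo commands are assumptions; the inputs and outputs used are the ones listed on this page. It also assumes the action may leave `score` unset when it fails the threshold, which the `|| '0'` fallback covers.

```yaml
name: Security Gate

on:
  pull_request:
    branches: [main]

permissions:
  contents: read

jobs:
  security:
    runs-on: ubuntu-latest
    # Re-export the step outputs as job outputs so downstream jobs can read them.
    outputs:
      score: ${{ steps.scan.outputs.score }}
      grade: ${{ steps.scan.outputs.grade }}
    steps:
      - uses: cqwerty-shield/security-check@v1
        id: scan
        with:
          domain: example.com
          threshold: 70        # the action fails this job below 70
          fail-on-error: true  # an unreachable scan API must not look like a pass

  deploy:
    needs: security          # skipped automatically if the security job failed
    runs-on: ubuntu-latest
    # Outputs are strings; fromJSON() turns "83" into 83 before the comparison.
    if: fromJSON(needs.security.outputs.score) >= 80
    env:
      GRADE: ${{ needs.security.outputs.grade }}
    steps:
      - run: echo "Deploying; security grade is $GRADE"  # placeholder deploy step (assumption)

  alert:
    needs: security
    runs-on: ubuntu-latest
    # always() lets this run even when the security job failed on the threshold.
    if: always() && fromJSON(needs.security.outputs.score || '0') < 80
    env:
      SCORE: ${{ needs.security.outputs.score }}
    steps:
      - run: echo "::warning::Security score '$SCORE' is below the deploy gate of 80"
```

The gate value lives in the `deploy` job rather than in `threshold`, so the PR still fails hard below 70 while scores between 70 and 79 pass the check but do not deploy; values are passed to `run` steps through `env` rather than interpolated into the shell line for the same reason as in the PR comment step.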