Home / Documentation / CI/CD Workflows

GitHub Actions CI/CD

Comprehensive CI workflows for testing, security scanning, and quality validation on every push.

📍 When These Workflows Run

CI/CD workflows execute automatically:

  • On every push to any branch
  • On every pull request
  • Can be triggered manually via GitHub UI
  • Scheduled runs (for security scans)

Why CI/CD Matters

Continuous Integration and Continuous Deployment (CI/CD) provides the final layer of defense in your development workflow:

  • Catches what pre-commit missed - Scans entire git history for secrets
  • Team-wide enforcement - All contributors must pass CI checks
  • Comprehensive scanning - Multiple security tools running in parallel
  • Automated testing - Run tests on every change before merging
  • Quality gates - Block merges that don't meet standards

Included Workflows

🔒 Security CI Workflow

File: .github/workflows/security-ci.yml

Triggers: Push, Pull Request, Manual, Schedule (daily at 2 AM)

Security Scanning Tools:

  • Gitleaks Scans entire git history for secrets
  • TruffleHog High-entropy string detection for credentials
  • Bandit Python security linter (finds vulnerabilities)
  • Semgrep SAST (Static Application Security Testing)

🚨 What Happens on Failure

If security scans find issues:

  1. Pull request is blocked - Cannot merge
  2. Red ❌ status appears on PR
  3. Detailed logs show exact issues found
  4. Fix issues and push again to re-run checks

✅ Main CI Workflow

File: .github/workflows/ci.yml

Triggers: Push, Pull Request

Quality Checks:

  • Linting Runs all configured linters (shellcheck, pylint, etc.)
  • Unit Tests Executes test suite (pytest, etc.)
  • Code Coverage Measures test coverage percentage
  • Build Verification Ensures project builds successfully

Security Scanning in Detail

Gitleaks - Git History Scanner

What it does: Scans the entire git history (not just current files) for secrets.

Example Detection:

Gitleaks found the following secrets:

Commit: abc123def456
File: config/settings.py
Secret: AWS Access Key
Line: aws_key = "AKIAIOSFODNN7EXAMPLE"

Action Required:
1. Remove secret from git history (git filter-branch or BFG)
2. Rotate the compromised credential
3. Use environment variables instead

TruffleHog - Entropy Detection

Finds high-entropy strings that are likely to be passwords, API keys, or tokens.

  • Scans commits for suspicious patterns
  • Detects base64-encoded secrets
  • Finds leaked private keys

Bandit - Python Security Linter

Analyzes Python code for common security issues:

  • SQL injection vulnerabilities
  • Use of insecure functions (eval, exec, etc.)
  • Hardcoded passwords
  • Weak cryptography
  • Path traversal vulnerabilities

Semgrep - SAST Scanner

Static analysis for multiple languages with custom rules:

  • XSS (Cross-Site Scripting) detection
  • CSRF (Cross-Site Request Forgery) checks
  • Insecure deserialization
  • Command injection vulnerabilities

Testing & Quality Validation

Automated Testing

CI runs your test suite on every change:

# Example pytest run in CI
name: Run Tests
run: |
  pytest tests/ \
    --cov=src \
    --cov-report=term \
    --cov-report=html \
    --verbose

# CI fails if:
# - Any test fails
# - Coverage drops below threshold (e.g., 80%)

Code Quality Checks

  • Formatting - Verifies code follows style guide (Black, Prettier)
  • Linting - Catches code quality issues (pylint, eslint)
  • Type Checking - Validates type hints (mypy)
  • Documentation - Ensures docstrings exist and are valid

Setup CI/CD

Quick Setup

# Clone Guardrails-AI repository
git clone https://github.com/christopherpaquin/Guardrails-AI .ai-guardrails

# Copy CI workflows
mkdir -p .github/workflows
cp .ai-guardrails/template/.github/workflows/* .github/workflows/

# Commit and push
git add .github/
git commit -m "Add CI/CD workflows"
git push origin main

# GitHub Actions automatically activates!

Verify Setup

  1. Go to your repository on GitHub
  2. Click the "Actions" tab
  3. You should see workflows listed
  4. Push a commit to trigger workflows
  5. Watch the workflows run in real-time

Understanding Workflow Status

  • 🟡 Yellow dot - Workflow is running
  • Green checkmark - All checks passed
  • Red X - One or more checks failed
  • Gray circle - Workflow skipped or pending

Customization

Enabling/Disabling Jobs

Use the management script to control which CI jobs run:

# List all workflows and jobs
./scripts/manage-ci-jobs.sh list

# Disable a specific job (if tests not ready yet)
./scripts/manage-ci-jobs.sh disable ci.yml tests

# Re-enable when ready
./scripts/manage-ci-jobs.sh enable ci.yml tests

# Show job configuration
./scripts/manage-ci-jobs.sh show security-ci.yml gitleaks

Adjusting Security Scan Sensitivity

Edit workflow files to customize scanning:

# In .github/workflows/security-ci.yml

# Gitleaks - Add exclusions
with:
  args: "--exclude-paths gitleaks.toml"

# Bandit - Change severity level
run: bandit -r src/ -ll  # Only high/medium severity

# Semgrep - Custom rules
run: semgrep --config=p/security-audit src/

Branch Protection Rules

Enforce CI checks before merging:

  1. Go to Settings → Branches
  2. Add rule for main branch
  3. Enable: "Require status checks to pass"
  4. Select required workflows:
    • ✓ Security CI
    • ✓ Main CI
  5. Save changes

Secrets Management

If your CI needs credentials (e.g., for deployments):

# Add secrets to GitHub
# Settings → Secrets → Actions → New repository secret

# Use in workflow:
env:
  API_KEY: ${{ secrets.API_KEY }}
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}

Scheduled Security Scans

Run security scans on a schedule (even without code changes):

on:
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  push:
  pull_request:

Ready to Set Up CI/CD?

Add comprehensive security scanning and testing to your repository.

View Workflow Templates