GitHub Actions Security Scan Workflow Builder

Add CodeQL and npm audit scanning to your CI pipeline

Generates a GitHub Actions workflow YAML with CodeQL static analysis, an npm audit step, and an optional Snyk scan, triggered on push to main and on pull requests, with a scheduled weekly run for ongoing coverage.

What is CodeQL and why include it?

CodeQL is GitHub's static analysis engine that queries your code for security vulnerabilities like injection, path traversal, and unsafe deserialization. It runs free on public repos and on private repos with GitHub Advanced Security, and surfaces findings directly in the repo's Security tab.

The GitHub Actions Security Scan Workflow Builder generates a CI workflow that scans both your code and your dependencies on every change. It wires up CodeQL static analysis for code vulnerabilities, an npm audit step for known dependency advisories, and an optional Snyk scan, triggered on pushes to main, on pull requests, and on a weekly schedule.

How it works

You choose the CodeQL language (JavaScript/TypeScript, Python, Go, and others), an npm audit severity threshold, and whether to include the Snyk step. The builder writes a workflow with the standard CodeQL three-step pattern — init, autobuild, analyze — plus the audit and Snyk steps you enabled. It adds a schedule trigger with a weekly cron so newly disclosed advisories are caught even when the code is idle, and grants the security-events: write permission CodeQL needs to upload its findings to the repo’s Security tab.

The generated workflow

Save the output as .github/workflows/security.yml. CodeQL results appear under the repository’s Security → Code scanning tab, npm audit fails the job when an advisory at or above your chosen severity is found, and the optional Snyk step references ${{ secrets.SNYK_TOKEN }} — so your key lives in repository secrets, never in the committed file.
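A workflow in the shape described above, written here as an added illustration rather than the builder's actual output; the action version tags, the Monday cron time, the Node version and the `javascript-typescript` language value are assumptions, and the Snyk job step is the optional one you would drop if it is not enabled.

```yaml
# Added illustration of the generated workflow, not the builder's own output.
# Assumed: action version tags, cron time, Node version, CodeQL language value.
name: Security scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # weekly (Monday 06:00 UTC): catches advisories disclosed while code is idle

permissions:
  contents: read
  actions: read
  security-events: write   # without this CodeQL cannot upload findings to the Security tab

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Standard three-step pattern: init, autobuild, analyze
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript   # the language chosen in the builder
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # Exits non-zero (failing the job) only for advisories at or above the threshold
      - run: npm audit --audit-level=high
      # Optional Snyk step: the token is read from repository secrets, never committed
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

Both jobs run in parallel, so a dependency advisory and a CodeQL finding each fail or report independently on the same pull request.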

Tips and notes

  • CodeQL needs permissions. The workflow sets security-events: write; without it the analysis can’t publish findings.
  • Tune the audit threshold. Start at high to avoid noise from low-severity transitive advisories, then tighten as you clean up.
  • Add the Snyk secret. If you enable Snyk, add SNYK_TOKEN under repository Settings → Secrets, or that step will fail to authenticate.