Comprehensive security scanning examples with SAST (CodeQL), dependency scanning, container vulnerability detection (Trivy), and SARIF upload to GitHub Security tab.
Provides copy-paste ready GitHub Actions workflows that integrate SAST (CodeQL), dependency scanning, and container vulnerability detection (Trivy) with SARIF upload to GitHub Security tab. Use when you need comprehensive security scanning pipelines that block merges on critical findings with minimal permissions.
/plugin marketplace add adaptive-enforcement-lab/claude-skills
/plugin install secure@ael-skills
This skill inherits all available tools. When active, it can use any tool Claude has access to.
Files: reference.md, scripts/example-1.yaml
Copy-paste ready security scanning workflow templates with comprehensive coverage. Each example demonstrates SAST with CodeQL, dependency vulnerability detection, container image scanning with Trivy, and SARIF upload to the GitHub Security tab for centralized visibility.
Complete Security Patterns
These workflows integrate all security scanning patterns: SHA-pinned actions, minimal GITHUB_TOKEN permissions (security-events: write for SARIF upload), automated scanning on every PR and push, SARIF result aggregation in the GitHub Security tab, and security gates that block merges on critical findings.
See the full implementation guide in the source documentation.
Every security scanning workflow in this guide implements these controls:
security-events: write scoped to scanning jobs only
See reference.md for complete documentation.
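As an added illustration of the patterns listed above (SHA-pinned actions, job-scoped security-events: write, scanning on push and PR, SARIF upload, and a critical-finding gate), here is one complete workflow. It is example code written for this page, not the skill's own scripts/example-1.yaml. It assumes a Dockerfile at the repository root, a JavaScript code base for CodeQL, and that each <pinned-commit-sha> placeholder is replaced with the full commit SHA of the action version you have vetted (the trailing version comment is there so Dependabot can keep the pin current).

```yaml
# Added example (not the skill's own scripts/example-1.yaml). Assumptions: a Dockerfile at the
# repository root, a JavaScript code base, and <pinned-commit-sha> replaced with the full
# commit SHA of the action version you vet.
name: security-scan

on:
  push:
    branches: [main]
  pull_request:

# Workflow default: a read-only token. Each job opts in to exactly what it needs.
permissions:
  contents: read

jobs:
  codeql:
    name: SAST (CodeQL)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # only scanning jobs get this; needed to upload SARIF
    steps:
      - uses: actions/checkout@<pinned-commit-sha> # v4
      - uses: github/codeql-action/init@<pinned-commit-sha> # v3
        with:
          languages: javascript   # assumption: adjust to the repository's languages
      - uses: github/codeql-action/analyze@<pinned-commit-sha> # v3
        with:
          category: codeql        # keeps CodeQL results separate from Trivy's in the Security tab

  dependency-review:
    name: Dependency scanning
    if: github.event_name == 'pull_request'   # the action diffs the PR's dependency manifests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<pinned-commit-sha> # v4
      - uses: actions/dependency-review-action@<pinned-commit-sha> # v4
        with:
          fail-on-severity: critical   # the merge gate: fail the check on critical advisories

  container:
    name: Container scan (Trivy)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@<pinned-commit-sha> # v4
      - name: Build image (assumption: Dockerfile at repository root)
        run: docker build -t local/app:${{ github.sha }} .
      - name: Scan image
        uses: aquasecurity/trivy-action@<pinned-commit-sha>
        with:
          image-ref: local/app:${{ github.sha }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'             # non-zero exit fails the job while findings remain
      - name: Upload SARIF
        if: always()                 # upload even when the scan step failed the gate
        uses: github/codeql-action/upload-sarif@<pinned-commit-sha> # v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy-image
```

Two points a practitioner should check before relying on this as a gate. First, the Trivy and dependency-review jobs fail their own check on critical findings, but CodeQL's analyze step does not fail on alerts by itself; blocking on CodeQL results comes from the repository's code scanning settings and from branch protection that requires all three checks to pass. Second, `if: always()` on the SARIF upload is what keeps the Security tab populated when the gate trips; without it, a failing scan would block the merge but leave no centralized record of why.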