Recipes / Event-driven

Security scan

Run a dependency and vulnerability scan with the `security-scan` run — gated on PRs and on a weekly schedule, no GHA minutes burned on the scan itself.

Fires on Every PR · weekly — wire it any of these ways:

  • Action recommended A ci.yml step dispatches the run — when it must interleave with other CI jobs or gate the PR.
  • Schedule pattern A Cloudflare Cron Trigger fires it on a wall-clock cadence — no GitHub event, no workflow file. (weekly full-repo scan on a cron)
Use case
Dependency / vulnerability scan, on PR and weekly
FlareDispatch shape
1 typed run + dispatch
Plain GHA shape
1 workflow · 4 jobs (per-scanner + aggregate)

Source

The recommended FlareDispatch shape is shown first. Toggle to Without FlareDispatch to see the full GitHub Actions workflow a team would maintain to do the same job without it.

Action mode — triggered by a GitHub Actions workflow that calls the shipped run.
recipes/security-scan/ci.yml
# Recipe: security / dependency scan on Cloudflare
#
# Use case: dependency and vulnerability scanning that you want on every PR
# *and* on a weekly schedule (to catch newly-disclosed CVEs in code that
# hasn't changed). Offload to the shipped `security-scan` run, which runs
# each selected scanner in its own container in parallel.
#
# Mode: Action mode, fire-and-forget. See specs/04-gha-integration.md.
# Run:  security-scan — see specs/02-runs.md#5-security-scan.

name: security-scan
on:
  pull_request:
  schedule:
    - cron: "0 6 * * 1" # every Monday 06:00 UTC

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: openhackersclub/flare-dispatch-action@v1
        with:
          run: security-scan
          endpoint: ${{ vars.FLAREDISPATCH_ENDPOINT }}
          hmac-secret: ${{ secrets.FLAREDISPATCH_HMAC }}
          inputs: |
            {
              "repo": "${{ github.repository }}",
              "sha": "${{ github.sha }}",
              "scanners": ["pnpm-audit", "trivy-fs", "gitleaks"],
              "failOn": "high"
            }

# The scheduled run uses github.sha of the default branch — the same run
# slug, no extra wiring. Findings land in the check-run summary.