GitHub Actions
Integrate netbobr firewall rule analysis into GitHub Actions workflows. The CLI exit codes map directly to workflow pass/fail status, and SARIF output integrates with GitHub Code Scanning.
Basic Analysis
A minimal workflow that fails on high or critical findings:

```yaml
name: netbobr Firewall Analysis
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npx @netbobr/cli analyze firewall-rules.json --fail-on high
```

The --fail-on high flag means medium findings pass (exit 0) while high or critical findings fail the workflow (exit 2 or 3).
SARIF Upload to Code Scanning
Upload findings to the GitHub Security tab so they appear as Code Scanning alerts alongside your code:

```yaml
name: netbobr Firewall Analysis
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Run netbobr analysis
        run: npx @netbobr/cli analyze firewall-rules.json --output sarif > results.sarif
        continue-on-error: true
      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
        if: always()
```

Using continue-on-error: true ensures the SARIF file is uploaded even when findings are detected. The if: always() on the upload step guarantees it runs regardless of the analysis exit code.

Findings appear in Security > Code Scanning alerts on your repository.
With Configuration
Load a browser-exported netbobr session to apply custom rules, zone definitions, and risk score weights:

```yaml
      - name: Run netbobr analysis
        run: npx @netbobr/cli analyze rules.json --config netbobr-config.json --fail-on medium
```

Export your configuration from the netbobr web app using Session Control > Save and commit the JSON file to your repository.
Cloud Format Analysis
Analyze cloud provider security groups directly. This example fetches AWS Security Groups and analyzes them:

```yaml
      - name: Export security groups
        run: aws ec2 describe-security-groups > sgs.json
      - name: Analyze security groups
        run: npx @netbobr/cli analyze sgs.json --cloud-format aws-sg --output sarif > results.sarif
      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
        if: always()
```

Supported cloud formats: aws-sg, azure-nsg, gcp-fw, tf-plan, k8s-netpol, or auto for automatic detection.
PDF Report as Artifact
Generate a PDF compliance report and upload it as a build artifact:

```yaml
      - name: Generate PDF report
        run: npx @netbobr/cli analyze rules.json --output pdf --output-file report.pdf
      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: report.pdf
```

The PDF report is downloadable from the workflow run's Artifacts section.
Exit Code Reference
| Exit Code | Severity | Meaning |
|---|---|---|
| 0 | Low / None | All flows are low risk or clean |
| 1 | Medium | At least one medium-severity finding |
| 2 | High | At least one high-severity finding |
| 3 | Critical | At least one critical-severity finding |
Use --fail-on <severity> to control the threshold. Values below the threshold are treated as passing (exit 0).
| Example | Behavior |
|---|---|
| --fail-on critical | Only fail on critical findings |
| --fail-on high | Fail on high or critical |
| --fail-on medium | Fail on medium, high, or critical |
| --fail-on low | Fail on any finding |
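The SARIF workflow above relies on continue-on-error: true, so the job succeeds even when the CLI exits 2 or 3, and the exit code is gone by the time the upload step has run. The POSIX shell script below is an added example, not part of the netbobr CLI or its documentation: it reproduces the --fail-on threshold from the Exit Code Reference table so a workflow can upload the SARIF file first and then fail the job on the exit code captured earlier. The script name gate.sh, the step id analyze and the output name rc are assumptions; the exit-code-to-severity mapping is the one in the table.

```shell
#!/bin/sh
# Added example (not netbobr's own code). Re-implements the --fail-on
# threshold so a workflow can upload results first and still fail later.
# Exit code mapping (from the Exit Code Reference): 0 low/none, 1 medium,
# 2 high, 3 critical. Anything above 3 is assumed to be a tool failure.

# Map a severity name to the exit code the CLI uses for it.
severity_rank() {
    case "$1" in
        low)      echo 0 ;;
        medium)   echo 1 ;;
        high)     echo 2 ;;
        critical) echo 3 ;;
        *)        echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# effective_exit_code CLI_EXIT THRESHOLD
# Prints the exit code the gating step should finish with: CLI_EXIT when
# the finding severity reaches THRESHOLD, otherwise 0, matching "values
# below the threshold are treated as passing (exit 0)".
effective_exit_code() {
    cli_exit=$1
    threshold_rank=$(severity_rank "$2") || return 1
    if [ "$cli_exit" -gt 3 ]; then
        # Not a finding code (crash, bad input, missing file): pass it
        # through unchanged so a broken run never looks like a clean one.
        echo "$cli_exit"
    elif [ "$cli_exit" -ne 0 ] && [ "$cli_exit" -ge "$threshold_rank" ]; then
        echo "$cli_exit"
    else
        echo 0
    fi
}

# Assumed wiring in a workflow (gate.sh committed to the repository):
#   - id: analyze
#     run: |
#       set +e
#       npx @netbobr/cli analyze rules.json --output sarif > results.sarif
#       echo "rc=$?" >> "$GITHUB_OUTPUT"
#   - uses: github/codeql-action/upload-sarif@v3
#     with:
#       sarif_file: results.sarif
#     if: always()
#   - run: sh gate.sh "${{ steps.analyze.outputs.rc }}" high
#
# When invoked with two arguments, exit with the effective code.
if [ $# -eq 2 ]; then
    exit "$(effective_exit_code "$1" "$2")"
fi
```

The first step runs with set +e so the job does not stop at the CLI exit code, writes that code to $GITHUB_OUTPUT, and the upload step runs unconditionally; the final step then fails the job exactly as --fail-on high would have, but only after the alerts are already in Code Scanning. Codes above 3 are passed through untouched so that an analysis that never ran cannot be mistaken for a clean result.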