GitHub Action

Run a Brektra scan on every Pull Request and block merge on confirmed exploits. Pro and above.

01

Create an API key

Open /settings/api-keys, click New API key, name it (e.g. github-action-prod), and select the scans:ci scope. Copy the key; it is shown only once.

02

Add the key as a repo secret

In your GitHub repo: Settings → Secrets and variables → Actions → New repository secret. Name it BREKTRA_API_KEY and paste the value.

03

Add the workflow file

Save the YAML below as .github/workflows/brektra.yml. Replace your-preview-action@v1 with whatever you already use to deploy PR previews (Vercel, Netlify, Cloudflare Pages, custom).

name: Brektra Security
on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - name: Deploy preview
        id: preview
        uses: your-preview-action@v1
        # outputs.url should be the PR preview URL

      - name: Brektra scan
        uses: MSaiRam10/brektra-action@v1
        with:
          api_key: ${{ secrets.BREKTRA_API_KEY }}
          target_url: ${{ steps.preview.outputs.url }}
          surfaces: "ai,web,api"
          mode: "safe"
          fail_on_severity: "high"

04

Require the check to merge

In your repo: Settings → Branches → Branch protection rules → edit the rule for your default branch → enable Require status checks to pass → add Brektra Security as a required check. Now Brektra blocks merge on any finding at or above fail_on_severity.

Inputs

Input             Required / default    Description
api_key           Required              Brektra API key with scans:ci scope.
target_url        Required              URL of the PR preview to scan.
surfaces          Default ai,web,api    Comma-separated. ai, web, api, cloud, hosts.
mode              Default safe          safe or aggressive. Aggressive needs per-domain enablement.
fail_on_severity  Default high          Build fails if any finding meets or exceeds this severity.
timeout_minutes   Default 10            Hard timeout. Action fails if the scan does not finish in this window.

What you get

  • A scan against your PR preview every time the PR opens or new commits land.
  • A PR comment with severity-sorted findings, OWASP tags, proof excerpts, and deep links to the exact exploit step.
  • The check fails when any finding meets your fail_on_severity. With branch protection, that blocks merge.
  • After a fix is merged, Brektra automatically re-tests the patched preview and updates the PR with a "patch holds" or "patch bypassed" comment.

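The two rules above that decide the check outcome, "meets or exceeds fail_on_severity" and fail-fast on the 402 ci_not_available response, are small enough to show end to end. The script below is an added illustration written for this page, not code from the Brektra action or its API. The severity ordering (info < low < medium < high < critical), the JSON field names, and the sample responses are all constructed assumptions; only the gate semantics and the 402 error code come from the text.

```python
import json

# Severity ordering, lowest to highest. This is an assumption for the example;
# the page does not list the levels the action uses.
SEVERITY_ORDER = ("info", "low", "medium", "high", "critical")

# Constructed sample scan response, not real Brektra output. The field names
# (status, findings, id, title, severity, owasp) are assumptions.
SAMPLE_SCAN = json.dumps({
    "status": "completed",
    "findings": [
        {"id": "F-1", "title": "Reflected XSS in search parameter",
         "severity": "medium", "owasp": "A03:2021"},
        {"id": "F-2", "title": "Admin endpoint reachable without authentication",
         "severity": "critical", "owasp": "A01:2021"},
        {"id": "F-3", "title": "Verbose server version header",
         "severity": "info", "owasp": "A05:2021"},
        {"id": "F-4", "title": "Prompt injection changes tool-call arguments",
         "severity": "high", "owasp": "LLM01"},
    ],
})

# Constructed 402 response for an account below the Pro plan (placeholder URL).
SAMPLE_402 = json.dumps({"status": 402, "error": "ci_not_available",
                         "upgrade_url": "https://example.com/plans"})


class CiNotAvailable(Exception):
    """The API refused CI scanning for this plan (HTTP 402 ci_not_available)."""


def severity_rank(severity):
    """Position of a severity label in SEVERITY_ORDER. Unknown labels rank
    above every known one, so a new or misspelled level fails closed."""
    try:
        return SEVERITY_ORDER.index(severity.lower())
    except ValueError:
        return len(SEVERITY_ORDER)


def parse_scan_response(raw_json):
    """Parse the response; raise CiNotAvailable on 402, otherwise return the
    findings sorted from most to least severe (the order the PR comment uses)."""
    data = json.loads(raw_json)
    if data.get("status") == 402 and data.get("error") == "ci_not_available":
        raise CiNotAvailable(
            f"CI scanning is Pro and above; see {data.get('upgrade_url', '(no link)')}")
    findings = data.get("findings", [])
    return sorted(findings, key=lambda f: severity_rank(f["severity"]), reverse=True)


def blocking_findings(findings, fail_on_severity):
    """Findings that meet or exceed fail_on_severity, the documented gate rule.
    The threshold itself must be a known label; a typo there must not pass silently."""
    if fail_on_severity.lower() not in SEVERITY_ORDER:
        raise ValueError(f"unknown fail_on_severity: {fail_on_severity!r}")
    threshold = severity_rank(fail_on_severity)
    return [f for f in findings if severity_rank(f["severity"]) >= threshold]


def render_pr_comment(findings, fail_on_severity):
    """Severity-sorted markdown comment with OWASP tags, marking the findings
    that fail the check."""
    blocking_ids = {f["id"] for f in blocking_findings(findings, fail_on_severity)}
    lines = [f"## Brektra scan ({len(findings)} findings, gate: {fail_on_severity})", ""]
    for f in findings:
        flag = " **blocks merge**" if f["id"] in blocking_ids else ""
        lines.append(f"- `{f['severity'].upper()}` {f['title']} [{f['owasp']}]{flag}")
    verdict = "FAILED" if blocking_ids else "passed"
    lines += ["", f"Check {verdict}: {len(blocking_ids)} finding(s) at or above {fail_on_severity}."]
    return "\n".join(lines)


def evaluate(raw_json, fail_on_severity="high"):
    """Decide the check outcome. Returns (exit_code, comment): 0 lets the check
    pass, 1 fails it, which blocks merge once the check is required."""
    try:
        findings = parse_scan_response(raw_json)
    except CiNotAvailable as exc:
        return 1, f"Brektra: {exc}"  # fail fast; no scan ran
    blocking = blocking_findings(findings, fail_on_severity)
    return (1 if blocking else 0), render_pr_comment(findings, fail_on_severity)


if __name__ == "__main__":
    code, comment = evaluate(SAMPLE_SCAN, "high")
    print(comment)
    print("exit code:", code)
```

With the sample data and the default gate of high, two findings (critical and high) block the check; raising the gate to critical leaves one, and a scan with only low or medium findings passes. Unknown severity labels in the response are treated as blocking rather than ignored, which is the conservative choice for a merge gate.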
Pinning

  • MSaiRam10/brektra-action@v1: moving pointer. Picks up patch and minor releases automatically.
  • MSaiRam10/brektra-action@v1.0.0: immutable. Pin this if you need bit-for-bit reproducibility.

Plan requirement

CI scanning is on Pro and above. Free and Starter accounts get a 402 ci_not_available from the API and the action fails fast with an upgrade link.