# Workflow Templates

Ready-to-use GitHub Actions workflows for different security automation scenarios.

## Available Templates

- Simple Scan Only - Weekly scheduled vulnerability detection
- Full Pipeline - Complete scan → validate → fix workflow
- Manual Trigger - On-demand security scans
- Scheduled Weekly Scan - Automated weekly security checks
- Pull Request Only - Scan PRs before merge
## Simple Scan Only

Perfect for getting started. Runs weekly to detect vulnerabilities without applying fixes. Creates GitHub issues for manual review.

Features:

- Runs every Sunday at 2 AM UTC
- Free - unlimited scans
- Creates issues for detected vulnerabilities
- Manual trigger option included
```yaml
name: RSOLV Security Scan

on:
  schedule:
    # Run every Sunday at 2 AM UTC
    - cron: '0 2 * * 0'
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: write
      issues: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: RSOLV Security Scan
        uses: RSOLV-dev/rsolv-action@v4
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: 'scan'
```
## Full Pipeline (Scan + Matrix Process)

The recommended approach for complete automation. Scans for vulnerabilities, then processes each issue independently using a GitHub Actions matrix strategy. Each issue gets its own job for validate and mitigate, providing isolation and clear per-issue status.

Recommended: the `scan` job detects issues and outputs their numbers; the `process` job then uses a matrix strategy to handle each issue independently.

Features:

- Two-job pattern: scan discovers issues, process handles each one
- Matrix strategy processes issues independently with isolation
- Skips the process job automatically if no issues are found
- Configurable max_issues and max-parallel settings
- Creates fix PRs automatically
- Counts against monthly validate and fix limits
```yaml
name: RSOLV Security Pipeline

on:
  push:
    branches:
      - main
  workflow_dispatch:

concurrency:
  group: rsolv-security-${{ github.ref }}
  cancel-in-progress: true

jobs:
  scan:
    name: Scan for vulnerabilities
    runs-on: ubuntu-latest
    timeout-minutes: 20
    outputs:
      pipeline_run_id: ${{ steps.rsolv.outputs.pipeline_run_id }}
      issue_numbers: ${{ steps.rsolv.outputs.issue_numbers }}
    permissions:
      contents: write
      issues: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run security scan
        id: rsolv
        uses: RSOLV-dev/RSOLV-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: 'scan'
          max_issues: '3'

  process:
    name: Process issue ${{ matrix.issue_number }}
    needs: scan
    if: needs.scan.outputs.issue_numbers != '[]'
    strategy:
      matrix:
        issue_number: ${{ fromJSON(needs.scan.outputs.issue_numbers) }}
      fail-fast: false
      max-parallel: 1
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Validate and fix issue
        uses: RSOLV-dev/RSOLV-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: 'process'
          pipeline_run_id: ${{ needs.scan.outputs.pipeline_run_id }}
          issue_number: ${{ matrix.issue_number }}
```
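The scan-to-process handoff those two jobs rely on, as an added example that is not part of RSOLV's action or of this page: a shell step that publishes `issue_numbers` and `pipeline_run_id` in the `$GITHUB_OUTPUT` format, always emitting `[]` when nothing was found so that the `if: needs.scan.outputs.issue_numbers != '[]'` guard skips `process`. The function names, the `max_issues` truncation and the constructed run id are assumptions, not the action's behaviour.

```shell
# Added example (not RSOLV's code): emulate the outputs the `scan` job must
# publish for the `process` matrix. Assumptions: the function names, that
# max_issues truncates the list, and the constructed pipeline_run_id format.
set -e

# issue_numbers_json MAX N1 N2 ...  -> prints a JSON array of at most MAX
# numbers (empty MAX = unlimited, mirroring an omitted max_issues input).
# An empty list prints "[]", never "", so the workflow's `!= '[]'` guard works.
issue_numbers_json() {
  max="$1"; shift
  out=""; count=0
  for n; do
    if [ -n "$max" ] && [ "$count" -ge "$max" ]; then break; fi
    case "$n" in
      ''|*[!0-9]*) echo "scan: non-numeric issue number '$n'" >&2; return 1 ;;
    esac
    out="${out:+$out,}$n"
    count=$((count + 1))
  done
  printf '[%s]' "$out"
}

# write_scan_outputs FILE MAX N1 N2 ...  -> appends GITHUB_OUTPUT-style
# key=value lines to FILE; in a real step FILE is "$GITHUB_OUTPUT".
write_scan_outputs() {
  file="$1"; max="$2"; shift 2
  json=$(issue_numbers_json "$max" "$@")
  printf 'pipeline_run_id=%s\n' "run-${GITHUB_RUN_ID:-local}" >> "$file"  # constructed id
  printf 'issue_numbers=%s\n' "$json" >> "$file"
}

# process_should_run JSON -> the same test the template's `if:` performs.
process_should_run() { [ "$1" != "[]" ]; }

# read_output FILE KEY -> value of KEY, as the `process` job would see it.
read_output() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Stand-alone demo with constructed issue numbers and max_issues=3.
tmp=$(mktemp)
write_scan_outputs "$tmp" 3 12 15 18 21
echo "issue_numbers=$(read_output "$tmp" issue_numbers)"   # [12,15,18]
if process_should_run "$(read_output "$tmp" issue_numbers)"; then
  echo "process job would run"
fi
rm -f "$tmp"
```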
## Manual Trigger with Options

Run security scans on-demand with customizable parameters. Choose the mode and the number of issues to process from the Actions UI.

Features:

- Choose mode: scan, validate, or mitigate
- Set the max_issues limit from the UI
- Perfect for testing and controlled processing
```yaml
name: RSOLV Manual Security Check

on:
  workflow_dispatch:
    inputs:
      mode:
        description: 'RSOLV mode to run'
        required: true
        type: choice
        default: 'scan'
        options:
          - scan
          - validate
          - mitigate
      max_issues:
        description: 'Maximum issues to process'
        required: false
        default: '5'
        type: string

jobs:
  security-check:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run RSOLV
        uses: RSOLV-dev/rsolv-action@v4
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: ${{ github.event.inputs.mode }}
          max_issues: ${{ github.event.inputs.max_issues }}
```
## Scheduled Weekly Security Scan

Automated weekly security checks with the full pipeline. Runs every Monday morning to catch new vulnerabilities.

Features:

- Runs every Monday at 9 AM UTC
- Scan + matrix process pipeline
- Processes up to 5 issues per run
- Includes a manual trigger fallback
```yaml
name: Weekly Security Maintenance

on:
  schedule:
    # Every Monday at 9 AM UTC
    - cron: '0 9 * * 1'
  workflow_dispatch:

concurrency:
  group: weekly-security
  cancel-in-progress: false

jobs:
  scan:
    name: Weekly vulnerability scan
    runs-on: ubuntu-latest
    timeout-minutes: 20
    outputs:
      pipeline_run_id: ${{ steps.rsolv.outputs.pipeline_run_id }}
      issue_numbers: ${{ steps.rsolv.outputs.issue_numbers }}
    permissions:
      contents: write
      issues: write
    steps:
      - uses: actions/checkout@v4

      - id: rsolv
        uses: RSOLV-dev/RSOLV-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: 'scan'
          max_issues: '5'

  process:
    name: Process issue ${{ matrix.issue_number }}
    needs: scan
    if: needs.scan.outputs.issue_numbers != '[]'
    strategy:
      matrix:
        issue_number: ${{ fromJSON(needs.scan.outputs.issue_numbers) }}
      fail-fast: false
      max-parallel: 1
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4

      - uses: RSOLV-dev/RSOLV-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: 'process'
          pipeline_run_id: ${{ needs.scan.outputs.pipeline_run_id }}
          issue_number: ${{ matrix.issue_number }}
```
## Pull Request Security Check

Scan pull requests for new vulnerabilities before merging. Prevents insecure code from reaching your main branch.

Features:

- Triggers when a pull request is opened, updated (synchronize) or reopened
- Scan-only mode (no automated fixes)
- Fast feedback on PR changes
- Can be used as a required status check
```yaml
name: PR Security Check

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  security-scan:
    name: Scan PR for vulnerabilities
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      - name: RSOLV Security Scan
        uses: RSOLV-dev/rsolv-action@v4
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: 'scan'

      - name: Comment on PR
        if: always()
        uses: actions/github-script@v7
        with:
          script: |
            // Post a summary comment whether or not the scan step succeeded
            const comment = `## RSOLV Security Scan Complete
            Security scan has been performed on this PR.
            Check the workflow logs and Issues tab for details.`;
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment
            });
```
## Configuration Tips

### Cron Schedule Examples

| Schedule | Cron Syntax |
|---|---|
| Every day at midnight | `0 0 * * *` |
| Every Monday at 9 AM | `0 9 * * 1` |
| First day of month | `0 0 1 * *` |
| Every 6 hours | `0 */6 * * *` |

### Recommended Timeouts

- Scan: 15-20 minutes (depends on repository size)
- Process: 25-30 minutes per issue (validate + mitigate combined)

### Max Issues Recommendations

- Testing: start with 1-2 to verify the workflow
- Production: 3-5 issues per run balances cost and coverage
- Initial cleanup: run multiple times to process all issues
- Unlimited: omit the max_issues parameter (use with caution)