Run Pentrova pentests from GitHub Actions to gate a release on the presence of unfixed Critical or High findings. Pentrova ships a workflow template that calls the public REST API; copy it into .github/workflows/security-scan.yml and supply your API key and target URL through repository secrets.
What you configure once
- In your Pentrova workspace, go to Settings → API Keys and create an API key with permission to start pentests.
- Add the following secrets to your GitHub repository:
  - PENTROVA_API_KEY — the key from step 1.
  - PENTROVA_URL — your Pentrova workspace URL (for the SaaS launch this is the hosted control plane).
  - STAGING_URL — the URL the pentest should run against.
- Copy ci-templates/github-actions.yml from the Pentrova samples into your repository at .github/workflows/security-scan.yml.
What the workflow does
On every pull request and push to main / develop, the workflow makes a POST to the Pentrova REST API to create a pentest, polls for completion, downloads the per-finding evidence bundles, and fails the build when any unfixed Critical or High finding is reported. The full template is the source of truth for the exact API calls; this guide is the framing.
Authenticated pentests
For authenticated pentests, add these additional secrets:
- SCAN_LOGIN_URL — the login page URL.
- SCAN_USERNAME — a test-account username.
- SCAN_PASSWORD — the test-account password.
The workflow then runs the pentest in AUTH_LLM_LOGIN mode so the LLM-driven login agent can sign in and exercise the authenticated surface.
Failure behaviour
The build fails when any new unfixed Critical or High finding lands on the candidate branch. Adjust the gate by changing the severity check at the bottom of the workflow file.
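The polling loop and the severity gate described above, written out as an added example. This is not Pentrova's template and not its API: the finding fields ("id", "severity", "status" with the value "fixed" marking a remediated finding), the status strings returned while polling, and the sample findings are all assumptions made for the illustration. The poll helper takes the status-fetching call as an argument so it can be exercised offline; in the real workflow that argument would wrap the GET against the pentest status endpoint whose exact path comes from the template.

```python
"""Release gate for pentest findings (added example, not Pentrova's own code).

Assumed (not from the Pentrova docs): each finding is a JSON object with
"id", "severity" and "status"; a status of "fixed" means the finding no
longer blocks the release. Status strings returned by the poll are assumed too.
"""
import json
import sys
import time

KNOWN_SEVERITIES = ("critical", "high", "medium", "low", "info")
BLOCKING_SEVERITIES = frozenset({"critical", "high"})
TERMINAL_STATES = frozenset({"completed", "failed", "cancelled"})

# Constructed sample payload in the assumed shape; not real Pentrova output.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "Critical", "status": "open"},
    {"id": "F-2", "severity": "High", "status": "fixed"},     # remediated: ignored
    {"id": "F-3", "severity": "Medium", "status": "open"},    # below the gate
    {"id": "F-4", "severity": "high", "status": "open"},      # case differs, still blocks
]


def is_unfixed(finding):
    """A finding counts as unfixed unless its status is exactly 'fixed'."""
    return str(finding.get("status", "")).lower() != "fixed"


def blocking_findings(findings, blocking=BLOCKING_SEVERITIES, fail_closed=True):
    """Return the findings that must fail the build.

    Severity matching is case-insensitive. With fail_closed=True a finding
    whose severity is missing or unrecognised also blocks, so a malformed
    report cannot silently pass the gate.
    """
    out = []
    for finding in findings:
        if not is_unfixed(finding):
            continue
        severity = str(finding.get("severity", "")).lower()
        if severity in blocking or (fail_closed and severity not in KNOWN_SEVERITIES):
            out.append(finding)
    return out


def gate_exit_code(findings, **kwargs):
    """1 when the build must fail, 0 when the release may proceed."""
    return 1 if blocking_findings(findings, **kwargs) else 0


def poll_until_complete(fetch_status, interval_s=30, timeout_s=3600,
                        sleep=time.sleep, clock=time.monotonic):
    """Call fetch_status() until it reports a terminal state or the deadline passes.

    sleep and clock are injectable so the loop is testable without waiting.
    Raises TimeoutError rather than returning, so a hung engagement fails the job.
    """
    deadline = clock() + timeout_s
    while True:
        status = str(fetch_status()).lower()
        if status in TERMINAL_STATES:
            return status
        if clock() >= deadline:
            raise TimeoutError("pentest did not finish within %ss" % timeout_s)
        sleep(interval_s)


def main(argv):
    """Usage: python gate.py findings.json  (exit 1 on blocking findings)."""
    with open(argv[1], encoding="utf-8") as fh:
        findings = json.load(fh)
    blocking = blocking_findings(findings)
    for finding in blocking:
        print("BLOCKING %s (%s, %s)" % (
            finding.get("id"), finding.get("severity"), finding.get("status")))
    print("%d blocking finding(s)" % len(blocking))
    return gate_exit_code(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To change what gates the release, pass a different severity set to blocking_findings (for example adding "medium"); the fail_closed default means a report with an unexpected severity label fails the build rather than being treated as clean, which is the safer default for a gate that reviewers rely on.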
Artefact upload
The workflow uploads the engagement summary and per-finding evidence URLs as a workflow artefact so reviewers can download and replay findings locally without opening the Pentrova console.