Audit Every Pull Request
A drop-in workflow that detects changed Solidity files, runs the full WalletGuard audit on each one, posts findings as PR review comments, writes a step summary, outputs SARIF for the Security tab, and fails the build when the severity threshold is hit.
What It Does
- Detects changed `.sol` files in the pull request using the GitHub API.
- Submits each file to the source-direct audit API and polls for results (cached audits return instantly).
- Posts a PR review with per-finding severity, description, and fix recommendations. Requests changes when findings exceed the threshold.
- Writes a severity-grouped step summary with scores and direct links to hosted reports.
- Outputs SARIF results for upload to the GitHub Security tab via `github/codeql-action/upload-sarif`.
- Exits non-zero when any finding meets or exceeds the `threshold` severity (unless `fail-on-findings` is false).
Installation
Drop this file at `.github/workflows/walletguard.yml` and set a `WALLETGUARD_API_KEY` secret in your repository.

```yaml
name: WalletGuard Audit
on:
  pull_request:
    paths:
      - '**/*.sol'
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: CryptoKupo/walletguard-audit@v1
        with:
          api-key: ${{ secrets.WALLETGUARD_API_KEY }}
```

The `fetch-depth: 0` on checkout is required so the action can diff against the base branch.
Inputs
| Input | Default | Description |
|---|---|---|
| `api-key` | (required) | Your WalletGuard API key (`wg_live_...`). Create one at /settings. Store as a repository secret; never commit it. |
| `threshold` | `high` | Minimum severity that fails the check. One of `critical`, `high`, `medium`, `low`, or `info`. Setting it to `medium` fails on any critical, high, or medium finding. Lower-severity findings still appear in the PR review and step summary. |
| `fail-on-findings` | `true` | Whether to fail the check when findings at or above the threshold are found. Set to `false` to report findings without blocking the merge. |
| `api-url` | `https://walletguard.ai` | Base URL for the WalletGuard API. Override only for staging environments or enterprise self-hosted deployments. |
| `github-token` | `${{ github.token }}` | GitHub token used for PR file detection and posting review comments. The default token works for most repos. Override only if you need cross-repo permissions. |
| `sarif-file` | `walletguard-results.sarif` | Path to write SARIF results. Upload with `github/codeql-action/upload-sarif@v3` to populate the Security tab. |
Severity Thresholds
The threshold input is inclusive: setting it to high will fail the check on any critical or high finding. Set fail-on-findings to false to report without failing.
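The following workflow combines the threshold setting described above with the SARIF upload mentioned under "What It Does". It is an example added to this page, not a workflow shipped by the action's authors. Two details are assumptions drawn from how GitHub Actions behaves rather than from this page: `github/codeql-action/upload-sarif` needs the `security-events: write` permission to write to the Security tab, and because the audit step exits non-zero when the threshold is hit, the upload step must carry `if: always()` or it is skipped on exactly the runs you most want recorded.

```yaml
name: WalletGuard Audit (with Security tab upload)
on:
  pull_request:
    paths:
      - '**/*.sol'
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      security-events: write   # assumed requirement of upload-sarif (GitHub Actions behaviour, not from this page)
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0       # lets the action diff changed .sol files against the base branch
      - uses: CryptoKupo/walletguard-audit@v1
        with:
          api-key: ${{ secrets.WALLETGUARD_API_KEY }}
          threshold: medium    # inclusive: critical, high and medium findings fail the check
          fail-on-findings: true
          sarif-file: walletguard-results.sarif
      # The audit step fails the job when a finding meets the threshold, so the
      # upload must be allowed to run regardless of the previous step's outcome.
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: walletguard-results.sarif   # same path as the sarif-file input above
```

For a report-only rollout, set `fail-on-findings: false`: the PR review, step summary and Security tab are still populated, the merge is not blocked, and the `if: always()` guard is then unnecessary but harmless. Keep the two SARIF paths identical; if the audit step never wrote the file (for example because the API key secret is missing), the upload step fails on its own.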
