GitHub - XSource-Sec/agent-audit-action: GitHub Action for AI Agent Security Testing with AgentAudit


🛡️ AgentAudit GitHub Action

Scan your AI agent endpoints for security vulnerabilities in your CI/CD pipeline.

AgentAudit automatically tests your AI endpoints for prompt injection, jailbreaking, data exfiltration, and other AI-specific security risks.

GitHub Marketplace License: MIT


🚀 Quick Start

```yaml
name: Security Scan

on: [push, pull_request]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: XSource-Sec/agent-audit-action@v1
        with:
          target: ${{ secrets.AI_ENDPOINT_URL }}
          api_key: ${{ secrets.AGENTAUDIT_API_KEY }}
```

That's it! Your AI endpoint will be scanned on every push and pull request.


📋 Inputs

| Input | Required | Default | Description |
|-------|----------|---------|-------------|
| target | ✅ Yes | - | Target URL to scan (your AI endpoint) |
| api_key | ✅ Yes | - | AgentAudit API key (Get one here) |
| mode | No | quick | Scan mode: quick, standard, or full |
| fail_on | No | high | Fail build on findings at this severity or higher |
| timeout | No | 300 | Scan timeout in seconds (30-1800) |

Scan Modes

| Mode | Description | Use Case |
|------|-------------|----------|
| quick | Essential security tests, fast execution (~1-2 min) | PRs, frequent commits |
| standard | Balanced coverage and speed (~3-5 min) | Pre-merge checks |
| full | Comprehensive testing of all vectors (~5-10 min) | Release gates, scheduled scans |

Fail On Options

| Value | Behavior |
|-------|----------|
| critical | Fail only on critical vulnerabilities |
| high | Fail on critical or high severity (default) |
| medium | Fail on medium or higher |
| low | Fail on any finding |
| none | Never fail based on findings |

📤 Outputs

| Output | Description |
|--------|-------------|
| scan_id | Unique identifier of the scan |
| total_findings | Total number of findings |
| critical_count | Number of critical severity findings |
| high_count | Number of high severity findings |
| medium_count | Number of medium severity findings |
| low_count | Number of low severity findings |
| risk_score | Overall risk score (0-100) |
| report_url | URL to the full scan report |
| status | Scan status (completed/failed) |

📖 Examples

Block PRs with Security Issues

```yaml
name: PR Security Gate

on: pull_request

jobs:
  security-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: XSource-Sec/agent-audit-action@v1
        with:
          target: ${{ secrets.STAGING_ENDPOINT }}
          api_key: ${{ secrets.AGENTAUDIT_API_KEY }}
          mode: standard
          fail_on: high
```

Add PR Comment with Results

```yaml
name: Security Scan with Comment

on: pull_request

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: XSource-Sec/agent-audit-action@v1
        id: scan
        with:
          target: ${{ secrets.AI_ENDPOINT_URL }}
          api_key: ${{ secrets.AGENTAUDIT_API_KEY }}
        continue-on-error: true

      - name: Comment PR
        uses: actions/github-script@v7
        with:
          script: |
            const output = `## 🛡️ AgentAudit Security Scan

            | Metric | Value |
            |--------|-------|
            | Risk Score | **${{ steps.scan.outputs.risk_score }}/100** |
            | Critical | ${{ steps.scan.outputs.critical_count }} |
            | High | ${{ steps.scan.outputs.high_count }} |
            | Medium | ${{ steps.scan.outputs.medium_count }} |
            | Low | ${{ steps.scan.outputs.low_count }} |

            📄 [View Full Report](${{ steps.scan.outputs.report_url }})`;

            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            });
```

Scheduled Full Scans

```yaml
name: Weekly Security Audit

on:
  schedule:
    - cron: '0 9 * * 1'  # Every Monday at 9 AM

jobs:
  full-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: XSource-Sec/agent-audit-action@v1
        with:
          target: ${{ secrets.PRODUCTION_ENDPOINT }}
          api_key: ${{ secrets.AGENTAUDIT_API_KEY }}
          mode: full
          timeout: 600
```

Multi-Environment Scan

```yaml
name: Multi-Environment Security Scan

on: push

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        environment: [staging, production]
    steps:
      - uses: XSource-Sec/agent-audit-action@v1
        with:
          target: ${{ secrets[format('{0}_ENDPOINT', matrix.environment)] }}
          api_key: ${{ secrets.AGENTAUDIT_API_KEY }}
          mode: ${{ matrix.environment == 'production' && 'full' || 'quick' }}
```

Conditional Deployment

```yaml
name: Secure Deployment

on:
  push:
    branches: [main]

jobs:
  security-check:
    runs-on: ubuntu-latest
    outputs:
      passed: ${{ steps.scan.outputs.status == 'completed' && steps.scan.outputs.critical_count == '0' }}
    steps:
      - uses: XSource-Sec/agent-audit-action@v1
        id: scan
        with:
          target: ${{ secrets.STAGING_ENDPOINT }}
          api_key: ${{ secrets.AGENTAUDIT_API_KEY }}
          fail_on: critical

  deploy:
    needs: security-check
    if: needs.security-check.outputs.passed == 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to Production
        run: echo "Deploying..."
```
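The severity threshold from the Fail On Options table and the `passed` gate from the Conditional Deployment workflow above, reproduced as an added Python helper (not part of the agent-audit-action project) so the behaviour of a given set of action outputs can be checked before wiring it into a workflow; the sample outputs are constructed, and GitHub hands every step output to the next job as a string, which is why counts are compared as `'0'` in the workflow and converted here.

```python
"""Added example (not project code): evaluate the README's fail_on threshold
and the Conditional Deployment gate over the action's documented outputs.
GitHub exposes step outputs as strings, so counts arrive as '0', '2', ...
and must be converted before any numeric comparison."""

# Higher rank = more severe; "fail_on: X" fails on X or anything above it.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
VALID_FAIL_ON = set(SEVERITY_RANK) | {"none"}
VALID_MODES = {"quick", "standard", "full"}

# Constructed sample of the outputs a completed scan might produce.
SAMPLE_OUTPUTS = {
    "status": "completed", "total_findings": "7", "risk_score": "61",
    "critical_count": "0", "high_count": "2", "medium_count": "1", "low_count": "4",
}


def validate_inputs(mode="quick", fail_on="high", timeout=300):
    """Check the three optional inputs against the values the README documents."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be quick, standard or full, got {mode!r}")
    if fail_on not in VALID_FAIL_ON:
        raise ValueError(f"fail_on must be critical/high/medium/low/none, got {fail_on!r}")
    timeout = int(timeout)
    if not 30 <= timeout <= 1800:
        raise ValueError("timeout must be between 30 and 1800 seconds")
    return {"mode": mode, "fail_on": fail_on, "timeout": timeout}


def should_fail(outputs, fail_on="high"):
    """True if any finding at or above the fail_on severity exists ('none' never fails)."""
    if fail_on == "none":
        return False
    threshold = SEVERITY_RANK[fail_on]  # KeyError on an undocumented value is deliberate
    return any(
        rank >= threshold and int(outputs.get(f"{level}_count", "0")) > 0
        for level, rank in SEVERITY_RANK.items()
    )


def deployment_gate_passed(outputs):
    """Mirror the 'passed' job output of the Conditional Deployment workflow:
    the scan must have completed and reported zero critical findings. It ignores
    high/medium/low, so it only matches the action's own gate with fail_on: critical."""
    return outputs.get("status") == "completed" and outputs.get("critical_count") == "0"


if __name__ == "__main__":
    print("fail_on=high     ->", "FAIL" if should_fail(SAMPLE_OUTPUTS, "high") else "pass")
    print("fail_on=critical ->", "FAIL" if should_fail(SAMPLE_OUTPUTS, "critical") else "pass")
    print("deployment gate  ->", deployment_gate_passed(SAMPLE_OUTPUTS))
```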

🔑 Get Your API Key

  1. Sign up at app.xsourcesec.com
  2. Navigate to Settings → API Keys
  3. Click Create API Key
  4. Copy the key and add it to your GitHub Secrets as AGENTAUDIT_API_KEY

Pricing

| Plan | Scans/Month | Targets | Attack Vectors | Price |
|------|-------------|---------|----------------|-------|
| Free | 5 | 1 | 100+ | $0/forever |
| Pro | 100 | 5 | 600+ | $149/mo |
| Team | Unlimited | Unlimited | 650+ | $299/mo |
| Enterprise | Unlimited | Unlimited | 650+ | Custom |

View Pricing →


🔒 Security

  • API keys are only transmitted over HTTPS
  • Scan results are encrypted at rest
  • We never store your endpoint credentials
  • SOC 2 Type II compliant

📞 Support


📄 License

MIT License - see LICENSE for details.


Built with ❤️ by XSource Security