Code Security Analysis Workflow

The Code Security Analysis workflow examines source code files for security vulnerabilities using AI-powered static analysis. This workflow is ideal for identifying common security issues across multiple programming languages.

Overview

  • Workflow ID: code
  • Primary Use Case: Static analysis of application source code
  • Output: SARIF and HTML security reports

Common Use Cases

1. Security Code Review

CLI:
# Comprehensive analysis with detailed output
fraim --debug \
  run code --location . \
  --confidence 6 \
  --chunk-size 400

2. Pre-Commit Analysis

CLI:
# Analyze only changed files
fraim run code --location . --diff

3. Language-Specific Analysis

CLI:
# Python security analysis
fraim run code --location . --globs "*.py" "requirements.txt"

# JavaScript/Node.js analysis
fraim run code --location . --globs "*.js" "*.ts" "package.json"

# Java application analysis
fraim run code --location . --globs "*.java" "pom.xml" "build.gradle"

GitHub Actions Integration

Use the official Fraim GitHub Action:
name: Code Security Analysis
on:
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run Fraim Code Security Scan
        uses: fraim-dev/fraim-action@423d9d6b3c80923557887930d80eec4ca22a5c24
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          workflow: code
          workflow_args: |
            {
              "confidence": 8,
              "chunk-size": 500,
              "max-concurrent-chunks": 5,
              "max-concurrent-triagers": 3
            }
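A CI job usually wants to act on the SARIF report the scan step above produces, for example by listing findings in the job log and failing the check when a blocking finding is present. The following Python script is an added example (it is not part of Fraim or its documentation) that relies only on standard SARIF 2.1.0 fields: runs, results, ruleId, level, message and locations. It makes no assumption about Fraim-specific properties such as the confidence score, and the embedded sample report is constructed for illustration.

```python
"""Summarize a SARIF 2.1.0 report and decide whether a CI job should fail.

Added example for gating on a code-scanning SARIF output; not part of Fraim.
Only standard SARIF fields are used. The sample report below is constructed.
"""
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape; rule ids and paths are illustrative.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built from untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "warning",
             "message": {"text": "Possible credential in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built from untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/reports.py"},
                 "region": {"startLine": 88}}}]},
        ],
    }],
})


def load_results(sarif_text):
    """Flatten every result across all runs into plain dicts."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # Use the first reported location; a result may have none.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                # SARIF treats a missing level as "warning".
                "level": res.get("level", "warning"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine"),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def summarize(findings):
    """Count findings per (rule, level) for a compact CI log summary."""
    return Counter((f["rule"], f["level"]) for f in findings)


def should_fail(findings, fail_on=("error",)):
    """True when any finding is at a level the policy treats as blocking."""
    return any(f["level"] in fail_on for f in findings)


def main(sarif_text=SAMPLE_SARIF):
    """Print the summary and per-finding detail; return the process exit code."""
    findings = load_results(sarif_text)
    for (rule, level), count in sorted(summarize(findings).items()):
        print(f"{level:8} {rule:20} {count}")
    for f in findings:
        print(f"  {f['file']}:{f['line']} [{f['level']}] {f['rule']}: {f['message']}")
    return 1 if should_fail(findings) else 0


if __name__ == "__main__":
    import sys
    # Pass a path to a real report, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(main(text))
```

Run it as a step after the scan with the path of the generated SARIF file; the `fail_on` tuple is where a team encodes its own policy (for instance also blocking on `warning` for a release branch).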

Available workflow_args

| Argument | Type | Default | Description |
|---|---|---|---|
| confidence | integer (1-10) | 7 | Minimum confidence threshold for filtering findings |
| chunk-size | integer | 500 | Number of lines per chunk |
| limit | integer | null | Limit the number of files to scan |
| globs | array of strings | null | File patterns to include (uses workflow defaults if not provided) |
| max-concurrent-chunks | integer | 5 | Maximum number of chunks to process concurrently |
| max-concurrent-triagers | integer | 3 | Maximum number of triager requests per chunk to run concurrently |