CI Gate action
Last updated: Apr 21, 2026
The CI Gate action connects to the Fluid Attacks platform from your GitHub Actions workflows and checks whether your repository has open vulnerabilities reported by Fluid Attacks. It acts as a security gate in your CI/CD pipeline, optionally blocking merges when policy-breaking findings are present.
Marketplace: fluidattacks/ci-gate-action
Setup
1. Store your CI Gate token as a secret
Go to Settings → Secrets and variables → Actions in your repository
and create a secret named FA_API_TOKEN with your CI Gate token.
To generate or retrieve the token, go to Organization → Groups → GroupName → DevSecOps in the Fluid Attacks platform and click Manage token. The token is valid for 180 days and must be renewed before it expires.
2. Create the workflow
Add .github/workflows/ci-gate.yml to your repository:

```yaml
name: Fluid Attacks CI Gate
on:
  push:
  pull_request_target:
    types: [opened, synchronize, reopened]
jobs:
  ci-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: fluidattacks/ci-gate-action@<version>
        id: gate
        with:
          api_token: ${{ secrets.FA_API_TOKEN }}
```

Replace <version> with the latest release tag. Find it on the Marketplace page. If you want a reference that cannot be moved after the fact, pin the action to the full commit SHA of that release instead of the tag.
pull_request_target is required instead of pull_request because GitHub withholds secrets from
workflows triggered by pull_request when the PR originates from a fork,
which would prevent the action from authenticating.
pull_request_target runs in the base branch context (the workflow file from the base branch, with the base repository's secrets),
so the token is always available and the PR itself cannot change the gate configuration.
This is safe because the action never checks out or executes any PR code;
it only calls the Fluid Attacks API and reports the findings the platform already holds for the repository.
That guarantee depends on the job staying that way: do not add a step to this job that checks out or runs code from the PR head
(for example actions/checkout with ref set to the PR's head SHA), because under pull_request_target that code would run
with FA_API_TOKEN and every other repository secret available to it.
When repo_name is not set, the action uses the GitHub repository name as the nickname.
If your repository is registered under a different nickname on the Fluid Attacks platform,
set repo_name explicitly:

```yaml
with:
  api_token: ${{ secrets.FA_API_TOKEN }}
  repo_name: my-platform-nickname
```

3. Push and run
Commit the file and push. The check runs automatically on the next push or pull request.
Action inputs
| Input | Required | Default | Description |
|---|---|---|---|
| api_token | Yes | — | CI Gate token for authenticating with the Fluid Attacks platform. Use a secret: ${{ secrets.FA_API_TOKEN }}. |
| repo_name | No | GitHub repo name | Repository nickname as configured in the Fluid Attacks platform. When not set, defaults to the GitHub repository name (GITHUB_REPOSITORY minus the owner prefix). |
| strict | No | false | Set to true to enable strict mode: the job fails if open, untreated vulnerabilities that break policy are found. With the default (lax mode) the job succeeds regardless and only reports the result through the vulnerabilities_found output. |
| report_output_path | No | — | Path relative to the workspace root where the JSON report will be saved. If not set, no report file is written. |
Action outputs
| Output | Description |
|---|---|
| vulnerabilities_found | true if policy-breaking vulnerabilities were found, false otherwise. |
| report_output_path | Path to the JSON report file. Only set when the report_output_path input is configured. |
You can use these outputs in subsequent workflow steps:

```yaml
- name: Print result
  if: steps.gate.outputs.vulnerabilities_found == 'true'
  run: echo "Open vulnerabilities found. Review them on the Fluid Attacks platform."
```

Common scenarios
Strict mode: block merges with open vulnerabilities
Set strict: true to fail the job when policy-breaking vulnerabilities are found.
Combined with branch protection rules, this prevents vulnerable code from being merged:

```yaml
- uses: fluidattacks/ci-gate-action@<version>
  with:
    api_token: ${{ secrets.FA_API_TOKEN }}
    repo_name: my-repo
    strict: true
```

Then, in your repository settings, enable Require status checks to pass before merging and select the CI Gate check (it is listed under the job's name, ci-gate in the setup workflow).
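A complete workflow that combines strict mode with the report upload from the next scenario and the pull_request_target rules from the setup section. This is an added example written for this page, not code shipped by Fluid Attacks or taken from the action's repository: it assumes the nickname my-repo, the report path fa-report.json, an arbitrary artifact name, and that the job token can be limited to read-only scope because the action only calls the Fluid Attacks API. <version> is the same placeholder used throughout this page.

```yaml
# Added example for this page; not code from the Fluid Attacks docs or the
# action's own repository. <version> is the placeholder used throughout the page.
name: Fluid Attacks CI Gate

on:
  push:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Assumption: the action only talks to the Fluid Attacks API and never needs to
# write to the repository, so the job token is limited to read-only scope
# (pull_request_target would otherwise receive a write-capable GITHUB_TOKEN).
permissions:
  contents: read

jobs:
  ci-gate:
    runs-on: ubuntu-latest   # the action needs Docker, so a Linux runner is required
    steps:
      # Deliberately no checkout step. Under pull_request_target, checking out and
      # running the PR head (for example actions/checkout with ref set to the PR's
      # head SHA) would execute code controlled by the PR author while
      # FA_API_TOKEN and every other secret are available. Keep this job API-only.
      - uses: fluidattacks/ci-gate-action@<version>
        id: gate
        with:
          api_token: ${{ secrets.FA_API_TOKEN }}
          repo_name: my-repo            # assumption: the nickname registered on the platform
          strict: true                  # fail the job on policy-breaking findings
          report_output_path: fa-report.json

      # if: always() runs this step even after strict mode has failed the gate step.
      # The literal path is used rather than steps.gate.outputs.report_output_path
      # so the upload does not depend on the outputs of a failed step.
      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: fluid-attacks-report
          path: fa-report.json
          if-no-files-found: warn     # the gate may fail before a report is written (e.g. an expired token)
```

With strict: true the gate step itself fails, so the job fails and the ci-gate status check blocks the merge once branch protection requires it; the report is still uploaded because the upload step runs on always(). For a supply-chain-hardened reference, pin both fluidattacks/ci-gate-action and actions/upload-artifact to a full commit SHA rather than a tag.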
Save the vulnerability report as JSON
Use report_output_path to write the full report to a file,
then upload it as a workflow artifact:

```yaml
- uses: fluidattacks/ci-gate-action@<version>
  id: gate
  with:
    api_token: ${{ secrets.FA_API_TOKEN }}
    repo_name: my-repo
    report_output_path: fa-report.json
- name: Upload report
  if: always()
  uses: actions/upload-artifact@v4
  with:
    name: fluid-attacks-report
    path: ${{ steps.gate.outputs.report_output_path }}
```

Lax mode with conditional failure
Run in lax mode but fail the job manually based on the output:

```yaml
- uses: fluidattacks/ci-gate-action@<version>
  id: gate
  with:
    api_token: ${{ secrets.FA_API_TOKEN }}
    repo_name: my-repo
- name: Fail if vulnerabilities found
  if: steps.gate.outputs.vulnerabilities_found == 'true'
  run: exit 1
```

Troubleshooting
The action fails with an authentication error
Verify that your CI Gate token is correct and has not expired.
Tokens are valid for 180 days.
To renew it, go to Organization → Groups → GroupName → DevSecOps
in the platform and click Manage token.
Update the FA_API_TOKEN secret in your repository with the new token.
You see the error "Remote check failed"
Ensure that repo_name matches the nickname registered in the Fluid Attacks platform exactly.
When repo_name is not set, the action derives it from the GitHub repository name,
which may differ from the nickname on the platform.
Set repo_name explicitly to resolve the mismatch.
The action reports no vulnerabilities but I expect some
Confirm that the repo_name input matches the repository nickname
configured in the Fluid Attacks platform exactly.
A mismatch causes the gate to query the wrong repository and return no findings.
The pipeline fails unexpectedly
If strict: true is set, the job fails whenever policy-breaking vulnerabilities are found.
This is intentional.
Set strict: false if you want the check to report results without failing the pipeline.
The action fails on a non-Linux runner
The action requires Docker,
which is only available on Linux-hosted runners.
Make sure your workflow uses runs-on: ubuntu-latest or another Linux runner.
See the Marketplace page for all configuration options and additional troubleshooting.