{"id":49138689,"url":"https://github.com/prodcycle/actions","last_synced_at":"2026-04-24T05:01:15.850Z","repository":{"id":348630347,"uuid":"1164067809","full_name":"prodcycle/actions","owner":"prodcycle","description":"GitHub Action to scan PR changes for compliance violations via ProdCycle API","archived":false,"fork":false,"pushed_at":"2026-04-21T20:36:33.000Z","size":1480,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-21T23:36:12.615Z","etag":null,"topics":["code-scanner","code-scanning","compliance","compliance-as-a-service","compliance-as-code","github-actions","hipaa","hipaa-compliance","hipaa-compliant","soc2"],"latest_commit_sha":null,"homepage":"https://prodcycle.com/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/prodcycle.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-02-22T15:39:35.000Z","updated_at":"2026-04-21T20:36:25.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/prodcycle/actions","commit_stats":null,"previous_names":["prodcycle/compliance-code-scanner","prodcycle/actions"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/prodcycle/actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodcycle%2Factions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodcycle%2Factions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodcycle%2Factions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodcycle%2Factions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/prodcycle","download_url":"https://codeload.github.com/prodcycle/actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/prodcycle%2Factions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32209895,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T03:15:14.334Z","status":"ssl_error","status_checked_at":"2026-04-24T03:15:11.608Z","response_time":64,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["code-scanner","code-scanning","compliance","compliance-as-a-service","compliance-as-code","github-actions","hipaa","hipaa-compliance","hipaa-compliant","soc2"],"created_at":"2026-04-21T23:07:45.457Z","updated_at":"2026-04-24T05:01:15.841Z","avatar_url":"https://github.com/prodcycle.png","language":"TypeScript","readme":"# ProdCycle Actions\n\nA set of GitHub Actions for using [ProdCycle](https://prodcycle.com) in your CI/CD pipelines. A different action is available depending on your use case.\n\n\u003e **Requires a ProdCycle account.** These actions call the ProdCycle API, which requires a valid API key (`pc_...`). [Sign up at prodcycle.com](https://app.prodcycle.com) to get started.\n\n## Supported Actions\n\n| Action | Description |\n| ------ | ----------- |\n| [Compliance](compliance/) | Scan PR changes for SOC 2, HIPAA, and NIST compliance violations |\n\n## Quick start\n\nHere's an example using the Compliance Scanner action:\n\n```yaml\n# .github/workflows/compliance.yml\nname: Compliance Code Scanner\non:\n  pull_request:\n  push:\n    branches:\n      - main\n      - master\n\njobs:\n  compliance:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      pull-requests: write\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n      - uses: prodcycle/actions/compliance@v2\n        with:\n          api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n```\n\nYou can also reference the root action directly, which defaults to the Compliance Scanner:\n\n```yaml\n- uses: prodcycle/actions@v2\n  with:\n    api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n```\n\n## Compliance Scanner\n\nThe Compliance Scanner scans pull request changes for compliance violations against SOC 2, HIPAA, and NIST frameworks via the ProdCycle API.\n\nIt supports two modes (managed automatically by default):\n\n**1. Pull Request mode (diff scan)**\nWhen run on a `pull_request` event:\n- Collects the **diffs** of changed files from the PR (only the changed lines are analyzed)\n- Sends them to the ProdCycle compliance check API\n- Creates inline annotations on the PR for each finding\n- Posts a summary comment with severity and framework breakdown\n- Fails the check if findings match the configured severity threshold\n\n**2. Push / Merge mode (full scan)**\nWhen run on a `push` event (e.g., merge to `main`):\n- Collects and scans the **entire codebase**\n- Validates all tracked files against compliance frameworks\n- Reports any findings in the GitHub Actions summary\n\n### Inputs\n\n| Input                | Required | Default                     | Description                                                              |\n| -------------------- | -------- | --------------------------- | ------------------------------------------------------------------------ |\n| `api-key`            | Yes      |                             | ProdCycle compliance API key (`pc_...`)                                  |\n| `api-url`            | No       | `https://api.prodcycle.com` | ProdCycle API base URL                                                   |\n| `frameworks`         | No       | Workspace setting           | Comma-separated framework IDs (`soc2,hipaa,nist`)                        |\n| `fail-on`            | No       | `critical,high`             | Comma-separated severities that fail the check                           |\n| `severity-threshold` | No       | `low`                       | Minimum severity to include in results                                   |\n| `include`            | No       | All changed files           | Comma-separated glob patterns to include (`**/*.tf,**/*.yaml`)           |\n| `exclude`            | No       | None                        | Comma-separated glob patterns to exclude (`test/**,docs/**`)             |\n| `scan-mode`          | No       | `auto`                      | `auto` (diff for PRs, full for pushes); `diff` (changed lines only); `full` (entire codebase) |\n| `annotate`           | No       | `true`                      | Create inline workflow annotations (`core.error`/`warning`/`notice`) for findings |\n| `comment`            | No       | `true`                      | Post a summary comment on the PR                                         |\n| `review-event`       | No       | *(empty — see below)*        | PR review event: `auto` / `comment` / `request-changes` / `none`          |\n\n### Outputs\n\n| Output           | Description                                       |\n| ---------------- | ------------------------------------------------- |\n| `passed`         | Whether the scan passed (`true`/`false`)          |\n| `findings-count` | Total number of findings                          |\n| `scan-id`        | ProdCycle scan ID for linking to the dashboard    |\n| `summary`        | JSON summary of results by severity and framework |\n\n### Examples\n\n#### Scan specific frameworks\n\n```yaml\n- uses: prodcycle/actions/compliance@v2\n  with:\n    api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n    frameworks: soc2,hipaa,nist\n```\n\n#### Only fail on critical findings\n\n```yaml\n- uses: prodcycle/actions/compliance@v2\n  with:\n    api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n    fail-on: critical\n```\n\n#### Scan only infrastructure files\n\n```yaml\n- uses: prodcycle/actions/compliance@v2\n  with:\n    api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n    include: \"**/*.tf,**/*.yaml,**/*.yml,**/Dockerfile\"\n    exclude: \"test/**,docs/**\"\n```\n\n#### Use outputs in subsequent steps\n\n```yaml\n- uses: prodcycle/actions/compliance@v2\n  id: compliance\n  with:\n    api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n  continue-on-error: true\n\n- run: |\n    echo \"Passed: ${{ steps.compliance.outputs.passed }}\"\n    echo \"Findings: ${{ steps.compliance.outputs.findings-count }}\"\n    echo \"Scan: ${{ steps.compliance.outputs.scan-id }}\"\n```\n\n#### Non-blocking compliance (comments only, never \"Changes requested\")\n\n```yaml\n- uses: prodcycle/actions/compliance@v2\n  with:\n    api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n    review-event: comment\n  continue-on-error: true\n```\n\n#### Explicit full codebase scan\n\n```yaml\n- uses: prodcycle/actions/compliance@v2\n  with:\n    api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n    scan-mode: full\n```\n\n#### Self-hosted ProdCycle instance\n\n```yaml\n- uses: prodcycle/actions/compliance@v2\n  with:\n    api-key: ${{ secrets.PRODCYCLE_API_KEY }}\n    api-url: https://api.yourcompany.com\n```\n\n## Supported frameworks\n\n| ID     | Framework                              |\n| ------ | -------------------------------------- |\n| `soc2` | SOC 2                                  |\n| `hipaa`| HIPAA                                  |\n| `nist` | NIST 800-53 / Cybersecurity Framework  |\n\nIf no `frameworks` input is specified, the action uses the frameworks configured on your ProdCycle workspace.\n\n## Prerequisites\n\n- A **ProdCycle account** ([sign up at prodcycle.com](https://prodcycle.com))\n- A **ProdCycle API key** generated from your workspace settings\n- Compliance check enabled on your workspace\n\n## Setup\n\n### 1. Generate an API key\n\nIn ProdCycle, go to **Settings \u003e API** and create a compliance check API key. The key starts with `pc_`.\n\n### 2. Add the key to GitHub secrets\n\nIn your repository, go to **Settings \u003e Secrets and variables \u003e Actions** and add a new secret:\n\n- **Name:** `PRODCYCLE_API_KEY`\n- **Value:** Your `pc_...` key\n\n### 3. Add the workflow\n\nCreate `.github/workflows/compliance.yml` in your repository with the configuration from the Quick start section above.\n\n## Permissions\n\nThe actions require the following GitHub token permissions:\n\n- `contents: read` to checkout and read changed files\n- `pull-requests: write` to post annotations and summary comments\n\n## Development\n\n```bash\npnpm install\npnpm run type-check    # TypeScript check\npnpm run test          # Run tests\npnpm run build         # Bundle with ncc into compliance/dist/\npnpm run all           # All of the above\n```\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for more details.\n\n## Support\n\n- [ProdCycle Documentation](https://docs.prodcycle.com)\n- [Report an issue](https://github.com/prodcycle/actions/issues)\n- [Security policy](SECURITY.md)\n- [Contact support](mailto:support@prodcycle.com)\n\n## License\n\nMIT. See [LICENSE](LICENSE) for details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprodcycle%2Factions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprodcycle%2Factions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprodcycle%2Factions/lists"}