Examples

This page provides complete workflow files for common use cases. Copy the one that best matches your needs and adjust as necessary.

Basic: Auto-Detect Platform

The simplest configuration. The action detects whether your repository contains CosmWasm, Solana, or EVM contracts and selects the appropriate analyzer automatically.

name: Odin Scan Security Analysis
on:
  pull_request:
    branches: [main, master]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: odin-scan/odin-scan-action@v1
        with:
          api-key: ${{ secrets.ODIN_SCAN_API_KEY }}

Notes:

  • Triggers on pull requests targeting main or master.
  • Uses all default settings: high severity threshold, SARIF upload enabled, PR comments enabled, full findings visibility.
  • Platform is detected automatically from repository contents.

Full Configuration

Every input is set explicitly. This workflow also demonstrates how to access outputs in a subsequent step.

name: Odin Scan Full Security Analysis
on:
  pull_request:
    branches: [main, master, develop]
  push:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4

      - name: Run Odin Scan
        id: scan
        uses: odin-scan/odin-scan-action@v1
        with:
          api-key: ${{ secrets.ODIN_SCAN_API_KEY }}
          platform: auto
          severity-threshold: medium
          fail-on-findings: true
          comment-on-pr: true
          findings-visibility: full
          upload-sarif: true
          upload-artifact: true
          timeout: 1800
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Print results
        if: always()
        run: |
          echo "Analysis ID: ${{ steps.scan.outputs.analysis-id }}"
          echo "Status: ${{ steps.scan.outputs.status }}"
          echo "Total Findings: ${{ steps.scan.outputs.total-findings }}"
          echo "Critical: ${{ steps.scan.outputs.critical-count }}"
          echo "High: ${{ steps.scan.outputs.high-count }}"
          echo "Report: ${{ steps.scan.outputs.report-url }}"

Notes:

  • Triggers on pull requests targeting main, master, or develop, and also on pushes to main.
  • Sets the severity threshold to medium, so any medium-or-above finding fails the build.
  • The id: scan attribute is required to reference outputs in the “Print results” step.
  • The if: always() condition ensures the results step runs even when the scan fails due to findings.
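The “Print results” step above echoes each output. The script below is an added example, not part of the Odin Scan action or its documentation: it reads the same outputs from environment variables (the `env:` indirection GitHub recommends for `run:` steps instead of expanding `${{ }}` inside the script body), writes a Markdown table to the job summary via `GITHUB_STEP_SUMMARY`, and emits a workflow annotation whose level follows the worst finding. The variable names `SCAN_STATUS`, `TOTAL_FINDINGS`, `CRITICAL_COUNT`, `HIGH_COUNT` and `REPORT_URL`, the function names, and the YAML step sketched in the comments are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the Odin Scan action or its documentation.
# Reads the scan outputs from environment variables, appends a Markdown
# table to the job summary and emits an annotation for the worst finding.
#
# The variable names are this example's choice. The step feeding them is
# assumed to look like this (YAML):
#
#   - name: Summarize results
#     if: always()
#     env:
#       SCAN_STATUS: ${{ steps.scan.outputs.status }}
#       TOTAL_FINDINGS: ${{ steps.scan.outputs.total-findings }}
#       CRITICAL_COUNT: ${{ steps.scan.outputs.critical-count }}
#       HIGH_COUNT: ${{ steps.scan.outputs.high-count }}
#       REPORT_URL: ${{ steps.scan.outputs.report-url }}
#     run: ./summarize_scan.sh
#
# Passing values through env: rather than expanding ${{ }} in the script
# body is the pattern GitHub recommends for run: steps.

# Sanitize a count: only digit strings pass through, anything else is 0.
as_count() {
  case "$1" in
    ''|*[!0-9]*) printf '0' ;;
    *) printf '%s' "$1" ;;
  esac
}

# Write the summary, then return 2 when critical findings exist,
# 1 when only high findings exist, and 0 otherwise.
summarize_scan() {
  # Outside GitHub Actions GITHUB_STEP_SUMMARY is unset; discard the table.
  summary_file="${GITHUB_STEP_SUMMARY:-/dev/null}"
  critical=$(as_count "${CRITICAL_COUNT:-}")
  high=$(as_count "${HIGH_COUNT:-}")
  total=$(as_count "${TOTAL_FINDINGS:-}")

  {
    printf '## Odin Scan results\n\n'
    printf '| Status | Total | Critical | High |\n'
    printf '|---|---|---|---|\n'
    printf '| %s | %s | %s | %s |\n' "${SCAN_STATUS:-unknown}" "$total" "$critical" "$high"
    if [ -n "${REPORT_URL:-}" ]; then
      printf '\n[Full report](%s)\n' "$REPORT_URL"
    fi
  } >> "$summary_file"

  # Workflow commands: these become annotations on the run and the PR.
  if [ "$critical" -gt 0 ]; then
    printf '::error::Odin Scan found %s critical finding(s)\n' "$critical"
    return 2
  elif [ "$high" -gt 0 ]; then
    printf '::warning::Odin Scan found %s high finding(s)\n' "$high"
    return 1
  fi
  printf '::notice::Odin Scan found no critical or high findings\n'
  return 0
}

# Run only when executed as the script named in the assumed step above.
if [ "$(basename -- "$0")" = "summarize_scan.sh" ]; then
  summarize_scan
fi
```

Because the step runs under `if: always()`, the summary is written whether or not the scan step itself failed on findings; the non-zero return codes let a caller gate on the counts separately from the action's own `fail-on-findings` behaviour.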

Solidity-Specific with Path Filters

This workflow only runs when Solidity files or build configuration files change, avoiding unnecessary scans on documentation or frontend changes.

name: Odin Scan EVM Analysis
on:
  pull_request:
    paths:
      - '**.sol'
      - 'foundry.toml'
      - 'hardhat.config.*'

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: odin-scan/odin-scan-action@v1
        with:
          api-key: ${{ secrets.ODIN_SCAN_API_KEY }}
          platform: evm
          severity-threshold: high

Notes:

  • The paths filter restricts the workflow to pull requests that modify .sol files, foundry.toml, or hardhat.config.*. This saves API usage and runner minutes on PRs that do not touch contract code.
  • The platform is set explicitly to evm since this workflow is purpose-built for Solidity projects.
  • The severity threshold is high, so only high and critical findings fail the build.
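To see exactly which changed files the three `paths` patterns above would let through, the script below re-implements the matching rules GitHub documents for `on.<event>.paths` filters: `*` and `?` never match a `/`, `**` matches anything including `/`, and every pattern is anchored to the full path from the repository root. It is an added example, not part of the Odin Scan action or its documentation; the function names and the `EVM_FILTERS` variable (the patterns copied from the workflow above) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the Odin Scan action or its documentation.
# Checks a list of changed files against the paths filters of the EVM
# workflow using the rules GitHub documents for on.<event>.paths:
#   '*' and '?' do not match '/', '**' matches anything including '/',
#   and the pattern must match the whole repository-relative path.

# Translate one paths-filter pattern into an anchored POSIX ERE.
gh_glob_to_ere() {
  printf '%s\n' "$1" | sed \
    -e 's/[.+()^$|{}]/\\&/g' \
    -e 's/\*\*/__DS__/g' \
    -e 's/\*/[^\/]*/g' \
    -e 's/?/[^\/]/g' \
    -e 's/__DS__/.*/g' \
    -e 's/^/^/' \
    -e 's/$/$/'
}

# Return 0 when PATH matches PATTERN under the rules above.
gh_path_matches() {  # usage: gh_path_matches PATTERN PATH
  re=$(gh_glob_to_ere "$1")
  printf '%s\n' "$2" | grep -Eq "$re"
}

# The filters from the workflow above, embedded so the example runs
# offline; in real use they would be read from the workflow file.
EVM_FILTERS='**.sol
foundry.toml
hardhat.config.*'

# Return 0 when at least one of the given changed files would trigger
# the workflow, 1 otherwise. The here-document avoids word splitting and
# pathname expansion of the patterns themselves.
evm_workflow_triggers() {  # usage: evm_workflow_triggers FILE...
  for f in "$@"; do
    while IFS= read -r pat; do
      [ -n "$pat" ] || continue
      if gh_path_matches "$pat" "$f"; then
        return 0
      fi
    done <<EOF
$EVM_FILTERS
EOF
  done
  return 1
}
```

Two consequences are easy to miss when reading the filter list: `'**.sol'` matches Solidity files at any depth, but `'foundry.toml'` and `'hardhat.config.*'` only match at the repository root, so a `foundry.toml` inside a dependency checkout (for example under `lib/`) or a `hardhat.config.ts` inside a monorepo package does not trigger the workflow on its own.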

Public Repository with Private Findings

For public repositories where you want to avoid exposing vulnerability details in PR comments:

name: Odin Scan Security Analysis
on:
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: odin-scan/odin-scan-action@v1
        with:
          api-key: ${{ secrets.ODIN_SCAN_API_KEY }}
          findings-visibility: private

Notes:

  • Sets findings-visibility to private, so the PR comment only shows a link to the authenticated report. No vulnerability titles, file paths, descriptions, or even counts are publicly visible.
  • SARIF uploads and workflow artifacts still contain full details, protected by GitHub’s permission model.
  • See Findings Visibility for a detailed explanation of the three visibility modes.

Further Reading

  • Inputs – full reference for all configuration options.
  • Outputs – how to use scan results in subsequent workflow steps.
  • SARIF Integration – details on GitHub Code Scanning integration.
  • Findings Visibility – controlling what details appear in public channels.