Inputs
All inputs are configured under the with: key in your workflow step. Only api-key is required; every other input has a sensible default.
Quick Reference
| Input | Required | Default | Description |
|---|---|---|---|
| api-key | Yes | – | Odin Scan API key |
| platform | No | auto | Target platform |
| severity-threshold | No | high | Minimum severity to fail the build |
| fail-on-findings | No | true | Fail workflow when findings exceed threshold |
| comment-on-pr | No | true | Post summary comment on pull requests |
| findings-visibility | No | full | Detail level in PR comments and annotations |
| upload-sarif | No | true | Upload SARIF to GitHub Code Scanning |
| upload-artifact | No | true | Upload full report as workflow artifact |
| timeout | No | 1800 | Maximum wait time in seconds |
| github-token | No | ${{ github.token }} | GitHub token for API calls |
| api-url | No | https://api.odinscan.ai | Odin Scan API base URL |
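A complete workflow that wires these inputs together, added here as an illustration and not taken from the Odin Scan documentation. The action reference on the `uses:` line is a placeholder, and the `permissions` block reflects the requirements stated under comment-on-pr and upload-sarif.

```yaml
# Added example workflow (not the project's own); the uses: reference below is
# a placeholder and must be replaced with the real action reference.
name: Odin Scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read          # check out the repository
  pull-requests: write    # required by comment-on-pr
  security-events: write  # required by upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Odin Scan
        uses: OWNER/odin-scan-action@v1   # placeholder action reference
        with:
          api-key: ${{ secrets.ODIN_SCAN_API_KEY }}  # repository secret, never a literal odin_sk_ key
          platform: evm                    # skip auto-detection for a Foundry/Hardhat repo
          severity-threshold: medium       # fail on medium, high or critical findings
          fail-on-findings: true
          comment-on-pr: true
          findings-visibility: counts      # public repo: severity table only in PR comments
          upload-sarif: true               # full detail still reaches the Security tab
          upload-artifact: true
          timeout: 3600                    # larger repository: allow up to 60 minutes
```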
Detailed Reference
api-key
- Required: Yes
- Type: String
- Default: None
Your Odin Scan API key, which starts with odin_sk_. Create one at odinscan.ai/dashboard/settings under API Keys.
Always store this as a repository secret rather than hardcoding it in the workflow file:
```yaml
api-key: ${{ secrets.ODIN_SCAN_API_KEY }}
```
platform
- Required: No
- Type: String
- Default: auto
- Allowed values: auto, cosmwasm, solana, evm
Specifies which smart contract platform to analyze. When set to auto, the action inspects your repository contents and selects the appropriate analyzer:
- EVM – detected by .sol files and Foundry/Hardhat configuration.
- CosmWasm – detected by Rust files with a cosmwasm-std dependency.
- Solana – detected by Rust files with Anchor or native Solana program structure.
Set this explicitly if auto-detection selects the wrong platform or if your repository contains contracts for multiple platforms.
```yaml
platform: evm
```
severity-threshold
- Required: No
- Type: String
- Default: high
- Allowed values: critical, high, medium, low, none
The minimum severity level at which the action marks the workflow as failed. For example, setting medium causes the action to fail if any finding is rated medium, high, or critical.
Setting none means the action never fails due to findings, regardless of severity. This is useful when you want to collect data without blocking merges.
```yaml
severity-threshold: medium
```
fail-on-findings
- Required: No
- Type: Boolean (as string)
- Default: true
Controls whether the action sets a failing exit code when findings exceed the severity threshold. When set to false, findings are still reported (PR comments, SARIF, artifacts) but the workflow step always succeeds.
```yaml
fail-on-findings: false
```
comment-on-pr
- Required: No
- Type: Boolean (as string)
- Default: true
When enabled, the action posts a summary comment on the pull request with a breakdown of findings by severity. Requires the pull-requests: write permission.
The level of detail in the comment is controlled by findings-visibility.
```yaml
comment-on-pr: true
```
findings-visibility
- Required: No
- Type: String
- Default: full
- Allowed values: full, counts, private
Controls how much detail is shown in PR comments and inline annotations. This is primarily relevant for public repositories where PR comments are visible to anyone.
- full – shows the severity table, finding titles, file locations, and descriptions.
- counts – shows the severity table only; no titles, file paths, or descriptions.
- private – shows only a link to the private report; no details at all.
This setting does not affect SARIF uploads or workflow artifacts, which are protected by GitHub’s own permission model.
See Findings Visibility for a detailed explanation of each mode and its threat model.
```yaml
findings-visibility: counts
```
upload-sarif
- Required: No
- Type: Boolean (as string)
- Default: true
Uploads findings in SARIF format to GitHub Code Scanning. This enables native security alerts in the Security tab, inline annotations on pull request diffs, and alert tracking workflows.
Requires the security-events: write permission. On private repositories, GitHub Advanced Security must be enabled.
See SARIF Integration for details.
```yaml
upload-sarif: true
```
upload-artifact
- Required: No
- Type: Boolean (as string)
- Default: true
Uploads the full JSON analysis report as a workflow artifact. The artifact is downloadable from the workflow run summary and is retained according to your repository’s artifact retention settings (default: 90 days).
```yaml
upload-artifact: true
```
timeout
- Required: No
- Type: Number (as string)
- Default: 1800
Maximum number of seconds to wait for the analysis to complete. The default is 1800 seconds (30 minutes). Large repositories or complex contracts may require a higher value.
If the analysis does not complete within this window, the action fails with a timeout error.
```yaml
timeout: 3600
```
github-token
- Required: No
- Type: String
- Default: ${{ github.token }}
The GitHub token used for posting PR comments, uploading SARIF results, and cloning private repositories. The default github.token is automatically provided by GitHub Actions and is sufficient for most use cases.
You only need to override this if you require cross-repository access or elevated permissions not available through the default token.
```yaml
github-token: ${{ secrets.GITHUB_TOKEN }}
```
api-url
- Required: No
- Type: String
- Default: https://api.odinscan.ai
The base URL of the Odin Scan API. Most users do not need to change this.