GitHub Actions
Automate HIPAA compliance checks in your GitHub CI/CD pipeline.
Quick Start
Create .github/workflows/hipaa-compliance.yml:

```yaml
name: HIPAA Compliance

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  compliance-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Run vlayer scan
        run: npx vlayer scan . --fail-on high
```

Two things to check before relying on this in a gate. First, `npx vlayer` with no vlayer entry in package.json resolves and downloads whatever version is current at run time; add vlayer to devDependencies and run `npm ci` first (as in the Full Configuration example below) so the lockfile pins the scanner version. Second, a scanning job only needs to read the repository, so declare that at the top of the workflow (`permissions: contents: read`); the PR Comments example adds `pull-requests: write` on top of that. For a harder supply-chain posture, pin the third-party actions to a full commit SHA rather than a mutable tag like `@v4`.
Full Configuration
With Reports and Artifacts
```yaml
name: HIPAA Compliance

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  compliance-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run HIPAA compliance scan
        id: vlayer
        run: |
          npx vlayer scan . -f json -o vlayer-results.json --fail-on critical
        continue-on-error: true

      - name: Generate HTML report
        if: always()
        run: npx vlayer report generate vlayer-results.json -f html -o hipaa-report.html

      - name: Upload compliance report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: hipaa-compliance-report
          path: |
            vlayer-results.json
            hipaa-report.html

      - name: Check results
        if: steps.vlayer.outcome == 'failure'
        run: exit 1
```

The scan step is allowed to fail (`continue-on-error: true`) so that the report is still generated and uploaded; the final step re-raises the failure so the job goes red and can be used as a required status check. Without that last step a critical finding would only be visible inside the artifact.
PR Comments
Post findings as PR comments:

```yaml
name: HIPAA Compliance

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  pull-requests: write

jobs:
  compliance-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Run vlayer scan
        id: scan
        run: |
          npx vlayer scan . -f json -o results.json --fail-on critical
          echo "findings=$(jq '.findings | length' results.json)" >> "$GITHUB_OUTPUT"
        continue-on-error: true

      - name: Comment on PR
        uses: actions/github-script@v7
        if: github.event_name == 'pull_request'
        with:
          script: |
            const fs = require('fs');
            const results = JSON.parse(fs.readFileSync('results.json', 'utf8'));

            let body = '## HIPAA Compliance Report\n\n';

            if (results.findings.length === 0) {
              body += '✅ No compliance issues found!\n';
            } else {
              body += `⚠️ Found ${results.findings.length} issue(s):\n\n`;

              // Group findings by severity, then list the worst first.
              const grouped = {};
              results.findings.forEach(f => {
                if (!grouped[f.severity]) grouped[f.severity] = [];
                grouped[f.severity].push(f);
              });

              ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'].forEach(severity => {
                if (grouped[severity]) {
                  body += `### ${severity} (${grouped[severity].length})\n`;
                  grouped[severity].slice(0, 5).forEach(f => {
                    body += `- **${f.message}** - \`${f.file}:${f.line}\`\n`;
                  });
                  if (grouped[severity].length > 5) {
                    body += `- ... and ${grouped[severity].length - 5} more\n`;
                  }
                  body += '\n';
                }
              });
            }

            body += '\n---\n*Generated by vlayer*';

            // Await the API call so a failed request fails the step instead of
            // being lost when the script returns.
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: body
            });

      - name: Fail on critical issues
        if: steps.scan.outcome == 'failure'
        run: exit 1
```

A few points worth knowing. Declaring a `permissions` block sets every scope you do not list to none, so keep `contents: read` alongside `pull-requests: write` or checkout will fail on a private repository. The scan needs `--fail-on critical` for the final step's `steps.scan.outcome == 'failure'` check to mean what its name says. Pull requests opened from forks run with a read-only GITHUB_TOKEN, so the comment call returns 403 there; do not work around that by switching to `pull_request_target` and checking out the PR head, because that runs the contributor's code with a write token. Finally, the comment embeds `message` and `file` strings taken from the scanned tree, so on a fork PR that text is contributor-controlled; it cannot execute anything, but it can inject arbitrary markdown into your comment.
Scheduled Scans
Run compliance checks on a schedule:

```yaml
name: Scheduled HIPAA Audit

on:
  schedule:
    - cron: '0 9 * * 1'   # Every Monday at 09:00 UTC (GitHub cron is always UTC)
  workflow_dispatch:      # Allow manual trigger

jobs:
  weekly-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Run comprehensive scan
        run: |
          npx vlayer scan . -f html -o weekly-audit.html --include-passing

      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: weekly-hipaa-audit-${{ github.run_id }}
          path: weekly-audit.html
          retention-days: 90
```

`if: always()` on the upload step keeps the report even when the scan exits non-zero, which is exactly the run you want to look at. Scheduled workflows only run from the default branch, and GitHub disables them in public repositories after 60 days without activity. The artifact is deleted after `retention-days`, so copy it to longer-term storage if you need it as audit evidence.
Branch Protection
Require compliance checks to pass before merging:

- Go to Settings → Branches → Branch protection rules
- Add a rule for main
- Enable "Require status checks to pass before merging"
- Select the job's check. Required checks are listed by job, not by workflow: for the workflows above it appears as compliance-check (the job id, unless the job sets its own name:), and it only shows up in the picker after it has run at least once. A matrix job produces one check per value, for example compliance-check (production), and each one must be selected.
Environment-Specific Checks
```yaml
jobs:
  compliance-check:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        environment: [development, staging, production]
    steps:
      - uses: actions/checkout@v4

      - name: Run vlayer scan
        env:
          TARGET_ENV: ${{ matrix.environment }}
        run: |
          if [ "$TARGET_ENV" = "production" ]; then
            npx vlayer scan . --fail-on medium --config .vlayerrc.prod.json
          else
            npx vlayer scan . --fail-on high
          fi
```

The matrix value is passed through an environment variable rather than interpolated with `${{ }}` directly into the shell script. The values here are fixed, so it makes no difference today, but the habit matters: anything interpolated into `run:` is expanded before the shell sees it, and an expression that ever carries user-controlled input (a branch name, a PR title) becomes a command injection.
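The two decisions the workflows on this page delegate to the CLI and to the PR-comment script, the severity gate behind `--fail-on` and the grouped comment body, are reimplemented below in plain Node.js so they can be tested locally. This is an added example, not vlayer's own code. It assumes the results shape used by the PR Comments script above (`findings[]` with `severity`, `message`, `file`, `line`) and assumes `--fail-on` means "fail when any finding is at or above the named severity", which is a reading of the flag, not documented behaviour. It goes slightly beyond the page's script in two ways: severity labels are normalised for case instead of being silently dropped when they do not match the uppercase keys, and finding text is flattened before it is placed in the comment. The sample results are constructed.

```javascript
// Added example, not vlayer's own code. Reimplements the --fail-on gate and the
// PR-comment rendering from the workflows above so both can be unit-tested.
// Assumed results shape (from the PR Comments script on this page):
//   { findings: [{ severity, message, file, line }] }
// Treating --fail-on as "fail on any finding at or above the named severity"
// is an assumption about the CLI.

const SEVERITIES = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW']; // most severe first

// Map a severity label (any case) to its position in SEVERITIES. Unknown labels
// throw instead of being dropped, which is what the page's script would do.
function rank(severity) {
  const i = SEVERITIES.indexOf(String(severity).toUpperCase());
  if (i === -1) throw new Error(`unknown severity: ${severity}`);
  return i;
}

// The gate: true when the job should fail for this threshold.
function shouldFail(results, threshold) {
  const limit = rank(threshold);
  return (results.findings || []).some(f => rank(f.severity) <= limit);
}

// Group findings under normalised severity keys.
function groupBySeverity(findings) {
  const grouped = {};
  for (const f of findings) {
    const key = SEVERITIES[rank(f.severity)];
    (grouped[key] = grouped[key] || []).push(f);
  }
  return grouped;
}

// Finding text comes from files in the PR, so on a fork PR it is contributor
// controlled. Flatten newlines and backticks so a message cannot start a new
// markdown block or break out of the inline-code span, and cap the length.
function sanitize(value, max = 200) {
  const flat = String(value).replace(/[\r\n`]/g, ' ').replace(/[\u0000-\u001f]/g, '');
  return flat.length > max ? flat.slice(0, max) + '...' : flat;
}

// Render the comment body the same way the PR Comments workflow does,
// listing at most `perSeverity` findings per section.
function renderComment(results, perSeverity = 5) {
  const findings = results.findings || [];
  let body = '## HIPAA Compliance Report\n\n';
  if (findings.length === 0) return body + 'No compliance issues found.\n';
  body += `Found ${findings.length} issue(s):\n\n`;
  const grouped = groupBySeverity(findings);
  for (const sev of SEVERITIES) {
    const list = grouped[sev];
    if (!list) continue;
    body += `### ${sev} (${list.length})\n`;
    for (const f of list.slice(0, perSeverity)) {
      body += `- **${sanitize(f.message)}** - \`${sanitize(f.file)}:${Number(f.line)}\`\n`;
    }
    if (list.length > perSeverity) body += `- ... and ${list.length - perSeverity} more\n`;
    body += '\n';
  }
  return body;
}

// Constructed sample results (hypothetical findings, not real scanner output).
// Note the lowercase severity and the newline/backticks embedded in a message.
const SAMPLE_RESULTS = {
  findings: [
    { severity: 'high', message: 'PHI written to application log', file: 'src/audit.js', line: 42 },
    { severity: 'LOW', message: 'Session timeout not configured', file: 'src/session.js', line: 7 },
    { severity: 'MEDIUM', message: 'Weak `TLS` settings\n## injected heading', file: 'config/tls.json', line: 1 },
  ],
};

console.log(renderComment(SAMPLE_RESULTS));
console.log('fails at --fail-on high:', shouldFail(SAMPLE_RESULTS, 'high'));
console.log('fails at --fail-on critical:', shouldFail(SAMPLE_RESULTS, 'critical'));
```

Run it with `node` to see the rendered body. With the sample data the gate passes at `critical` and fails at `high`, which is the difference between the Quick Start and Full Configuration workflows above; the `MEDIUM` message is rendered on one line, so its injected heading stays inside the bullet instead of restructuring the comment.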
Caching
Speed up runs with caching:

```yaml
- name: Cache vlayer
  uses: actions/cache@v4
  with:
    path: ~/.npm
    key: ${{ runner.os }}-vlayer-${{ hashFiles('**/package-lock.json') }}
    restore-keys: |
      ${{ runner.os }}-vlayer-
```

This is the manual equivalent of `cache: 'npm'` on actions/setup-node, which the Full Configuration example already uses; pick one, not both. A cache restored through the `restore-keys` prefix may be stale relative to the lockfile, but `npm ci` still verifies every package against the lockfile's integrity hashes, so a stale cache costs time rather than integrity.
Secrets
If using vlayer Pro features:

```yaml
- name: Run vlayer scan
  env:
    VLAYER_API_KEY: ${{ secrets.VLAYER_API_KEY }}
  run: npx vlayer scan . --upload-results
```

Store the key as a repository or organisation secret and hand it to the scanner through the environment, as above, never as a command-line argument, since argv ends up in the job log and in the process list. Actions masks secret values in log output but not in uploaded artifacts. Workflows triggered by `pull_request` from a fork do not receive secrets at all, so the variable is empty there and the upload will fail.
See Also
- GitLab CI - GitLab pipeline setup
- Configuration - CI-specific config