
Use the GitHub Action fallback for AI Gate.

The GitHub App is the recommended self-serve path. Use this fallback workflow when a repository needs a CI-native shakerscan ai gate command instead of App-backed Check Runs.

Sample gate decision

block

GitHub check blocks unsafe AI behavior

The check publishes a policy failure tied to the evidence URL and the expected verification scope. The merge stays blocked until a later run of the AI target passes policy or an approved, scoped exception exists.

repo: acme/support-bot
pull request SHA: 9f31c2a
AI target: support-chat-api
environment: preview
policy: ai-gate-release
evidence hash: sha256:8b7c...e21f
1. Create a ShakerScan API key and save it as a GitHub Actions secret.

2. Create or select a saved AI target in ShakerScan.

3. Run shakerscan ai gate with the repo, branch, commit, target, environment, probe pack, and expected release scope.

4. Fail the job when verification fails, when the policy result is block, or when the result is needs_approval and no valid approval token is present.
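The four steps above, assembled into a pull-request workflow. This is an added example, not a workflow shipped by ShakerScan: it uses only the flags named in the setup checklist on this page (--repo, --branch, --commit-sha, --environment, --probe-pack, --scan-profile) and the npx -y shakerscan ai gate invocation. The following are assumptions and are marked in comments: that the CLI reads the key from an environment variable named SHAKER_API_KEY, that a GitHub environment called "preview" holds that secret, the probe pack and scan profile values, and that the CLI exits non-zero on a failing decision. The flags that select the saved AI target and the expected release scope are not named on this page, so they are left out rather than guessed.

```yaml
# Added example; not part of the ShakerScan documentation or product.
# Check every flag against `npx -y shakerscan ai gate --help` before use.
name: ai-gate

on:
  pull_request:
    branches: [main]

# Least privilege: the gate only needs to read the checked-out repository.
permissions:
  contents: read

jobs:
  ai-gate:
    runs-on: ubuntu-latest
    # Assumption: a GitHub environment named "preview" carries SHAKER_API_KEY,
    # so the key is scoped to this environment rather than the whole repo.
    environment: preview
    env:
      # Assumption: the CLI reads its API key from this variable.
      # The secret is referenced here and never written into the file or echoed.
      SHAKER_API_KEY: ${{ secrets.SHAKER_API_KEY }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Run ShakerScan AI Gate
        env:
          # Pass GitHub context through env vars instead of ${{ }} inside run:,
          # so a crafted branch name cannot inject shell into the step.
          PR_REPO: ${{ github.repository }}
          PR_BRANCH: ${{ github.head_ref }}
          # The PR head commit, not the synthetic merge commit in github.sha,
          # so the decision binds to the SHA reviewers actually see.
          PR_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Step 3 also passes the saved AI target and expected release scope;
          # this page does not name those flags, so they are omitted here.
          # Probe pack and scan profile values below are placeholders (assumed).
          npx -y shakerscan ai gate \
            --repo "$PR_REPO" \
            --branch "$PR_BRANCH" \
            --commit-sha "$PR_SHA" \
            --environment preview \
            --probe-pack default \
            --scan-profile safe
          # Step 4: assumption that the CLI exits non-zero on verification
          # failure, a block result, or needs_approval without a valid token.
          # If it reports those only in its output, add an explicit check here.
```

After the workflow runs once, add the "ai-gate" job as a required status check on the protected branch; until it is required, a block decision is visible but does not stop the merge.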

Why ShakerScan

The output is a release control, not just a report.

ShakerScan is built around release evidence: a tested target, a policy result, a verifier command, and an approval path when risk needs human review.

Signed evidence

Evidence hashes and AI Gate attestations bind the decision to the target, environment, policy, probe pack, and release scope when signing is configured. Without signing, the hash still identifies the evidence but does not by itself prove who produced it.

CI-verifiable decision

GitHub Actions or the shakerscan CLI can verify that the decision matches the expected repo, commit, branch, environment, target, policy, and evidence hash.

Approval workflow

When an eligible workflow is approved, scoped approval tokens record the reason, audience, expiry, and decision path instead of bypassing the gate silently.

Checklist

GitHub setup checklist

Add SHAKER_API_KEY as a repository or environment secret.

Use npx -y shakerscan ai gate in the workflow.

Pass --repo, --branch, --commit-sha, --environment, --probe-pack, and --scan-profile.

Keep raw credentials out of workflow files and logs.

Add the GitHub check to the required status checks of protected branches so a block decision actually prevents the merge.

Limitations

What this page does not claim

ShakerScan does not replace human security review, threat modeling, or a scoped penetration test.

AI Gate decisions depend on the configured target, probe pack, policy, scan profile, and available evidence.

Production targets require authorization, safe scope, rate limits, and operational approval.

FAQ

Is ShakerScan an AI pentesting replacement?

No. ShakerScan is a verifiable security gate for release workflows. It complements deeper manual testing by producing repeatable runtime evidence and CI-verifiable allow, block, or needs_approval decisions.

Can ShakerScan scan any target?

No. Targets must be owned by the customer or explicitly authorized. Production scans should use safe profiles, rate limits, and defined scope.

Does the workflow need dashboard access?

No. CI can use the CLI and API key. The dashboard is useful for reviewing evidence, findings, and approval state.