Publishes bounded source evidence from GitHub Actions to VAX. The action runs local repository scans in CI, uploads evidence to Firebase, and receives a VAX run URL while the long LLM assessment continues through Pub/Sub.
```yaml
name: VAX vendor assurance
on:
  pull_request:
  push:
    branches: [main]
  workflow_dispatch:
permissions:
  contents: read
  id-token: write
jobs:
  vax:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run VAX evidence scan
        uses: AtA-Systems/vax-security-scan@v1
        with:
          vax_key: ${{ secrets.VAX_KEY }}
          artifact_paths: assurance-artifacts/vax-manifest.json
```

The id-token: write permission is required. VAX uses the per-job key to authorize the upload to
the configured assessment and the GitHub OIDC token to record where the job ran.
Scan types are selected in the VAX job configuration, not in the workflow file.
The action currently runs OWASP ASVS Level 1, OWASP ASVS Level 2, OWASP WSTG,
NIST SP 800-161 Rev. 1 Tier 3, CMMC Level 2, and DORA evidence scans locally
in CI and uploads the structured result plus bounded supporting evidence to VAX.
The action fails CI only for missing runtime requirements, such as an absent VAX_KEY or
OIDC permission, or for an upload failure. Security assessment gaps are reported on the
VAX run page instead of failing CI.
Use artifact_paths for evidence that should not be inferred from repository
contents alone, such as SBOMs, SLSA provenance, vulnerability scan exports,
POA&M records, risk registers, security plans, incident response plans, and
business continuity artifacts. JSON manifests can also provide explicit control
mappings, which replace inferred results for the same control deterministically:
```json
{
  "artifacts": [
    {
      "type": "sbom",
      "path": "dist/sbom.cdx.json",
      "controls": [
        {
          "framework": "NIST SP 800-161",
          "control_id": "NIST-161-SCRM-05",
          "status": "pass",
          "severity": "medium",
          "detail": "CycloneDX SBOM generated by CI for this build."
        }
      ]
    }
  ]
}
```

Known artifact type values also map to local control signals even without an
explicit controls array, so typed evidence remains traceable in the scorecard.
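The two manifest behaviours above (explicit control mappings replacing inferred results for the same control, and typed artifacts contributing a signal even without a controls array) can be checked locally before a manifest is committed. The script below is an added example, not code from the vax-security-scan action: it validates a manifest of the shape shown above, merges it over a constructed list of inferred findings, and renders a stable scorecard. The precedence order (inferred result, then default signal for a known type, then explicit entry), the file-existence check for typed artifacts, and every entry in TYPE_SIGNALS other than the sbom control id taken from the manifest above are assumptions of this example, not the action's real mapping.

```python
"""Merge explicit VAX manifest control mappings over inferred scan results.

Added example, not the action's own code. Assumed (hypothetical) details:
manifest shape as shown above, inferred results keyed by (framework,
control_id), and the placeholder per-type default signal table below.
"""
import json
import os
from typing import Callable, Dict, List, Tuple

Key = Tuple[str, str]

# Hypothetical default control signal per known artifact type. Only "sbom"
# reuses the control id from the manifest above; the others are placeholders,
# not identifiers from the action or from any framework.
TYPE_SIGNALS: Dict[str, Key] = {
    "sbom": ("NIST SP 800-161", "NIST-161-SCRM-05"),
    "slsa_provenance": ("EXAMPLE-FRAMEWORK", "EXAMPLE-CTRL-PROVENANCE"),
    "vuln_scan_export": ("EXAMPLE-FRAMEWORK", "EXAMPLE-CTRL-VULN-EXPORT"),
}
REQUIRED_CONTROL_KEYS = ("framework", "control_id", "status")

# Constructed sample input: the manifest from the text plus one typed artifact
# that carries no explicit controls array.
SAMPLE_MANIFEST = json.dumps({
    "artifacts": [
        {"type": "sbom", "path": "dist/sbom.cdx.json", "controls": [
            {"framework": "NIST SP 800-161", "control_id": "NIST-161-SCRM-05",
             "status": "pass", "severity": "medium",
             "detail": "CycloneDX SBOM generated by CI for this build."}]},
        {"type": "slsa_provenance", "path": "dist/provenance.intoto.jsonl"},
    ]
})
# Constructed sample of what a local scan might infer before merging.
SAMPLE_INFERRED: List[dict] = [
    {"framework": "NIST SP 800-161", "control_id": "NIST-161-SCRM-05",
     "status": "fail", "detail": "No SBOM found in repository tree."},
    {"framework": "EXAMPLE-FRAMEWORK", "control_id": "EXAMPLE-CTRL-OTHER",
     "status": "fail", "detail": "Placeholder inferred finding."},
]


def load_manifest(text: str) -> dict:
    """Parse manifest JSON and reject entries the merge could not use."""
    manifest = json.loads(text)
    artifacts = manifest.get("artifacts")
    if not isinstance(artifacts, list):
        raise ValueError("manifest must contain an 'artifacts' list")
    for i, art in enumerate(artifacts):
        if not isinstance(art.get("type"), str) or not isinstance(art.get("path"), str):
            raise ValueError(f"artifacts[{i}] needs string 'type' and 'path'")
        for j, ctl in enumerate(art.get("controls", [])):
            missing = [k for k in REQUIRED_CONTROL_KEYS if k not in ctl]
            if missing:
                raise ValueError(f"artifacts[{i}].controls[{j}] missing {missing}")
    return manifest


def merge_controls(inferred: List[dict], manifest: dict,
                   exists: Callable[[str], bool] = os.path.exists) -> Dict[Key, dict]:
    """Return {(framework, control_id): result} with explicit mappings winning.

    Assumed precedence: inferred result < default signal for a known artifact
    type < explicit control entry. Manifest entries apply in document order,
    so the last explicit entry for a key wins and the result is the same on
    every run.
    """
    merged = {(r["framework"], r["control_id"]): dict(r, source="inferred")
              for r in inferred}
    explicit: set = set()
    for art in manifest["artifacts"]:
        controls = art.get("controls")
        if controls:
            for ctl in controls:
                key = (ctl["framework"], ctl["control_id"])
                merged[key] = dict(ctl, source="manifest", path=art["path"])
                explicit.add(key)
        elif art["type"] in TYPE_SIGNALS:
            key = TYPE_SIGNALS[art["type"]]
            if key in explicit:
                continue  # an explicit mapping already covers this control
            # Typed evidence without explicit mappings still yields a traceable
            # signal; in this example it passes only if the file is present.
            merged[key] = {
                "framework": key[0], "control_id": key[1],
                "status": "pass" if exists(art["path"]) else "fail",
                "detail": f"{art['type']} artifact at {art['path']}",
                "source": "typed_artifact", "path": art["path"],
            }
    return merged


def scorecard_lines(merged: Dict[Key, dict]) -> List[str]:
    """Render the merged results in a stable, sorted order."""
    return [f"{fw} {cid}: {r['status']} ({r['source']})"
            for (fw, cid), r in sorted(merged.items())]


if __name__ == "__main__":
    for line in scorecard_lines(merge_controls(SAMPLE_INFERRED, load_manifest(SAMPLE_MANIFEST))):
        print(line)
```

Run it from the repository root so the typed-artifact existence check sees the same paths the workflow would; the source field on each merged entry is what makes a scorecard line traceable back to either the local scan or a specific manifest artifact.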