Overview

The Amplify GitHub App integrates the Amplify Security Platform with GitHub to secure your GitHub repositories and provide actionable security code fixes directly to developers in Pull Requests.

The Amplify Security GitHub integration is currently in beta. Documentation and functionality may change frequently.

GitHub App

View the Amplify Security GitHub App on the GitHub Marketplace.

GitHub Action

View the Amplify Security GitHub Action on GitHub.

Components

GitHub App

The Amplify GitHub App installs in your GitHub organization and allows Amplify to make Requests to the GitHub API on behalf of your organization. Amplify uses these privileges to receive notifications about Pull Requests and GitHub Actions Workflows, and to commit security code fixes directly to your repositories when approved by a user. Amplify also has the ability to open Pull Requests and comment on Pull Requests to provide security feedback through the GitHub App.

GitHub Action

The Amplify GitHub Action is an action that runs configured security tools on your GitHub repository and sends security findings to the Amplify Platform. The Amplify GitHub Action is installed into the GitHub repositories added to the Github App when you approve the installation Pull Requests created by the Amplify Platform.

Amplify Workflow

The Amplify GitHub Actions Workflow is the workflow installed in any GitHub repositories added to the Amplify Platform. This Workflow runs the Amplify GitHub Action on every Pull Request and on every push to the repository’s main or master branch.

.github/workflows/amplify.yml
---
name: Amplify Security
on:
  pull_request: {}
  workflow_dispatch: {}
  push:
    branches: ["master", "main"]

permissions:
  contents: read
  id-token: write

jobs:
  amplify-security-scan:
    name: Amplify Security Scan
    runs-on: ubuntu-latest
    if: (!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]')
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Amplify Runner
        uses: amplify-security/runner-action@main

The Amplify Platform currently relies on the name of the Workflow to track and display GitHub Workflows correctly. Do not change the name of the Workflow. This restriction will be lifted soon.

Configuration

Scanning branches other than main or master

By default, the Amplify workflow runs on all Pull Requests and on every push to the repository’s main or master branch. To run on any additional branches, add them to the list of branches in .github/workflows/amplify.yml. For example, we will modify the section below to also execute on the develop branch. Note that the change in syntax from the above YAML is simply for readability.

.github/workflows/amplify.yml
---
name: Amplify Security
on:
  pull_request: {}
  workflow_dispatch: {}
  push:
    # this is equivalent to '["master", "main", "develop"]'
    branches:
      - master
      - main
      - develop