This guide provides specific instructions for integrating the Wisec agent into your GitHub Actions workflows.
Before proceeding, ensure you have:
- A Wisec account and project created.
- Your Project ID from the Wisec dashboard.
- Your Agent Signing Key (Private Key) generated from the Wisec dashboard.
Refer to the Installation Guide for details on obtaining these.
Go to your GitHub repository's Settings > Secrets and variables > Actions. Add the following repository secrets:
- WISEC_PROJECT_ID:
  Value: Your project's unique ID from the Wisec dashboard.
- AGENT_PRIVATE_KEY_HEX:
  Value: The private part of your Ed25519 signing key pair, obtained from the Wisec dashboard Settings page.
- WISEC_API_ENDPOINT:
  Value: https://app.wisec.io/api/v1/events
Add a new job or a step within an existing job in your .github/workflows/wisec-scan.yml file to download and execute the Wisec agent.
# .github/workflows/wisec-scan.yml example for Wisec integration
name: Wisec Security Scan

on:
  push:
    branches: [ "master", "main" ]
  pull_request:
    branches: [ "master", "main" ]

jobs:
  wisec-security-scan:
    runs-on: ubuntu-latest # Or your preferred runner
    steps:
      - uses: actions/checkout@v3

      - name: Install Git & Curl (if not already present)
        run: |
          sudo apt-get update
          # wget is included because the download step below uses it
          sudo apt-get install -y git curl tar wget

      - name: Download Gitleaks & Wisec Agent
        run: |
          echo "Downloading gitleaks..."
          wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz
          tar -xzf gitleaks_8.18.2_linux_x64.tar.gz
          chmod +x gitleaks
          sudo mv gitleaks /usr/local/bin/ # Optional: move to path for easy access
          echo "Downloading wisec-agent..."
          curl -L -o wisec-agent https://storage.googleapis.com/wisec-downloads/agent
          chmod +x wisec-agent

      - name: Run Wisec Agent
        # The secrets are exposed only to this step's environment
        env:
          WISEC_PROJECT_ID: ${{ secrets.WISEC_PROJECT_ID }}
          AGENT_PRIVATE_KEY_HEX: ${{ secrets.AGENT_PRIVATE_KEY_HEX }}
          WISEC_API_ENDPOINT: ${{ secrets.WISEC_API_ENDPOINT }}
        run: |
          ./wisec-agent
git Installation: The agent relies on git for collecting repository metadata. Ensure your runner image has git installed, or add a step to install it (sudo apt-get install -y git for Ubuntu-based runners).
--public-key parameter: The agent does NOT require a --public-key parameter. The public key is already registered with your Wisec instance when you generate the signing key pair from the dashboard. The API Gateway uses this registered public key to verify the agent's signature.
The workflow example above includes steps to download and install gitleaks. The wisec-agent automatically detects gitleaks and uses it to scan your code for hardcoded secrets, which will appear as CRITICAL alerts in your dashboard.
To manage false positives, you can add a .gitleaksignore file to the root of your repository. For a detailed guide and an example file, please see the Secret Scanning section in our Quick Start guide.
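The workflow above downloads two binaries and then runs one of them with the signing key in its environment, so a pre-flight check before `./wisec-agent` is worth having. The following is an added example, not part of Wisec's documentation or agent: the function names are hypothetical, the pinned digests are placeholders you record yourself from a copy you trust, and the even-length hex check on the key is an assumption about its format.

```shell
#!/bin/sh
# Added example, not Wisec's code. Function names are hypothetical.

# verify_sha256 FILE PINNED_HEX
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_sha256() {
  _file=$1
  _want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case $_want in
    ''|*[!0-9a-f]*) echo "pinned digest for $_file is not hex" >&2; return 2 ;;
  esac
  [ "${#_want}" -eq 64 ] || { echo "pinned digest for $_file is not 64 hex digits" >&2; return 2; }
  [ -f "$_file" ] || { echo "missing file: $_file" >&2; return 2; }
  _got=$(sha256sum "$_file" | cut -d' ' -f1)
  [ "$_got" = "$_want" ] || { echo "SHA-256 mismatch for $_file" >&2; return 1; }
  return 0
}

# check_wisec_env
# Returns 0 only if the three secrets from this guide are present and well formed.
# Messages name the variable but never print its value.
check_wisec_env() {
  _rc=0
  [ -n "${WISEC_PROJECT_ID:-}" ] || { echo "WISEC_PROJECT_ID is empty" >&2; _rc=1; }
  # Assumption: the key is plain hex with an even number of digits.
  case ${AGENT_PRIVATE_KEY_HEX:-} in
    ''|*[!0-9a-fA-F]*) echo "AGENT_PRIVATE_KEY_HEX is empty or not hex" >&2; _rc=1 ;;
    *) [ $(( ${#AGENT_PRIVATE_KEY_HEX} % 2 )) -eq 0 ] ||
         { echo "AGENT_PRIVATE_KEY_HEX has an odd number of digits" >&2; _rc=1; } ;;
  esac
  case ${WISEC_API_ENDPOINT:-} in
    https://?*) ;;
    *) echo "WISEC_API_ENDPOINT must be an https:// URL" >&2; _rc=1 ;;
  esac
  return "$_rc"
}

# In the workflow, before ./wisec-agent (digests are placeholders you record yourself):
#   verify_sha256 gitleaks_8.18.2_linux_x64.tar.gz "<PINNED_SHA256_OF_TARBALL>" || exit 1
#   verify_sha256 wisec-agent "<PINNED_SHA256_OF_AGENT>" || exit 1
#   check_wisec_env || exit 1
```

GitHub does not pass repository secrets to workflows triggered by pull requests from forks, so `check_wisec_env` fails early on those runs instead of letting the agent start with an empty key.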

