Snitch Docs

GitHub Action

Scan every pull request. Sticky comment, inline review, SARIF upload.

The Snitch GitHub Action runs a 72-category security review on every pull request. It posts a sticky summary comment, inline review comments anchored to the diff, uploads SARIF to GitHub Code Scanning, and (optionally) blocks merges on findings above your chosen severity.

Quick install

Drop into .github/workflows/snitch.yml:

name: Snitch
on:
  pull_request:
    types: [opened, synchronize, reopened]
permissions:
  contents: read
  pull-requests: write
  security-events: write
  statuses: write
  models: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: snitchplugin/snitch-github-action@v1
        with:
          snitch-license-key: ${{ secrets.SNITCH_LICENSE_KEY }}

The default path uses free GitHub Models inference through the automatically issued GITHUB_TOKEN together with the models: read permission shown above. No external provider key is required.

Use a different model

Add one of the following to with: and supply the matching repo secret:

# OpenRouter (one key for every model)
openrouter-api-key: ${{ secrets.OPENROUTER_API_KEY }}
model: anthropic/claude-sonnet-4

# Anthropic
anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-sonnet-4

# OpenAI
openai-api-key: ${{ secrets.OPENAI_API_KEY }}
model: gpt-4o

# Google (Gemini)
google-api-key: ${{ secrets.GOOGLE_API_KEY }}
model: gemini-2.5-pro

Smart mode

The default trigger mode is smart. It scans when a PR is opened; on synchronize it scans when no prior PR-scoped scan exists or when the prior scan had critical or high findings, and it self-throttles when the prior scan was clean. Failed scans (provider 401/403/429 responses) are filtered out of that history so a broken run doesn't poison the next push.

Outputs

Every run produces:

  • A sticky PR comment summarizing severity counts
  • Inline review comments at the exact path:line (auto-suppressed when GHAS is rendering SARIF, to avoid duplicates)
  • SARIF uploaded to GitHub Code Scanning (renders as native alerts in the Security tab)
  • A workflow artifact named snitch-security-report with the markdown + SARIF files (30-day retention)

Inputs reference

Input                   Default            Purpose
snitch-license-key      required           License key from your dashboard
model                   provider default   Override model id
provider                auto               Force a specific provider
trigger-mode            smart              smart / always / manual
fail-on                 high               Exit non-zero on this severity or above
batch-size              5                  Files per AI call
max-file-bytes          100000             Skip files larger than this
max-files               50                 Hard cap on files per PR
paths                   none               Comma-separated glob filter
disable-inline-review   false              Manual override to suppress inline comments
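A fuller workflow that combines the BYO-key provider setup with the inputs above, written here as an added example rather than the project's own sample. The branch filter, the path globs, the raised file cap and the comment on models: read are assumptions, not documented behaviour.

```yaml
name: Snitch (BYO key)
on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches: [main]          # assumption: only review PRs targeting the protected branch
permissions:
  contents: read
  pull-requests: write        # sticky summary comment + inline review comments
  security-events: write      # SARIF upload to GitHub Code Scanning
  statuses: write             # lets fail-on block the merge through a status check
  models: read                # documented for the default GitHub Models path;
                              # assumed unnecessary once a provider key is supplied
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so the diff can be anchored for inline comments
      - uses: snitchplugin/snitch-github-action@v1
        with:
          snitch-license-key: ${{ secrets.SNITCH_LICENSE_KEY }}
          # BYO key: the prompts (your code chunks) go to OpenRouter, not to Snitch
          openrouter-api-key: ${{ secrets.OPENROUTER_API_KEY }}
          model: anthropic/claude-sonnet-4
          # Re-scan every push instead of the smart throttle
          trigger-mode: always
          # Gate the merge on high or critical findings (already the default,
          # stated explicitly so reviewers can see the threshold in the workflow)
          fail-on: high
          # Constructed glob filter: review only the code that handles untrusted input
          paths: "src/api/**,src/auth/**"
          # Assumption: raise the per-PR cap for large refactors of the filtered paths
          max-files: 100
```

Because fail-on exits non-zero at the chosen severity, pair this workflow with a required status check on the target branch so the gate is enforced rather than advisory.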

Privacy

The Action runs on your runner. Snitch's servers never receive your code, and we don't store anything about it. The Action sends the license check, the methodology download, and per-scan metadata (file count, finding counts, duration) to snitchplugin.com. No repo name, PR number, or branch is collected; PR-scoped scan dedup uses a sha256 hash of the identifier so we can deduplicate without learning which repo it was.

The AI provider you select sees the prompts (your code chunks). That's an unavoidable trade-off for any cloud-based AI scan, and it's why the BYO-key model matters: the relationship is between you and the provider, not us.

See pricing for plans.

Snitch uses AI to generate findings. AI can make mistakes, miss issues, or flag false positives, even with guardrails. Snitch is not responsible for actions taken based on AI output. Read the full AI disclaimer.