Quick Start

Add to your workflow file

name: Binary Dependency Check
on: [pull_request]

jobs:
  binshield:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ashlrai/binshield-action@v1
        with:
          fail-on: high
          github-token: ${{ secrets.GITHUB_TOKEN }}

Inputs

All action inputs and their defaults

Input	Description	Default
api-base-url	BinShield API URL	https://binshieldapi-production.up.railway.app
api-key	API key for authenticated scans	-
github-token	Token for PR comments	-
working-directory	Repo path to inspect	.
scan-mode	native-only or all-dependencies	native-only
fail-on	Risk threshold: critical, high, medium, low, never	high
comment-mode	summary, pr-comment, both, off	summary
include-dev-dependencies	Scan devDependencies too	false
poll-interval-ms	Polling delay in ms	1500
timeout-ms	Polling timeout in ms	120000
max-targets	Max packages to scan	50

Scan Modes

native-only default

Only scan packages identified as native binary candidates. Fast, focused on the highest-risk dependencies.

all-dependencies

Scan every dependency in the lockfile. Use for compliance audits where full coverage is required.

Risk Levels

How BinShield classifies binary behavior risk

Level	Score	Meaning
none	0	No binaries or behaviors detected
low	1-29	Expected behaviors only
medium	30-59	Review-worthy behaviors present
high	60-79	Multiple risk signals, manual review required
critical	80-100	Severe indicators, block until validated

Example PR Comment

What your team sees on each pull request

## BinShield -- Binary Dependency Scan

3 native binaries found in 2 packages

| Package        | Risk     | Evidence                    |
|----------------|----------|-----------------------------|
| bcrypt@6.0.0   | MEDIUM   | 10 binaries, crypto, fs     |
| sharp@0.34.5   | LOW      | 1 binary, filesystem        |

All binaries passed the HIGH threshold.

GitHub Action