Use case
CI/CD Gatekeeper
Block risky native binaries in pull requests before they reach production.
The Problem
No CI tool checks native binaries. Your pipeline scans JavaScript source code, runs SAST tools, and checks known CVE databases — but the compiled .node, .so, and .dylib files inside your dependencies are completely invisible. A compromised build pipeline could inject a backdoor into a binary, and your CI would give it a green checkmark.
The Solution
The BinShield GitHub Action adds binary-level scanning to every pull request. It decompiles native artifacts, classifies their behavior with AI, and enforces configurable risk thresholds — all in a single YAML step.
How It Works
Three steps to binary-aware CI
- Add the Action — Drop the BinShield step into your GitHub Actions workflow. It runs after npm install and before your test suite.
- Set your policy — Configure a risk threshold (e.g., block PRs with any binary scoring above 60). Customize which behavior families trigger failures.
- Review and merge — BinShield posts a PR comment with a summary of every native binary, its risk score, and detected behaviors. Safe PRs pass automatically.
GitHub Action Configuration
Example workflow step

```yaml
# .github/workflows/binshield.yml
name: BinShield Binary Scan
on:
  pull_request:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - name: BinShield Scan
        uses: ashlrai/binshield-action@v1
        with:
          api-key: ${{ secrets.BINSHIELD_API_KEY }}
          risk-threshold: 60
          fail-on-high: true
          comment-on-pr: true
```

Example PR Comment
What your team sees on every pull request
BinShield Scan Results
Scanned 3 packages with native binaries. 1 flagged.
| Package | Risk | Behaviors |
|---|---|---|
| bcrypt@6.0.0 | 52 MEDIUM | crypto, filesystem |
| sharp@0.33.2 | 28 LOW | image processing |
| usb@2.14.0 | 68 HIGH | network, process spawn |
Blocked: usb@2.14.0 exceeds risk threshold of 60.
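An added example, not BinShield's own code, showing the two things the step above automates in a form you can run locally: finding the native binaries under node_modules that source-only scanners never look at (by extension and by ELF/Mach-O/PE magic bytes), and failing the build when a package's score exceeds the risk threshold from the workflow. The sample tree, its binaries and the risk scores are constructed here; BinShield's real scoring and output format are not reproduced.

```python
import hashlib
import json
import tempfile
from pathlib import Path

NATIVE_EXT = {".node", ".so", ".dylib", ".dll"}
# Magic bytes of ELF, 64-bit Mach-O, fat Mach-O and PE images.
MAGICS = (b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"MZ")

def is_native(path: Path) -> bool:
    """Extension is a hint; magic bytes also catch names like libvips.so.42."""
    return path.suffix in NATIVE_EXT or path.read_bytes()[:4].startswith(MAGICS)

def owning_package(path: Path, root: Path) -> str:
    """Label a binary name@version from the nearest package.json below root."""
    for parent in path.parents:
        if parent == root:
            break
        meta_file = parent / "package.json"
        if meta_file.is_file():
            meta = json.loads(meta_file.read_text())
            return f"{meta.get('name', parent.name)}@{meta.get('version', '?')}"
    return path.relative_to(root).as_posix()

def inventory(root: Path) -> dict:
    """Map each native binary (path relative to root) to its package and sha256."""
    found = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and is_native(p):
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            found[p.relative_to(root).as_posix()] = {"package": owning_package(p, root), "sha256": digest}
    return found

def enforce(scores: dict, threshold: int) -> list:
    """Packages scoring above the threshold; a non-empty list should fail the PR."""
    return sorted(pkg for pkg, s in scores.items() if s > threshold)

def build_sample_tree() -> Path:
    """Constructed node_modules: two fake native binaries (not real packages' files)."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    files = {
        "usb/package.json": json.dumps({"name": "usb", "version": "2.14.0"}).encode(),
        "usb/build/Release/usb.node": b"\x7fELF" + b"\x00" * 60,
        "sharp/package.json": json.dumps({"name": "sharp", "version": "0.33.2"}).encode(),
        "sharp/vendor/lib/libvips.so.42": b"\x7fELF" + b"\x01" * 60,
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Run `inventory(build_sample_tree())` to list the two binaries with their owning package and hash, and `enforce({"bcrypt@6.0.0": 52, "sharp@0.33.2": 28, "usb@2.14.0": 68}, 60)` to reproduce the block decision from the example comment.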
Start scanning binaries in CI today
Free for public repos. Pro plans include private repo scanning and custom policies.