CyberArmyID/Helium-Security-Vulnerability-Scanner

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Helium Security Vulnerability Scanner

This GitHub Action allows you to automatically run security scans using Helium Security in your CI/CD workflow.

Prerequisites

  • A Helium.sh account with a Team, Business or Enterprise license

Create a Helium Security API Key and Store It as a GitHub Secret

  1. Log in to your Helium Security account.
  2. Go to Settings, select My Account, then open the Integration tab and choose CI/CD Integration. [screenshot: Copy API Key]
  3. Generate a new API key and copy its value. [screenshot: Generate and copy API Key]
  4. Go to your GitHub repository, open Settings, then navigate to Secrets and variables > Actions. [screenshot: GitHub Secrets]
  5. Create a new secret named HELIUM_API_KEY, paste the API key value, and click Add secret. [screenshot: GitHub API key Secret]
  6. After adding the secret, the page should look like this: [screenshot: GitHub Secret Success]

How to Get the Helium Security Workspace ID

  1. Log in to your Helium Security account.
  2. Go to Settings and select Workspace.
  3. Choose the workspace you want to use, then click the Workspace ID; it is copied to your clipboard automatically. [screenshot: Helium Workspaces]
  4. Make sure the selected workspace belongs to the same owner that holds the active license: the API key can only be used with workspaces covered by that license.
  5. Pass this Workspace ID to the action as the workspace_id input in your GitHub Actions workflow.

Inputs

Website Scanner Inputs

Without Authentication

Inputs

| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| api_key | string | - | Yes | Helium API Key |
| workspace_id | string | - | Yes | Workspace ID |
| tool | string | - | Yes | Scanner type (website-scanner) |
| scan_option | string | - | Yes | Scanner option (basic_scan, full_scan) |
| target | string | - | Yes | Target URL to scan |
| target_path | string | - | No | Path to the target file or directory for scanning |
| fail_on | string | high | No | Fail the build if severity >= value (low, medium, high, critical) |

Example Usage:

```yaml
steps:
  - name: Helium Security Website Scan (No Auth)
    uses: CyberArmyID/Helium-Security-Vulnerability-Scanner@v1.0.0
    with:
      api_key: ${{ secrets.HELIUM_API_KEY }}
      workspace_id: abcd1234-abcd-abcd-abcd
      tool: website-scanner
      scan_option: basic_scan
      target: example.com
      target_path: /path
      fail_on: high
```

With Authentication

Cookie-Based Authentication

Inputs

| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| api_key | string | - | Yes | Helium API Key |
| workspace_id | string | - | Yes | Workspace ID |
| tool | string | - | Yes | Scanner type (website-scanner) |
| scan_option | string | - | Yes | Scanner option (basic_scan, full_scan) |
| target | string | - | Yes | Target URL to scan |
| auth_method | string | - | Yes | Authentication method (cookie) |
| cookies_input | string | - | Yes | Cookies to use for authentication |
| after_login_url | string | - | Yes | URL to visit after login |
| logout_url | string | - | Yes | URL to log out |
| login_success_indicator | string | - | Yes | String to check in the response for a successful login |
| target_path | string | - | No | Path to the target file or directory for scanning |
| fail_on | string | high | No | Fail the build if severity >= value (low, medium, high, critical) |

Example Usage:

```yaml
steps:
  - name: Helium Security Website Scan (Cookie Auth)
    uses: CyberArmyID/Helium-Security-Vulnerability-Scanner@v1.0.0
    with:
      api_key: ${{ secrets.HELIUM_API_KEY }}
      workspace_id: abcd1234-abcd-abcd-abcd
      tool: website-scanner
      scan_option: full_scan
      target: vuln.example.com
      auth_method: cookie
      cookies_input: "sessionid=abc123; path=/;"
      after_login_url: https://vuln.example.com/dashboard
      logout_url: https://vuln.example.com/logout
      login_success_indicator: "Dashboard"
      fail_on: high
```
Form-Based Authentication

Inputs

| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| api_key | string | - | Yes | Helium API Key |
| workspace_id | string | - | Yes | Workspace ID |
| tool | string | - | Yes | Scanner type (website-scanner) |
| scan_option | string | - | Yes | Scanner option (basic_scan, full_scan) |
| target | string | - | Yes | Target URL to scan |
| auth_method | string | - | Yes | Authentication method (form) |
| login_url | string | - | Yes | URL for authentication/login |
| login_payload | string | - | Yes | Payload for authentication/login (string or JSON) |
| after_login_url | string | - | Yes | URL to visit after login |
| logout_url | string | - | Yes | URL to log out |
| login_success_indicator | string | - | Yes | String to check in the response for a successful login |
| target_path | string | - | No | Path to the target file or directory for scanning |
| fail_on | string | high | No | Fail the build if severity >= value (low, medium, high, critical) |

Example Usage:

```yaml
steps:
  - name: Helium Security Website Scan (Form Auth)
    uses: CyberArmyID/Helium-Security-Vulnerability-Scanner@v1.0.0
    with:
      api_key: ${{ secrets.HELIUM_API_KEY }}
      workspace_id: abcd1234-abcd-abcd-abcd
      tool: website-scanner
      scan_option: full_scan
      target: portal.example.com
      auth_method: form
      login_url: https://portal.example.com/login
      login_payload: username=user&password=pass
      after_login_url: https://portal.example.com/dashboard
      logout_url: https://portal.example.com/logout
      login_success_indicator: "Welcome, user"
      fail_on: high
```

API Scanner Inputs

Without Authentication

Inputs

| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| api_key | string | - | Yes | Helium API Key |
| workspace_id | string | - | Yes | Workspace ID |
| tool | string | - | Yes | Scanner type (api-scanner) |
| scan_option | string | - | Yes | Scanner option (basic_scan, full_scan) |
| target | string | - | Yes | Target URL to scan |
| target_path | string | - | No | Path to the target file or directory for scanning |
| api_definition_type | string | - | Yes | API definition type (openapi, swagger, postman, raml, wadl) |
| api_definition_url | string | - | Yes | URL or path to the API definition file |
| fail_on | string | high | No | Fail the build if severity >= value (low, medium, high, critical) |

Example Usage:

```yaml
steps:
  - name: Helium Security API Scan (No Auth)
    uses: CyberArmyID/Helium-Security-Vulnerability-Scanner@v1.0.0
    with:
      api_key: ${{ secrets.HELIUM_API_KEY }}
      workspace_id: abcd1234-abcd-abcd-abcd
      tool: api-scanner
      scan_option: basic_scan
      target: example.com
      target_path: /path
      api_definition_type: openapi
      api_definition_url: https://api.example.com/openapi.yaml
      fail_on: high
```

With Authentication

Inputs

| Name | Type | Default | Required | Description |
| --- | --- | --- | --- | --- |
| api_key | string | - | Yes | Helium API Key |
| workspace_id | string | - | Yes | Workspace ID |
| tool | string | - | Yes | Scanner type (api-scanner) |
| scan_option | string | - | Yes | Scanner option (basic_scan, full_scan) |
| target | string | - | Yes | Target URL to scan |
| target_path | string | - | No | Path to the target file or directory for scanning |
| api_definition_type | string | - | Yes | API definition type (openapi, swagger, postman, raml, wadl) |
| api_definition_url | string | - | Yes | URL or path to the API definition file |
| login_url | string | - | Yes | URL for authentication/login |
| login_payload | string | - | Yes | Payload for authentication/login (string or JSON) |
| auth_token_location | string | - | Yes | Location of the auth token in the login response |
| auth_header_name | string | - | Yes | Header name used to send the auth token |
| auth_token_prefix | string | - | No | Prefix placed before the auth token in the header |
| fail_on | string | high | No | Fail the build if severity >= value (low, medium, high, critical) |

Example Usage:

```yaml
steps:
  - name: Helium Security API Scan (Auth)
    uses: CyberArmyID/Helium-Security-Vulnerability-Scanner@v1.0.0
    with:
      api_key: ${{ secrets.HELIUM_API_KEY }}
      workspace_id: abcd1234-abcd-abcd-abcd
      tool: api-scanner
      scan_option: full_scan
      target: api.example.com
      api_definition_type: openapi
      api_definition_url: https://api.example.com/openapi.yaml
      login_url: https://api.example.com/auth
      # Quoted so YAML passes the JSON through as a string; unquoted, it would be parsed as a mapping and rejected as an input value
      login_payload: '{"username":"user","password":"pass"}'
      auth_token_location: access.token
      auth_header_name: Authorization
      auth_token_prefix: Bearer
      fail_on: high
```
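The Example Usage blocks above are `steps:` fragments. The following is an added example, not part of the action's repository, showing a complete workflow around them: a form-authenticated website scan and an authenticated API scan as separate jobs, with the login credentials kept in GitHub Secrets the same way the README already keeps the API key. The secret names `HELIUM_LOGIN_PAYLOAD` and `HELIUM_API_LOGIN_JSON`, the repository variable `HELIUM_WORKSPACE_ID`, the trigger schedule and the hostnames are assumptions for illustration; the inputs themselves are exactly the ones documented above.

```yaml
# Added example workflow (not the action's own code). Assumed names:
# secrets HELIUM_LOGIN_PAYLOAD / HELIUM_API_LOGIN_JSON and variable HELIUM_WORKSPACE_ID.
name: Helium Security scans

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1"   # weekly deeper scan, Monday 03:00 UTC

# The action only talks to the Helium API; it needs no write access to the repository.
permissions:
  contents: read

jobs:
  website-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Helium Security Website Scan (Form Auth)
        uses: CyberArmyID/Helium-Security-Vulnerability-Scanner@v1.0.0
        with:
          api_key: ${{ secrets.HELIUM_API_KEY }}
          # Assumed repository variable holding the Workspace ID copied from Settings > Workspace.
          workspace_id: ${{ vars.HELIUM_WORKSPACE_ID }}
          tool: website-scanner
          # basic_scan on every push/PR, full_scan on the scheduled run.
          scan_option: ${{ github.event_name == 'schedule' && 'full_scan' || 'basic_scan' }}
          target: portal.example.com
          auth_method: form
          login_url: https://portal.example.com/login
          # Assumed secret containing "username=...&password=..." so the password is
          # never committed to the workflow file and is masked in the job log.
          login_payload: ${{ secrets.HELIUM_LOGIN_PAYLOAD }}
          after_login_url: https://portal.example.com/dashboard
          logout_url: https://portal.example.com/logout
          login_success_indicator: "Welcome, user"
          # Fails the job on high or critical findings; medium and low are reported only.
          fail_on: high

  api-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Helium Security API Scan (Auth)
        uses: CyberArmyID/Helium-Security-Vulnerability-Scanner@v1.0.0
        with:
          api_key: ${{ secrets.HELIUM_API_KEY }}
          workspace_id: ${{ vars.HELIUM_WORKSPACE_ID }}
          tool: api-scanner
          scan_option: full_scan
          target: api.example.com
          api_definition_type: openapi
          api_definition_url: https://api.example.com/openapi.yaml
          login_url: https://api.example.com/auth
          # Assumed secret containing the JSON login body, e.g. {"username":"...","password":"..."};
          # as a secret it arrives as a string, so no YAML quoting issue arises.
          login_payload: ${{ secrets.HELIUM_API_LOGIN_JSON }}
          auth_token_location: access.token
          auth_header_name: Authorization
          auth_token_prefix: Bearer
          fail_on: critical
```

Two things worth checking before adopting this: `fail_on` is a threshold, so `fail_on: high` lets a build with medium findings pass, and `login_success_indicator` should be a string that appears only on a successfully authenticated page, otherwise the scanner will report a successful login against an unauthenticated response and scan far less than intended.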
