Naftiko · Capability

Github Actions Secret Scan Capability

A capability that runs secret-scan checks against repos using GitHub's secret-scanning alerts API and exposes results as governance events.

Tags: Naftiko, GitHub, Secret Scanning

What You Can Do

GET /alerts/{{owner}}/{{repo}} — List secret alerts

MCP Tools

- list-secret-alerts (read-only)
- get-secret-alert (read-only)

Capability Spec

github-actions-secret-scan-capability.yaml Raw ↑
# Spec version marker (presumably the Naftiko schema revision; confirm).
naftiko: 1.0.0-alpha2
# Descriptive metadata for the capability.
info:
  title: Github Actions Secret Scan Capability
  description: >-
    A capability that runs secret-scan checks against repos using GitHub's
    secret-scanning alerts API and exposes results as governance events.
  tags:
  - Naftiko
  - GitHub
  - Secret Scanning
  created: '2026-05-01'
  modified: '2026-05-04'
# The GitHub credential is bound by name rather than embedded in this file;
# the `github` consumer references it as '{{GITHUB_TOKEN}}'.
# NOTE(review): callers of the exposed surfaces choose owner/repo, so this
# token's reach is the capability's reach. Prefer a token limited to
# read-only secret-scanning alert access on the intended repositories.
binds:
- namespace: github-env
  keys:
    GITHUB_TOKEN: GITHUB_TOKEN
capability:
  # Upstream side: the GitHub REST API over HTTPS, with the bound
  # GITHUB_TOKEN sent as a bearer token on every call.
  consumes:
  - namespace: github
    type: http
    baseUri: https://api.github.com
    authentication:
      type: bearer
      token: '{{GITHUB_TOKEN}}'
    resources:
    # NOTE(review): owner, repo and alert_number are substituted into the
    # upstream path. Confirm the runtime encodes each value as a single path
    # segment (no '/', '..', '?' or '#' passing through), so a request cannot
    # be steered to a different GitHub endpoint under this token.
    # Lists the secret-scanning alerts of one repository.
    - name: secret-scanning-alerts
      path: '/repos/{{owner}}/{{repo}}/secret-scanning/alerts'
      operations:
      - name: list-secret-alerts
        method: GET
        inputParameters:
        - name: owner
          in: path
        - name: repo
          in: path
    # Fetches a single alert by its number.
    - name: secret-alert
      path: '/repos/{{owner}}/{{repo}}/secret-scanning/alerts/{{alert_number}}'
      operations:
      - name: get-secret-alert
        method: GET
        inputParameters:
        - name: owner
          in: path
        - name: repo
          in: path
        - name: alert_number
          in: path
  # Downstream side: three listeners (REST, MCP, skill) that front the
  # `github` consumer.
  # NOTE(review): each listener binds 0.0.0.0 and this spec shows no
  # authentication on any of them, while upstream calls run with the service's
  # GITHUB_TOKEN. GitHub's alert payloads can include the detected secret
  # value, so anything that can reach these ports can read alerts for any
  # repository the token covers. Confirm the deployment restricts access
  # (loopback or private interface, network policy, or an authenticating
  # proxy) and consider an allow-list for owner/repo.
  exposes:
  # REST surface: only the list operation is exposed here.
  - type: rest
    address: 0.0.0.0
    port: 8080
    namespace: github-actions-secret-scan-capability-rest
    description: REST surface for GitHub secret-scan results.
    resources:
    - name: alerts
      path: '/alerts/{{owner}}/{{repo}}'
      operations:
      - method: GET
        name: list-secret-alerts
        inputParameters:
        - name: owner
          in: path
          type: string
        - name: repo
          in: path
          type: string
        call: github.list-secret-alerts
  # MCP surface: both tools are marked readOnly and map to GET calls.
  # NOTE(review): the readOnly hint describes the tools; it is not shown here
  # to restrict who may call them.
  - type: mcp
    address: 0.0.0.0
    port: 3010
    namespace: github-actions-secret-scan-capability-mcp
    description: MCP for secret-scan results.
    tools:
    - name: list-secret-alerts
      hints:
        readOnly: true
      inputParameters:
      - name: owner
        type: string
        required: true
      - name: repo
        type: string
        required: true
      call: github.list-secret-alerts
    - name: get-secret-alert
      hints:
        readOnly: true
      # NOTE(review): alert_number is declared as a free-form string; if the
      # schema offers a numeric type, using it would reject non-numeric input
      # before it reaches the upstream path.
      inputParameters:
      - name: owner
        type: string
        required: true
      - name: repo
        type: string
        required: true
      - name: alert_number
        type: string
        required: true
      call: github.get-secret-alert
  # Skill surface: re-exports the two MCP tools; allowed-tools names only
  # those two.
  - type: skill
    address: 0.0.0.0
    port: 3011
    namespace: github-actions-secret-scan-capability-skills
    description: Skill for secret-scan governance.
    skills:
    - name: github-actions-secret-scan-capability
      description: GitHub secret-scanning governance.
      # NOTE(review): the skill is loaded from a local path; keep that
      # directory writable only by the deploying account.
      location: file:///opt/naftiko/skills/github-actions-secret-scan-capability
      allowed-tools: list-secret-alerts,get-secret-alert
      tools:
      - name: list-secret-alerts
        from:
          sourceNamespace: github-actions-secret-scan-capability-mcp
          action: list-secret-alerts
      - name: get-secret-alert
        from:
          sourceNamespace: github-actions-secret-scan-capability-mcp
          action: get-secret-alert