GitHub Actions Integration
Two workflow patterns: Capability Scan (SARIF upload to GitHub Advanced Security) and Apex Test (JUnit report).
Agent Capability Scan
The recommended workflow. Scans only the diff on PRs, uploads SARIF to the Security tab, and adds inline PR annotations for each violation.
# .github/workflows/squirex.yml
name: SquireX Agent Capability Scan
on:
  pull_request:
    branches: [main, develop]
    paths:
      - '**/*.cls'
      - '**/*.agent'
      - '**/*.genAiFunction-meta.xml'
      - '**/*.genAiPlugin-meta.xml'
      - '**/*.genAiPlannerBundle-meta.xml'
      - '**/*.genAiPromptTemplate-meta.xml'
      - '**/*.genAiPromptTemplateActv-meta.xml'
      - '**/*.flow-meta.xml'
      - '**/*.aiEvaluationDefinition-meta.xml'
      - '**/*.field-meta.xml'
      - '**/schema.json'
      - '**/sfdx-project.json'
permissions:
  # Scopes not listed here are set to none, so checkout needs contents: read
  contents: read
  security-events: write   # SARIF upload
  pull-requests: write     # inline PR annotations
jobs:
  capability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history so the diff against the base branch resolves
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
      - name: Install SquireX
        run: npm install -g squirex
      - name: Run PR Scan
        env:
          SQUIREX_LICENSE_KEY: ${{ secrets.SQUIREX_LICENSE_KEY }}
        run: |
          squirex scan-pr -d ./force-app --base ${{ github.base_ref }} --sarif results.sarif || true
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: agentforce-capability
SARIF upload requires GitHub Advanced Security
SARIF uploads work on public repos and private repos with GitHub Advanced Security enabled. The || true on the scan step prevents blocking the upload when violations are found.
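The `|| true` on the scan step also masks a scanner crash and leaves the check passing when violations exist. The following is an added example, not SquireX's own code, of a Node script that a later step could run to fail the job from the SARIF file; the file name `sarif-gate.js`, the `error` threshold and the sample log are assumptions, and it reads only the standard SARIF 2.1.0 `runs[].results[].level` fields.

```javascript
const fs = require('fs');

// SARIF 2.1.0 result levels, lowest to highest severity.
const LEVELS = ['none', 'note', 'warning', 'error'];

// Count results at or above `threshold` in a parsed SARIF log.
// A result with no explicit level is treated as "warning" (simplification:
// rule-level defaultConfiguration overrides are not resolved here).
function countFindings(sarif, threshold = 'error') {
  const min = LEVELS.indexOf(threshold);
  if (min < 0) throw new Error(`unknown level: ${threshold}`);
  if (!sarif || !Array.isArray(sarif.runs)) throw new Error('not a SARIF log: missing runs[]');
  let count = 0;
  for (const run of sarif.runs) {
    for (const result of run.results || []) {
      if (LEVELS.indexOf(result.level || 'warning') >= min) count++;
    }
  }
  return count;
}

// Returns a process exit code: 0 clean, 1 findings, 2 cannot evaluate.
// Fails closed: a missing or unparsable file (scanner crash hidden by `|| true`) is not a pass.
function gate(path, threshold = 'error') {
  try {
    const sarif = JSON.parse(fs.readFileSync(path, 'utf8'));
    const n = countFindings(sarif, threshold);
    console.log(`${n} finding(s) at level >= ${threshold}`);
    return n > 0 ? 1 : 0;
  } catch (err) {
    console.error(`cannot evaluate ${path}: ${err.message}`);
    return 2;
  }
}

// Constructed sample log for illustration, not SquireX output.
const SAMPLE = { version: '2.1.0', runs: [{ tool: { driver: { name: 'example' } }, results: [
  { ruleId: 'EX001', level: 'error', message: { text: 'constructed' } },
  { ruleId: 'EX002', message: { text: 'constructed, no level' } },
  { ruleId: 'EX003', level: 'note', message: { text: 'constructed' } },
] }] };

// CLI use: node sarif-gate.js <file.sarif> [threshold]
if (process.argv[2]) process.exitCode = gate(process.argv[2], process.argv[3] || 'error');
```

Run it as a step after Upload SARIF, for example `node sarif-gate.js results.sarif error`, so findings still reach the Security tab before the job fails.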
Apex Test Workflow
name: Apex Tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
      - name: Install SquireX
        run: npm install -g squirex
      - name: Run Tests
        run: squirex run -d force-app/main/default/classes --junit results.xml
      - name: Publish Results
        uses: mikepenz/action-junit-report@v4
        if: always()
        with:
          report_paths: results.xml
Using a License Key (CI/CD)
A Pro or Enterprise license key is required to run SquireX inside CI/CD pipelines. Set the SQUIREX_LICENSE_KEY secret:
- name: Run Scan
  env:
    SQUIREX_LICENSE_KEY: ${{ secrets.SQUIREX_LICENSE_KEY }}
  run: squirex scan-pr -d ./force-app --base ${{ github.base_ref }} --sarif results.sarif
Add the key in Settings → Secrets and variables → Actions → New repository secret.