cerberauth/jwtop-action
The official action — no setup required, just add it to your workflow.
Run jwtop in your GitHub Actions workflows to catch JWT misconfigurations before they reach production.
cerberauth/jwtop-action
The official action — no setup required, just add it to your workflow.
Raw CLI
Install jwtop directly and run any command in a workflow step.
The cerberauth/jwtop-action action installs jwtop and runs the command you specify.
- uses: cerberauth/jwtop-action@v1 with: args: crack ${{ env.TOKEN }} --url https://api.example.com/protected| Input | Description | Required |
|---|---|---|
args | Arguments passed directly to jwtop | Yes |
name: JWT security scan
on: pull_request:
jobs: jwt-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6
- name: Scan for JWT vulnerabilities uses: cerberauth/jwtop-action@v1 with: args: crack ${{ secrets.TEST_TOKEN }} --url ${{ vars.API_URL }}/protectedIf you need more control, install jwtop as a step and run commands directly.
- name: Install jwtop run: go install github.com/cerberauth/jwtop@latestOr use the Docker image to avoid needing Go:
- name: Scan JWT vulnerabilities run: | docker run --rm ghcr.io/cerberauth/jwtop \ crack "$TOKEN" --url "$API_URL" env: TOKEN: ${{ secrets.TEST_TOKEN }} API_URL: ${{ vars.API_URL }}jwtop crack exits 0 if at least one exploit succeeds. Use a negation to fail the build:
- name: Assert no JWT vulnerabilities run: | if jwtop crack "$TOKEN" --url "$API_URL"; then echo "::error::JWT vulnerability detected" exit 1 fi env: TOKEN: ${{ secrets.TEST_TOKEN }} API_URL: ${{ vars.API_URL }}- name: Generate test JWT run: | TOKEN=$(jwtop create --alg HS256 \ --secret "$TEST_SECRET" \ --sub ci-runner \ --exp 1h) echo "TEST_TOKEN=$TOKEN" >> "$GITHUB_ENV" env: TEST_SECRET: ${{ secrets.TEST_SECRET }}
- name: Run integration tests run: go test ./integration/... env: TEST_TOKEN: ${{ env.TEST_TOKEN }}- name: Verify staging token run: jwtop verify "$TOKEN" --jwks "$JWKS_URI" env: TOKEN: ${{ steps.fetch-token.outputs.token }} JWKS_URI: https://staging.example.com/.well-known/jwks.json- name: Full JWT security scan uses: cerberauth/jwtop-action@v1 with: args: > crack ${{ secrets.TEST_TOKEN }} --url ${{ vars.API_URL }}/protected --key public.pem --wordlist wordlists/secrets.txt