Skip to main content

Getting Started

Getting started with Cimon is as simple as three steps:

Step 1 - Install GitHub App

CI Support

This step is not required for Cycode customers. Cycode customers can integrate GitHub organizations by visiting the integrations page.

GitHub App installation is required to start onboarding.

GitHub App integration allows you to manage security policies and monitor Cimon agent installations using the Cimon platform.

GitHub App

Integrating the GitHub App is crucial for authenticating users, organizations, and repositories. Pay attention that all repositories you wish to secure are authorized through the GitHub App authorization flow. We require minimal permissions for the app; you can further read about it here.

You will be directed to the Cimon application UI once the process is complete.

Step 2 - Generate API Key in Cimon Platform

Cimon API keys consist of two values: client-id and secret, and are used to authenticate the user. Keys can be generated here.

These values should be saved in GitHub organization settings as GitHub Actions secrets and titled CIMON_CLIENT_ID and CLIENT_SECRET.

GitHub Actions Secrets

The best method to use tokens and API keys in GitHub Actions is by defining them in organization actions settings, as explained here. These tokens could be defined in each repository as well.

Step 3 - Add Cimon Action to your Workflow

Cimon Action should be the first step in each of your jobs.


To get Cimon to learn your pipeline, we recommend starting it on "Detect Mode."

- uses: cycodelabs/cimon-action@v0
client-id: ${{ secrets.CIMON_CLIENT_ID }}
secret: ${{ secrets.CIMON_SECRET }}

With our custom GitHub Action, we automatically run the agent, terminate it gracefully, and generate a neat report for you. To help you generate the preventive policy, the Security Report will guide you through the security profile you need to apply for your build.

Get Started Locally

The Cimon action can also be run locally (without authentication) by omitting the authentication details:

- uses: cycodelabs/cimon-action@v0
prevent: true
allowed-hosts: >
allowed-ips: >