CI/CD Issues
Build fails on "high" findings
Symptom: The CI workflow fails because NAT found high-severity issues.
This is the intended behavior when fail-on: high is configured. The build is designed to fail when security issues are found.
Options:
- Fix the findings (recommended) — address the vulnerabilities before merging
- Adjust the threshold — change
fail-ontocriticalto only fail on critical issues - Dismiss the finding if it's a false positive:
nat findings dismiss --id FINDING_ID --reason false_positive - Use
continue-on-errortemporarily while addressing findings:- uses: bg-playground/nat-action@v1 continue-on-error: true with: api-url: ...
NAT_API_KEY secret not found
Symptom: Workflow fails with "API key is required" or authentication error.
Solutions:
- Verify the secret is set: Repository → Settings → Secrets and variables → Actions
- Confirm the secret name matches exactly:
NAT_API_KEY(case-sensitive) - For organization-level secrets, ensure the secret is shared with the repository
- Check that the workflow has permission to access secrets (not blocked by environment protection rules)
Target API not reachable from CI runner
Symptom: Connection errors when the CI workflow tries to scan your staging API.
Common causes:
| Cause | Solution |
|---|---|
| Staging not deployed yet | Add a "wait for deployment" step before the scan |
| CI runner can't reach staging | Use a self-hosted runner on the same network as staging |
| Firewall blocks GitHub Actions IPs | Allowlist GitHub Actions IP ranges (opens in a new tab) |
| Staging on private VPN | Add a VPN connection step to the workflow |
Wait for staging to be ready:
- name: Wait for staging deployment
run: |
for i in $(seq 1 30); do
if curl -sf ${{ vars.STAGING_API_URL }}/health; then
echo "Staging is ready"
exit 0
fi
echo "Waiting for staging... ($i/30)"
sleep 10
done
echo "Staging didn't become ready in time"
exit 1Scan times out in CI
Symptom: The scan is killed by the CI runner due to exceeding the job timeout.
Solutions:
- Increase the GitHub Actions
timeout-minutes:jobs: nat-scan: timeout-minutes: 60 - Reduce scan scope:
- uses: bg-playground/nat-action@v1 with: exclude: "/api/v1/reports/*,/api/v1/exports/*" max-requests: "1000" - Reduce concurrency and timeout to prevent queuing:
concurrency: "2" timeout: "15"
SARIF upload fails
Symptom: The github/codeql-action/upload-sarif step fails after the scan.
Solutions:
- Ensure the job has
security-events: writepermission:permissions: security-events: write contents: read - Use
if: always()so the upload runs even when the scan step fails:- uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: nat-results.sarif - Ensure the SARIF file was created — if the scan errored before creating it, the upload will fail:
- uses: bg-playground/nat-action@v1 id: nat continue-on-error: true - uses: github/codeql-action/upload-sarif@v3 if: always() && hashFiles('nat-results.sarif') != '' with: sarif_file: nat-results.sarif
Workflow runs on every commit but is slow
Symptom: The scan workflow adds significant time to every PR.
Solutions:
- Only run on pushes to main and PRs to main (not on every branch push):
on: pull_request: branches: [main] push: branches: [main] - Cache the pip installation:
- uses: actions/cache@v4 with: path: ~/.cache/pip key: nat-${{ runner.os }}-pip - Run the scan as a separate non-blocking job:
jobs: tests: ... nat-scan: needs: [] # run in parallel with tests, not after continue-on-error: true
Secrets not available in pull requests from forks
Symptom: Scans work on direct pushes but fail on PRs from forked repositories.
GitHub does not pass secrets to workflows triggered by pull requests from forks, for security reasons.
Solutions:
- Use the
pull_request_targetevent (with caution — review security implications) - Require collaborators to be added before their PRs are scanned
- Run the scan only on
pushto protected branches, not onpull_request
Next steps
- CI/CD Integration guide — full CI/CD reference
- GitHub Action reference — complete input/output docs
- Connection Errors — network troubleshooting