The PromptGuard Security Gate is a GitHub Action that runs automated red team tests against your security configuration on every pull request, ensuring security regressions are caught before merge.
Quick Start
# .github/workflows/security.yml
name: AI Security Gate
on: [pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: promptguard/security-gate@v1
with:
api-key: ${{ secrets.PROMPTGUARD_API_KEY }}
project-id: ${{ secrets.PROMPTGUARD_PROJECT_ID }}
min-grade: B
comment: true
fail-on-regression: true
| Input | Required | Default | Description |
|---|
api-key | Yes | — | PromptGuard API key |
project-id | Yes | — | PromptGuard project ID |
api-url | No | https://api.promptguard.co | API base URL |
min-grade | No | B | Minimum acceptable grade (A, B, C, D, F) |
fail-on-regression | No | true | Fail if grade drops below baseline |
comment | No | true | Post results as PR comment |
budget | No | 100 | Red team iteration count |
Outputs
| Output | Description |
|---|
grade | Security grade (A through F) |
score | Numeric score (0—100) |
bypasses-found | Number of bypasses discovered |
report | Full JSON report |
How It Works
- Calls the PromptGuard Red Team API with your project’s configuration
- Parses the response (grade, passed/failed vectors, score)
- Posts a PR comment with a summary table (if
comment: true)
- Fails the check if grade is below
min-grade
- Compares against baseline if
fail-on-regression: true
When comment: true, the action posts a summary on the PR:
| Metric | Value |
|---|
| Grade | B |
| Score | 84/100 |
| Bypasses | 4 |
| Block Rate | 92% |
Using Outputs in Workflows
jobs:
security:
runs-on: ubuntu-latest
steps:
- id: gate
uses: promptguard/security-gate@v1
with:
api-key: ${{ secrets.PROMPTGUARD_API_KEY }}
project-id: ${{ secrets.PROMPTGUARD_PROJECT_ID }}
- name: Check results
run: |
echo "Grade: ${{ steps.gate.outputs.grade }}"
echo "Score: ${{ steps.gate.outputs.score }}"
echo "Bypasses: ${{ steps.gate.outputs.bypasses-found }}"
Grading Scale
| Grade | Block Rate | Assessment |
|---|
| A | >= 95% | Excellent security posture |
| B | >= 85% | Good, minor improvements possible |
| C | >= 70% | Acceptable, review failing test cases |
| D | >= 50% | Poor, significant gaps detected |
| F | < 50% | Critical, immediate action required |
Best Practices
- Start with grade B: A reasonable minimum for most applications
- Enable regression detection: Catch security degradation early
- Run on every PR: Make security testing part of the development workflow
- Review PR comments: Understand which attack vectors pass through
- Combine with policy-as-code: Version your security config alongside your application
Next Steps
