
Installation Guide

Get RSOLV up and running in your repository in just a few minutes.

Prerequisites Checklist

  • A GitHub repository with admin access
  • GitHub Actions enabled in your repository
  • GitHub Issues enabled in your repository (RSOLV reports vulnerabilities as issues)
  • 5-10 minutes to complete setup

1 Get Your RSOLV API Key

  1. Visit rsolv.dev/signup and create an account
  2. Complete email verification
  3. Navigate to your dashboard at rsolv.dev/portal
  4. Copy your API key from the API Keys section

Free Plan: Free accounts include 5 validations per month. The recommended Option A workflow uses up to 2 of them on first push, leaving runway to re-run as you push fixes. Scan-only (Option B) is always free and unlimited.

2 Add API Key to GitHub Secrets

Store your RSOLV API key securely as a GitHub Secret:

  1. Go to your repository on GitHub
  2. Click Settings → Secrets and variables → Actions
  3. Click New repository secret
  4. Set the name to: RSOLV_API_KEY
  5. Paste your API key in the value field
  6. Click Add secret

Security Note: Never commit API keys directly to your repository. Always use GitHub Secrets.

3 Create GitHub Actions Workflow

Create a new file in your repository at:

.github/workflows/rsolv-security.yml

Option A: Recommended Default (Scan + Matrix Process)

On first push, RSOLV scans for vulnerabilities, then validates up to 2 of them by writing behavioral tests that prove the vulnerability is real and opening pull requests with the fix. The cap keeps free-tier first runs well within the 5 validations/month quota while producing enough proof artifacts to evaluate the tool.

name: RSOLV Security Pipeline

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    outputs:
      pipeline_run_id: ${{ steps.rsolv.outputs.pipeline_run_id }}
      issue_numbers: ${{ steps.rsolv.outputs.issue_numbers }}
    permissions:
      contents: write
      issues: write
    steps:
      - uses: actions/checkout@v4
      - name: Scan for vulnerabilities
        id: rsolv
        uses: RSOLV-dev/RSOLV-action@v4
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          max_issues: '2'

  process:
    needs: scan
    if: needs.scan.outputs.issue_numbers != '[]'
    strategy:
      matrix:
        issue_number: ${{ fromJSON(needs.scan.outputs.issue_numbers) }}
      fail-fast: false
      max-parallel: 1
    runs-on: ubuntu-latest
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - name: Validate and fix issue
        uses: RSOLV-dev/RSOLV-action@v4
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: 'process'
          pipeline_run_id: ${{ needs.scan.outputs.pipeline_run_id }}
          issue_number: ${{ matrix.issue_number }}

Option B: Evaluation-Only (Scan to CI Artifact)

For evaluation runs, large monorepos, or teams that want zero issue/PR creation while assessing fit: scan only and emit a JSON report as a workflow artifact. No GitHub issues, no PRs, no validation cost.

name: RSOLV Security Scan (Report Only)

on:
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: RSOLV Security Scan
        uses: RSOLV-dev/RSOLV-action@v4
        with:
          rsolvApiKey: ${{ secrets.RSOLV_API_KEY }}
          mode: 'scan'
          scan_output: 'report'

Tip: Option A is the recommended default and runs as-is — paste the YAML into .github/workflows/rsolv-security.yml, set the RSOLV_API_KEY secret, push, and you'll see PRs with proof tests on the first run. No customization required. Option B runs SCAN only — no VALIDATE phase, no PRs, no behavioral tests written; you'll get a JSON+markdown report as a workflow artifact, useful for evaluation runs where you want zero noise in the repo before deciding to enable the full pipeline.
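
A check to run on the workflow file before committing it, added here as an example and not part of RSOLV's own tooling: it flags an rsolvApiKey value that is hard-coded or that names a secret other than RSOLV_API_KEY, and any job that uses the action without a permissions block. The function name check_rsolv_workflow is made up for this example, and the line-based matching assumes two-space YAML indentation as in the workflows above.

```shell
#!/usr/bin/env bash
# Added example, not RSOLV tooling: lint the workflow file before committing.
# Findings name only the line or job, never the value, so a pasted key is
# not echoed into terminal or CI logs.
check_rsolv_workflow() {  # $1 = workflow path; returns 1 if anything is flagged
  awk '
    function close_job() {
      if (job != "" && uses_rsolv && !has_perms) missing = missing " " job
    }
    /^permissions:/ { top_perms = 1 }          # workflow-level block covers all jobs
    /^jobs: *$/     { in_jobs = 1; next }
    in_jobs && /^  [A-Za-z0-9_-]+: *$/ {       # two-space key under jobs: starts a job
      close_job()
      job = $1; sub(/:$/, "", job)
      uses_rsolv = 0; has_perms = 0
      next
    }
    /^    permissions:/ { has_perms = 1 }      # job-level block, as in Options A and B
    /uses: *RSOLV-dev\/RSOLV-action@/ { uses_rsolv = 1 }
    /rsolvApiKey:/ {
      val = $0
      sub(/^.*rsolvApiKey: */, "", val); sub(/ +$/, "", val)
      sub(/^["\047]/, "", val); sub(/["\047]$/, "", val)   # drop optional YAML quotes
      if (val !~ /^[$][{][{] *secrets[.][A-Za-z0-9_]+ *[}][}]$/) {
        printf "line %d: rsolvApiKey is a hard-coded value, not a secrets reference\n", NR
        bad = 1
      } else if (val !~ /secrets[.]RSOLV_API_KEY *[}][}]$/) {
        printf "line %d: secret name is not exactly RSOLV_API_KEY\n", NR
        bad = 1
      }
    }
    END {
      close_job()
      if (missing != "" && !top_perms) {
        printf "no permissions block for job(s):%s\n", missing
        bad = 1
      }
      exit (bad ? 1 : 0)
    }
  ' "$1"
}

# Check the path from step 3 (or a path passed as $1) when the file exists.
wf="${1:-.github/workflows/rsolv-security.yml}"
if [ -f "$wf" ]; then check_rsolv_workflow "$wf"; fi
```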

4 Commit and Verify Installation

Commit the workflow file

git add .github/workflows/rsolv-security.yml
git commit -m "Add RSOLV security workflow"
git push origin main

Verify the workflow runs

  1. Go to your repository's Actions tab
  2. You should see one of: "RSOLV Security Pipeline" (Option A) running with a scan job followed by one process job per issue (up to the 2 cap), OR "RSOLV Security Scan (Report Only)" (Option B) running a single scan job
  3. Click on the workflow run to view progress
  4. Wait for completion (typically 5-15 minutes for Option A's full pipeline; under a minute for Option B's report-only)

Check the results

  • Option A: Navigate to your Pull Requests tab and look for PRs from rsolv-fix/* branches. Each PR contains a failing behavioral test (RED) demonstrating the vulnerability and the fix that makes it pass (GREEN). The matching GitHub issue (in the Issues tab, labeled security and rsolv) is referenced from the PR body.
  • Option B: Navigate to the workflow run's Summary page and download the rsolv-scan-report artifact. It contains a JSON report and a markdown summary of all findings; no GitHub issues or PRs are created.

Common Installation Issues

Workflow fails with "Invalid API key"

  • Verify the secret name is exactly RSOLV_API_KEY
  • Check that you copied the full API key from your dashboard
  • Regenerate your API key if necessary

No issues created after scan

  • Great news! Your code may not have detectable vulnerabilities
  • Check workflow logs to confirm scan completed successfully
  • RSOLV only creates issues for confirmed vulnerabilities (AST-validated)

Scan fails with "410" or "Issues has been disabled"

  • GitHub Issues must be enabled for RSOLV to report vulnerabilities
  • Go to Settings → General → Features and check Issues
  • This is common on forked repositories, where GitHub disables Issues by default

Permission errors

  • Ensure the permissions block is present in your workflow (see examples above)
  • For organizations: Settings → Actions → General → Allow GitHub Actions to create PRs
  • Verify you have admin access to the repository

For more help, see the Troubleshooting Guide or email support@rsolv.dev.