CI Integration
Continuous integration setup and configuration
FAQs
How do I integrate Vibgrate into CI/CD pipelines?
The CLI requires no login for scanning and returns meaningful exit codes (0=success, 2=threshold exceeded). Basic CI integration: npx @vibgrate/cli scan --fail-on error. For drift budgets: add --baseline .vibgrate/baseline.json --drift-budget 40. For SARIF upload (GitHub Code Scanning): add --format sarif --out vibgrate.sarif. Works with GitHub Actions, Azure DevOps, GitLab CI, Jenkins, and any CI system with Node.js.
How do I upload SARIF results to GitHub Code Scanning?
Run scan with SARIF output: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error. Then use github/codeql-action/upload-sarif@v3 with sarif_file: vibgrate.sarif. Requires security-events: write permission. Findings appear in the Security tab and inline on PRs.
How do I gate pull requests on known vulnerabilities with GitHub Actions?
Use the maintained vibgrate/cli Action: `uses: vibgrate/cli@v1` with `vulns: true`, `fail-on: error`, and `upload-sarif: true`. It scans installed dependencies against OSV, fails the check on critical/high findings (blocking the merge), and uploads the SARIF to code scanning in one step — the workflow needs `permissions: security-events: write`. Check out with `fetch-depth: 0` so each finding is attributed to the commit that introduced it. The copy-paste template is examples/github-actions/vulnerabilities-sarif.yml; the raw-CLI equivalent is `npx @vibgrate/cli scan --vulns --format sarif --out vibgrate.sarif --fail-on error` followed by github/codeql-action/upload-sarif@v3.
What is a drift budget and how do I use it?
A drift budget sets a maximum acceptable drift score. Use --drift-budget 40 to fail the scan (exit code 2) if your drift score exceeds 40. Combine with --drift-worsening 5 to fail if drift has worsened by more than 5% compared to baseline. This creates 'fitness functions' that prevent drift regression in CI.
How do I set up Vibgrate in Azure DevOps?
Add NodeTool@0 task with versionSpec: '22.x', then run npx @vibgrate/cli scan --fail-on error. For SARIF artifacts: add --format sarif --out vibgrate.sarif, then use PublishBuildArtifacts@1 task. Store VIBGRATE_DSN in pipeline variables for dashboard push. Works with both classic and YAML pipelines.
How do I set up Vibgrate in GitLab CI?
Use node:22 image and run npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error. Add artifacts.reports.sast: vibgrate.sarif for SAST integration. Findings appear in Security Dashboard and merge requests. Store VIBGRATE_DSN in CI/CD variables for pushing to Vibgrate Cloud.
How do I run Vibgrate in Jenkins?
Use node:22 Docker image or ensure Node.js 22+ is installed on agents. Run npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error. Archive vibgrate.sarif as artifact. The CLI returns exit code 2 on threshold failures, which Jenkins interprets as build failure. No special plugin required.