This guide adds Vibgrate drift scanning to a CircleCI pipeline so each commit reports a DriftScore and fails on regressions. It targets teams using .circleci/config.yml with the cloud or self-hosted runners.
Prerequisites
- A CircleCI project connected to your repository.
- A Node-capable executor (the
cimg/nodeimage works well).
Job definition
version: 2.1
jobs:
drift:
docker:
- image: cimg/node:22.11
steps:
- checkout
- run:
name: Vibgrate scan
command: npx @vibgrate/cli scan --fail-on error
workflows:
build:
jobs:
- drift
The checkout step puts your code in the working directory, and npx @vibgrate/cli scan scans that directory.
Quality gate
--fail-on error exits non-zero when an error-severity finding exists, which fails the CircleCI step. To gate on a numeric budget instead, use --drift-budget:
npx @vibgrate/cli scan --drift-budget 60
This fails the job if the DriftScore exceeds the budget. See Gate pull requests on a drift budget for the reasoning behind budgets.
Storing the report
Write a report and store it as an artifact:
- run:
name: Vibgrate report
command: npx @vibgrate/cli scan --format markdown --out drift-report.md
- store_artifacts:
path: drift-report.md
Caching
Use CircleCI's save_cache/restore_cache keyed on your lockfile to retain the Vibgrate cache directory between runs and shorten scan time. See Cache Vibgrate scans in CI for the general pattern.
Related
- Upload SARIF results to code scanning for security dashboards.
- Push scan results to Vibgrate Cloud from CI for org-wide trends.