Overview
Vibgrate integrates seamlessly with GitHub Actions. Common patterns include:
- Running drift scans on every PR
- Uploading SARIF results to GitHub Code Scanning
- Enforcing drift budgets as merge checks
- Pushing metrics to the Vibgrate Cloud
Basic Drift Scan
name: Vibgrate Drift Scan
on:
pull_request:
branches: [main]
push:
branches: [main]
jobs:
drift-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
- name: Vibgrate Scan
run: npx @vibgrate/cli scan --fail-on error
SARIF Upload to Code Scanning
name: Vibgrate SARIF
on:
pull_request:
branches: [main]
push:
branches: [main]
jobs:
drift-scan:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
- name: Vibgrate Scan
run: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: vibgrate.sarif
Findings appear directly in the Security tab and inline on PRs.
Vulnerability Gate (--vulns)
The maintained vibgrate/cli Action scans installed dependencies for known vulnerabilities, gates the PR, and uploads SARIF in one step:
jobs:
vulnerabilities:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # full history -> exposure attribution + remediation MTTR
- uses: vibgrate/cli@v1
with:
vulns: true
fail-on: error # critical/high block the merge
upload-sarif: true
category: vibgrate-vulns
vulns: true adds --vulns (OSV check), fail-on: error blocks the merge on critical/high, and upload-sarif: true runs the code-scanning upload after the scan. Prefer raw CLI steps? Run npx @vibgrate/cli scan --vulns --format sarif --out vibgrate.sarif --fail-on error, then upload the file with github/codeql-action/upload-sarif@v3.
Drift Budget Enforcement
- name: Vibgrate Scan with Budget
run: |
npx @vibgrate/cli scan \
--baseline .vibgrate/baseline.json \
--drift-budget 40 \
--drift-worsening 5 \
--fail-on error
Vibgrate Cloud Push
- name: Push to Vibgrate Cloud
env:
VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
run: npx @vibgrate/cli@latest push --strict
Store your DSN in Settings → Secrets and variables → Actions.
Scan + Push in One Step
- name: Vibgrate Scan & Push
env:
VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
run: npx @vibgrate/cli scan --push --strict --fail-on error
Matrix Strategy for Monorepos
jobs:
drift-scan:
runs-on: ubuntu-latest
strategy:
matrix:
project: [packages/api, packages/web, packages/cli]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
- name: Vibgrate Scan ${{ matrix.project }}
run: npx @vibgrate/cli scan ${{ matrix.project }} --fail-on error