Skip to main content

CI Integration: GitHub Actions

Set up Vibgrate in GitHub Actions for continuous drift detection, SARIF integration with Code Scanning, and automated dashboard uploads.

Vibgrate Docs

Vibgrate Help

Overview

Vibgrate integrates seamlessly with GitHub Actions. Common patterns include:

  • Running drift scans on every PR
  • Uploading SARIF results to GitHub Code Scanning
  • Enforcing drift budgets as merge checks
  • Pushing metrics to the Vibgrate Cloud

Basic Drift Scan

name: Vibgrate Drift Scan
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  drift-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Vibgrate Scan
        run: npx @vibgrate/cli scan --fail-on error

SARIF Upload to Code Scanning

name: Vibgrate SARIF
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  drift-scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Vibgrate Scan
        run: npx @vibgrate/cli scan --format sarif --out vibgrate.sarif --fail-on error

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: vibgrate.sarif

Findings appear directly in the Security tab and inline on PRs.

Vulnerability Gate (--vulns)

The maintained vibgrate/cli Action scans installed dependencies for known vulnerabilities, gates the PR, and uploads SARIF in one step:

jobs:
  vulnerabilities:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history -> exposure attribution + remediation MTTR

      - uses: vibgrate/cli@v1
        with:
          vulns: true
          fail-on: error          # critical/high block the merge
          upload-sarif: true
          category: vibgrate-vulns

vulns: true adds --vulns (OSV check), fail-on: error blocks the merge on critical/high, and upload-sarif: true runs the code-scanning upload after the scan. Prefer raw CLI steps? Run npx @vibgrate/cli scan --vulns --format sarif --out vibgrate.sarif --fail-on error, then upload the file with github/codeql-action/upload-sarif@v3.

Drift Budget Enforcement

      - name: Vibgrate Scan with Budget
        run: |
          npx @vibgrate/cli scan \
            --baseline .vibgrate/baseline.json \
            --drift-budget 40 \
            --drift-worsening 5 \
            --fail-on error

Vibgrate Cloud Push

      - name: Push to Vibgrate Cloud
        env:
          VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
        run: npx @vibgrate/cli@latest push --strict

Store your DSN in Settings → Secrets and variables → Actions.

Scan + Push in One Step

      - name: Vibgrate Scan & Push
        env:
          VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
        run: npx @vibgrate/cli scan --push --strict --fail-on error

Matrix Strategy for Monorepos

jobs:
  drift-scan:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        project: [packages/api, packages/web, packages/cli]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - name: Vibgrate Scan ${{ matrix.project }}
        run: npx @vibgrate/cli scan ${{ matrix.project }} --fail-on error

Related Commands