Adding Vibgrate to GitHub Actions: CI Drift Gates in 10 Lines of YAML

The real power of drift scoring is not the one-off scan — it is the continuous signal. Adding Vibgrate to your GitHub Actions pipeline means every PR is checked for drift regression, every build knows its upgrade posture, and findings appear directly in your code review workflow.

From One-Off to Continuous

Running vibgrate scan . locally gives you a snapshot. Putting it in CI gives you a guardrail. Every pull request, every build, every merge to main — each one is checked for drift regression before it reaches production.

The setup takes less than 10 lines of YAML.

The Basic Integration

Add this to your .github/workflows/ci.yml:

- name: Vibgrate Scan
  run: npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error

- name: Upload SARIF
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: vibgrate.sarif

This does three things:

  1. Scans the repository for drift on every workflow trigger.
  2. Fails the build (exit code 2) if any error-level finding is detected — such as a runtime within 180 days of EOL or a framework that is 3+ major versions behind.
  3. Uploads the SARIF file to GitHub Code Scanning, so drift findings appear in the Security tab of your repository and inline on pull request diffs.

Adding Baseline Comparison

For even more value, compare each scan against your committed baseline:

- name: Vibgrate Scan with Baseline
  run: |
    npx @vibgrate/cli scan . \
      --baseline .vibgrate/baseline.json \
      --drift-budget 40 \
      --drift-worsening 5 \
      --format sarif \
      --out vibgrate.sarif \
      --fail-on error

Now the pipeline also fails if:

  • The absolute drift score drops below 40 (--drift-budget 40)
  • Drift worsens by more than 5% relative to the baseline (--drift-worsening 5)

This turns drift into a quality gate — equivalent to test coverage thresholds or linting rules.

Pushing to the Dashboard

To track trends over time across repositories, add the optional dashboard upload:

- name: Vibgrate Scan
  env:
    VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
  run: npx @vibgrate/cli scan . --push --format sarif --out vibgrate.sarif --fail-on error

Store your DSN as a GitHub secret — never commit it to code. The --push flag uploads the scan artifact to the Vibgrate dashboard after a successful scan, enabling trend charts, portfolio views, and historical comparisons.
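
The steps above placed in a complete workflow, as an added example that is not Vibgrate's own configuration: the GITHUB_TOKEN is limited to the two permissions the job needs, and the DSN is only put in the environment on pushes to main, so a scan of pull request code never runs with the secret present. The workflow name, job id, Node version, trigger choice and the split into a PR step and a main step are assumptions; the scan commands and flags are the ones shown on this page.

```yaml
# .github/workflows/ci.yml (added example; names and Node version are assumptions)
name: ci
on:
  pull_request:
  push:
    branches: [main]

# Least privilege: the token gets only what the steps below use.
permissions:
  contents: read          # actions/checkout
  security-events: write  # github/codeql-action/upload-sarif

jobs:
  drift-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 20             # assumption: any Node version your project supports

      # Pull requests: enforce the gate against the committed baseline, no secret involved.
      - name: Vibgrate Scan (PR gate)
        if: github.event_name == 'pull_request'
        run: |
          npx @vibgrate/cli scan . \
            --baseline .vibgrate/baseline.json \
            --drift-budget 40 \
            --drift-worsening 5 \
            --format sarif \
            --out vibgrate.sarif \
            --fail-on error

      # Merged code on main: same scan, plus the dashboard upload that needs the DSN.
      - name: Vibgrate Scan (main, push to dashboard)
        if: github.event_name == 'push'
        env:
          VIBGRATE_DSN: ${{ secrets.VIBGRATE_DSN }}
        run: npx @vibgrate/cli scan . --push --format sarif --out vibgrate.sarif --fail-on error

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: vibgrate.sarif
```

Action tags such as @v3 and an unversioned npx package both resolve to whatever is current at run time; pinning the actions to a commit SHA and the CLI to a version you have chosen makes the gate reproducible.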

What Your Team Gets

Once Vibgrate is in CI:

  • Every PR shows its drift impact: developers see whether their changes improve or worsen upgrade health before merging.
  • No silent regression: a dependency downgrade or a missed EOL date triggers a build failure, not a quiet surprise months later.
  • Drift findings in code review: SARIF integration puts findings right where developers already work — in the GitHub PR interface.
  • Historical trends: with dashboard upload, leadership can see drift trends across the entire organization.

The Vibgrate Drift Intelligence Engine was built for CI from day one. The scan is fast (seconds, not minutes), requires no authentication for local analysis, and produces standard output formats that integrate with the tools you already use.


Add drift gates to your pipeline today. Sign up at dash.vibgrate.com to get your DSN, configure GitHub Actions, and start enforcing drift budgets on every PR.