CI Integration

Copy this into your pipeline

VibeGuard runs in any CI system. Output SARIF for GitHub Code Scanning, or JSON for custom integrations. No cloud account required.

2-minute setup
Runs in your runner
Standard SARIF output

GitHub Actions

Copy this file to .github/workflows/. It runs on every push and PR to main, then uploads findings to GitHub Code Scanning.

.github/workflows/vibeguard.yml
name: VibeGuard Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least-privilege token: upload-sarif needs security-events: write,
# and checkout only needs to read the repository.
permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install VibeGuard
        run: pip install vibeguard-cli

      - name: Run security scan
        run: vibeguard scan . --format sarif --output results.sarif

      - name: Upload SARIF to GitHub
        # The scan step exits non-zero when it finds issues, which would
        # skip this step; always() uploads the report regardless, so the
        # findings actually reach the Security tab.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

SARIF upload: The github/codeql-action/upload-sarif action is GitHub's official action for uploading SARIF files from any tool. Findings appear in the Security tab within seconds and link directly to the relevant lines of code.
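To make the "link directly to the relevant lines" behaviour concrete, here is an added example (not VibeGuard's code, and not its real JSON schema) that turns an assumed flat list of findings into a minimal SARIF 2.1.0 log of the kind upload-sarif consumes. The finding fields `rule`, `severity`, `file`, `line` and `message` are assumed; the sample findings are constructed.

```python
"""Convert a flat list of findings into a minimal SARIF 2.1.0 log.

Added example for this page; it is not VibeGuard's own code, and the
finding shape (rule, severity, file, line, message) is assumed.
"""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Map an assumed severity vocabulary onto SARIF result levels.
# GitHub Code Scanning surfaces "error" as an alert that can block merges.
LEVEL_BY_SEVERITY = {
    "critical": "error",
    "high": "error",
    "medium": "warning",
    "low": "note",
}

# Constructed sample findings, in the assumed JSON shape.
SAMPLE_FINDINGS = [
    {"rule": "hardcoded-secret", "severity": "critical",
     "file": "./app/config.py", "line": 12,
     "message": "API key assigned to a string literal"},
    {"rule": "sql-string-concat", "severity": "medium",
     "file": "app/db.py", "line": 40,
     "message": "SQL query built with string concatenation"},
]


def repo_relative(path):
    """SARIF artifact URIs must be relative to the repository root for
    GitHub to resolve them; strip a leading './' a scanner may emit."""
    return path[2:] if path.startswith("./") else path


def to_sarif(findings, tool_name="example-scanner", tool_version="0.0.0"):
    """Build one SARIF run: a rule entry per distinct rule id and one
    result per finding, each carrying a physical location (file + line)."""
    rules = {}
    results = []
    for f in findings:
        level = LEVEL_BY_SEVERITY.get(f["severity"], "warning")
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "shortDescription": {"text": f["rule"].replace("-", " ")},
            "defaultConfiguration": {"level": level},
        })
        results.append({
            "ruleId": f["rule"],
            "level": level,
            "message": {"text": f["message"]},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {
                        "uri": repo_relative(f["file"]),
                        "uriBaseId": "%SRCROOT%",
                    },
                    "region": {"startLine": f["line"]},
                }
            }],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


def write_sarif(findings, path):
    """Serialise the log to disk, the file a CI step would upload."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_sarif(findings), fh, indent=2)


if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_FINDINGS), indent=2))
```

The two details that matter for the "links to the relevant lines" part are the repository-relative `uri` (absolute runner paths will not resolve in the Security tab) and a `region.startLine` on every result; the rule entries in `tool.driver.rules` give each alert a title and default severity.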

Exit codes and thresholds

VibeGuard uses exit codes to signal whether the build should pass or fail. Your CI system handles the rest.

exit 0: Pass. No critical or high findings.

exit 1: Warning. Medium findings detected.

exit 2: Fail. Critical or high findings detected.

Customize thresholds with flags:

vibeguard scan . --fail-on high --warn-on medium
vibeguard scan . --fail-on critical   # Only fail on critical
vibeguard scan . --fail-on none       # Never fail (report only)

Baseline mode: new issues only

Adopting VibeGuard on an existing codebase? Baseline mode lets CI fail only on newly introduced findings, not legacy debt.

1. vibeguard baseline create
   Snapshot your current findings into a baseline file.

2. vibeguard scan . --baseline
   Only report findings not in the baseline. Old issues are tracked separately.

3. vibeguard baseline update
   As you fix legacy issues, update the baseline to reflect progress.

CI only fails on newly introduced issues. You make progress on technical debt without blocking current work.
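The following added example (not VibeGuard's code) models both the threshold gate from the exit-codes section and the three baseline steps above, so you can see why "CI only fails on newly introduced issues" works. It assumes a findings shape of `rule`, `severity`, `file`, `line` and `snippet`, assumes that `baseline update` drops fixed entries without adding new ones, and uses constructed sample scans.

```python
"""Baseline diff plus threshold gate for a CI scanner.

Added example for this page, not VibeGuard's code. The findings shape
(rule, severity, file, line, snippet) and the update semantics are assumed.
"""
import hashlib

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Exit codes as the page documents them: 0 pass, 1 warning, 2 fail.
EXIT_PASS, EXIT_WARN, EXIT_FAIL = 0, 1, 2

# Constructed "yesterday" scan, taken when the baseline was created.
LEGACY_SCAN = [
    {"rule": "hardcoded-secret", "severity": "high", "file": "app/config.py",
     "line": 12, "snippet": 'API_KEY = "sk-constructed-example"'},
    {"rule": "weak-hash", "severity": "medium", "file": "app/auth.py",
     "line": 30, "snippet": "hashlib.md5(password)"},
]

# Constructed "today" scan: the secret moved three lines down because of an
# unrelated edit (and gained whitespace), weak-hash was fixed, and one new
# critical finding was introduced.
TODAY_SCAN = [
    {"rule": "hardcoded-secret", "severity": "high", "file": "app/config.py",
     "line": 15, "snippet": 'API_KEY   = "sk-constructed-example"'},
    {"rule": "sql-string-concat", "severity": "critical", "file": "app/db.py",
     "line": 40, "snippet": 'cursor.execute("SELECT * FROM users WHERE id = " + uid)'},
]


def fingerprint(finding):
    """Stable identity for a finding. Deliberately excludes the line number:
    an unrelated edit above the issue would otherwise move the line, make a
    legacy issue look new, and fail the build. Whitespace is normalised so
    reformatting does not change the identity either."""
    snippet = " ".join(finding["snippet"].split())
    raw = f'{finding["rule"]}|{finding["file"]}|{snippet}'
    return hashlib.sha256(raw.encode()).hexdigest()


def create_baseline(findings):
    """Step 1 (baseline create): snapshot the current findings."""
    return {"fingerprints": sorted(fingerprint(f) for f in findings)}


def split_against_baseline(findings, baseline):
    """Step 2 (scan --baseline): partition a scan into new findings and
    known legacy ones, which are reported separately rather than dropped."""
    known = set(baseline["fingerprints"])
    new, legacy = [], []
    for f in findings:
        (legacy if fingerprint(f) in known else new).append(f)
    return new, legacy


def update_baseline(baseline, findings):
    """Step 3 (baseline update), assumed semantics: forget fingerprints that
    no longer appear (issues fixed) but never adopt new ones, so new findings
    keep failing CI until they are fixed."""
    current = {fingerprint(f) for f in findings}
    return {"fingerprints": sorted(fp for fp in baseline["fingerprints"]
                                   if fp in current)}


def exit_code(findings, fail_on="high", warn_on="medium"):
    """Map the worst severity present to the documented exit codes.
    fail_on / warn_on are inclusive lower bounds; 'none' disables a level."""
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    if fail_on != "none" and worst >= SEVERITY_RANK[fail_on]:
        return EXIT_FAIL
    if warn_on != "none" and worst >= SEVERITY_RANK[warn_on]:
        return EXIT_WARN
    return EXIT_PASS


def ci_verdict(scan, baseline, fail_on="high", warn_on="medium"):
    """What a --baseline scan does in CI: gate only on the new findings."""
    new, _legacy = split_against_baseline(scan, baseline)
    return exit_code(new, fail_on, warn_on)


if __name__ == "__main__":
    base = create_baseline(LEGACY_SCAN)
    new, legacy = split_against_baseline(TODAY_SCAN, base)
    print("new:", [f["rule"] for f in new], "legacy:", [f["rule"] for f in legacy])
    print("exit code (new only):", ci_verdict(TODAY_SCAN, base))
```

The design choice worth copying is the fingerprint: keying the baseline on line numbers would make every unrelated edit above a legacy issue look like a regression, while keying on rule, file and normalised snippet keeps the legacy issue tracked and lets the new critical finding fail the build on its own.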

GitLab, Jenkins, and everything else

VibeGuard is just a CLI. If you can run pip install and shell commands, it works.

GitLab CI
security-scan:
  image: python:3.11
  script:
    - pip install vibeguard-cli
    - vibeguard scan . --format json --output results.json
  artifacts:
    # Artifacts default to on_success; the job fails when findings exist,
    # so keep the report on failure too.
    when: always
    reports:
      sast: results.json

GitLab consumes the JSON output as a SAST artifact. Findings appear in the Security Dashboard.

Jenkins
pipeline {
    agent any
    stages {
        stage('Security Scan') {
            steps {
                sh 'pip install vibeguard-cli'
                sh 'vibeguard scan . --format json --output results.json'
            }
        }
    }
    post {
        // Archive the report even when the scan step fails the build.
        always {
            archiveArtifacts artifacts: 'results.json', allowEmptyArchive: true
        }
    }
}

Archive the JSON output as a build artifact. Use the Warnings NG plugin for inline annotations.

CircleCI, Azure DevOps, Bitbucket Pipelines, etc.

Same pattern: install Python, pip install vibeguard-cli, run the scan. Output JSON or SARIF depending on what your platform supports. Check the docs for platform-specific examples.

Add VibeGuard to your pipeline

Security checks on every commit. No cloud account, no manual review.

pip install vibeguard-cli