
GitHub Integration

GitHub Actions + Code Scanning

Run VibeGuard in GitHub Actions and see security findings directly in your pull requests using GitHub Code Scanning.

How it works

1. Run VibeGuard in CI: add a workflow that runs vibeguard scan on push and pull request.

2. Output SARIF: VibeGuard generates a SARIF file with all findings.

3. Upload to GitHub: GitHub's upload-sarif action sends the results to Code Scanning.

GitHub Actions Workflow

Copy this workflow to .github/workflows/vibeguard.yml

name: VibeGuard Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read

    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install VibeGuard
        run: pip install vibeguard-cli

      - name: Run security scan
        run: vibeguard scan . --output sarif --output-file results.sarif

      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Why GitHub Code Scanning?

See findings in pull requests

Security alerts appear directly in your PR, right where developers work.

Track findings over time

GitHub Code Scanning tracks which issues are new, fixed, or dismissed.

Fail checks on high severity

Configure VibeGuard to fail CI when critical issues are found.

No additional dashboard

Everything lives in GitHub. No context switching to external tools.

What is SARIF?

SARIF (Static Analysis Results Interchange Format) is a standard JSON format for static analysis tool outputs. It was developed by OASIS and is officially supported by GitHub for uploading third-party security tool results.

GitHub explicitly supports uploading SARIF from third-party tools. This is the standard way to integrate security scanners with GitHub Code Scanning.

Advanced configuration

Fail on high severity

vibeguard scan . --fail-on high --output sarif --output-file results.sarif

Use baseline (only new findings)

vibeguard scan . --baseline .vibeguard-baseline.json --output sarif --output-file results.sarif

Exclude directories

vibeguard scan . --exclude node_modules,vendor --output sarif --output-file results.sarif
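The following is an added example, not VibeGuard's own code, showing what the "fail on high severity" and "baseline" options above amount to once the SARIF file described earlier exists: a small gate that checks the fields upload-sarif needs (version 2.1.0, a tool driver name, ruleId and locations on each result), buckets each finding into low/medium/high/critical using GitHub's documented "security-severity" rule property (9.0 and above critical, 7.0 to 8.9 high, 4.0 to 6.9 medium, below 4.0 low; results without a score fall back on the SARIF level), drops findings whose fingerprint is in a baseline, and decides whether the job should fail. The sample SARIF document, the fingerprint scheme (rule id + file + line) and the function names are constructed for this example and are not what VibeGuard itself emits or implements.

```python
"""Gate a SARIF 2.1.0 file in CI the way a --fail-on / --baseline step would.

Added example, not VibeGuard's implementation. Severity buckets follow
GitHub's documented security-severity thresholds; the fingerprint scheme is
an assumption made for this example.
"""
import hashlib
import json

# Constructed sample SARIF document (not real VibeGuard output): two rules, three results.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "hardcoded-secret", "properties": {"security-severity": "8.5"}},
                {"id": "debug-enabled", "properties": {"security-severity": "3.0"}},
            ],
        }},
        "results": [
            {"ruleId": "hardcoded-secret", "level": "error", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/config.py"}, "region": {"startLine": 12}}}]},
            {"ruleId": "hardcoded-secret", "level": "error", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 40}}}]},
            {"ruleId": "debug-enabled", "level": "warning", "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "app/settings.py"}, "region": {"startLine": 3}}}]},
        ],
    }],
})

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
# Fallback when a rule carries no security-severity score: use the SARIF level.
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def validate_sarif(doc):
    """Check the fields upload-sarif relies on; return a list of problems (empty = OK)."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append("version must be 2.1.0")
    runs = doc.get("runs")
    if not isinstance(runs, list) or not runs:
        return problems + ["runs must be a non-empty list"]
    for i, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{i}].tool.driver.name is required")
        for j, res in enumerate(run.get("results", [])):
            if "ruleId" not in res:
                problems.append(f"runs[{i}].results[{j}] has no ruleId")
            if not res.get("locations"):
                problems.append(f"runs[{i}].results[{j}] has no locations")
    return problems


def severity_of(result, rules):
    """Map a result to low/medium/high/critical via security-severity, else its level."""
    score = rules.get(result.get("ruleId"), {}).get("properties", {}).get("security-severity")
    if score is None:
        return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")
    score = float(score)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def fingerprint(result):
    """Stable id for baseline comparison: rule id + file + start line (assumed scheme)."""
    loc = result["locations"][0]["physicalLocation"]
    line = loc.get("region", {}).get("startLine", 0)
    key = f"{result['ruleId']}|{loc['artifactLocation']['uri']}|{line}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def gate(sarif_text, fail_on="high", baseline=()):
    """Return (should_fail, new_findings); new_findings is a list of (severity, fingerprint)."""
    doc = json.loads(sarif_text)
    problems = validate_sarif(doc)
    if problems:
        raise ValueError("; ".join(problems))
    threshold = SEVERITY_ORDER.index(fail_on)
    known = set(baseline)
    new_findings = []
    for run in doc["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            fp = fingerprint(res)
            if fp in known:  # already in the baseline: not a new finding
                continue
            new_findings.append((severity_of(res, rules), fp))
    should_fail = any(SEVERITY_ORDER.index(s) >= threshold for s, _ in new_findings)
    return should_fail, new_findings


if __name__ == "__main__":
    failed, findings = gate(SAMPLE_SARIF, fail_on="high")
    print("fail" if failed else "pass", findings)
```

Running the block as a script prints "fail" for the sample, because two hardcoded-secret results score 8.5 and land in the "high" bucket. Feeding the fingerprints of those two results back in as the baseline leaves only the low-severity debug-enabled finding, so the same gate passes; that is the "only new findings" behaviour the baseline option is meant to give you on a long-lived branch.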

Ready to set up?

Copy the workflow above and push to your repo. That's it.