v0.1
CI/CD Integration
Automate skill-issue scanning in GitHub Actions, GitLab CI, and other pipelines
skill-issue is designed for automated pipelines. Use JSON or SARIF output, configurable exit codes, and standard CI patterns to catch security issues before they ship.
GitHub Actions
Add skill-issue to your GitHub Actions workflow:
```yaml
name: Skill Security Scan

on:
  pull_request:
    paths:
      - 'skills/**'
  push:
    branches: [main]

# upload-sarif needs write access to code scanning alerts; with the default
# read-only GITHUB_TOKEN the upload step fails without this block.
permissions:
  contents: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Download skill-issue
        # -f makes curl fail on an HTTP error instead of saving the error page
        # as the "binary". For production pipelines, pin a tagged release
        # instead of latest and verify the download's checksum before running it.
        run: |
          curl -fL https://github.com/daviddrummond95/skill-issue-cli/releases/latest/download/skill-issue-x86_64-unknown-linux-gnu -o skill-issue
          chmod +x skill-issue

      - name: Run security scan
        run: ./skill-issue skills/ --format sarif --error-on warning > results.sarif

      - name: Upload SARIF results
        if: always()   # upload even when the scan step failed the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
SARIF Integration
When you upload SARIF results, findings appear directly in the GitHub Security tab and as inline annotations on pull requests:
```bash
# Generate SARIF output
skill-issue --format sarif > results.sarif
```
GitLab CI
```yaml
skill-security-scan:
  stage: test
  script:
    - curl -fL https://github.com/daviddrummond95/skill-issue-cli/releases/latest/download/skill-issue-x86_64-unknown-linux-gnu -o skill-issue
    - chmod +x skill-issue
    - ./skill-issue skills/ --format json --error-on warning > skill-issue-results.json
  artifacts:
    reports:
      codequality: skill-issue-results.json
    when: always
```
Note that GitLab's codequality report expects the Code Climate JSON format; if the scanner's JSON output does not match that format, publish the file as a regular artifact under `paths:` instead so it is still kept for inspection.
Generic CI Script
For any CI system, the pattern is the same:
```bash
#!/bin/bash
set -euo pipefail

# Download (pin a release tag and verify the checksum in production pipelines)
curl -fL https://github.com/daviddrummond95/skill-issue-cli/releases/latest/download/skill-issue-x86_64-unknown-linux-gnu -o skill-issue
chmod +x skill-issue

# Scan with warnings as errors. Under set -e a non-zero exit from the scanner
# aborts the script right here, failing the CI job.
./skill-issue /path/to/skills \
  --format json \
  --error-on warning \
  --severity warning

# Exit code 0 = clean, non-zero = findings; this line only runs on a clean scan
echo "Scan passed!"
```
Exit Code Strategy
Use --error-on to control when skill-issue returns a non-zero exit code:
```bash
# Fail only on errors (default) — warnings are informational
skill-issue --error-on error

# Fail on warnings too — stricter policy
skill-issue --error-on warning

# Fail on everything including info — maximum strictness
skill-issue --error-on info
```

| `--error-on` | Exit 0 | Exit non-zero |
|---|---|---|
| `error` | Info + Warnings | Errors |
| `warning` | Info only | Warnings + Errors |
| `info` | Clean only | Any finding |
JSON Output for Parsing
Parse JSON output in your pipeline for custom reporting:
```bash
# Run scan and capture output. With the default --error-on error the scanner
# itself exits non-zero when errors exist, so do not run this under set -e
# unless you want that exit to end the script before the jq step.
skill-issue --format json > results.json

# Check if any errors were found (using jq)
ERRORS=$(jq '.summary.errors' results.json)
if [ "$ERRORS" -gt 0 ]; then
  echo "Found $ERRORS error(s)!"
  jq '.findings[] | select(.severity == "error")' results.json
  exit 1
fi
```
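The jq one-liner above fails the build on any error. A common next step in CI is a policy gate that also ratchets: fail on findings at or above a chosen severity, but allow findings already recorded in a reviewed baseline so an existing backlog does not block every pull request while new findings still do. The script below is an added example, not part of skill-issue. It relies only on the JSON shape shown on this page (a `summary` object and a `findings` list whose entries carry `severity`); the `rule`, `file` and `line` keys it uses to fingerprint a finding, and the sample scan result it embeds, are assumptions constructed for the example. Unknown or missing severities are treated as errors so the gate fails closed.

```python
"""Policy gate over skill-issue JSON output (added example, not project code).

Usage in a pipeline:
    skill-issue skills/ --format json > results.json
    python gate.py results.json [baseline.json]
Exit code 0 means no blocking findings. FAIL_ON (info|warning|error) picks the
threshold, default "warning". A baseline file is a JSON list of fingerprints.
"""
import json
import os
import sys
from typing import Iterable

SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2}

# Constructed sample result. Rule IDs come from this page; the files, lines
# and severities are made up for the example.
SAMPLE_RESULTS = json.dumps({
    "summary": {"errors": 1, "warnings": 2, "info": 1},
    "findings": [
        {"rule": "SL-EXEC-005", "severity": "error",
         "file": "skills/deploy/run.py", "line": 12, "message": "constructed"},
        {"rule": "SL-NET-001", "severity": "warning",
         "file": "skills/fetch/SKILL.md", "line": 3, "message": "constructed"},
        {"rule": "SL-NET-008", "severity": "warning",
         "file": "skills/fetch/client.py", "line": 40, "message": "constructed"},
        {"rule": "SL-FS-004", "severity": "info",
         "file": "skills/build/pack.sh", "line": 7, "message": "constructed"},
    ],
})


def load_findings(raw: str) -> list[dict]:
    """Parse scanner JSON and return the findings list, rejecting odd shapes."""
    data = json.loads(raw)
    findings = data.get("findings", [])
    if not isinstance(findings, list):
        raise ValueError("'findings' is not a list")
    return findings


def fingerprint(finding: dict) -> str:
    """Stable identity for a finding (assumed keys: rule, file, line)."""
    return f"{finding.get('rule')}:{finding.get('file')}:{finding.get('line')}"


def severity_rank(finding: dict) -> int:
    """Map severity to a rank; unknown or missing severity ranks as error."""
    sev = str(finding.get("severity", "")).lower()
    return SEVERITY_RANK.get(sev, SEVERITY_RANK["error"])


def gate(findings: Iterable[dict], fail_on: str = "warning",
         baseline: Iterable[str] = ()) -> tuple[bool, list[dict]]:
    """Return (passed, blocking findings).

    A finding blocks when its severity is at or above fail_on and its
    fingerprint is not in the accepted baseline. Blocking findings are
    returned most severe first.
    """
    if fail_on not in SEVERITY_RANK:
        raise ValueError(f"fail_on must be one of {sorted(SEVERITY_RANK)}")
    threshold = SEVERITY_RANK[fail_on]
    accepted = set(baseline)
    blocking = [f for f in findings
                if severity_rank(f) >= threshold and fingerprint(f) not in accepted]
    blocking.sort(key=severity_rank, reverse=True)
    return (not blocking, blocking)


def write_baseline(findings: Iterable[dict]) -> list[str]:
    """Fingerprints to store as the reviewed baseline (sorted, deduplicated)."""
    return sorted({fingerprint(f) for f in findings})


def main(argv: list[str]) -> int:
    if len(argv) < 2:
        print("usage: gate.py results.json [baseline.json]", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        findings = load_findings(fh.read())
    baseline: list[str] = []
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            baseline = json.load(fh)
    passed, blocking = gate(findings, os.environ.get("FAIL_ON", "warning"), baseline)
    for f in blocking:
        print(f"{f.get('severity')}: {f.get('rule')} {f.get('file')}:{f.get('line')} "
              f"{f.get('message', '')}")
    print("gate passed" if passed else f"gate failed: {len(blocking)} blocking finding(s)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Generate the baseline once from a reviewed scan (`write_baseline`) and commit it next to the skills; updating it should go through code review, since every fingerprint in it is a finding the team has chosen to accept.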
Pre-commit Hook
Run skill-issue as a pre-commit hook to catch issues before they're committed:
```bash
#!/bin/bash
# .git/hooks/pre-commit

# Only scan if staged changes touch skill files
CHANGED_SKILLS=$(git diff --cached --name-only -- 'skills/')
if [ -n "$CHANGED_SKILLS" ]; then
  echo "Running skill-issue security scan..."
  if ! skill-issue skills/ --error-on warning --quiet; then
    echo "Security issues found. Fix them before committing."
    exit 1
  fi
fi
```
Recommended CI Configuration
Create a .skill-issue.toml for your CI environment:
```toml
[settings]
severity = "warning"
format = "json"
error_on = "error"

# Ignore informational noise in CI
ignore = [
  "SL-NET-001",  # URLs (common in docs)
  "SL-NET-008",  # IP literals (common in examples)
  "SL-FS-004",   # Temp files (common in scripts)
  "SL-FS-009",   # Glob operations
  "SL-EXEC-005", # Module imports
]

# Allow documented URLs
[[allowlist]]
rule = "SL-NET-001"
file = "docs/**"
reason = "Documentation contains example URLs"
```