CI/CD Integration

Vekt integrates into any CI/CD pipeline via the CLI. Use vekt ci for structured output with severity-threshold gating (--fail-on), or vekt scan for simpler pass/fail checks.

Exit codes

Code  Meaning
0     Scan completed with no findings, or only findings below the --fail-on threshold, or --warn was given
1     Scan completed and findings were detected at or above the threshold
2     Error (parse failure, network error, invalid arguments)

Only 0 means the scan ran and found nothing to act on. A step that swallows every non-zero exit (continue-on-error: true, or || true) also hides code 2, so a scanner that could not run would pass as clean; if you do that to collect output, check the step's exit status in the job log.

GitHub Actions

name: Supply chain scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  vekt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Vekt
        run: |
          curl -fsSL https://kief.dev/vekt/install.sh | sh
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      - name: Scan dependencies
        run: vekt ci --fail-on malicious .

Fail on high severity

      - name: Scan dependencies (fail on high+)
        run: vekt ci --fail-on high .

Separate malicious and vulnerability checks

      - name: Check for malicious packages (blocking)
        run: vekt scan . --malicious-only --quiet

      - name: Check for vulnerabilities (non-blocking)
        run: vekt scan . --warn --quiet

Upload JSON results as artifact

continue-on-error: true keeps the job green when findings are present so the upload step still runs; it also masks exit code 2. To keep the scan step's failure visible and still upload, drop continue-on-error and put if: always() on the upload step instead.

      - name: Scan dependencies
        run: vekt ci --format json . > vekt-results.json
        continue-on-error: true

      - name: Upload scan results
        uses: actions/upload-artifact@v4
        with:
          name: vekt-results
          path: vekt-results.json

GitLab CI

vekt-scan:
  stage: test
  image: ubuntu:24.04
  before_script:
    - apt-get update -qq && apt-get install -y -qq curl
    - curl -fsSL https://kief.dev/vekt/install.sh | sh
    - export PATH="$HOME/.local/bin:$PATH"
  script:
    - vekt ci --fail-on malicious .
  allow_failure: false

Generic CI usage

Any CI system that runs shell commands works:

# Install
curl -fsSL https://kief.dev/vekt/install.sh | sh
export PATH="$HOME/.local/bin:$PATH"

# Scan with severity threshold
vekt ci --fail-on malicious .

# Or simpler: fail on any finding
vekt scan . --quiet

No API key or account needed. Just install and scan.
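The gate below is an added example, not code shipped with vekt: it wraps the generic-CI invocation above and acts on the exit codes from the table at the top of the page. Findings (1) and scanner errors (2, or 127 when the binary is missing) both block the job but are reported differently, so a scanner that could not run never passes as "no findings". The retry of a single exit-2 run, the VEKT_RETRY_DELAY variable and the log messages are this script's own assumptions, not vekt behaviour.

```sh
#!/bin/sh
# Added example (not vekt's own code): a small CI gate that wraps a vekt
# invocation and turns its documented exit codes into distinct outcomes.
# The retry-on-error policy, VEKT_RETRY_DELAY and the log messages are
# this script's assumptions, not vekt behaviour.
#
# Usage: sh vekt-gate.sh vekt ci --fail-on malicious .

# vekt's documented exit codes
VEKT_RC_CLEAN=0     # no findings at or above the threshold (or --warn)
VEKT_RC_FINDINGS=1  # findings at or above the threshold
VEKT_RC_ERROR=2     # parse failure, network error, invalid arguments

# run_scan CMD [ARGS...]: run the scanner once and, if it reports an
# error (2), once more after a short delay so a transient network error
# does not fail the pipeline by itself. The scanner's final exit code is
# returned unchanged; findings (1) are never retried.
run_scan() {
    attempt=1
    max_attempts=2
    while :; do
        "$@"
        rc=$?
        if [ "$rc" -ne "$VEKT_RC_ERROR" ] || [ "$attempt" -ge "$max_attempts" ]; then
            return "$rc"
        fi
        echo "vekt: error (exit $rc) on attempt $attempt/$max_attempts, retrying" >&2
        sleep "${VEKT_RETRY_DELAY:-5}"
        attempt=$((attempt + 1))
    done
}

# classify RC: map an exit code to the outcome word the gate keys off.
# Anything other than 0 or 1 (including 127 for a missing binary) is an error.
classify() {
    case "$1" in
        "$VEKT_RC_CLEAN")    echo clean ;;
        "$VEKT_RC_FINDINGS") echo findings ;;
        *)                   echo error ;;
    esac
}

# vekt_gate CMD [ARGS...]: run the scan and report findings and scanner
# errors as different failures. Both block the job, so a scanner that
# could not run never passes as "no findings", which is what `|| true`
# or continue-on-error: true would let happen.
vekt_gate() {
    rc=0
    run_scan "$@" || rc=$?
    case "$(classify "$rc")" in
        clean)    echo "vekt: clean (exit $rc)" ;;
        findings) echo "vekt: findings at or above threshold (exit $rc), blocking" >&2 ;;
        error)    echo "vekt: scanner error (exit $rc), blocking; fix the pipeline, do not skip the scan" >&2 ;;
    esac
    return "$rc"
}

# Run the gate only when a scanner command was given on the command line.
if [ "$#" -gt 0 ]; then
    vekt_gate "$@"
fi
```

Drop the script into the repository and call it from the CI step in place of the bare vekt command; the job's exit status is still vekt's own code, so the exit-code table above keeps applying to the job as a whole.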
SARIF output for GitHub Advanced Security

Upload SARIF results to surface findings in the GitHub Security tab and annotate pull requests. The upload step needs security-events: write on the workflow token (grant it under permissions: for the job). With continue-on-error: true the job passes even when --fail-on high is hit, so blocking, if you want it, has to come from the alerts in the Security tab rather than from the job status:

      - name: Vekt supply chain scan
        run: vekt ci --format sarif --fail-on high . > vekt.sarif
        continue-on-error: true

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: vekt.sarif
          category: supply-chain

Pre-install auditing in CI

Use vekt audit to check specific packages (ecosystem:name@version, as in the npm example below) before adding them:

      - name: Audit new dependency
        run: vekt audit npm:new-package@1.2.3

Tips

Cache the binary. vekt is a single static binary; cache ~/.local/bin/vekt between runs and skip the install step on a cache hit.

Pin the version. Use a versioned download URL in production pipelines rather than the unversioned install.sh shown above, which fetches whatever is current; an unpinned installer is itself a supply-chain exposure in a job whose purpose is supply-chain scanning.

Use --warn for non-blocking checks. vekt scan . --warn reports findings but exits 0.

Use --quiet in cron scans. It suppresses output when the project is clean, so a scheduled job only produces output when there is something to read.