Vibe Shield Console

CI/CD Integrations

Block risky code before it merges. Vibe Shield runs as a pipeline step — every changed file gets evaluated against your governance policies and the build fails on high or critical findings.

Repo-scoped Webhooks: HMAC-signed endpoints for each repo. No API token needed in the pipeline.

CI Integrations

  1. Create an API token on the API Tokens page and copy the vsh_… value.
  2. Add it as a secret named VIBE_SHIELD_TOKEN in your repo's CI settings.
  3. Drop the snippet below into your pipeline and push.
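# .github/workflows/vibe-shield.yml
name: Vibe Shield
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The default depth of 1 has no HEAD~1, so the diff below would fail and nothing would be scanned
          fetch-depth: 2
      - name: Scan changed files
        env:
          VIBE_SHIELD_TOKEN: ${{ secrets.VIBE_SHIELD_TOKEN }}
        run: |
          # Changed code files; --diff-filter=d skips deleted files, which cannot be read
          FILES=$(git diff --name-only --diff-filter=d HEAD~1 HEAD | grep -E '\.(ts|tsx|js|jsx|py|go|rb|java)$' || true)
          [ -z "$FILES" ] && echo "No code files changed" && exit 0
          # Read one path per line so paths containing spaces stay intact
          while IFS= read -r f; do
            echo "Scanning $f"
            # Build the JSON body with jq so the file contents and the path are escaped correctly
            BODY=$(jq -n --rawfile code "$f" --arg action "ci.$f" \
              '{code: $code, agent_id: "github-actions", action: $action}')
            RES=$(curl -sS -X POST https://shield-vibe-secure.lovable.app/api/public/v1/scan \
              -H "Authorization: Bearer $VIBE_SHIELD_TOKEN" \
              -H "Content-Type: application/json" \
              -d "$BODY")
            echo "$RES" | jq .
            STATUS=$(echo "$RES" | jq -r .status)
            RISK=$(echo "$RES" | jq -r .risk)
            # A response without a status field must not pass the gate
            if [ "$STATUS" = "null" ]; then
              echo "::error file=$f::Vibe Shield returned no scan status"
              exit 1
            fi
            if [ "$STATUS" = "flagged" ] && { [ "$RISK" = "high" ] || [ "$RISK" = "critical" ]; }; then
              echo "::error file=$f::Vibe Shield blocked this file ($RISK risk)"
              exit 1
            fi
          done <<< "$FILES"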
Tip: Each scan is recorded in your audit log with the agent_id and action you supply — use them to slice CI runs by repo, branch, or workflow.
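
An added example (not Vibe Shield's own code) of a Python helper the scan step could call: it fills agent_id and action from GitHub Actions' default environment variables so audit-log entries can be sliced by repo, branch and workflow, and it fails the build when a response carries no usable status. The label layout and the sample responses are assumptions made for this example.

```python
import json

BLOCKING_RISKS = ("high", "critical")  # the page fails the build on these

def build_payload(path, code, env):
    """Body with the page's fields. Assumption: this label layout is chosen
    for the example; env is os.environ in a real GitHub Actions run."""
    repo = env.get("GITHUB_REPOSITORY", "unknown-repo")
    workflow = env.get("GITHUB_WORKFLOW", "unknown-workflow")
    branch = env.get("GITHUB_REF_NAME", "unknown-ref")
    labels = {"agent_id": f"github-actions/{repo}/{workflow}", "action": f"ci.{branch}.{path}"}
    return json.dumps({"code": code, **labels})

def verdict(body):
    """Classify a raw response body: ('pass' | 'block' | 'error', risk)."""
    try:
        res = json.loads(body)
        status, risk = res["status"], res.get("risk")
    except (ValueError, KeyError, TypeError, AttributeError):
        return "error", None  # not JSON, or no status field
    if not isinstance(status, str):
        return "error", None  # e.g. "status": null
    if status == "flagged" and risk in BLOCKING_RISKS:
        return "block", risk
    return "pass", risk

def gate(responses):
    """responses maps path -> raw body. Returns (exit_code, annotations)."""
    notes = []
    for path, body in sorted(responses.items()):
        kind, risk = verdict(body)
        if kind == "block":
            notes.append(f"::error file={path}::Vibe Shield blocked this file ({risk} risk)")
        elif kind == "error":
            notes.append(f"::error file={path}::no usable scan result, failing closed")
    return (1 if notes else 0), notes

# Constructed responses: "low" and the error body are made-up sample values.
SAMPLE = {
    "app/db.py": '{"status": "flagged", "risk": "critical"}',
    "app/ui.tsx": '{"status": "flagged", "risk": "low"}',
    "app/auth.go": '{"error": "unauthorized"}',
}

if __name__ == "__main__":
    exit_code, notes = gate(SAMPLE)
    print("\n".join(notes))
    raise SystemExit(exit_code)
```

Unlike the loop in the workflow, gate() reports every blocked or unreadable result before returning a non-zero exit code, so one run lists all offending files.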