Shipmoor runs in CI the same way it runs locally: it installs a binary, scans the change, and exits with a stable code. No source is uploaded — the scan happens on your runner, and only SARIF is handed to GitHub code scanning.
## Option 1 — the workflow
Drop this in `.github/workflows/shipmoor.yml`:

```yaml
name: Shipmoor
on:
  pull_request:
  push:
    branches: [main]
jobs:
  shipmoor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Install Shipmoor CLI
        run: curl -fsSL https://dl.shipmoor.dev/install.sh | bash
      - name: Run Shipmoor
        run: |
          "$HOME/.shipmoor/bin/shipmoor" scan --changed \
            --sarif --output shipmoor.sarif \
            --markdown-summary "$GITHUB_STEP_SUMMARY" \
            --fail-on high
      - name: Upload SARIF
        # A gate firing exits 1 and fails the step above; without always()
        # the SARIF it produced would never reach code scanning.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: shipmoor.sarif
```
`--markdown-summary "$GITHUB_STEP_SUMMARY"` writes a readable summary into the job page; `--fail-on high` makes the job fail when a finding at or above high lands.
## Option 2 — the composite action
For a shorter step, use the bundled composite action:

```yaml
- uses: shipmoor/shipmoor-cli@v0
  with:
    changed: "true"
    fail-on: high
    sarif-output: shipmoor.sarif
```
Inputs:

| Input | Default | Description |
|---|---|---|
| `scan-path` | `.` | Path to scan when diff mode is not used |
| `changed` | `false` | Scan staged + unstaged git changes |
| `fail-on` | `high` | Threshold: `none`, `critical`, `high`, or `medium` |
| `sarif-output` | `shipmoor.sarif` | SARIF output path |
## Exit codes in CI
A gate firing is reported as exit code 1 — that’s the gate working, not a tooling error; the JSON/SARIF is still produced. Reserve failure handling for 2 (usage) and 3 (scan failed). See SARIF & code scanning for the full contract.
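As an added example (not Shipmoor's own code), the POSIX sh wrapper below applies that contract inside a CI step: exit 1 is treated as a result to report, so the SARIF it produced still gets uploaded, while only 2 and 3 are handled as tooling failures. The `fake_shipmoor` stub and the SARIF it writes are constructed for the demo; the 0/1/2/3 mapping is the one stated above.

```shell
# Added example: applies Shipmoor's documented CI exit codes
# (0 clean, 1 gate fired with SARIF still written, 2 usage, 3 scan failed).

# classify_exit CODE -> pass | gate | usage | scan-failed | unknown
classify_exit() {
  case "$1" in
    0) echo pass ;;
    1) echo gate ;;
    2) echo usage ;;
    3) echo scan-failed ;;
    *) echo unknown ;;
  esac
}

# run_gate SARIF_PATH CMD [ARGS...]
# Runs the scan, prints the category and returns 0 when a report exists and
# should be uploaded (pass or gate), 1 when the tooling itself failed.
# Real usage: run_gate shipmoor.sarif "$HOME/.shipmoor/bin/shipmoor" scan \
#               --changed --sarif --output shipmoor.sarif --fail-on high
run_gate() {
  sarif="$1"; shift
  if "$@"; then rc=0; else rc=$?; fi
  kind=$(classify_exit "$rc")
  # Hand the category to later steps, so a final step can fail the job on
  # "gate" only after upload-sarif has run.
  if [ -n "${GITHUB_OUTPUT:-}" ]; then echo "result=$kind" >> "$GITHUB_OUTPUT"; fi
  echo "$kind"
  case "$kind" in
    pass|gate)
      # Findings are a result, not a tooling error, but the evidence must exist.
      [ -f "$sarif" ] || { echo "exit $rc but no SARIF at $sarif" >&2; return 1; }
      return 0 ;;
    *)
      echo "shipmoor exited $rc ($kind): no usable report" >&2
      return 1 ;;
  esac
}

# Constructed stand-in for the CLI: fake_shipmoor RC SARIF_PATH writes a
# minimal SARIF file when the real tool would (0 or 1) and exits with RC.
fake_shipmoor() {
  if [ "$1" -le 1 ]; then printf '{"version":"2.1.0","runs":[]}\n' > "$2"; fi
  return "$1"
}

# Demo: a gate firing still yields a report to upload; a scan failure does not.
demo=$(mktemp -d)
run_gate "$demo/a.sarif" fake_shipmoor 1 "$demo/a.sarif" && echo "upload $demo/a.sarif"
run_gate "$demo/b.sarif" fake_shipmoor 3 "$demo/b.sarif" || echo "tooling error: fix the step, not the gate"
```

In a workflow, run the scan through `run_gate`, let `upload-sarif` run next, and add a final step that fails the job when the recorded category is `gate`.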
Managed CI gates and PR comments (the Team tier) are coming soon and build on this same local-first core. Today, the workflow above gives you a blocking gate and code-scanning evidence on any plan.