If your CI system isn’t one with a dedicated integration, you can still gate builds with MergeGuide: install the CLI, run a check, and let the exit code fail the build. This page is the generic recipe.

The pattern

Every CI integration is the same three steps:
  1. Install the CLI (pip install mergeguide).
  2. Run mergeguide check with a fail threshold.
  3. Let the non-zero exit code fail the job.
pip install mergeguide
mergeguide check . --fail-on-warning
check exits 1 when policy violations are found, which fails the step. See exit codes.

Emit SARIF for your security dashboard

Most CI and security platforms ingest SARIF. Write it to a file and upload it with your platform’s mechanism:
mergeguide check . --format sarif --output mergeguide.sarif --fail-on-warning
See Output formats for the available formats.

Examples by system

Use the dedicated GitHub Action — it wraps these steps and uploads to code scanning.

Keep credentials in CI secrets

When a step needs an API key, reference it from your CI system’s secret store — never hardcode it:
mergeguide login --api-key "$MERGEGUIDE_API_KEY"
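
The pattern, SARIF output and secret handling described above can be combined into one CI step. The following is an added example, not MergeGuide's own script: it assumes `pip install mergeguide` already ran in an earlier step, and the `upload_sarif` function and exit code 64 are hypothetical choices of this sketch. It saves the exit code of `check` so the report is still uploaded when violations fail the build, and it keeps the API key out of the log when shell tracing is on.

```shell
#!/bin/sh
# Added example: generic CI gate step built only from the commands on this page.
# upload_sarif and exit code 64 are this script's own (hypothetical) choices.

SARIF_FILE="${SARIF_FILE:-mergeguide.sarif}"

# Placeholder: replace the body with your platform's SARIF upload mechanism.
upload_sarif() {
    echo "TODO: upload $1 with your platform's mechanism" >&2
}

mergeguide_gate() {
    # Fail early, without printing the value, if the CI secret was not injected.
    if [ -z "${MERGEGUIDE_API_KEY:-}" ]; then
        echo "MERGEGUIDE_API_KEY is empty; check the CI secret store" >&2
        return 64
    fi

    # Keep the key out of the build log if xtrace (set -x) is on.
    case $- in *x*) xtrace=1; set +x ;; *) xtrace=0 ;; esac
    login_rc=0
    mergeguide login --api-key "$MERGEGUIDE_API_KEY" || login_rc=$?
    if [ "$xtrace" -eq 1 ]; then set -x; fi
    [ "$login_rc" -eq 0 ] || return "$login_rc"

    # Capture the exit code instead of letting `set -e` abort the step here,
    # so the SARIF report is uploaded even when violations are found.
    rc=0
    mergeguide check . --format sarif --output "$SARIF_FILE" --fail-on-warning || rc=$?

    if [ -f "$SARIF_FILE" ]; then
        upload_sarif "$SARIF_FILE" || echo "SARIF upload failed" >&2
    fi
    return "$rc"   # non-zero fails the job
}
```

End the CI step with a call to `mergeguide_gate` so that its return code becomes the step's exit code.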

Scanners in CI

The vulnerability and IaC scanners take their own --fail-on threshold and also exit non-zero to fail a build:
mergeguide scan vuln --fail-on critical
mergeguide scan iac --path ./infra --fail-on high

Next steps

Output formats

Pick the right format for your pipeline.

PR gate

Block merges on blocking findings.