firmis ci — CI Pipeline Command

Every PR that touches agent configuration is a potential security regression. firmis ci blocks threats before they reach production — one command, four stages, zero setup beyond a YAML file.

When to use this

PR gates: Block merges when high or critical findings are introduced
Nightly audits: Run a full pipeline on schedule to catch newly discovered threats against existing code
Release checks: Gate deployments — require a clean scan before any release that includes agent changes
Audit artifacts: Generate a BOM and SARIF report as CI artifacts for compliance evidence

For quick local checks, firmis scan is faster. Use ci when you want the full pipeline with BOM generation and structured output baked in.

Usage

firmis ci [path] [options]

Pipeline stages

The ci command runs four stages sequentially. Each stage feeds the next:

1. Discover  →  Auto-detect platforms and components in the project
2. BOM       →  Generate Agent Bill of Materials (CycloneDX 1.7)
3. Scan      →  Run all 209 rules against every discovered component
4. Report    →  Output findings in your chosen format

If any stage fails, the pipeline stops and exits with code 2. If findings exceed your --fail-on threshold, it exits with code 1.

Options

Flag	Type	Default	Description
`--platform <name>`	string	auto-detect	Scope the pipeline to a specific platform — useful in monorepos where only one platform changed
`--fail-on <level>`	enum	—	Fail the build when findings at this severity or above exist. Use `high` for most teams.
`--format <type>`	enum	`sarif`	Report format: `json` for custom tooling, `sarif` for GitHub Security tab, `html` for human review
`--output <file>`	string	—	Save the scan report to a file. Required for uploading to GitHub Security tab.
`--bom-output <file>`	string	—	Save the Agent BOM to a separate file. Required for compliance artifact storage.
`--quiet`	boolean	`false`	Suppress terminal output. The exit code is your signal.
`--verbose`	boolean	`false`	Print detailed progress for every stage — helpful when debugging why the pipeline is failing

Examples

Basic CI scan with SARIF output

npx firmis ci --fail-on high --format sarif --output results.sarif

Full pipeline: scan + BOM artifact

npx firmis ci --fail-on critical --bom-output agent-bom.json --output scan.sarif

Quiet mode — exit code only

npx firmis ci --fail-on high --quiet

GitHub Actions example

Drop this into your repo. It runs on every push and pull request, uploads findings to the GitHub Security tab, and fails the check if any high or critical issues are found.

name: Firmis Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload SARIF
      contents: read

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Run Firmis CI pipeline
        run: npx firmis ci --fail-on high --format sarif --output results.sarif

      - name: Upload SARIF to GitHub Security tab
        if: always()   # upload even if the scan found issues
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

GitLab CI example

firmis-scan:
  image: node:20
  script:
    - npx firmis ci --fail-on high --format sarif --output results.sarif
  artifacts:
    when: always
    paths:
      - results.sarif
    reports:
      sast: results.sarif

Exit codes

Code	Meaning
`0`	Pipeline completed cleanly. No findings above your `--fail-on` threshold.
`1`	Findings found at or above your `--fail-on` threshold. Fix them before merging.
`2`	Pipeline error — bad path, unreadable config, or unexpected failure in a stage.

GitHub Actions integration — detailed CI setup guide with branch protection rules
SARIF output — understanding the SARIF format and how GitHub surfaces findings
scan — standalone scan without the full pipeline