CI Integration

Run kern review in CI. Block PRs on security issues. Export to GitHub Security tab.

GitHub Actions

Add this workflow to .github/workflows/kern-review.yml. It installs the CLI, runs review with SARIF output, and uploads results to the GitHub Security tab.

name: KERN Review
on: [push, pull_request]
# upload-sarif writes to the Security tab, so the job token needs
# security-events: write (the default GITHUB_TOKEN is read-only in many repos).
permissions:
  contents: read
  security-events: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 22 }
      - run: npm install -g @kernlang/cli
      - run: kern review src/ --recursive --sarif > results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with: { sarif_file: results.sarif }

Runs on every push and pull request. Findings appear in the Security tab alongside CodeQL results.

SARIF output

SARIF (Static Analysis Results Interchange Format) is the OASIS standard interchange format for static analysis results. GitHub, Azure DevOps, and most CI platforms consume it natively. kern review outputs SARIF that uploads directly to the GitHub Security tab with no conversion needed.

kern review src/ --sarif > results.sarif

The SARIF file includes rule IDs, severity levels, file paths, and line numbers for every finding. GitHub renders these as inline annotations on pull requests.
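The fields the paragraph above lists (rule ID, level, file path, line number) are what GitHub needs to render a SARIF result as an inline annotation. As an added example, not part of the kern CLI or its documentation, the script below loads a SARIF 2.1.0 log and reports anything that would stop the upload from rendering: a version other than 2.1.0, a run without a tool name, a result without ruleId or message text, a level outside the SARIF vocabulary, or a file path that is absolute or a URL rather than relative to the repository root. The embedded SAMPLE_SARIF is constructed to mirror the two findings used elsewhere on this page; it is not a capture of real kern review output, and the function names are the example's own.

```python
"""Pre-upload sanity check for a SARIF log (added example, not kern's code)."""
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape; not an actual `kern review --sarif` capture.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "kern review", "rules": [
            {"id": "security/prompt-injection"},
            {"id": "structure/dead-node"}]}},
        "results": [
            {"ruleId": "security/prompt-injection", "level": "error",
             "message": {"text": "User input flows into prompt template without sanitization"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/chat.kern"},
                 "region": {"startLine": 14}}}]},
            {"ruleId": "structure/dead-node", "level": "warning",
             "message": {"text": "Node 'sidebar' is declared but never referenced"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/dashboard.kern"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
})

# Levels defined by SARIF 2.1.0 for a result.
VALID_LEVELS = {"error", "warning", "note", "none"}


def load(text):
    """Parse SARIF JSON text into a dict."""
    return json.loads(text)


def iter_results(doc):
    """Yield (run_index, result) for every result in every run."""
    for ri, run in enumerate(doc.get("runs", [])):
        for result in run.get("results", []):
            yield ri, result


def count_levels(doc):
    """Count results per level; SARIF defaults a missing level to 'warning'."""
    return Counter(r.get("level", "warning") for _, r in iter_results(doc))


def check_sarif(doc):
    """Return human-readable problems; an empty list means the log is upload-ready."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append(f"version is {doc.get('version')!r}, GitHub requires '2.1.0'")
    runs = doc.get("runs")
    if not runs:
        problems.append("no runs")
        return problems
    for ri, run in enumerate(runs):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"run {ri}: tool.driver.name is missing")
    for ri, r in iter_results(doc):
        tag = f"run {ri} result {r.get('ruleId', '?')}"
        if not r.get("ruleId"):
            problems.append(f"{tag}: ruleId missing")
        if not r.get("message", {}).get("text"):
            problems.append(f"{tag}: message.text missing")
        if r.get("level", "warning") not in VALID_LEVELS:
            problems.append(f"{tag}: unknown level {r.get('level')!r}")
        for loc in r.get("locations", []):
            phys = loc.get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "")
            if not uri:
                problems.append(f"{tag}: location without artifactLocation.uri")
            elif "://" in uri or uri.startswith("/"):
                # GitHub maps annotations onto files by a path relative to the repo root.
                problems.append(f"{tag}: uri {uri!r} is not relative to the repo root")
            line = phys.get("region", {}).get("startLine")
            if line is not None and (not isinstance(line, int) or line < 1):
                problems.append(f"{tag}: startLine {line!r} must be a positive integer")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python sarif_check.py results.sarif   (no argument runs the sample)
    doc = load(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF)
    print(dict(count_levels(doc)))
    found = check_sarif(doc)
    for p in found:
        print("problem:", p)
    sys.exit(1 if found else 0)
```

Running it as a step between `kern review --sarif` and `upload-sarif` fails the job early with a readable reason instead of a silent upload that shows nothing on the pull request.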

Enforcement

Use --enforce to block PRs when findings exceed a threshold. The process exits with code 1 if the review fails, which marks the GitHub check as failed. If the same job also uploads SARIF, give the upload step `if: always()` so the results still reach the Security tab when the review step fails.

kern review src/ --enforce --min-coverage=80

--enforce exits with code 1 if any rule coverage drops below the threshold set by --min-coverage. Combine with --json for custom CI scripts that parse findings programmatically:

kern review src/ --enforce --min-coverage=80 --json > findings.json
# Parse findings.json in your CI script to post comments, open issues, etc.

JSON output

Use --json for machine-readable output that integrates with custom tooling.

kern review src/ --json

Sample output:

[
  {
    "ruleId": "security/prompt-injection",
    "severity": "error",
    "message": "User input flows into prompt template without sanitization",
    "file": "src/chat.kern",
    "line": 14
  },
  {
    "ruleId": "structure/dead-node",
    "severity": "warning",
    "message": "Node 'sidebar' is declared but never referenced",
    "file": "src/dashboard.kern",
    "line": 42
  }
]
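As an added example, not part of the kern CLI or its documentation, the script below is the kind of "custom CI script" the Enforcement section refers to, written against the JSON array format shown above. It validates each finding has the documented fields, prints one GitHub Actions workflow command per finding so it appears as an inline annotation on the pull request, and returns exit status 1 when any finding is at or above a chosen severity. The embedded SAMPLE_JSON is constructed from the two sample findings above; the function names, the "note" severity (the page only shows "error" and "warning") and the severity-to-annotation mapping are the example's own assumptions.

```python
"""CI gate over `kern review --json` output (added example, not kern's code)."""
import json
import sys
from collections import Counter

# Constructed sample in the documented `kern review --json` shape.
SAMPLE_JSON = """[
  {"ruleId": "security/prompt-injection", "severity": "error",
   "message": "User input flows into prompt template without sanitization",
   "file": "src/chat.kern", "line": 14},
  {"ruleId": "structure/dead-node", "severity": "warning",
   "message": "Node 'sidebar' is declared but never referenced",
   "file": "src/dashboard.kern", "line": 42}
]"""

REQUIRED_KEYS = ("ruleId", "severity", "message", "file", "line")
# Ordering used for the threshold; "note" is an assumption of this example.
SEVERITY_RANK = {"error": 2, "warning": 1, "note": 0}
# GitHub Actions annotation command for each severity.
ANNOTATION_LEVEL = {"error": "error", "warning": "warning", "note": "notice"}


def parse_findings(text):
    """Parse the JSON array and reject entries missing documented fields."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of findings")
    for i, f in enumerate(data):
        missing = [k for k in REQUIRED_KEYS if k not in f]
        if missing:
            raise ValueError(f"finding {i} is missing {missing}")
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"finding {i} has unknown severity {f['severity']!r}")
    return data


def summarize(findings):
    """Count findings per severity, e.g. Counter({'error': 1, 'warning': 1})."""
    return Counter(f["severity"] for f in findings)


def _escape_data(s):
    # Workflow-command message escaping as documented by GitHub.
    return s.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def _escape_property(s):
    # Property values (file, title) additionally escape ':' and ','.
    return _escape_data(s).replace(":", "%3A").replace(",", "%2C")


def annotation(f):
    """Render one finding as a GitHub Actions inline annotation command."""
    level = ANNOTATION_LEVEL[f["severity"]]
    return (
        f"::{level} file={_escape_property(f['file'])},line={f['line']},"
        f"title={_escape_property(f['ruleId'])}::{_escape_data(f['message'])}"
    )


def exit_code(findings, fail_on="error"):
    """1 if any finding is at least as severe as `fail_on`, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings) else 0


def main(argv):
    # Usage: python kern_gate.py findings.json [error|warning|note]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_JSON
    fail_on = argv[2] if len(argv) > 2 else "error"
    findings = parse_findings(text)
    for f in findings:
        print(annotation(f))
    counts = summarize(findings)
    print("kern review:", ", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
    return exit_code(findings, fail_on)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow, run the review with `--json > findings.json` as one step and this script as the next; the script then owns both the annotations and the pass/fail decision, with the failing severity chosen per branch or per job rather than fixed in the review command.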

LLM-assisted review

Use --llm to export findings in a compressed IR format that is roughly 5x smaller than the raw source. This IR can be fed directly to an LLM for triage, explanation, and fix suggestions.

kern review src/ --llm

The LLM export strips whitespace, inlines context, and emits a token-efficient representation that fits more findings into a single LLM context window. Pipe it into your preferred model for automated triage:

kern review src/ --recursive --llm | llm "Triage these findings by severity"

Enterprise feature. LLM-assisted review is available on Team and Enterprise plans. The static analysis rules and SARIF/JSON output are free and open source.