AI & CI/CD

CI/CD Usage

OpenAudit AI is designed to be a first-class pipeline tool. Block deploys on critical findings, export structured results, and integrate with any CI system.

Exit code behavior

OpenAudit AI exits with code 1 when findings are emitted and 0 when no findings match. Because CI systems fail a step on any non-zero exit status, a plain invocation is enough to fail the build on security issues:

CI behavior
# Fail CI on any finding
$ openaudit-ai analyze ./contracts
# Fail CI only on high/critical findings
$ openaudit-ai analyze ./contracts --severity high
# Fail CI only on critical findings
$ openaudit-ai analyze ./contracts --severity critical

GitHub Actions

Add OpenAudit AI to your GitHub Actions workflow to automatically audit contracts on every push and pull request:

.github/workflows/audit.yml
name: Smart Contract Security Audit

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  audit:
    name: OpenAudit AI
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install OpenAudit AI
        run: |
          git clone https://github.com/NeuroForgeLabs/openaudit-ai.git /tmp/openaudit
          cd /tmp/openaudit && npm install && npm run build && npm link

      - name: Run security analysis
        run: |
          openaudit-ai analyze ./contracts \
            --json \
            --severity high \
            --output findings.json

      - name: Upload findings artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-findings
          path: findings.json
Tip: Use --severity high on pull requests to block merges on serious issues while letting low/info findings through without failing the build.

Makefile integration

Makefile
# Makefile
# Recipe lines must be indented with a tab, not spaces.

.PHONY: audit audit-json audit-ci

# Local check: fail on medium and above
audit:
	openaudit-ai analyze ./contracts --severity medium

# Full machine-readable report, no severity filter
audit-json:
	openaudit-ai analyze ./contracts --json --output findings.json

# CI gate: fail only on high/critical, no ANSI colour codes in logs
audit-ci:
	openaudit-ai analyze ./contracts --severity high --no-color

Pre-deploy hook

Add a pre-deploy script to your deployment workflow to prevent deploying contracts with critical findings:

scripts/pre-deploy.sh
#!/bin/bash
# scripts/pre-deploy.sh
# Blocks deployment when OpenAudit AI reports high/critical findings.
# No `set -e` here: the exit status is captured and handled explicitly.

echo "Running security audit..."
openaudit-ai analyze ./contracts --severity high --no-color

# 0 = no findings at or above the threshold, 1 = findings emitted.
# A missing or broken install also yields a non-zero status (e.g. 127),
# so the hook fails closed rather than deploying unaudited code.
EXIT_CODE=$?

if [ "$EXIT_CODE" -ne 0 ]; then
  echo ""
  echo "Security audit failed: high/critical findings detected (exit code $EXIT_CODE)."
  echo "Review findings before deploying."
  exit 1
fi

echo "Audit passed. Proceeding with deployment."

JSON output in CI

When running in CI, use --json and --no-color for clean machine-readable output. Save the JSON artifact for review in the CI UI:

CI
# Machine-readable output, no ANSI colour codes
$ openaudit-ai analyze ./contracts --json --no-color --output findings.json
Wrote 3 findings to findings.json
Note: SARIF output format (for GitHub Code Scanning) is on the roadmap. Once available, findings will appear directly in the GitHub Security tab.

Recommended severity thresholds

Pipeline stage                   Recommended threshold
PR review (advisory)             --severity medium
Merge to main (blocking)         --severity high
Deploy to mainnet (blocking)     --severity critical
Full audit report                (no --severity flag)
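The exit-code contract above and the stage thresholds in this table can be combined into one gate script. The following is an added example, not a script shipped with OpenAudit AI: it maps a stage name to the recommended --severity value, runs the analysis, and distinguishes "findings emitted" (exit 1) from "the tool did not complete" (any other non-zero status), failing closed in both cases. OPENAUDIT_BIN is an assumed environment override, not a tool option; the stage names pr/merge/deploy/report are this script's own.

```shell
#!/bin/sh
# Stage-aware audit gate (added example, not part of OpenAudit AI).
# Maps a pipeline stage to the recommended --severity threshold and turns
# the tool's exit code into a CI verdict. OPENAUDIT_BIN is an assumed
# environment override so the gate can be exercised with a stub command.
OPENAUDIT_BIN="${OPENAUDIT_BIN:-openaudit-ai}"

# threshold_for_stage STAGE: prints the --severity value for the stage,
# an empty string for the full report (no --severity flag); status 2 if unknown.
threshold_for_stage() {
  case "$1" in
    pr)     echo "medium" ;;
    merge)  echo "high" ;;
    deploy) echo "critical" ;;
    report) echo "" ;;
    *)      return 2 ;;
  esac
}

# run_gate STAGE [DIR]: run the analysis for STAGE on DIR (default ./contracts).
# Returns 0 = clean, 1 = findings at or above the threshold (block),
# 3 = the tool did not complete (e.g. not installed), which also blocks.
run_gate() {
  stage="$1"; dir="${2:-./contracts}"
  severity=$(threshold_for_stage "$stage") || { echo "unknown stage: $stage" >&2; return 2; }
  out="findings-$stage.json"
  if [ -n "$severity" ]; then
    set -- analyze "$dir" --json --no-color --output "$out" --severity "$severity"
  else
    set -- analyze "$dir" --json --no-color --output "$out"
  fi
  # Capture the status inside an if so a `set -e` caller cannot abort early.
  if "$OPENAUDIT_BIN" "$@"; then rc=0; else rc=$?; fi
  case "$rc" in
    0) echo "[$stage] audit clean (threshold: ${severity:-none}); artifact: $out"; return 0 ;;
    1) echo "[$stage] BLOCKED: findings at or above ${severity:-any} severity; see $out" >&2; return 1 ;;
    *) echo "[$stage] BLOCKED: tool exited $rc without completing; failing closed" >&2; return 3 ;;
  esac
}

# Usage: sh audit-gate.sh merge ./contracts
if [ "$#" -gt 0 ]; then run_gate "$@"; fi
```

Wire it into the workflow as a single step (for example `sh scripts/audit-gate.sh merge ./contracts`) and keep the `if: always()` artifact upload so the JSON is available even when the gate blocks.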