
Report formats and CI automation

plugin-scanner can emit human-readable summaries, machine-readable artifacts, and GitHub-friendly security reports from the same scan.

Report formats

Format      Best use
text        local terminal review with category totals and findings
json        structured integrations and dashboards
markdown    pull request or issue-ready summaries
sarif       GitHub code scanning uploads and security automation

Examples:

plugin-scanner scan . --format text
plugin-scanner scan . --format json
plugin-scanner scan . --format markdown
plugin-scanner scan . --format sarif --output plugin-scanner.sarif

Common gating flags

Fail CI when a finding crosses your severity floor:

plugin-scanner scan . --fail-on-severity high

Require stronger optional integrations when needed:

plugin-scanner ./my-plugin --cisco-skill-scan on --cisco-policy strict
plugin-scanner ./my-plugin --cisco-mcp-scan on

Signals emitted by the suite

The scanner can emit stable machine signals such as:

  • score
  • grade
  • grade_label
  • policy_pass
  • verify_pass
  • max_severity
  • findings_total

That makes it easy to gate review, registry ingestion, or release workflows on one predictable artifact.
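The following gate script is an added example and not part of plugin-scanner itself. It reads a JSON report, checks the signals listed above against a severity floor and the policy/verify flags, and exits non-zero when the gate fails, so it can sit behind the scan step in any CI system. The signal names come from the list above; that they appear as top-level keys of the JSON report, the severity ladder (info, low, medium, high, critical), and the two embedded sample reports are assumptions constructed for this example. It fails closed: a missing signal or an unknown severity name is treated as a failure rather than a pass.

```python
"""Gate a CI job on the machine signals in a plugin-scanner JSON report.

Added example, not part of plugin-scanner. The signal names are the ones
the docs list; their placement as top-level JSON keys and the severity
ladder below are assumptions of this example.
"""
import json
import sys

# Assumed severity ladder, lowest to highest.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def severity_rank(name):
    """Position of a severity name in the ladder; unknown names rank highest (fail closed)."""
    try:
        return SEVERITY_ORDER.index(str(name).lower())
    except ValueError:
        return len(SEVERITY_ORDER)


def evaluate_signals(report, fail_on_severity="high", require_policy=True,
                     require_verify=False, min_score=None):
    """Return (passed, reasons) for a parsed report dict.

    Missing signals are reported as a failure so a truncated or malformed
    artifact cannot silently pass the gate.
    """
    required = ("policy_pass", "verify_pass", "max_severity", "findings_total")
    missing = [key for key in required if key not in report]
    if missing:
        return False, ["missing signals: " + ", ".join(missing)]

    reasons = []
    floor = severity_rank(fail_on_severity)
    # Only compare severities when there is at least one finding; a clean
    # report may carry a placeholder such as "none" in max_severity.
    if report["findings_total"] > 0 and severity_rank(report["max_severity"]) >= floor:
        reasons.append(
            f"max_severity {report['max_severity']!r} meets or exceeds floor {fail_on_severity!r}")
    if require_policy and report["policy_pass"] is not True:
        reasons.append("policy_pass is not true")
    if require_verify and report["verify_pass"] is not True:
        reasons.append("verify_pass is not true")
    if min_score is not None and report.get("score", 0) < min_score:
        reasons.append(f"score {report.get('score')} is below minimum {min_score}")
    return (not reasons), reasons


def gate_report_file(path, **options):
    """Load a JSON report from disk and evaluate it."""
    with open(path, encoding="utf-8") as handle:
        report = json.load(handle)
    return evaluate_signals(report, **options)


# Constructed sample reports shaped the way this example assumes.
SAMPLE_CLEAN = {"score": 92, "grade": "A", "grade_label": "Excellent",
                "policy_pass": True, "verify_pass": True,
                "max_severity": "low", "findings_total": 2}
SAMPLE_BLOCKED = {"score": 41, "grade": "D", "grade_label": "Poor",
                  "policy_pass": False, "verify_pass": True,
                  "max_severity": "high", "findings_total": 7}

if __name__ == "__main__":
    # Usage: python gate.py plugin-scanner.json   (no argument runs the sample)
    if len(sys.argv) > 1:
        passed, reasons = gate_report_file(sys.argv[1], fail_on_severity="high")
    else:
        passed, reasons = evaluate_signals(SAMPLE_BLOCKED)
    for reason in reasons:
        print("GATE FAIL:", reason)
    sys.exit(0 if passed else 1)
```

In a workflow this runs after `plugin-scanner scan . --format json --output plugin-scanner.json`; the exit status is what the job gates on, and the printed reasons make the cause visible in the log. Tighten the gate by passing `require_verify=True` or a `min_score` once those signals are reliable for your plugins.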

CLI-first CI pattern

Use the CLI directly when you want the repository to control install, caching, and report upload:

permissions:
  contents: read
  security-events: write

jobs:
  scan-plugin:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install scanner
        run: pip install plugin-scanner
      - name: Scan plugin
        run: plugin-scanner scan . --format sarif --output plugin-scanner.sarif --fail-on-severity high
      - name: Upload SARIF
        # Run even when the scan step failed the severity gate, so the
        # findings that caused the failure still reach code scanning.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: plugin-scanner.sarif

Local pre-commit pattern

repos:
  - repo: local
    hooks:
      - id: plugin-scanner
        name: Plugin Scanner
        entry: plugin-scanner
        language: system
        types: [directory]
        pass_filenames: false
        # Git never stages a directory, so no staged file matches the
        # "directory" type; without always_run the hook would be skipped.
        always_run: true
        args: ["./"]

Next guides