Drako is designed to run inside CI. Every scan is offline, deterministic, and exits with a non-zero code when it finds what you tell it to find — making it straightforward to gate merges on governance score.

GitHub Actions

Running Drako in GitHub Actions and uploading its SARIF output to GitHub Code Scanning gives you inline PR annotations on the exact lines where issues are found, a Security tab summary, and a merge gate on governance score. The workflow below scans on every push and pull request:
.github/workflows/drako.yml
name: Drako Governance
on: [push, pull_request]
permissions:
  contents: read
  security-events: write   # required by upload-sarif to write to Code Scanning (private repos also need actions: read)
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - run: pip install drako
      # Produce the SARIF report first, then gate the job on severity
      - run: drako scan . --format sarif > results.sarif
      - run: drako scan . --fail-on critical
      - uses: github/codeql-action/upload-sarif@v3
        if: always()   # upload even when the gating step above failed
        with: { sarif_file: results.sarif }

Exit code behavior

--fail-on controls which severity level causes a non-zero exit:
  Flag                  Exits non-zero when…
  --fail-on critical    Any critical finding is present
  --fail-on high        Any high or critical finding is present
  --fail-on medium      Any medium, high, or critical finding is present
  --fail-on low         Any finding at any severity is present
When no findings match the threshold, the command exits 0 and the job passes.

Determinism score threshold

--threshold-det N fails the job when the determinism score is below N. Scores run from 0 to 100; for example, --threshold-det 60 enforces a minimum determinism grade of 60.
drako scan . --threshold-det 60
You can combine both flags in the same run:
drako scan . --fail-on critical --threshold-det 60

SARIF upload and inline PR comments

The --format sarif flag outputs results in the SARIF 2.1.0 format. Uploading that file to GitHub Code Scanning via github/codeql-action/upload-sarif gives you:
  • Inline annotations on the exact lines with findings, visible directly in pull request diffs
  • A Security tab summary with finding counts by severity
  • Persistent finding tracking across commits
The if: always() condition ensures the SARIF file is uploaded even when the scan step fails, so findings are visible for failing PRs.

Pre-commit hook

Run a governance scan before every commit using pre-commit:
.pre-commit-config.yaml
repos:
  - repo: https://github.com/angelnicolasc/drako
    rev: v0.1.0
    hooks:
      - id: drako-scan
The hook runs drako scan . --fail-on critical and blocks the commit if any critical finding is present. It runs on every commit regardless of which files are staged (always_run: true), in the system Python environment with drako declared as a dependency.
Run pre-commit autoupdate to pin to the latest release tag automatically.

Baseline: acknowledge existing issues

Existing projects often accumulate 40+ findings on first scan. The baseline lets teams acknowledge the current state so CI only fails on new issues introduced by a PR.
1. Save the baseline

Run the baseline command once in your main branch. This creates .drako/.baseline.json in your project directory.
drako scan . --baseline
2. Commit the baseline file

Commit .drako/.baseline.json to the repository. It is shared across the team.
git add .drako/.baseline.json
git commit -m "chore: add drako baseline"
3. CI now fails only on new findings

Subsequent scans automatically detect the baseline file and report only findings not present in it.
drako scan . --fail-on critical
The governance score always reflects all findings; the baseline only affects pass/fail for CI. When you view drako scan output, the score represents your real posture.

In SARIF output, baselined findings appear with "baselineState": "unchanged" so GitHub Code Scanning can distinguish them from new issues.
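To make the interaction between the baseline and the --fail-on threshold concrete, here is a small Python script that is an added example, not Drako's own code: it fingerprints every result in a SARIF 2.1.0 log, tags each one with baselineState "unchanged" or "new", and exits non-zero only when a non-baselined finding meets the severity threshold from the exit-code table above. The fingerprint scheme (rule id, file URI and start line), the result property properties.severity, the in-memory baseline set and the sample findings are all constructed for this example; Drako's real .drako/.baseline.json format is not documented on this page.

```python
"""Added example (not Drako's own code): apply a fingerprint baseline to a
SARIF 2.1.0 run, tag each result with baselineState, and decide the CI exit
code from the findings that are NOT baselined, using --fail-on semantics.

Constructed assumptions, not taken from the Drako page:
  * each result carries its severity in result["properties"]["severity"]
  * a baseline is a set of fingerprints (stand-in for .drako/.baseline.json)
  * a fingerprint is rule id + file URI + start line (real tools hash the
    surrounding source so that renumbered lines do not reopen findings)
"""
import hashlib
import json
import sys

# Same ordering as the --fail-on table: a flag fails on its level and above.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def fingerprint(result):
    """Stable identity of one SARIF result (constructed scheme, see above)."""
    loc = result["locations"][0]["physicalLocation"]
    key = "|".join([
        result["ruleId"],
        loc["artifactLocation"]["uri"],
        str(loc["region"]["startLine"]),
    ])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def build_baseline(sarif):
    """The 'save the baseline' step: fingerprints of every current finding."""
    return {fingerprint(r) for run in sarif["runs"] for r in run["results"]}


def apply_baseline(sarif, baseline):
    """Return a copy of the log with baselineState set on every result.

    Results whose fingerprint is in the baseline become "unchanged"; the rest
    become "new". GitHub Code Scanning reads this field to separate known
    findings from ones a PR introduced.
    """
    annotated = json.loads(json.dumps(sarif))  # deep copy; input stays intact
    for run in annotated["runs"]:
        for result in run["results"]:
            fp = fingerprint(result)
            result.setdefault("partialFingerprints", {})["example/v1"] = fp
            result["baselineState"] = "unchanged" if fp in baseline else "new"
    return annotated


def new_results(annotated):
    """Only the findings that are not covered by the baseline."""
    return [r for run in annotated["runs"] for r in run["results"]
            if r["baselineState"] == "new"]


def exit_code(results, fail_on):
    """1 if any result is at or above the fail_on severity, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return int(any(SEVERITY_RANK[r["properties"]["severity"]] >= threshold
                   for r in results))


def gate(sarif, baseline, fail_on):
    """Full CI decision: baseline first, then threshold only the new findings."""
    return exit_code(new_results(apply_baseline(sarif, baseline)), fail_on)


# ---- constructed sample data (not real scanner output) -------------------
def _result(rule, uri, line, severity, text):
    return {
        "ruleId": rule,
        "level": "error" if severity in ("critical", "high") else "warning",
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": uri},
            "region": {"startLine": line}}}],
        "properties": {"severity": severity},
    }


def _log(results):
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-scanner"}},
                      "results": results}]}


FIRST_SCAN = _log([_result("EX001", "src/app.py", 10, "critical", "legacy")])
PR_SCAN = _log([
    _result("EX001", "src/app.py", 10, "critical", "legacy"),  # already known
    _result("EX002", "src/app.py", 42, "high", "introduced by this PR"),
])

if __name__ == "__main__":
    baseline = build_baseline(FIRST_SCAN)           # step 1: save the baseline
    annotated = apply_baseline(PR_SCAN, baseline)   # step 3: later scan
    states = [r["baselineState"] for r in annotated["runs"][0]["results"]]
    print("baselineState per result:", states)                        # ['unchanged', 'new']
    print("--fail-on critical ->", gate(PR_SCAN, baseline, "critical"))  # 0: only critical is baselined
    print("--fail-on high     ->", gate(PR_SCAN, baseline, "high"))      # 1: the new high finding
    sys.exit(gate(PR_SCAN, baseline, sys.argv[1] if len(sys.argv) > 1 else "critical"))
```

The legacy critical finding is suppressed for pass/fail because it is in the baseline, while the high finding the PR introduced still trips --fail-on high; with an empty baseline the same log fails even at --fail-on critical. Note that the annotated copy still contains every result, which is what lets the score (and the Security tab) show the real posture while the gate only reacts to new issues.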

Diff scanning for pull requests

For faster feedback on large codebases, scan only the files changed in a PR:
drako scan --diff HEAD~1
This limits the scan to files modified since the previous commit. Use it as a fast pre-check before the full scan:
- run: drako scan --diff HEAD~1 --fail-on critical
- run: drako scan . --format sarif > results.sarif
Note that actions/checkout@v4 fetches a single commit by default (fetch-depth: 1), so HEAD~1 does not exist in the checkout and git cannot resolve it; set with: { fetch-depth: 2 } (or 0 for full history) on the checkout step when you use --diff.

Other CI systems

Because Drako is a standard CLI tool that exits non-zero on failure, it works in any CI environment that can run Python. For example, as a GitLab CI job:
drako-scan:
  image: python:3.12
  script:
    - pip install drako
    - drako scan . --fail-on critical
