CI CLI

Score pull requests and report evidence from any CI pipeline — GitHub Actions, GitLab CI, Jenkins, CircleCI, or Azure Pipelines.

Overview

The MergeWhy CI CLI scores pull requests, detects compliance gaps, and pushes signed attestations to your MergeWhy dashboard — directly from any CI pipeline. Install nothing permanently: run it with npx.

Quick start
npx mergewhy-collector report --ci github-actions

Tip

The CLI auto-detects your CI provider and reads environment variables automatically. In most cases --ci <provider> is the only flag you need.

Installation

No installation required. Use npx to run the latest version on every build:

npx (recommended)
npx mergewhy-collector report --ci github-actions

Or install globally if you prefer:

Global install
npm install -g mergewhy-collector
mergewhy-collector report --ci github-actions

Supported CI Providers

Pass --ci <provider> and the CLI reads the right environment variables automatically:

Provider           Flag                    Detection
GitHub Actions     --ci github-actions     GITHUB_ACTIONS=true
GitLab CI          --ci gitlab-ci          GITLAB_CI=true
Jenkins            --ci jenkins            JENKINS_URL set
CircleCI           --ci circleci           CIRCLECI=true
Azure Pipelines    --ci azure-pipelines    BUILD_BUILDID set

CI Integration Examples

GitHub Actions

.github/workflows/ci.yml
- name: MergeWhy Evidence Report
  run: npx mergewhy-collector report --ci github-actions
  env:
    MERGEWHY_API_KEY: ${{ secrets.MERGEWHY_API_KEY }}
    COLLECTOR_SIGNING_KEY: ${{ secrets.MERGEWHY_SIGNING_KEY }}

GitLab CI

.gitlab-ci.yml
mergewhy:
  stage: test
  script:
    - npx mergewhy-collector report --ci gitlab-ci
  variables:
    MERGEWHY_API_KEY: $MERGEWHY_API_KEY
    COLLECTOR_SIGNING_KEY: $MERGEWHY_SIGNING_KEY

Jenkins

Jenkinsfile
stage('Evidence Report') {
  environment {
    MERGEWHY_API_KEY = credentials('mergewhy-api-key')
    COLLECTOR_SIGNING_KEY = credentials('mergewhy-signing-key')
  }
  steps {
    sh 'npx mergewhy-collector report --ci jenkins --framework soc2'
  }
}

CircleCI

.circleci/config.yml
- run:
    name: MergeWhy Evidence
    command: npx mergewhy-collector report --ci circleci

Azure Pipelines

azure-pipelines.yml
- script: npx mergewhy-collector report --ci azure-pipelines
  displayName: MergeWhy Evidence
  env:
    MERGEWHY_API_KEY: $(MERGEWHY_API_KEY)
    COLLECTOR_SIGNING_KEY: $(MERGEWHY_SIGNING_KEY)

Explicit Arguments

Instead of auto-detection, you can pass every field explicitly. This is useful for custom CI systems or local testing:

All flags
mergewhy-collector report \
  --repo owner/repo \
  --pr 123 \
  --commit abc123 \
  --branch main \
  --author username \
  --description "Add payment API endpoint" \
  --ticket PROJ-1234 \
  --reviews 2 \
  --approvals 1 \
  --ci-status pass \
  --tests-passed 142 \
  --tests-failed 0 \
  --coverage 87 \
  --files-changed 12 \
  --framework soc2

Minimum Score Threshold

Fail the CI step if the evidence score is below a threshold. This enforces compliance quality gates in your pipeline:

npx mergewhy-collector report --ci github-actions --min-score 60

The command exits with code 0 when the score meets the threshold (pass) and with code 1 when it falls below it (fail), which fails the CI step.

Environment Variables

Set these to push signed attestations to the MergeWhy API:

Variable                Description
MERGEWHY_API_KEY        Your MergeWhy API key (from Dashboard → Settings → API Keys)
MERGEWHY_API_URL        API URL (default: https://mergewhy.com)
COLLECTOR_SIGNING_KEY   Ed25519 private key (base64) for attestation signing

Generate a Signing Keypair

npx mergewhy-collector keygen

This outputs a base64-encoded private key (set as COLLECTOR_SIGNING_KEY) and a public key fingerprint. Register the public key in your MergeWhy dashboard under Settings → Developer → Collector Keys.

Evidence Scoring

The CLI evaluates evidence quality on a 0–100 scale:

Factor                                        Max Points
Description quality                           20
Ticket links (Jira / Linear / GitHub)         15
Code reviews                                  15
CI/CD evidence (tests, security, coverage)    25
AI assessment                                 15
Gap resolution                                10

Supported Frameworks

Pass --framework <id> to evaluate against a specific compliance framework:

  • SOC 2
  • SOX ITGC / SOX 404
  • HIPAA
  • ISO 27001
  • NIST 800-53
  • CMMC (Level 1 / Level 2 / Level 3)
  • FedRAMP
  • DORA
  • GDPR
  • PCI DSS

CLI Output

The CLI prints a human-readable summary to stdout:

Example output
┌─────────────────────────────────────────────┐
│  MergeWhy Evidence Report                   │
├─────────────────────────────────────────────┤
│  Repository:   acme/payments-api            │
│  PR:           #247                         │
│  Score:        84 / 100                     │
│  Framework:    SOC 2                        │
│  Compliance:   PASS (12/14 controls)        │
│  Gaps:         MISSING_SECURITY_SCAN (LOW)  │
│  Attestation:  Signed & pushed ✓            │
└─────────────────────────────────────────────┘