
Use Hardproof in CI

The GitHub Action downloads a hardproof release binary and runs hardproof ci (HTTP or stdio) against your server.

hardproof ci runs scan and fails the job when verification fails or the score falls below the threshold.

For release-grade gating, require trust evidence as well so a partial score cannot pass as a publishable full score.

Workflow snippet

name: hardproof

on:
  push:
  pull_request:

jobs:
  verify-mcp:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Start your MCP server here (or target a deployed URL).
      # - name: Start server
      #   run: ./scripts/start-server.sh

      - name: Run Hardproof CI
        id: hardproof
        uses: x07lang/hardproof/hardproof-scan@v0.4.0-beta.4
        with:
          url: http://127.0.0.1:3000/mcp
          version: v0.4.0-beta.4
          full-suite: "false"
          sarif: "true"
          threshold: "85"
          require-trust-for-full-score: "true"

      - name: Upload reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: hardproof-reports
          path: |
            out/doctor.json
            out/scan/**

Outputs

  • scan_ok: true if scan passed (exit 0)
  • report_json: out/scan/scan.json
  • report_sarif: out/scan/scan.sarif.json (when enabled)
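
One way to consume these outputs, as an added example that is not part of the Hardproof documentation: publish the SARIF report to GitHub code scanning and run a release job only when scan_ok is true. The publish job, ./scripts/publish.sh and the workflow name are hypothetical; github/codeql-action/upload-sarif is GitHub's own action, not part of Hardproof; and the empty-string guard is there because the page does not say whether report_sarif is set when the scan step fails.

```yaml
name: hardproof-gated-release   # hypothetical workflow name

on:
  push:

jobs:
  verify-mcp:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed by upload-sarif to write code scanning results
    outputs:
      # Re-export the step output so other jobs can gate on it.
      scan_ok: ${{ steps.hardproof.outputs.scan_ok }}
    steps:
      - uses: actions/checkout@v4

      # Start your MCP server here (or target a deployed URL), as in the snippet above.

      - name: Run Hardproof CI
        id: hardproof
        uses: x07lang/hardproof/hardproof-scan@v0.4.0-beta.4
        with:
          url: http://127.0.0.1:3000/mcp
          version: v0.4.0-beta.4
          full-suite: "false"
          sarif: "true"
          threshold: "85"
          require-trust-for-full-score: "true"

      # Runs even when the scan step failed, so findings still reach code scanning.
      - name: Upload SARIF to code scanning
        if: always() && steps.hardproof.outputs.report_sarif != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.hardproof.outputs.report_sarif }}
          category: hardproof

  publish:
    needs: verify-mcp   # skipped automatically if verify-mcp failed
    if: needs.verify-mcp.outputs.scan_ok == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish (hypothetical script)
        run: ./scripts/publish.sh
```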
