I Want to Add AI Security to My Pipeline

You run GitHub Actions, GitLab CI, or another CI/CD system and want to enforce AI security checks on every pull request and deployment. This guide provides copy-ready YAML configurations for each integration point.

Time to complete: approximately 15 minutes.

Step 1: Security Review on Pull Requests

Run a full 6-phase security review on every pull request. The --ci flag produces non-interactive output, and --format json returns structured results for downstream processing.

.github/workflows/ai-security.yml
name: AI Security Review

on:
  pull_request:
    branches: [main]

jobs:
  security-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run OpenA2A security review
        run: npx opena2a-cli review --ci --format json > review.json

      - name: Check for failures
        run: |
          FAILURES=$(jq '.summary.fail' review.json)
          if [ "$FAILURES" -gt 0 ]; then
            echo "Security review found $FAILURES failures"
            jq '.findings[] | select(.severity == "FAIL")' review.json
            exit 1
          fi

      - name: Upload review report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ai-security-review
          path: review.json
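The "Check for failures" step above feeds `.summary.fail` straight into an integer comparison, so a missing or non-numeric summary surfaces as a shell error rather than a gate decision. As an added example (not OpenA2A's own code), the same check written as a reusable POSIX shell function that treats an unreadable report as a failure and lists the FAIL findings; the `phase` and `title` fields in the constructed sample are assumptions, only `summary.fail` and `findings[].severity` come from the guide.

```shell
#!/bin/sh
# Added example (not OpenA2A's code): gate on review.json without letting a
# missing or non-numeric summary field slip through as a shell error. Needs jq.

# Constructed sample report. Only summary.fail and findings[].severity are
# fields the guide shows; phase and title are assumed here.
SAMPLE_REVIEW='{
  "summary": {"pass": 4, "warn": 1, "fail": 2},
  "findings": [
    {"phase": 2, "severity": "FAIL", "title": "MCP config is unsigned"},
    {"phase": 3, "severity": "WARN", "title": "Agent has no manifest"},
    {"phase": 5, "severity": "FAIL", "title": "Secret in prompt template"}
  ]
}'

# check_review FILE
# Exit 0 with no FAIL findings, 1 with any, 2 when the report is unreadable
# (an unreadable report fails the gate instead of passing it silently).
check_review() {
  file=$1
  # jq -e exits non-zero when the value is null, so a missing summary is
  # caught here rather than by the integer comparison below.
  failures=$(jq -er '.summary.fail' "$file" 2>/dev/null) || {
    echo "check_review: cannot read .summary.fail from $file" >&2
    return 2
  }
  case $failures in
    ''|*[!0-9]*)
      echo "check_review: .summary.fail is not a count: '$failures'" >&2
      return 2 ;;
  esac
  if [ "$failures" -gt 0 ]; then
    echo "Security review found $failures failures"
    jq -r '.findings[] | select(.severity == "FAIL") | "  phase \(.phase): \(.title)"' "$file"
    return 1
  fi
  echo "Security review passed"
}

# count_severity FILE SEVERITY: count findings from the detailed list, so the
# summary counter can be cross-checked against it.
count_severity() {
  jq -r --arg sev "$2" '[.findings[] | select(.severity == $sev)] | length' "$1"
}
```

Write `$SAMPLE_REVIEW` to a file and call `check_review review.json` in place of the inline step to try it; the same function works unchanged in the GitLab job.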

Step 2: Trust Gate for MCP Server Dependencies

Block deployments that depend on MCP servers below a minimum trust score. The trust-gate action queries the OpenA2A Registry and fails the build if any dependency falls below the threshold.

.github/workflows/trust-gate.yml
name: Trust Gate

on:
  pull_request:
    branches: [main]

jobs:
  trust-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Verify MCP server trust scores
        uses: opena2a-org/trust-gate-action@v1
        with:
          min-trust-score: 70
          fail-on-unregistered: true
          config-path: .claude/claude_desktop_config.json

Sample output when the gate fails:

Trust Gate Results
==================

Checking 3 MCP server dependencies...

  filesystem    Trust: 78/100  PASS (>= 70)
  postgres-mcp  Trust: 64/100  FAIL (< 70)
  web-search    Trust: --      FAIL (unregistered)

Result: FAILED (2 of 3 below threshold)
Exit code: 1

Step 3: Add a Trust Badge to Your Repository

Display your current trust score as a badge in your README. The badge updates automatically after each CI run.

.github/workflows/trust-badge.yml
name: Trust Badge

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'  # Weekly, Monday 06:00 UTC

jobs:
  update-badge:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # required so the job can push the updated badge
    steps:
      - uses: actions/checkout@v4

      - name: Generate trust badge
        uses: opena2a-org/trust-badge-action@v1
        with:
          agent-name: my-project
          badge-path: .github/badges/trust-score.svg

      - name: Commit badge
        run: |
          git config user.name "github-actions"
          git config user.email "actions@github.com"
          git add .github/badges/trust-score.svg
          git diff --cached --quiet || git commit -m "Update trust badge"
          git push

Add the badge to your README:

![Trust Score](/.github/badges/trust-score.svg)

Step 4: Pre-Commit Detection Hook

Run Shadow AI detection before each commit to catch new unmanaged agents or unsigned MCP configurations that developers may have added.

.husky/pre-commit
#!/bin/sh
# Block the commit when detection exits non-zero; --quiet keeps the hook
# terse, and the developer re-runs without it to see the findings.
if ! npx opena2a-cli detect --ci --quiet; then
  echo ""
  echo "AI security check failed."
  echo "Run 'npx opena2a-cli detect' for details."
  exit 1
fi

GitLab CI Configuration

The same checks adapted for GitLab CI. This runs the security review and Shadow AI detection as separate jobs in a single security stage, both restricted to merge request pipelines.

.gitlab-ci.yml
stages:
  - security

ai-security-review:
  stage: security
  image: node:20
  before_script:
    - apt-get update -qq && apt-get install -y -qq jq  # ensure jq is available for the JSON check
  script:
    - npx opena2a-cli review --ci --format json > review.json
    - |
      FAILURES=$(jq '.summary.fail' review.json)
      if [ "$FAILURES" -gt 0 ]; then
        echo "Security review found $FAILURES failures"
        exit 1
      fi
  artifacts:
    paths:
      - review.json
    when: always
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

shadow-ai-detect:
  stage: security
  image: node:20
  script:
    - npx opena2a-cli detect --ci --export-csv ai-assets.csv
  artifacts:
    paths:
      - ai-assets.csv
    when: always
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

What You Now Have

  • Automated security review on every pull request with structured JSON output
  • A trust gate that blocks deployments depending on untrusted MCP servers
  • A trust badge that reflects your current security posture in your README
  • Pre-commit detection that catches unmanaged AI agents before code is committed
  • Full configurations for both GitHub Actions and GitLab CI

Next Steps