Run inkode (ik) against your repository on every PR /
push and post a sticky comment summarising new findings, fixed issues, and the
overall score.
- uses: iszlai/ik-action@v1
with:
token: ${{ secrets.IK_TOKEN }}
fail-on: new-errors- Inline annotations on the PR diff for every finding (severity-mapped to
::error/::warning/::notice). - A sticky PR comment — single comment, updated on subsequent runs — listing new findings introduced by the PR and findings the PR fixed.
- A status check that passes/fails according to your
--fail-onpolicy. - A shareable report URL like
https://api.inkode.co/r/<id>for every scan, exposed as the action'sreport-urloutput and embedded in the sticky comment. - Public trend page + status badge at
https://api.inkode.co/p/<your- project>(opt-in via the per-project admin page). Drop the badge into your README:[](https://api.inkode.co/p/your-project)
- Get a trial token in 30 seconds. Visit api.inkode.co/ci/start, enter a project slug + your email. You get a token good for 10 CI runs over 30 days — enough to wire it up and see a few PRs land. Need more than 10 (or a custom slug that's already taken)? Email hello@inkode.co and we'll mint an unlimited token.
- Add it as a repo secret called
IK_TOKEN:gh secret set IK_TOKEN --repo your-org/your-repo - Drop a
.ik.yamlinto your repo (runik initlocally if you don't have one yet). - Add
.github/workflows/ik.yml:
name: ik
on: [pull_request, push]
jobs:
scan:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write # required for the sticky PR comment
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # ik needs git history for hotspot/coupling
- uses: iszlai/ik-action@v1
with:
token: ${{ secrets.IK_TOKEN }}
fail-on: new-errorsThat's it.
| Name | Default | Description |
|---|---|---|
token |
(required) | Project push token (set as a repo secret). |
endpoint |
https://api.inkode.co |
inkode server URL. Override for self-hosted instances. |
fail-on |
new-errors |
Policy that decides exit code. See below. |
output |
github-annotations |
human | json | github-annotations | sarif. |
comment |
true |
Post (or update) a sticky PR comment. |
ik-version |
latest |
ik release tag (e.g. v0.5.0). |
repo-path |
. |
Path to the repository root. |
| Name | Description |
|---|---|
score |
Overall score 0–100. |
grade |
Letter grade A–F. |
report-url |
Public URL of the uploaded report. |
| Policy | Fails when… |
|---|---|
never |
never. |
score:N |
the overall score is below N. Example: score:60. |
new-errors |
the PR introduces ≥ 1 new finding with severity error. Recommended for PRs. |
new-warnings |
the PR introduces ≥ 1 new finding (any severity). |
score-drop:N |
the overall score drops by ≥ N points vs the base branch. Example: score-drop:5. |
Diff-aware policies (new-errors, new-warnings, score-drop:N) compare
against the most recent report on the PR's base branch. If no baseline exists
yet (the project's first scan, or the base branch has never been scanned),
they degrade to score:60.
See examples/ for ready-to-copy workflows:
basic.yml— minimal setup.pr-only.yml— only run on pull requests.matrix.yml— run across multiple Go versions.
The action posts PR comments via
marocchino/sticky-pull-request-comment.
That requires pull-requests: write on the workflow's permissions: block.
inkode runs 17 static checks across five categories — security (secrets, dep-audit, infra, scripts, error-handling), testing (test-presence), maintainability (duplication, coupling, import-graph, dead-code, magic-numbers, todo-density), complexity (cyclomatic complexity per function, line count), and change risk (git hotspots). Two more informational checks (semantic duplication via an embedded LLM, AI-tool stack detection) surface in the report without affecting the score. Languages covered: Go, Python, JavaScript, TypeScript, Java, and Rust. Findings the PR introduces or fixes are diffed against the base branch's most recent scan.
Email hello@inkode.co — fastest path to a push token, a feature request, or a bug report. For action-specific issues you can also open an issue.
MIT