repopilot 0.5.0

Local-first CLI for repository audit, architecture risk detection, baseline tracking, and CI-friendly code review.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

# GitHub Code Scanning

RepoPilot can write SARIF so GitHub Code Scanning can display findings in the repository security tab and annotate pull requests.

## Generate SARIF locally

```bash
repopilot scan . --format sarif --output repopilot.sarif
```

If your installed RepoPilot version does not support `--output`, redirect stdout instead:

```bash
repopilot scan . --format sarif > repopilot.sarif
```

When validating changes from a RepoPilot source checkout, use the local binary:

```bash
cargo run -- scan . --format sarif --output repopilot.sarif
```

## GitHub Actions

Copy [`.github/workflows/repopilot-sarif.yml.example`](../../.github/workflows/repopilot-sarif.yml.example) to `.github/workflows/repopilot-sarif.yml` in a repository where you want RepoPilot findings uploaded to GitHub Code Scanning.

```yaml
name: RepoPilot SARIF

on:
  pull_request:
  push:
    branches:
      - main

permissions:
  contents: read
  security-events: write

jobs:
  repopilot:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v5

      - name: Install RepoPilot
        run: cargo install repopilot

      - name: Run RepoPilot SARIF scan
        run: repopilot scan . --format sarif --output repopilot.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: repopilot.sarif
          category: repopilot
```

The workflow needs `security-events: write`; without it, GitHub rejects the SARIF upload. `contents: read` is enough for checkout.

For RepoPilot's own repository or another Rust project where installing from crates.io is too slow during CI, run the local checkout binary instead:

```yaml
      - name: Run RepoPilot SARIF scan
        run: cargo run -- scan . --format sarif --output repopilot.sarif
```

Keep the SARIF file name consistent between the scan step and the upload step. The examples above write and upload `repopilot.sarif`.

## Choosing an output format

Use JSON when a script or service will parse RepoPilot results directly.

Use Markdown when you want a human-readable report for pull request comments, job summaries, or issue descriptions.

Use SARIF when you want CI and code scanning integrations, including GitHub Code Scanning.