scalp ci

One command for CI — resolve, evaluate, block, install, audit, and report in a single step.

CI pipelines don't have time for a multi-step dance. scalp ci is the equivalent of install --guarded + audit + a structured report, packaged as a single command that exits 0 or 1.

Usage

scalp ci [flags]

Flags

| Flag | Default | Description |
|------|---------|-------------|
| `--pm` | auto-detected | Package manager override |
| `--policy` | `.scalp/policy.json` | Policy path |
| `--output` | `.scalp/ci-report.json` | JSON report path. Use `-` for stdout |
| `--pr-context` | `fork` | PR context: `fork` or `internal` |
| `--allow-scripts` | `false` | Allow install scripts (internal only) |
| `--sarif` | `""` | Path for SARIF 2.1.0 report |

How it works

1. Load policy — reads .scalp/policy.json or uses defaults
2. Resolve — runs the package manager's lockfile-only resolve (no install)
3. Parse and evaluate — parses the lockfile, evaluates every package against policy rules and trust scores
4. Block if violations — writes the JSON report, annotates the PR (GitHub Actions), and exits 1. Never installs.
5. Install — runs npm install (or equivalent) with --ignore-scripts in fork context
6. Hash sync — hashes every installed package directory, saves to .scalp/lockfile.json
7. Audit — verifies lockfile hashes against node_modules
8. Report — writes JSON report (+ optional SARIF), exits 0 or 1

Basic usage

cd my-project
scalp ci

First run (no policy file):

! policy not found; allowing with audit

Report written to .scalp/ci-report.json:

{
  "version": "0.2",
  "passed": true,
  "audit": {
    "verified": 142,
    "mismatched": 0,
    "missing": 0
  }
}

CI with violations

If a package violates policy or trust scoring:

ci failed: [{"PackageID":"evil@1.0.0","Reason":"denylist","Rule":"pattern:*-free"}]

Report:

{
  "version": "0.2",
  "passed": false,
  "violations": [
    {
      "package": "evil@1.0.0",
      "reason": "denylist_match: pattern:*-free",
      "rule": "denylist"
    }
  ],
  "audit": {
    "verified": 0,
    "mismatched": 0,
    "missing": 0
  }
}

PR context

# For PRs from forks
scalp ci --pr-context fork

# For internal PRs
scalp ci --pr-context internal

Fork context forces require_hash: true and blocks install scripts. Internal context respects your policy.

SARIF report

scalp ci --sarif .scalp/report.sarif

Generates a SARIF 2.1.0 report alongside the JSON report. Each violation becomes a SARIF result.

Write report to stdout

scalp ci --output -

Useful for debugging or piping to other tools.
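The script below is an added example and is not part of scalp's documentation or code base. It shows the two glue pieces a pipeline around scalp ci usually needs: picking --pr-context from the GitHub pull_request event (a head repository that is flagged as a fork, or that differs from the base repository, is treated as fork; anything that is not a PR at all also falls back to fork, so the conservative context is the default), and reading the JSON report back with the shape shown on this page. The report summary refuses to treat "passed": true as sufficient when the audit reports mismatched or missing packages. The event payloads and reports embedded here are constructed for illustration; the event field names (pull_request.head.repo.fork, full_name) are GitHub's, the function names are this example's own.

```python
"""Added example (not scalp's own code): drive scalp ci from a GitHub Actions
job and summarize the JSON report it writes.

Assumptions: a GitHub pull_request event payload at GITHUB_EVENT_PATH with
pull_request.head.repo.{fork,full_name} and pull_request.base.repo.full_name;
the report shape is the one shown on this page. All sample data is constructed.
"""
from __future__ import annotations

import json
import os
import subprocess
import sys
from typing import Any

# Constructed sample events (trimmed to the fields this script reads).
FORK_EVENT: dict[str, Any] = {
    "pull_request": {
        "head": {"repo": {"full_name": "someone/my-project", "fork": True}},
        "base": {"repo": {"full_name": "acme/my-project", "fork": False}},
    }
}
INTERNAL_EVENT: dict[str, Any] = {
    "pull_request": {
        "head": {"repo": {"full_name": "acme/my-project", "fork": False}},
        "base": {"repo": {"full_name": "acme/my-project", "fork": False}},
    }
}

# Constructed report, matching the failing example on this page.
FAILING_REPORT = json.dumps({
    "version": "0.2",
    "passed": False,
    "violations": [
        {"package": "evil@1.0.0", "reason": "denylist_match: pattern:*-free", "rule": "denylist"}
    ],
    "audit": {"verified": 0, "mismatched": 0, "missing": 0},
})


def pr_context(event: dict[str, Any]) -> str:
    """Map a GitHub event to scalp's --pr-context. Only a PR whose head repo is
    the base repo itself is 'internal'; everything else is 'fork' (fail closed:
    fork context forces require_hash and --ignore-scripts)."""
    pr = event.get("pull_request") or {}
    head = (pr.get("head") or {}).get("repo") or {}   # repo is null if the fork was deleted
    base = (pr.get("base") or {}).get("repo") or {}
    if not pr or head.get("fork") or head.get("full_name") != base.get("full_name"):
        return "fork"
    return "internal"


def scalp_ci_argv(context: str, report: str = ".scalp/ci-report.json",
                  sarif: str | None = None, allow_scripts: bool = False) -> list[str]:
    """Build the scalp ci command line from the flags documented on this page."""
    argv = ["scalp", "ci", "--pr-context", context, "--output", report]
    if sarif:
        argv += ["--sarif", sarif]
    if allow_scripts and context == "internal":      # the flag is internal-only
        argv.append("--allow-scripts")
    return argv


def summarize_report(raw: str) -> tuple[bool, list[str]]:
    """Parse a scalp ci JSON report and return (ok, messages). ok is False when
    passed is false or when the audit saw mismatched/missing packages, so a
    tampered node_modules is never waved through on the strength of 'passed'."""
    rep = json.loads(raw)
    ok = bool(rep.get("passed", False))
    msgs: list[str] = []
    for v in rep.get("violations") or []:
        msgs.append(f"violation: {v['package']} ({v['rule']}: {v['reason']})")
    audit = rep.get("audit") or {}
    mismatched, missing = audit.get("mismatched", 0), audit.get("missing", 0)
    if mismatched or missing:
        ok = False
        msgs.append(f"audit: {mismatched} mismatched, {missing} missing")
    msgs.append(f"audit: {audit.get('verified', 0)} verified")
    return ok, msgs


def main() -> int:
    event: dict[str, Any] = {}
    event_path = os.environ.get("GITHUB_EVENT_PATH")
    if event_path:
        with open(event_path, encoding="utf-8") as fh:
            event = json.load(fh)
    report = ".scalp/ci-report.json"
    argv = scalp_ci_argv(pr_context(event), report, sarif=".scalp/report.sarif")
    print("running:", " ".join(argv))
    rc = subprocess.run(argv).returncode       # scalp ci itself exits 0 or 1
    # Read the report back from disk rather than piping stdout, so a warning
    # line printed by the command cannot be mistaken for JSON.
    try:
        with open(report, encoding="utf-8") as fh:
            ok, msgs = summarize_report(fh.read())
    except FileNotFoundError:
        print("no report written; treating as failure", file=sys.stderr)
        return 1
    for m in msgs:
        print(m)
    return 0 if ok and rc == 0 else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the CI step in place of a bare scalp ci call; the exit code is 1 if either scalp ci failed or the report shows audit drift, so the job fails closed in both cases.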

Allow scripts (internal only)

scalp ci --pr-context internal --allow-scripts

Allowing install scripts means packages can run arbitrary code on the CI runner during install (preinstall and postinstall hooks and the like), with whatever credentials that job holds. Only use this for trusted projects where you know exactly which packages need build steps.

Why separate from install --guarded?

scalp install --guarded is a dev workflow — warnings, custom PM args, policy-dependent enforcement.

scalp ci is a pipeline command — always blocks, no passthrough args, machine-readable output.

They share the same evaluation engine. Same trust scores, same cache. The difference is the guardrails and the output format.
