Integrations

Wire primer into your workflow

primer works at multiple layers of a development workflow. Pick the ones that fit your team.

1. Shim Intercept — developer machines

The zero-config option. Run primer init once on each developer machine. After that, npm install, pip install, cargo add, and go get are intercepted and scanned transparently — no changes to existing scripts or workflows.

primer init

Clean installs are silent. Vulnerable ones prompt before anything touches the filesystem.

Full installation guide →


2. Git Hook — local last-resort gate

An opt-in pre-commit hook that blocks commits which add vulnerable packages to manifests. Best used alongside the GitHub Action — the hook catches issues before they leave the developer's machine; the Action enforces the same policy for the whole team regardless of local setup.

primer hook install    # run once per repo

Monitors staged changes to package.json, requirements.txt, go.mod, Cargo.toml, and their lockfiles.

Full Git Hooks guide →


3. CI/CD — GitHub Actions

Use the official GitHub Action. It installs primer, scans the manifest, uploads SARIF results to the GitHub Security tab, and posts a findings summary as a PR comment — all in one step.

permissions:
  security-events: write   # SARIF upload
  pull-requests: write     # PR comments
  actions: read
  contents: read

steps:
  - uses: actions/checkout@v6

  - uses: barestripehq/primer-action@v1
    with:
      file: package-lock.json

Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| file | yes | | Manifest or lockfile to scan (requirements.txt, package-lock.json, Cargo.lock, etc.) |
| threshold | no | high | Minimum severity that blocks the check: critical, high, medium, low |
| upload-sarif | no | true | Upload SARIF results to the GitHub Security tab |
| comment-pr | no | true | Post a findings summary as a PR comment |
| fail-on-findings | no | true | Exit 1 when blocking findings are detected |
| primer-version | no | latest | Pin a specific primer release tag (e.g. v0.1.5) |
| token | no | github.token | GitHub token for SARIF upload and PR comments |

Outputs

| Output | Description |
|---|---|
| findings-count | Total vulnerabilities found across all packages |
| blocking-count | Findings at or above the threshold |
| sarif-path | Absolute path to the generated SARIF file |

Examples

# Audit only — never block the workflow
- uses: barestripehq/primer-action@v1
  with:
    file: Cargo.lock
    fail-on-findings: 'false'

# Stricter threshold
- uses: barestripehq/primer-action@v1
  with:
    file: pyproject.toml
    threshold: medium

# Scan multiple manifests
- uses: barestripehq/primer-action@v1
  with:
    file: backend/pyproject.toml

- uses: barestripehq/primer-action@v1
  with:
    file: frontend/package-lock.json

Platform support: Linux (x86_64, ARM64), macOS (Intel, Apple Silicon), and Windows (x86_64).

SARIF upload and private repositories

SARIF upload to the GitHub Security tab uses the Code Scanning API, which requires GitHub Advanced Security on private repositories. Public repositories get code scanning for free.

| Repository | Security tab | PR comment | Exit code |
|---|---|---|---|
| Public | ✅ Free | ✅ | ✅ |
| Private + GitHub Advanced Security | ✅ Paid add-on | ✅ | ✅ |
| Private, no Advanced Security | ❌ (skip with upload-sarif: 'false') | ✅ | ✅ |

For private repositories without Advanced Security, set upload-sarif: 'false'. The scan, PR comment, and exit code all work as normal — only the Security tab integration is skipped.

- uses: barestripehq/primer-action@v1
  with:
    file: package-lock.json
    upload-sarif: 'false'
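Assembled from the fragments above, here is an added example (not the action's own documentation) of a complete workflow file that also reads the action's two count outputs in a follow-up step. The trigger set, the step id primer, the job summary step, and the assumption that the outputs are still populated when the scan step exits 1 on blocking findings are mine.

```yaml
# .github/workflows/primer.yml (added example, not from the primer project)
name: Dependency scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  security-events: write   # SARIF upload
  pull-requests: write     # PR comments
  actions: read
  contents: read

jobs:
  primer:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6

      - id: primer                   # an id lets later steps read this step's outputs
        uses: barestripehq/primer-action@v1
        with:
          file: package-lock.json
          threshold: high            # medium/low/critical also accepted
          primer-version: v0.1.5     # pin the scanner release for reproducible results
          # upload-sarif: 'false'    # uncomment on a private repo without Advanced Security

      - name: Record counts in the job summary
        if: always()                 # still runs when the scan step exited 1
        run: |
          # assumption: outputs are set before the action exits on blocking findings
          echo "findings: ${{ steps.primer.outputs.findings-count }}" >> "$GITHUB_STEP_SUMMARY"
          echo "blocking: ${{ steps.primer.outputs.blocking-count }}" >> "$GITHUB_STEP_SUMMARY"
          echo "sarif: ${{ steps.primer.outputs.sarif-path }}" >> "$GITHUB_STEP_SUMMARY"
```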

Alternative: install the CLI directly

For full control over the scan step, or for non-GitHub CI systems (CircleCI, GitLab CI, Jenkins), install primer via the installer script and call the CLI yourself. primer auto-detects CI=true and switches to non-interactive mode.

- name: Install primer
  run: |
    curl --proto '=https' --tlsv1.2 -fsSL https://github.com/barestripehq/primer/releases/latest/download/primer-installer.sh | sh

- name: Scan dependencies
  run: primer scan --file package-lock.json --format sarif --output results.sarif

Environment variables

| Variable | Effect |
|---|---|
| PRIMER_CI_MODE=allow-all | Scan and log findings but never exit 1 (audit-only). |
| PRIMER_AI=0 | Disable AI summaries to reduce noise in CI logs. |
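For one of the non-GitHub systems named above, here is an added example (not from the primer project) of a GitLab CI job built from the same installer and scan commands. It assumes the installer leaves a primer binary on PATH (as the two-step GitHub snippet above relies on) and that an apt-based Linux image is acceptable; the job name, image, and rules are mine.

```yaml
# .gitlab-ci.yml (added example, not from the primer project)
dependency-scan:
  stage: test
  image: ubuntu:24.04              # assumption: any glibc Linux image with apt works
  variables:
    PRIMER_AI: "0"                 # keep AI summaries out of the CI log
    # PRIMER_CI_MODE: "allow-all"  # uncomment to make the job audit-only (never exit 1)
  before_script:
    - apt-get update && apt-get install -y --no-install-recommends curl ca-certificates
    - curl --proto '=https' --tlsv1.2 -fsSL https://github.com/barestripehq/primer/releases/latest/download/primer-installer.sh | sh
  script:
    # GitLab sets CI=true, so primer runs in non-interactive mode.
    # A non-zero exit on blocking findings fails the job unless PRIMER_CI_MODE=allow-all.
    - primer scan --file package-lock.json --format sarif --output results.sarif
  artifacts:
    when: always                   # keep the report even when the scan fails the job
    paths:
      - results.sarif
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```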

4. Directory Watcher — local dev sessions

Runs in the background during a dev session. Re-scans manifest files automatically whenever they change.

primer watch --directory . --scan

Watches requirements.txt, pyproject.toml, package.json, go.mod, and Cargo.toml. A 500 ms debounce prevents double-firing on rapid saves. Exit with Ctrl+C.

--scan triggers an immediate scan of all watched manifests on startup.


5. SBOM Generation

Generate a Software Bill of Materials from any manifest or lockfile. Useful for compliance, audits, and supply chain reporting.

# CycloneDX v1.5 (default)
primer sbom --file backend/pyproject.toml --output sbom-backend.json

# SPDX 2.3
primer sbom --file frontend/package-lock.json --output sbom-frontend.json --format spdx

# Inventory only — skip OSV enrichment
primer sbom --file Cargo.toml --no-scan

Output is sorted by name → version for deterministic diffs in version control.


6. MCP Server — AI coding agents

Exposes a scan_package tool to any MCP-capable AI agent (Claude Code, Cursor, Cline). The agent calls it before suggesting a package install, making the vulnerability check part of its reasoning rather than a post-hoc interception.

{
  "mcpServers": {
    "primer": {
      "command": "primer",
      "args": ["mcp"]
    }
  }
}

Add to your project's .mcp.json, or ~/.claude/mcp.json for global use.

Full MCP Server guide →