Use case
Block risky PRs without slowing every commit.
Use GitHub Actions only where it belongs: as the final gate for high-risk findings, SARIF evidence, and reviewer signal.
Policy-based failure
Fail on high or critical findings while keeping lower-severity cleanup visible but non-blocking.
- Threshold gates
- PR annotations
- SARIF upload
- HTML artifact
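As an added example of the threshold gate described above (not the product's own code), the following script reads a SARIF file, banding each result by the `security-severity` rule property (GitHub's convention, assumed here) and failing only on high or critical findings, while still reporting the lower bands. The scanner name and sample findings are constructed.

```python
# Added example: SARIF severity gate. Exit 1 only on high/critical findings;
# lower bands stay visible in the output but never block the job.
import json
import sys

BLOCKING = {"critical", "high"}

def band(score: float) -> str:
    # GitHub's security-severity scale: 9.0+ critical, 7.0-8.9 high, 4.0-6.9 medium
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"

def count_by_severity(sarif: dict) -> dict:
    # Results whose rule carries no security-severity property are counted as low.
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            props = by_id.get(result.get("ruleId"), {}).get("properties", {})
            counts[band(float(props.get("security-severity", 0)))] += 1
    return counts

def gate(sarif: dict) -> tuple:
    # Returns (blocked, counts); blocked is True only when a blocking band is non-empty.
    counts = count_by_severity(sarif)
    return any(counts[b] for b in BLOCKING), counts

# Constructed SARIF document: one high (R1), one medium (R2), one low (R3) finding.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "R1", "properties": {"security-severity": "8.1"}},
            {"id": "R2", "properties": {"security-severity": "5.0"}},
            {"id": "R3", "properties": {"security-severity": "2.0"}},
        ]}},
        "results": [{"ruleId": "R1"}, {"ruleId": "R2"}, {"ruleId": "R3"}],
    }],
}

if __name__ == "__main__":
    # CI usage: python gate.py results.sarif ; a non-zero exit fails the PR check
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    blocked, counts = gate(doc)
    print(counts, "FAIL" if blocked else "PASS")
    sys.exit(1 if blocked else 0)
```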