
CI/CD Integration

Integrate Nomik into your CI/CD pipeline — quality gates, PR impact analysis, architecture rules, and GitHub Actions workflow examples.

Overview

Nomik provides a unified CI command that runs the full quality pipeline in a single step, plus individual commands for granular control.

nomik ci                    # Full pipeline: scan → rules → guard → audit
nomik ci --skip-scan        # Skip scan if graph is already up to date

CI/CD Pipeline Flow

Quality Gate

The nomik guard command acts as a quality gate that blocks deployments or merges when thresholds are violated.

nomik guard                 # Interactive mode
nomik guard --ci            # Non-interactive (exits with code 1 on failure)
nomik guard --install-hook  # Install as git pre-commit hook
nomik guard --uninstall-hook # Remove the pre-commit hook

What It Checks

Check                      Default Threshold   Description
Dead code functions        5                   Functions never called and not exported from barrel files
God files                  3                   Files with more than 15 functions (configurable via --god-file-threshold)
Duplicate function groups  2                   Functions with identical bodyHash (copy-paste detection)
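The following is an added example (not Nomik's own code) that models the three guard checks above over constructed function records, so the threshold semantics and the `--ci` exit-code behaviour can be seen end to end. The record fields (`name`, `filePath`, `bodyHash`, `exported`, `callers`) are assumptions, not Nomik's graph schema.

```javascript
// Added example, not Nomik's code: a minimal model of the three `nomik guard`
// checks. Record fields are assumed for illustration.

// Defaults from the "What It Checks" table; godFileThreshold mirrors
// --god-file-threshold.
const DEFAULT_THRESHOLDS = {
  maxDeadCode: 5,
  maxGodFiles: 3,
  godFileThreshold: 15,
  maxDuplicates: 2,
};

// Dead code: never called and not exported from a barrel file.
function countDeadCode(functions) {
  return functions.filter(f => f.callers === 0 && !f.exported).length;
}

// God files: files whose function count exceeds the threshold ("more than 15").
function findGodFiles(functions, threshold) {
  const perFile = new Map();
  for (const f of functions) {
    perFile.set(f.filePath, (perFile.get(f.filePath) || 0) + 1);
  }
  return [...perFile].filter(([, n]) => n > threshold).map(([file]) => file);
}

// Duplicate groups: sets of two or more functions sharing the same bodyHash.
function findDuplicateGroups(functions) {
  const byHash = new Map();
  for (const f of functions) {
    if (!byHash.has(f.bodyHash)) byHash.set(f.bodyHash, []);
    byHash.get(f.bodyHash).push(f.name);
  }
  return [...byHash.values()].filter(group => group.length > 1);
}

// Evaluate the gate; exitCode 1 mirrors `nomik guard --ci` on any violation.
function evaluateGuard(functions, thresholds = {}) {
  const t = { ...DEFAULT_THRESHOLDS, ...thresholds };
  const deadCode = countDeadCode(functions);
  const godFiles = findGodFiles(functions, t.godFileThreshold);
  const duplicates = findDuplicateGroups(functions);
  const violations = [];
  if (deadCode > t.maxDeadCode) violations.push(`dead code functions: ${deadCode} > ${t.maxDeadCode}`);
  if (godFiles.length > t.maxGodFiles) violations.push(`god files: ${godFiles.length} > ${t.maxGodFiles}`);
  if (duplicates.length > t.maxDuplicates) violations.push(`duplicate groups: ${duplicates.length} > ${t.maxDuplicates}`);
  return { deadCode, godFiles, duplicates, violations, exitCode: violations.length ? 1 : 0 };
}

// Constructed sample: one god file (16 functions), three duplicate groups,
// two dead functions. Only the duplicate check should trip the default gate.
function sampleFunctions() {
  const fns = [];
  for (let i = 0; i < 16; i++) {
    fns.push({ name: `helper${i}`, filePath: 'src/utils/big.ts', bodyHash: `h${i}`, exported: true, callers: 1 });
  }
  fns.push({ name: 'unusedA', filePath: 'src/a.ts', bodyHash: 'dupX', exported: false, callers: 0 });
  fns.push({ name: 'unusedB', filePath: 'src/b.ts', bodyHash: 'dupX', exported: false, callers: 0 });
  fns.push({ name: 'copy1', filePath: 'src/c.ts', bodyHash: 'dupY', exported: true, callers: 2 });
  fns.push({ name: 'copy2', filePath: 'src/d.ts', bodyHash: 'dupY', exported: true, callers: 2 });
  fns.push({ name: 'copy3', filePath: 'src/e.ts', bodyHash: 'dupZ', exported: true, callers: 2 });
  fns.push({ name: 'copy4', filePath: 'src/f.ts', bodyHash: 'dupZ', exported: true, callers: 2 });
  return fns;
}

console.log(JSON.stringify(evaluateGuard(sampleFunctions()), null, 2));
```

Passing `{ maxDuplicates: 3 }` as the second argument relaxes the one tripped check and the gate passes, which is the same effect as raising the corresponding key in `.nomik/rules.yaml`.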

Architecture Rules

The nomik rules command evaluates 9 built-in rules plus any custom Cypher rules you define.

nomik rules                 # Evaluate all rules
nomik rules --init          # Generate .nomik/rules.yaml config

Built-in Rules (9)

Rule                      Default   Severity   Description
max-dead-code             5         error      Maximum dead code functions allowed
max-god-files             3         error      Maximum files with >15 functions (configurable)
max-duplicates            2         warning    Maximum duplicate function groups
max-function-callers      50        warning    Maximum callers per function (high fan-in)
max-db-writes-per-route   3         warning    Maximum DB write functions per route
no-circular-imports       true      error      Disallow circular file imports
max-function-lines        200       warning    Maximum lines per function
max-file-lines            1000      warning    Maximum lines per file
max-security-issues       0         error      Maximum security issues allowed

Custom Cypher Rules

Add custom rules to .nomik/rules.yaml using Cypher queries:

.nomik/rules.yaml
maxDeadCode: 5
maxGodFiles: 3
maxGodFileThreshold: 15
maxDuplicates: 2
maxFunctionCallers: 50
maxDbWritesPerRoute: 3
noCircularImports: true
maxFunctionLines: 200
maxFileLines: 1000
maxSecurityIssues: 0

customRules:
  - name: no-direct-db-in-controllers
    description: Controllers should not directly access the database
    severity: error
    maxResults: 0
    cypher: |
      MATCH (f:Function)-[:WRITES_TO|READS_FROM]->(t:DBTable)
      WHERE f.filePath CONTAINS 'controller'
      RETURN f.name as name, f.filePath as filePath

  - name: no-external-calls-in-models
    description: Models should not make external API calls
    severity: warning
    maxResults: 0
    cypher: |
      MATCH (f:Function)-[:CALLS_EXTERNAL]->(api:ExternalAPI)
      WHERE f.filePath CONTAINS 'model'
      RETURN f.name as name, api.name as api, f.filePath as filePath
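As an added illustration (not Nomik's code) of how the two custom rules above turn into a pass/fail decision: the snippet evaluates each rule's result rows against `maxResults` and `severity`. The graph is a constructed in-memory stand-in for Neo4j, and each rule's `match` function is hand-written JavaScript mirroring the page's Cypher rather than a Cypher engine. Treating only `error` violations as failing the run (with `warning` violations reported but not failing) is an assumption about Nomik's semantics.

```javascript
// Added example, not Nomik's code. Constructed in-memory graph: each function
// has a filePath and outgoing edges [relationship, target].
const GRAPH = {
  functions: [
    { name: 'listUsers',   filePath: 'src/controllers/users.ts', edges: [['READS_FROM', 'users']] },
    { name: 'createUser',  filePath: 'src/services/users.ts',    edges: [['WRITES_TO', 'users']] },
    { name: 'syncProfile', filePath: 'src/models/profile.ts',    edges: [['CALLS_EXTERNAL', 'payments-api']] },
  ],
};

// The two custom rules from .nomik/rules.yaml; `match` stands in for `cypher`.
const CUSTOM_RULES = [
  {
    name: 'no-direct-db-in-controllers',
    severity: 'error',
    maxResults: 0,
    // MATCH (f:Function)-[:WRITES_TO|READS_FROM]->(t:DBTable) WHERE f.filePath CONTAINS 'controller'
    match: g => g.functions
      .filter(f => f.filePath.includes('controller')
        && f.edges.some(([rel]) => rel === 'WRITES_TO' || rel === 'READS_FROM'))
      .map(f => ({ name: f.name, filePath: f.filePath })),
  },
  {
    name: 'no-external-calls-in-models',
    severity: 'warning',
    maxResults: 0,
    // MATCH (f:Function)-[:CALLS_EXTERNAL]->(api:ExternalAPI) WHERE f.filePath CONTAINS 'model'
    match: g => g.functions
      .filter(f => f.filePath.includes('model') && f.edges.some(([rel]) => rel === 'CALLS_EXTERNAL'))
      .map(f => ({
        name: f.name,
        api: f.edges.find(([rel]) => rel === 'CALLS_EXTERNAL')[1],
        filePath: f.filePath,
      })),
  },
];

// A rule is violated when it returns more rows than maxResults. Assumption:
// error-severity violations fail the run (exit code 1); warnings only report.
function evaluateRules(graph, rules) {
  const results = rules.map(rule => {
    const rows = rule.match(graph);
    return { name: rule.name, severity: rule.severity, rows, violated: rows.length > rule.maxResults };
  });
  const errors = results.filter(r => r.violated && r.severity === 'error').length;
  const warnings = results.filter(r => r.violated && r.severity === 'warning').length;
  return { results, errors, warnings, exitCode: errors ? 1 : 0 };
}

for (const r of evaluateRules(GRAPH, CUSTOM_RULES).results) {
  console.log(`${r.violated ? 'FAIL' : 'ok  '} [${r.severity}] ${r.name}: ${r.rows.length} row(s)`);
}
```

With `maxResults: 0` a single matching row is a violation, which is the right setting for rules that encode a hard architectural boundary; a non-zero `maxResults` is useful while migrating a codebase toward the rule.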

PR Impact Analysis

Analyze the blast radius of changes in the current branch:

nomik pr-impact             # Human-readable report
nomik pr-impact --json      # Machine-readable JSON output for CI

The command:

  1. Runs git diff to find changed files
  2. Identifies all functions modified in those files
  3. Traverses the graph to find all downstream dependencies
  4. Generates a risk report with affected routes, functions, and DB operations
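The four steps above, carried out as an added example (not Nomik's code) over a constructed call graph. In a real run step 1's changed-file list would come from `git diff --name-only`; here it is passed in so the example runs offline. The graph shape (`calls`, `dbWrites`, `routes`) and the risk levels are assumptions made for this illustration.

```javascript
// Added example, not Nomik's code. Constructed graph: `calls` edges point
// caller -> callee, routes map to their handler function, dbWrites lists the
// tables a function writes to.
const CALL_GRAPH = {
  functions: {
    formatMoney:  { filePath: 'src/utils/money.ts',          calls: [],              dbWrites: [] },
    priceCart:    { filePath: 'src/services/cart.ts',        calls: ['formatMoney'], dbWrites: [] },
    checkout:     { filePath: 'src/services/checkout.ts',    calls: ['priceCart'],   dbWrites: ['orders'] },
    getCart:      { filePath: 'src/controllers/cart.ts',     calls: ['priceCart'],   dbWrites: [] },
    postCheckout: { filePath: 'src/controllers/checkout.ts', calls: ['checkout'],    dbWrites: [] },
    healthCheck:  { filePath: 'src/controllers/health.ts',   calls: [],              dbWrites: [] },
  },
  routes: {
    'GET /cart': 'getCart',
    'POST /checkout': 'postCheckout',
    'GET /health': 'healthCheck',
  },
};

// Step 2: functions defined in the changed files.
function modifiedFunctions(graph, changedFiles) {
  const changed = new Set(changedFiles);
  return Object.keys(graph.functions).filter(n => changed.has(graph.functions[n].filePath));
}

// Reverse the call edges (callee -> callers) so we can walk "who depends on this".
function reverseCalls(graph) {
  const callers = {};
  for (const [name, fn] of Object.entries(graph.functions)) {
    for (const callee of fn.calls) {
      if (!callers[callee]) callers[callee] = [];
      callers[callee].push(name);
    }
  }
  return callers;
}

// Step 3: breadth-first walk from the modified functions through caller edges.
function downstreamDependents(graph, seeds) {
  const callers = reverseCalls(graph);
  const seen = new Set(seeds);
  const queue = [...seeds];
  while (queue.length) {
    const fn = queue.shift();
    for (const c of callers[fn] || []) {
      if (!seen.has(c)) { seen.add(c); queue.push(c); }
    }
  }
  return [...seen];
}

// Step 4: risk report. Risk levels are an assumed heuristic: any reachable DB
// write is "high", a reachable route without writes is "medium", else "low".
function prImpact(graph, changedFiles) {
  const modified = modifiedFunctions(graph, changedFiles);
  const affected = downstreamDependents(graph, modified).sort();
  const affectedSet = new Set(affected);
  const routes = Object.entries(graph.routes)
    .filter(([, handler]) => affectedSet.has(handler))
    .map(([route]) => route)
    .sort();
  const dbWrites = [...new Set(affected.flatMap(n => graph.functions[n].dbWrites))].sort();
  const risk = dbWrites.length ? 'high' : routes.length ? 'medium' : 'low';
  const summary = `${modified.length} changed function(s) reach ${routes.length} route(s) `
    + `and ${dbWrites.length} DB write table(s); risk: ${risk}`;
  return { modified, affected, routes, dbWrites, risk, summary };
}

console.log(JSON.stringify(prImpact(CALL_GRAPH, ['src/utils/money.ts']), null, 2));
```

Note that a change to a leaf utility (`src/utils/money.ts`) surfaces as high risk because the walk reaches a checkout path that writes to the orders table, which is exactly the kind of non-obvious blast radius a reviewer wants flagged.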

Dependency Audit

Check for vulnerable dependencies and cross-reference with the knowledge graph:

nomik audit

This runs npm audit internally and then maps vulnerable packages to the files and functions that import them, showing the blast radius of each vulnerability.
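An added example (not Nomik's code) of the cross-referencing step: it parses output in the shape `npm audit --json` produces on npm 7 and later (a top-level `vulnerabilities` object keyed by package name) and joins each finding to an import index. The audit document and the import index are both constructed here; advisory titles and URLs are placeholders, and the import index stands in for what Nomik would read from the knowledge graph.

```javascript
// Added example, not Nomik's code. Constructed `npm audit --json` output
// (npm 7+ shape). Package names, titles and URLs are placeholders.
const AUDIT_JSON = JSON.stringify({
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', range: '<2.0.1',
      via: [{ title: 'Prototype pollution (constructed advisory)', url: 'https://example.invalid/advisory/1' }],
      fixAvailable: true,
    },
    'example-logger': {
      name: 'example-logger', severity: 'moderate', range: '<1.4.0',
      via: ['example-parser'],   // inherited through a dependency, not a direct advisory
      fixAvailable: true,
    },
  },
});

// Constructed import index: which function in which file imports which packages.
const IMPORT_INDEX = [
  { filePath: 'src/controllers/upload.ts', fn: 'parseUpload', imports: ['example-parser'] },
  { filePath: 'src/lib/log.ts',            fn: 'logRequest',  imports: ['example-logger'] },
  { filePath: 'src/controllers/health.ts', fn: 'healthCheck', imports: [] },
];

const SEVERITY_ORDER = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// Flatten the audit document into one record per vulnerable package. In the
// npm 7+ format `via` holds advisory objects for direct findings and plain
// package names when the vulnerability is inherited from a dependency.
function parseAudit(json) {
  const data = JSON.parse(json);
  return Object.values(data.vulnerabilities || {}).map(v => ({
    name: v.name,
    severity: v.severity,
    range: v.range,
    direct: Array.isArray(v.via) && v.via.some(x => typeof x === 'object'),
  }));
}

// Join each finding to the files and functions that import the package,
// most severe first.
function blastRadius(auditJson, importIndex) {
  return parseAudit(auditJson)
    .map(vuln => {
      const hits = importIndex.filter(e => e.imports.includes(vuln.name));
      return {
        package: vuln.name,
        severity: vuln.severity,
        direct: vuln.direct,
        files: [...new Set(hits.map(h => h.filePath))].sort(),
        functions: hits.map(h => h.fn).sort(),
      };
    })
    .sort((a, b) => (SEVERITY_ORDER[a.severity] ?? 9) - (SEVERITY_ORDER[b.severity] ?? 9));
}

for (const entry of blastRadius(AUDIT_JSON, IMPORT_INDEX)) {
  console.log(`${entry.severity.padEnd(8)} ${entry.package}: ${entry.files.length} file(s), ${entry.functions.join(', ')}`);
}
```

A finding with an empty `files` list is a package that is installed but never imported by first-party code; that is still worth fixing, but the ones that reach request-handling code are the ones to prioritise.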

GitHub Actions Example

.github/workflows/nomik.yml
name: Nomik Quality Gate
on: [push, pull_request]

jobs:
  quality:
    runs-on: ubuntu-latest
    services:
      neo4j:
        image: neo4j:5-community
        env:
          NEO4J_AUTH: neo4j/nomik_local
        ports:
          - 7474:7474
          - 7687:7687

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm install -g @nomik-ai/cli
      - run: sleep 10  # Wait for Neo4j to start
      - run: nomik ci

With PR Impact Comments

.github/workflows/pr-impact.yml
name: PR Impact Analysis
on: [pull_request]

jobs:
  impact:
    runs-on: ubuntu-latest
    services:
      neo4j:
        image: neo4j:5-community
        env:
          NEO4J_AUTH: neo4j/nomik_local
        ports:
          - 7474:7474
          - 7687:7687

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for diff
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm install -g @nomik-ai/cli
      - run: sleep 10
      - run: nomik scan .
      - run: nomik pr-impact --json > impact.json
      - name: Comment on PR
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const impact = JSON.parse(fs.readFileSync('impact.json', 'utf8'));
            const body = `## Nomik Impact Analysis\n\n${impact.summary}`;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body
            });
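The step above posts a fresh comment on every push to the PR. The following added example (not Nomik's code, and not part of the workflow above) shows an idempotent variant of that script: it builds the body from `impact.json` and updates an existing Nomik comment, found by a hidden marker, instead of creating a new one. The `api` parameter mimics the subset of `github.rest.issues` used (`listComments`, `createComment`, `updateComment`), and the `routes`/`dbWrites` fields of `impact` are assumptions beyond the `summary` field the page uses.

```javascript
// Added example, not Nomik's code. Inside a github-script step, call
// `upsertComment(github.rest.issues, { ...context.repo, number: context.issue.number }, body)`.

const MARKER = '<!-- nomik-impact -->';

// Build the comment body; the marker is an HTML comment, invisible when rendered.
function buildCommentBody(impact) {
  const lines = [MARKER, '## Nomik Impact Analysis', '', impact.summary, ''];
  if (Array.isArray(impact.routes) && impact.routes.length) {
    lines.push(`**Affected routes:** ${impact.routes.join(', ')}`);
  }
  if (Array.isArray(impact.dbWrites) && impact.dbWrites.length) {
    lines.push(`**DB writes:** ${impact.dbWrites.join(', ')}`);
  }
  return lines.join('\n');
}

// Update the existing marked comment if there is one, otherwise create it.
// listComments is paginated (30 per page by default); a PR with more comments
// than that would need per_page/page handling or pagination helpers.
async function upsertComment(api, ctx, body) {
  const { data: comments } = await api.listComments({ owner: ctx.owner, repo: ctx.repo, issue_number: ctx.number });
  const existing = comments.find(c => typeof c.body === 'string' && c.body.startsWith(MARKER));
  if (existing) {
    await api.updateComment({ owner: ctx.owner, repo: ctx.repo, comment_id: existing.id, body });
    return { action: 'updated', id: existing.id };
  }
  const { data } = await api.createComment({ owner: ctx.owner, repo: ctx.repo, issue_number: ctx.number, body });
  return { action: 'created', id: data.id };
}

// Constructed in-memory stand-in for github.rest.issues so the flow runs offline.
function fakeIssuesApi() {
  const comments = [];
  let nextId = 1;
  return {
    comments,
    async listComments() { return { data: comments.map(c => ({ ...c })) }; },
    async createComment({ body }) { const c = { id: nextId++, body }; comments.push(c); return { data: c }; },
    async updateComment({ comment_id, body }) {
      const c = comments.find(x => x.id === comment_id);
      c.body = body;
      return { data: c };
    },
  };
}

// Constructed impact.json contents, as `nomik pr-impact --json` might write them.
const SAMPLE_IMPACT = {
  summary: '1 changed function(s) reach 2 route(s) and 1 DB write table(s); risk: high',
  routes: ['GET /cart', 'POST /checkout'],
  dbWrites: ['orders'],
};

(async () => {
  const api = fakeIssuesApi();
  const ctx = { owner: 'example-org', repo: 'example-repo', number: 42 };
  console.log(await upsertComment(api, ctx, buildCommentBody(SAMPLE_IMPACT)));
  console.log(await upsertComment(api, ctx, buildCommentBody({ ...SAMPLE_IMPACT, dbWrites: [] })));
})();
```

Anchoring on the marker rather than on the comment author matters because other automation may post as the same `github-actions` identity; the marker keeps the update scoped to Nomik's own comment.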

GitHub Bot

Nomik includes a GitHub bot (@nomik/github-bot) that automatically comments on pull requests with blast radius analysis. The bot:

  1. Receives a webhook when a PR is opened or updated
  2. Scans the changed files
  3. Runs impact analysis on all modified functions
  4. Posts a comment with the risk report

Pre-Commit Hook

Install Nomik as a git pre-commit hook to catch quality issues before they reach CI:

nomik guard --install-hook

This adds a pre-commit hook that runs nomik guard --ci before every commit. If any threshold is violated, the commit is blocked.