Use kernite check in CI/CD to gate releases when OpenAPI write operations are missing policy coverage.
  1. Export or fetch OpenAPI JSON.
  2. Run strict coverage check.
  3. Publish machine-readable report as a build artifact.
  4. Fail the pipeline on coverage violations.
kernite check \
  --schema ./.kernite/openapi.json \
  --report-out ./.kernite/kernite-check.strict.json
Exit behavior:
  • exit 0: coverage valid
  • exit 1: coverage violations (strict mode)
  • exit 2: input/parse errors

Optional Artifact-Aware Gate

If you generate policy artifacts in CI, validate the generated mapping and bundle for consistency with the schema as well:
kernite policy generate \
  --schema ./.kernite/openapi.json \
  --out-dir ./.kernite

kernite check \
  --schema ./.kernite/openapi.json \
  --mapping ./.kernite/policy-map.generated.json \
  --bundle ./.kernite/policy-bundle.generated.json \
  --report-out ./.kernite/kernite-check.generated.json

GitHub Actions Example

name: Policy Coverage

on:
  pull_request:
  push:
    branches: [main]

jobs:
  kernite-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install --upgrade uv
      - run: uv tool install --upgrade kernite
      - run: echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - run: uv sync
      - name: Export OpenAPI JSON
        run: |
          mkdir -p .kernite
          uv run python - <<'PY'
          import json
          from pathlib import Path
          from app.main import app

          Path(".kernite/openapi.json").write_text(
              json.dumps(app.openapi(), indent=2),
              encoding="utf-8",
          )
          PY
      - name: Strict coverage check
        run: |
          kernite check \
            --schema ./.kernite/openapi.json \
            --report-out ./.kernite/kernite-check.strict.json
      - name: Upload check report
        # always() so the report is still published when the strict check fails;
        # without it a failing gate would leave no report to audit
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: kernite-check-report
          path: ./.kernite/kernite-check.strict.json

Rollout Strategy

  • Early rollout: run --no-strict and monitor reports without blocking merges.
  • Enforcement rollout: switch to strict mode and block on exit code 1.
  • Keep reports as artifacts for audit and regression diffing.
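The exit-code contract above and the two rollout phases can be enforced in one place with a small wrapper. The function below is an added example, not part of the kernite docs or the kernite project: it runs whatever check command it is given, and maps the documented exit codes to a decision. Monitor mode (an alternative to flipping `--no-strict`, which keeps the strict command identical across phases) reports violations without blocking, enforce mode blocks on exit 1, and exit 2 blocks in both modes, because a report produced from an unparseable schema says nothing about coverage and `|| true`-style monitoring would silently swallow it. The mode name, the function name and the `KERNITE_MODE` variable are this example's own; `GITHUB_ACTIONS` and the `::warning::` annotation are GitHub Actions features.

```shell
# Added example: CI gate wrapper around `kernite check` (not kernite's own code).
#   $1   = mode: monitor | enforce   (names are this example's own)
#   $2.. = the check command to run (in CI: kernite check --schema ... --report-out ...)
# Passing the command as arguments lets the same wrapper be exercised with a
# stand-in command when kernite is not installed.
kernite_gate() {
  mode="$1"; shift
  # Run inside `if` so a non-zero status does not trip `set -e` before we map it.
  if "$@"; then status=0; else status=$?; fi
  case "$status" in
    0)
      echo "kernite: coverage valid"
      return 0 ;;
    1)
      if [ "$mode" = "monitor" ]; then
        echo "kernite: coverage violations found (monitor mode, not blocking)" >&2
        # Surface it in the PR checks UI when running under GitHub Actions.
        [ -n "${GITHUB_ACTIONS:-}" ] && echo "::warning::kernite coverage violations found (monitor mode)"
        return 0
      fi
      echo "kernite: coverage violations found, blocking" >&2
      return 1 ;;
    2)
      # Input/parse errors are never a "pass": the report is not trustworthy.
      echo "kernite: input/parse error, refusing to gate on an invalid report" >&2
      return 2 ;;
    *)
      echo "kernite: unexpected exit code $status" >&2
      return "$status" ;;
  esac
}

# Usage in CI (requires kernite on PATH); KERNITE_MODE is this example's own variable:
#   kernite_gate "${KERNITE_MODE:-enforce}" kernite check \
#     --schema ./.kernite/openapi.json \
#     --report-out ./.kernite/kernite-check.strict.json
```

Set `KERNITE_MODE=monitor` during early rollout and switch to `enforce` when you are ready to block merges; the check command and the uploaded report stay the same in both phases.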