PR Integration
squirex scan-pr scans only the metadata files changed in a pull request, filtering violations to lines present in the diff.
Command
squirex scan-pr -d ./force-app --base main --sarif results.sarif
The --base flag specifies the target branch. SquireX runs git diff internally to determine changed files and line ranges.
Why Diff-Scoped?
A full squirex scan on every commit produces noise from pre-existing violations in unchanged files. scan-pr surfaces only new violations introduced by the current branch, making PR annotations actionable and focused.
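To make the diff-scoping concrete, here is an added illustration (not SquireX's own code) of the two steps the text describes: parsing git diff output into per-file sets of new-side line numbers, then keeping only SARIF results whose location falls on one of those lines. The diff, the file path and the two findings below are constructed sample input.

```python
import re
from collections import defaultdict

# Added illustration of diff-scoped filtering; not SquireX's own implementation.
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def changed_lines(diff_text):
    """Map each file in a unified diff to the new-side line numbers it adds or changes."""
    changed, path, new_line, old_left, new_left = defaultdict(set), None, 0, 0, 0
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:              # inside a hunk body
            if line.startswith("+"):
                changed[path].add(new_line)
                new_line, new_left = new_line + 1, new_left - 1
            elif line.startswith("-"):
                old_left -= 1                          # deleted line: no new-side number
            elif not line.startswith("\\"):            # context line; skip "\ No newline..."
                new_line, old_left, new_left = new_line + 1, old_left - 1, new_left - 1
        elif line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:].split("\t")[0])
        elif m := HUNK_RE.match(line):
            old_left = int(m.group(1) or 1)            # hunk counts default to 1 when omitted
            new_line, new_left = int(m.group(2)), int(m.group(3) or 1)
    return dict(changed)

def filter_sarif_results(sarif, changed):
    """Keep only results whose first location's startLine lies in the diff for that file."""
    def in_diff(result):
        phys = result["locations"][0]["physicalLocation"]
        uri = phys["artifactLocation"]["uri"]
        return phys.get("region", {}).get("startLine") in changed.get(uri, ())
    return [r for run in sarif.get("runs", []) for r in run.get("results", []) if in_diff(r)]

# Constructed sample input: one changed Apex class and two findings, one new, one pre-existing.
SAMPLE_DIFF = """\
--- a/force-app/main/default/classes/Foo.cls
+++ b/force-app/main/default/classes/Foo.cls
@@ -1,3 +1,4 @@
 public class Foo {
-    public void run() {}
+    public void run() { helper(); }
+    public void helper() {}
 }
"""
CLS = "force-app/main/default/classes/Foo.cls"
def finding(line, rule):  # minimal SARIF result shape
    loc = {"artifactLocation": {"uri": CLS}, "region": {"startLine": line}}
    return {"ruleId": rule, "locations": [{"physicalLocation": loc}]}
SAMPLE_SARIF = {"runs": [{"results": [finding(2, "new-rule"), finding(4, "old-rule")]}]}
```

Running filter_sarif_results(SAMPLE_SARIF, changed_lines(SAMPLE_DIFF)) keeps only the finding on line 2; the finding on the unchanged line 4 is dropped as pre-existing.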
With GitHub Advanced Security
Combined with the SARIF upload action, violations appear as inline PR annotations. The || true keeps the job running so the upload step still executes when the scan reports violations, and github.base_ref is only populated on pull_request-triggered runs:
- name: Run PR Scan
  run: squirex scan-pr -d ./force-app --base ${{ github.base_ref }} --sarif results.sarif || true
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
See the full workflow →