"Shift left. Catch hallucinations in the PR, not in production."
⏱️ Duration: 45 minutes
📊 Level: Advanced
🎯 Goal: Automate AI verification in your CI/CD pipeline using GitHub Actions.
After this module, you'll understand:
- ✅ Shift-Left Verification philosophy
- ✅ Setting up QWED GitHub Action
- ✅ Blocking PRs that fail verification
- ✅ Generating verification artifacts
| Lesson | Topic | Time |
|---|---|---|
| 9.1 | Shift-Left Philosophy | 10 min |
| 9.2 | GitHub Action Setup | 20 min |
| 9.3 | Branch Protection | 10 min |
| 9.4 | v4.0.0 CI/CD Infrastructure | 15 min |
Most teams catch AI errors in production:

```text
Developer → Code → Deploy → Production → 🔥 Error → Hotfix
                                             ↑
                                         Too late!
```

Move verification earlier in the pipeline:

```text
Developer → Code → PR → CI/CD Verification → ✅ Merge
                              ↑
                        Caught early!
```
| When Caught | Cost to Fix |
|---|---|
| During coding | $1 |
| In PR review | $10 |
| In staging | $100 |
| In production | $1,000+ |
| After customer impact | $10,000+ |
```mermaid
graph LR
    A[Developer Push] --> B[GitHub Action]
    B --> C[QWED Verification]
    C --> D{All Tests Pass?}
    D -->|✅ Yes| E[Allow Merge]
    D -->|❌ No| F[Block PR]
    F --> G[Developer Fixes]
    G --> A
    style C fill:#4caf50
    style F fill:#f44336
```
QWED provides a ready-to-use GitHub Action for financial AI verification.
Marketplace: QWED Finance Verify
Create `.github/workflows/qwed-verify.yml`:

```yaml
name: QWED Finance Verification
on: [push, pull_request]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # For supply-chain hygiene, pin third-party actions to a full commit SHA
      # rather than a mutable tag once you have vetted the release.
      - uses: QWED-AI/qwed-verification@v3
        with:
          action: scan-npv
          data_file: tests/transactions.csv
          output_format: sarif
          fail_on_error: true
```

Note: the `sarif` output format lets financial hallucinations show up in the GitHub Security dashboard alongside your CVEs. Two practitioner caveats: if the SARIF file is uploaded to code scanning, the job needs `permissions: security-events: write` (plus `contents: read`), and a third-party action should be pinned to a commit SHA rather than the floating `@v3` tag so a compromised tag cannot silently change what runs in your pipeline.
Create `tests/transactions.csv` (simulate a "bad data" trap):

```csv
transaction_id,amount,customer_region,llm_flagged
TXN_001,500,US,False
TXN_002,15000,US,False
```

⚠️ Note: TXN_002 is a $15,000 transaction that the LLM left unflagged (`llm_flagged` is `False`). That is an AML violation, and it is exactly what the verifier must catch.
```bash
git add .
git commit -m "Add QWED verification to CI/CD"
git push
```

| Input | Description | Default |
|---|---|---|
| `action` | The verification action (`scan-npv`, `verify`, etc.) | Required |
| `data_file` | Path to the CSV/JSON file to verify | Required |
| `output_format` | Format for results (`json`, `sarif`, `text`) | `text` |
| `fail_on_error` | Fail the workflow if verification fails | `true` |
| Output | Description |
|---|---|
| `verified` | Whether all verifications passed |
| `receipt-count` | Number of verification receipts generated |
| `violations` | JSON array of violations found |
Configure GitHub to require QWED verification before merge:

- Go to Settings → Branches → Add Rule
- Enter the branch name pattern: `main`
- Enable "Require status checks to pass before merging"
- Select "verify" from the list (the status check name is the job id from the workflow, `jobs.verify`)
- Save changes
Now when a PR fails QWED verification:

```text
❌ QWED Finance Verification
   └── verify: Failed
       └── Error: AML verification failed!
🚫 Merge blocked - Fix required
```
Once your workflow passes, add the badge to your README:

[](https://github.com/QWED-AI/qwed-finance)

Scenario: senior citizens are supposed to receive +0.50% interest, and Claude 4.5 hallucinates the math. The goal is to block a "bad PR" that would underpay customers.
Create a file `rates_update.csv`:

```csv
product,base_rate,senior_margin,claude_output
Senior_FD,7.00,0.50,7.035
```

The Error: Claude treated the 0.50 margin as a multiplier and computed 7.00 × 1.005 = 7.035. The Truth: the margin is an additive spread, so 7.00 + 0.50 = 7.50.

Your pipeline will fail because QWED calculates 7.50 but sees 7.035.
Result in the Actions tab:

```text
❌ Verification Failed: Interest Rate Mismatch
Expected: 7.50%
Found: 7.035%
Error: Multiplicative logic applied to additive spread.
```
Update `rates_update.csv`:

```diff
- Senior_FD,7.00,0.50,7.035
+ Senior_FD,7.00,0.50,7.50
```

Result:

```text
✅ QWED Finance Verification
   └── verify: Passed
       └── Audited 1 row(s). No hallucinations found.
🟢 Ready to merge!
```
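To make the two failures in this module concrete, here is an added, self-contained Python example (not QWED's code and not the action's implementation) that re-derives both checks the CI step relies on: the AML scan over `tests/transactions.csv` and the additive-spread check over `rates_update.csv`. It emits the findings as a minimal SARIF 2.1.0 log, which is the artifact format that lands in the GitHub Security tab, and exits non-zero on any violation, mirroring `fail_on_error: true`. The $10,000 threshold, the rule ids and the tool name are assumptions for illustration; the CSV inputs are constructed copies of the module's samples.

```python
"""Added example (not QWED's code): AML scan + rate-spread check, SARIF out."""
import csv
import io
import json
import sys

AML_THRESHOLD = 10_000.0   # assumption: large-transaction reporting threshold
RATE_TOLERANCE = 1e-6      # float slack when comparing percentage rates

# Constructed sample inputs copied from the module's CSVs.
TRANSACTIONS_CSV = """transaction_id,amount,customer_region,llm_flagged
TXN_001,500,US,False
TXN_002,15000,US,False
"""
RATES_CSV = """product,base_rate,senior_margin,claude_output
Senior_FD,7.00,0.50,7.035
"""


def scan_aml(csv_text, path="tests/transactions.csv"):
    """Flag rows at or above the threshold that the LLM left unflagged."""
    reader = csv.DictReader(io.StringIO(csv_text))
    violations = []
    for row in reader:
        amount = float(row["amount"])
        flagged = row["llm_flagged"].strip().lower() == "true"
        if amount >= AML_THRESHOLD and not flagged:
            violations.append({
                "rule": "aml-unflagged-large-txn",      # assumed rule id
                "path": path,
                "line": reader.line_num,                # 1-based CSV line
                "message": (f"{row['transaction_id']} ({row['customer_region']}): "
                            f"amount {amount:,.2f} is at/above {AML_THRESHOLD:,.0f} "
                            f"but llm_flagged is False"),
            })
    return violations


def check_rates(csv_text, path="rates_update.csv"):
    """Recompute base + margin (additive spread) and compare with the model."""
    reader = csv.DictReader(io.StringIO(csv_text))
    violations = []
    for row in reader:
        base = float(row["base_rate"])
        margin = float(row["senior_margin"])
        found = float(row["claude_output"])
        expected = base + margin
        if abs(expected - found) <= RATE_TOLERANCE:
            continue
        msg = f"{row['product']}: expected {expected:.2f}%, found {found:.3f}%"
        # Name the specific hallucination when base * (1 + margin/100) matches.
        if abs(base * (1 + margin / 100) - found) <= RATE_TOLERANCE:
            msg += " (multiplicative logic applied to additive spread)"
        violations.append({"rule": "rate-spread-mismatch", "path": path,
                           "line": reader.line_num, "message": msg})
    return violations


def to_sarif(violations, tool_name="qwed-finance-example"):
    """Wrap findings in the smallest SARIF 2.1.0 log code scanning accepts."""
    rules = sorted({v["rule"] for v in violations})
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "rules": [{"id": r, "shortDescription": {"text": r}} for r in rules]}},
            "results": [{
                "ruleId": v["rule"],
                "level": "error",
                "message": {"text": v["message"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": v["path"]},
                    "region": {"startLine": v["line"]}}}],
            } for v in violations],
        }],
    }


def verify(transactions_csv, rates_csv):
    """Run both checks; return (violations, sarif_dict)."""
    violations = scan_aml(transactions_csv) + check_rates(rates_csv)
    return violations, to_sarif(violations)


if __name__ == "__main__":
    found, sarif = verify(TRANSACTIONS_CSV, RATES_CSV)
    with open("qwed-results.sarif", "w") as fh:   # the artifact to upload
        json.dump(sarif, fh, indent=2)
    for v in found:
        print(f"❌ {v['rule']} {v['path']}:{v['line']} {v['message']}")
    sys.exit(1 if found else 0)                   # fail_on_error semantics
```

Run stand-alone it reports both violations from the module (the unflagged TXN_002 and the 7.035% rate), writes `qwed-results.sarif`, and exits 1; replacing the rate row with `Senior_FD,7.00,0.50,7.50` makes `check_rates` return an empty list, which is the state the green "Ready to merge" result above corresponds to. Each SARIF result carries the CSV line number, so the Security tab annotation points at the exact row to fix.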
| Item | Status |
|---|---|
| Workflow file created | ☐ |
| Test script written | ☐ |
| Branch protection enabled | ☐ |
| Badge added to README | ☐ |
| Team trained on fixing failures | ☐ |
🆕 New in QWED v4.0.0 Sentinel Edition
v4.0.0 introduced enterprise-grade CI/CD tooling beyond GitHub Actions:
| Tool | Purpose | Integration |
|---|---|---|
| Sentry | Real-time error tracking | sentry-sdk in Python |
| CircleCI | Matrix testing (Python 3.10–3.12) | .circleci/config.yml |
| SonarCloud | Code quality + coverage analysis | GitHub App |
| Snyk | Security vulnerability scanning (SARIF) | snyk test / snyk monitor |
| pip-audit | Python dependency CVE scanning | pip-audit --strict |
| Docker Scout | Container vulnerability scanning | Docker Hub integration |
| SBOM | Software Bill of Materials (SPDX) | anchore/sbom-action |
```text
# Automated on every GitHub Release
# 1. Build multi-platform image
# 2. Sign with pinned base image digests
# 3. Generate SBOM (SPDX format)
# 4. Push to Docker Hub with version tags
# 5. Run Docker Scout vulnerability scan
```

- pip-audit with exclusions: exclude local packages from the audit (`--exclude qwed`)
- Non-root Docker: all containers run as a non-root user via `gosu`/`runuser`
- Hash-verified requirements: `pip install --require-hashes` in Docker builds
- SARIF output: Snyk results exported as SARIF for the GitHub Security tab
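The "hash-verified requirements" item above deserves a shift-left check of its own: `pip install --require-hashes` refuses to run unless every requirement is pinned with `==` and carries at least one `--hash=` option, but that refusal normally surfaces only inside the Docker build. The following added Python example (not part of QWED or its CI configuration) lints a `requirements.txt` for everything hash mode rejects, so the failure is caught in the PR instead. The sample files and their digests are constructed placeholders, not real hashes; the rules encoded here are the documented constraints of pip's hash-checking mode.

```python
"""Added example (not QWED's code): pre-flight lint for pip --require-hashes."""
import re

# name, optional [extras], then an exact == pin
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s\\;]+)")
# only the algorithms pip's hash mode accepts
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}

# Constructed samples; the "a"*64 style digests are placeholders.
SAMPLE_GOOD = (
    "# constructed sample; digests are placeholders, not real hashes\n"
    "requests==2.32.3 \\\n"
    "    --hash=sha256:" + "a" * 64 + " \\\n"
    "    --hash=sha256:" + "b" * 64 + "\n"
    "urllib3==2.2.3 --hash=sha256:" + "c" * 64 + "\n"
)
SAMPLE_BAD = (
    "requests>=2.0            # not pinned\n"
    "urllib3==2.2.3           # pinned but no hash\n"
    "certifi==2024.8.30 --hash=md5:" + "d" * 32 + "\n"
    "-e git+https://github.com/example/pkg.git#egg=pkg\n"
    "idna==3.10 --hash=sha256:" + "e" * 10 + "\n"
)


def logical_lines(text):
    """Return [(first_line_no, requirement_text)] after pip-style comment
    stripping and backslash continuation, so a multi-line --hash block is
    examined as one requirement."""
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # '#' after whitespace starts a comment
        if not line.strip():
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        out.append((start, " ".join(buf)))
        buf, start = [], None
    if buf:                                   # dangling continuation at EOF
        out.append((start, " ".join(buf)))
    return out


def audit_requirements(text):
    """Return [(line_no, problem)]; an empty list means hash mode is satisfied."""
    problems = []
    for line_no, req in logical_lines(text):
        if req.startswith("-e ") or re.search(r"\b(git|hg|svn|bzr)\+", req):
            problems.append((line_no, "editable/VCS requirement cannot be hash-verified"))
            continue
        if req.startswith("-"):               # -r, --index-url and friends are allowed
            continue
        if not PIN_RE.match(req):
            problems.append((line_no, "not pinned with =="))
            continue
        declared = req.count("--hash=")
        hashes = HASH_RE.findall(req)
        if declared == 0:
            problems.append((line_no, "no --hash= given"))
        elif len(hashes) != declared:
            problems.append((line_no, "unsupported hash algorithm (use sha256/sha384/sha512)"))
        for algo, digest in hashes:
            if len(digest) != HEX_LEN[algo]:
                problems.append((line_no, f"malformed {algo} digest ({len(digest)} hex chars)"))
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "requirements.txt"
    try:
        text = open(path).read()
    except FileNotFoundError:
        text = SAMPLE_BAD                     # demo mode when no file is present
    found = audit_requirements(text)
    for line_no, problem in found:
        print(f"{path}:{line_no}: {problem}")
    sys.exit(1 if found else 0)
```

Run as `python audit_requirements.py requirements.txt` in the same job that later builds the image: a non-zero exit blocks the PR with a line-numbered reason instead of an opaque `pip` error deep inside `docker build`. Note that a hash-pinned file only protects you if you regenerate it from a trusted resolver (for example `pip-compile --generate-hashes`), since an attacker who can edit the file can also edit the digests.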
"One scanner is hope. Five scanners in CI/CD is infrastructure."
| Concept | Implementation |
|---|---|
| Shift-Left | Catch errors in PRs, not production |
| GitHub Action | QWED-AI/qwed-finance@v1.2.0 |
| Branch Protection | Require "verify" status to merge |
| Artifacts | Verification receipts uploaded |
| Sentry | Error tracking in production |
| Snyk + pip-audit | Dependency CVE scanning |
| SBOM | Software supply chain transparency |
Learn the advanced verification engines — Fact Checker, Consensus, and Reasoning:
→ Continue to Module 10: Advanced Patterns
"Production is not a test environment. Verify before you ship."