diff --git a/.forgejo/workflows/nyxscanner.yml b/.forgejo/workflows/nyxscanner.yml
index 3093264..bdda042 100644
--- a/.forgejo/workflows/nyxscanner.yml
+++ b/.forgejo/workflows/nyxscanner.yml
@@ -32,18 +32,48 @@ jobs: run: | cd .nyx-src cargo build --release - cp target/release/nyx /usr/local/bin/nyx - name: Run NYX scan + id: nyx run: | - .nyx-src/target/release/nyx scan --format sarif --fail-on MEDIUM > nyx-results.sarif || true + .nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2>&1 + continue-on-error: true - - name: Show findings - run: cat nyx-results.sarif - - - name: Upload SARIF results + - name: Post findings as PR comment if: always() - uses: https://code.forgejo.org/actions/upload-artifact@v4 - with: - name: nyx-sarif-report - path: nyx-results.sarif \ No newline at end of file + run: | + FINDINGS=$(python3 -c " + import json, sys + + with open('nyx-results.sarif') as f: + data = json.load(f) + + results = data.get('runs', [{}])[0].get('results', []) + + if not results: + body = '✅ NYX scan: no findings above threshold.' + else: + lines = [f'## 🔴 NYX found {len(results)} issue(s)\n'] + for r in results: + level = r.get('level', '?') + msg = r.get('message', {}).get('text', '?') + rule = r.get('ruleId', '?') + loc = r.get('locations', [{}])[0].get('physicalLocation', {}) + path = loc.get('artifactLocation', {}).get('uri', '?') + line = loc.get('region', {}).get('startLine', '?') + col = loc.get('region', {}).get('startColumn', '?') + lines.append(f'- **{level.upper()}** \`{path}:{line}:{col}\` [{rule}] — {msg}') + body = '\n'.join(lines) + + print(body) + ") + + curl -s -X POST \ + -H "Authorization: token ${{ github.token }}" \ + -H "Content-Type: application/json" \ + "https://bitfreedom.net/code/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ + -d "{\"body\": $(python3 -c 'import json,sys; print(json.dumps(sys.stdin.read()))' <<< "$FINDINGS")}" + + - name: Fail if HIGH or above findings found + if: steps.nyx.outcome == 'failure' + run: exit 1 \ No newline at end of file
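Review bot: The new scan line `> nyx-results.sarif 2>&1` sends the scanner's stderr into the SARIF file, so any warning or panic text makes `json.load` in the next step raise and, under the runner's default `set -e`, the comment step dies before curl runs (or posts an empty body). Keep stderr apart, e.g. `.nyx-src/target/release/nyx scan --format sarif --fail-on HIGH > nyx-results.sarif 2> nyx-scan.log`, and have the embedded Python wrap `json.load` so a malformed report still yields a readable comment rather than a traceback. The comment step also runs on `if: always()` but builds its URL from `github.event.pull_request.number`; unless the workflow triggers are PR-only (they sit outside this hunk), a push run will POST to an issue path with an empty number. Note too that `data.get('runs', [{}])[0]` raises IndexError when `runs` is present but empty. The steps list this hunk edits begins above the hunk.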