badAPI/.github/workflows/ai-security-review.yml at 422dc35395b66e59d468de88a540cabcfe76537e · Commando-X/badAPI · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
name: Claude Security Review

on:
  pull_request:
    types: [opened, synchronize, ready_for_review, reopened]
    # Optional: only run when security-sensitive areas change
    # paths:
    #   - "src/auth/**"
    #   - "src/api/**"
    #   - "infra/**"
    #   - "config/**"

jobs:
  security:
    runs-on: ubuntu-latest

    # Least privilege for PR review + required OIDC for the Claude GitHub App
    permissions:
      contents: read
      pull-requests: write
      id-token: write

    steps:
      - name: Checkout PR
        uses: actions/checkout@v6
        with:
          fetch-depth: 1

      - name: Claude security review
        uses: anthropics/claude-code-action@v1
        with:
          # anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number }}

            Perform a security-focused review. Prioritize:
            - AuthN/AuthZ issues (BOLA/BFLA/BOPLA)
            - Injection (SQLi/NoSQLi/Command)
            - SSRF, deserialization, crypto misuse
            - Sensitive data exposure, logging issues
            - Security misconfig in code/config

            For each finding, include:
            Severity: CRITICAL/HIGH/MEDIUM/LOW
            What/Where
            Impact
            Recommendation

            Use inline comments for line-level issues and one top-level summary comment.

          claude_args: |
            --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*)"