Skip to content

Releases: DevSecOps-AppSec/ai-secure-code-review-action

v1.0.2

Choose a tag to compare

@souro1212 souro1212 released this 10 Sep 09:19
84de9c6

v1.0.2 – Expanded Secure Code Review Coverage

What’s New

Added coverage for cryptography, SSRF, file uploads, CI/CD workflows, containers, mobile code, and privacy/compliance checks.

Why It Matters

This release makes secure code reviews more comprehensive, structured, and actionable while keeping the output format consistent and developer-friendly.

Upgrade Notes

  • No configuration changes required.
  • Simply update to v1.0.2 to take advantage of the expanded coverage.

What's Changed

Full Changelog: v1.0.1...v1.0.2

v1.0.1

Choose a tag to compare

@souro1212 souro1212 released this 01 Sep 10:43
8c68b7c

v1.0.1 — Secure Prompt Update

✨ What’s New

  • Strengthened prompt.txt to improve resilience against:
    • Prompt injection attempts inside code diffs
    • Malicious instructions hidden in comments
    • Attempts to exfiltrate secrets through model output
  • Clearer system guidance to treat all PR diffs as untrusted input.
  • Added safeguards instructing the model to redact secrets if encountered and to ignore external links or code execution requests.

🔒 Why this matters

These changes ensure that the AI reviewer:

  • Focuses strictly on changed code hunks.
  • Avoids being tricked into leaking secrets or altering behavior.
  • Provides more trustworthy and safer reviews in real-world AppSec scenarios.

✅ Impact

  • No breaking changes for users.
  • Same usage as before:
  - uses: DevSecOps-AppSec/ai-secure-code-review-action@v1.0.1
    with:
      openai_api_key: ${{ secrets.OPENAI_API_KEY }}

v1.0.0

Choose a tag to compare

@souro1212 souro1212 released this 28 Aug 06:49
96640ed

Full Changelog: https://github.com/DevSecOps-AppSec/ai-secure-code-review-action/commits/v1.0.0### What’s new

  • Initial public release of AI Secure Code Review GitHub Action
  • Performs a 2-minute AppSec review of changed PR hunks using a ChatGPT-compatible API
  • Posts structured findings as a single, idempotent comment on the PR
  • Supports OpenAI, OpenRouter, or other API-compatible backends

Permissions required

  • contents: read — to fetch diffs
  • pull-requests: write — to post the review comment

Usage example

name: Secure Code Review
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: DevSecOps-AppSec/ai-secure-code-review-action@v1.0.0
        with:
          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
          model: gpt-4o-mini
          time_budget_seconds: 90
          max_files: 20
          max_lines: 1000